Pragmatic password security in three easy steps

In this article we’ll discuss the challenges of staying secure using passwords, without diving deep into the technical details.

(This is a 6 minute read.)

The problems with passwords

Passwords are rubbish for security!

They don’t accomplish the task you really want them to accomplish; they make you have to think and remember extra stuff when your brain is already busy; and even after you’ve gone to all that effort, it’s still easy for hackers to crack most passwords.

In case that’s hard to swallow, let’s look at exactly what’s wrong with passwords as a security measure:

The underlying premise is broken

The problem is that you want to lock down access to something so only you can use it (say, your email account)… by using a mechanism that is not restricted to you.

It’s a fundamentally flawed approach.

What you need is a mechanism that can only be used by you and nobody/nothing else. This generally means using biometric data (e.g. fingerprints), but biometric technology is still finding its feet in terms of becoming a de facto mainstream standard.

So realistically, we’re stuck with passwords until better solutions like this become mainstream.

Human memory compromises security

The next problem is that we’re humans with finite and variable memories. This means that we can realistically only remember a few passwords, and they can’t be too complex.

So when left to our own devices, we do four things that reduce password effectiveness:

  1. We reuse passwords. This means that if a reused password is exposed in one instance, it gives cybercriminals access to multiple accounts, apps, and so on.
  2. We sometimes use personal details in passwords – such as memorable dates, the names of our pets or kids, etc. This makes them less secure, as they can become guessable or researchable.
  3. We keep them as short as possible to make them easier to remember. Unfortunately, this also makes them much easier to crack through brute force, i.e. trying each permutation until one works.
  4. We write them down. This creates such obvious security issues that you probably don’t need them explained to you – but just imagine the outcome if, for example, a burglar comes across a password list written on a sticky note next to someone’s computer!

Each one of these human memory-saving compromises undermines the little remaining security that a password gives you.

If your organisation tries to resolve these issues by enforcing regular password rotation (making passwords expire after a short timeframe), this only exacerbates these issues and causes users to create even more predictable passwords – for example, keeping the same password but adding or changing a number on the end of it.

Maths breaks passwords

Finally, there’s the issue that relative to strong cryptographic methods like public/private key pairs (for example encrypted website traffic), passwords are very simple.

Without delving into the technical details, passwords should be stored as a cryptographic hash. This means the password can be tested against the hash, but you can’t work out the password from the hash. (See here for more detail.)
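As an added illustration (not code from the original article), here is the store-and-test pattern the paragraph describes, using the Python standard library's PBKDF2 with a random per-password salt; the iteration count and the sample passphrase are assumed values:

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256: slows down every guess in an offline attack on leaked hashes.
ITERATIONS = 600_000


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Store a one-way record 'pbkdf2_sha256$iterations$salt$hash' (hex), never the password itself."""
    if salt is None:
        # A random per-password salt means two users with the same password get different hashes,
        # so a single precomputed table cannot cover them all.
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Test a password against the stored record by re-deriving the hash with the stored salt and iterations."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("dog envelope thirteen yarn")  # constructed sample passphrase
    print(stored)
    print(verify_password("dog envelope thirteen yarn", stored))   # True
    print(verify_password("dog envelope thirteen yarns", stored))  # False
```

The record carries its own algorithm, salt and iteration count, so the work factor can be raised for new passwords without invalidating existing ones.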

Even if your passwords are correctly stored as one way hashes, it is still quite possible to work out what a password is from scratch.

There are many methods for this. The two main ones are:

  1. Brute force attacks – simply trying all the permutations until the right one is found.
  2. Dictionary based attacks – a more efficient approach in which all possible words are tested, usually along with lists of common passwords.

These kinds of attacks can be limited by application functionality that caps the number of login attempts per second, but two factors negate this:

  1. Implementation of logon limits is down to the application/solution, and not something the user can control.
  2. If there is a breach of an application and the password hashes are leaked, then these can be attacked at a time or place of the hackers’ choosing, and there is no way for you to know it’s happening.

The simplest way to mitigate these risks is to make the password long and complex in the hope that it’ll never be guessed.

This, of course, completely conflicts with the human element… which can undo your password security measures in moments once you let real users onto your systems!

Password complexity in the real world

Here is a great illustration of password complexity against a brute force attack.

There are two factors here – password length and character set complexity.

As the character set complexity goes up, the time needed to brute force the password increases significantly once the password length is over 10 characters.

Ten characters is still too short (in our opinion) to allow for advances in technology or approach, so we tend to aim for anything in the bottom of the orange/green range.

Bear in mind this is a brute force approach, and a dictionary based approach will be more efficient – meaning your passwords can be cracked even faster than the chart suggests!

How do we fix these password security problems?

What you’ve read so far may seem like we’ve turned up at a gunfight with a carrot, but there are some pragmatic ways forward.

Fixing these password security problems hinges on trusting a password manager service, mitigating the human factor, and adding a second factor where possible.

Use a password manager

This is a huge trust exercise, but it is now mainstream practice.

A password manager is generally an encrypted database containing all your credentials. They can be local to your machine, an on premises service, or a cloud based offering.

A password manager changes the constraints by:

  1. Creating a strong unique password for each application or website.
  2. Storing all your passwords and automatically populating the login credentials/forms in your browser to minimise friction.

This has a massive effect on password security and strength:

  1. Complexity can be increased to effectively uncrackable levels (until quantum computing hits its stride).
  2. There is no dependency on human memory.
  3. With a password per site/application, should that one password be cracked, it’ll have no impact on any of the other sites/applications you use.

Just by using a password manager, many of the above limitations are now mitigated.

However, password managers need a password to unlock them…!

Use the human brain effectively to make secure yet memorable passwords

Our brains are amazing things. Unfortunately there’s no definitive user manual, but people have discovered some very effective ways to enhance our memory skills.

One of those is mnemonic linking. It sounds very fancy, but it’s basically making a list, and creating an association between all members of the list. From the linked Wikipedia article:

For example, when memorizing the list (dog, envelope, thirteen, yarn, window), one could create a story about a “dog stuck in an envelope, mailed to an unlucky thirteen black cat playing with yarn by the window”. It is argued that the story would be easier to remember than the list itself.

Here’s a TED talk on this, explaining the technique and how accessible it is.

To put this in the context of passwords, this comic strip does a much better job of explaining it than I can:

This approach should work for most people, and shouldn’t be a mental burden. Make the story fun or entertaining and it’ll be a joy to type in your password!

A few pointers:

  1. Use random words to avoid using your personal details in your password as these can be identified from your social media or from social engineering.
  2. Aim for at least 4 words – length is critical.
  3. Don’t reuse a password, no matter how tempted you might be!

This approach gives you a big step forward in password strength, with minimal downsides.
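As an added example (not from the original article), the arithmetic behind the brute force chart above and the "length is critical" pointer: how many guesses an exhaustive search needs for character passwords of various sets and lengths, compared with a passphrase of random words. The guess rate and the 7776-word list size (the size of a Diceware-style list) are assumptions:

```python
import math

# Constructed assumption: an offline attacker testing leaked fast hashes at 10 billion guesses/s.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character set sizes for single-word passwords (printable ASCII has 95 characters).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 95,
}

# Assumed size of a Diceware-style word list used to pick random passphrase words.
WORDLIST_SIZE = 7776


def keyspace(symbols: int, length: int) -> int:
    """Candidates a brute force must try when every position has `symbols` choices.

    Works for character passwords (symbols = charset size, length = characters)
    and for random-word passphrases (symbols = wordlist size, length = words).
    """
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace."""
    return length * math.log2(symbols)


def years_to_exhaust(symbols: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at the assumed guess rate."""
    return keyspace(symbols, length) / rate / SECONDS_PER_YEAR


def strength_table(lengths=(8, 10, 12, 16)):
    """Bits and brute-force years per charset and length, plus 4- and 5-word passphrases."""
    rows = {}
    for name, size in CHARSETS.items():
        for n in lengths:
            rows[f"{n} chars, {name}"] = (round(entropy_bits(size, n), 1), years_to_exhaust(size, n))
    for words in (4, 5):
        rows[f"{words} random words"] = (round(entropy_bits(WORDLIST_SIZE, words), 1), years_to_exhaust(WORDLIST_SIZE, words))
    return rows


if __name__ == "__main__":
    for label, (bits, years) in strength_table().items():
        print(f"{label:30} {bits:6.1f} bits  {years:12.3g} years")
```

A dictionary attack skips most of this keyspace for human-chosen passwords, which is why the words must be picked at random rather than chosen for meaning.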

Add another factor

This is the most important thing we can do, as it mitigates the biggest problem with passwords – which is that once you’ve set them, someone else can use them.

The easiest way to think about this is that you add something that only YOU can do on top of the password. This approach is becoming much more commonplace, as it’s simple to implement, and stops password based breaches at the door.

Some common examples are:

  1. An email or SMS confirming that it’s actually you logging onto a system. Note that SMS is probably the weakest option, as SIMs can be hijacked more easily than the other methods.
  2. A One Time Passcode (OTP) generated by an app (e.g. Google Authenticator).
  3. A dedicated application (Google also offers this).
  4. A hardware token like a YubiKey.

Adding a second authentication factor is the best single thing you can do to enhance the effectiveness of your password security.

Finishing up

In a nutshell, this article gives you three practical, achievable actions any individual or organisation can take to dramatically improve their resilience to leaked passwords or hashes. These are all things we do by default in Propellent.

We’d love to know what you thought of this article, and whether you’ve implemented any of these password security measures! Please let us know your thoughts in the comments.

Wishing you a safe and secure day.

Matt Wanless
Chief Blogging Wizard & Tea Enthusiast
Propellent
