Passwords are like housekeys for computer services. They are intended to be secrets that allow you to access resources, but deny access to others.
Here are some questions to ask yourself about passwords:
- What are the passwords protecting?
- If one password is breached how many other computer services become vulnerable?
- Who else knows your passwords? How much do you trust them?
- What services have your passwords? How much do you trust them?
- How many passwords do you have to manage?
- How do you manage your computer passwords?
Password Vulnerabilities and Cracking
How can passwords be compromised?
Someone can try all passwords against a password database, using either a “brute-force” method or by being smarter.
Commercially available software can guess passwords more effectively by looking for common passwords first. For an example, see http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
These kinds of brute-force attacks are the ones people talk about, but there are much easier ways.
You can be fooled or coerced into giving up your password. (See, for example, http://xkcd.com/538/) . Fooling people into giving up their passwords (“Your account will be suspended unless you reregister with our service”) is a form of social engineering .
Someone who knows you can use information they know about you to get your password reset.
Somebody could find where you wrote down your passwords.
Somebody (maybe a virus) could install a keylogger on your computer that records your keystrokes and sends it to another location. Once a keylogger is on your system you are in trouble.
Why would anybody want your password?
- Maybe they want to use your identity for fraud purposes. e.g. “Help! I’m trapped overseas! Please send me money!” Here is one scary story: http://www.cbc.ca/spark/2010/02/spark-103-february-21-23-2010/
- Maybe they want access to your resources without caring about you in particular. For example, they might want access to a bank account without caring whose they get.
- Maybe they want particular information from a resource you have. For example, governments might want to break into the email accounts of activists and dissidents.
- Maybe they are trying to illustrate points about the weakness of online services.
The best passwords are long, strong, and difficult to guess. Many people choose fairly weak passwords, which can get them into trouble:
Some websites have had their password databases compromised, and people have analysed the results:
: singles.org, phpBB, MySpace
http://www.thetechherald.com/articles/Report-Analysis-of-the-Stratfor-Password-List : Strategic Forecasting database, including lots of examples
There are different ways people model password attacks. Here are some common assumptions:
- In the worst case, an attacker has direct access to the password database (and so can test as many passwords as they want)
- Guessing part of a password gives you no information which helps you guess the full password (if this assumption is broken then password guessing becomes much easier)
- The attacker may know something about the structure of the password.
- The attacker knows the algorithm (set of steps) used to convert the password into a form stored in the password database.
Attackers that do not know about the structure of the passwords might have to resort to brute-force attacks, which depend on the number of possible passwords that can be used.
For a (potentially misleading) discussion of password strengths, see http://xkcd.com/936
In general, password length matters more than complexity, but both are helpful:
A 6 character password that is made of random numbers, letters, and symbols has (26 + 26 + 10 + 32)^6 possibilities, which is about 690 billion. A 25 character password made of a random combination of 3 letters has 3^25 possibilities, which is about 847 billion.
Generating and Managing Passwords
One problem with passwords is that there are too many of them!
- If you keep the number of passwords small by reusing them then one leaked password can jeopardize other things you care about. For example, here is a comic that shows one possible danger: http://xkcd.com/792
- If you keep the number of passwords large you need to remember or manage them somehow.
Different passwords have different importance, and are used in different ways:
- Some passwords are critical, and if you lose them then there are important consequences.
- Passwords that you use every day are better candidates for memorization than passwords you use infrequently.
- Some passwords need to be typed in manually. Others can be copy-and-pasted from a file.
- Some passwords must be typed in manually, and are used on devices where you might not have access to electronic files. These passwords can be memorized or written down.
- Infrequently-entered passwords (e.g. wifi passwords) can be more complicated than those you need to enter in often.
In general, you want the strongest passwords that are managable for you:
The most important passwords you use should all be different from each other.
Whenever possible, passwords should be both long and complicated. If
there is a conflict, long matters more than complicated.
If you will be using passwords from a small set of known computers, then a password manager such as KeePass (http://keepass.info) or Password Safe (http://passwordsafe.sourceforge.net/) might make sense. These can store completely-random passwords for your services.
Alternatives to proper password managers are encrypted files (e.g. Office 2007 Excel files with encryption), Truecrypt shares, and maybe the password managers built into web browsers.
If passwords need to be typeable then there are lots of techniques people use. Here are a few that are hopefully less dumb than the usual advice:
Combining random dictionary words, maybe including numbers and symbols.
Choosing two unrelated phrases and concatenating them together, perhaps with numbers and symbols: “Mary had a little lamb” + “A stitch in time saves nine” –>
“Mary had a little stitch in time saves nine” –> “Mary had 729 a little stitch in ^^ time saves nine”
Taking pronouncable fragments of words and concatenating them
together, perhaps with numbers and symbols: slacker + elephant + spread –> slacker + elephant + spread –> Acker-epha,Prea
Taking the first letters of phrases or song lyrics (but make sure these passwords are not too short!): “We hung around every single moment, because that’s what we thought married people do” –> “We hung around every single moment , because that’s what we thought married people do” –> “Whaesm,btwwtmpd”
Don’t forget that you can combine these techniques or use others.
If you will have to use passwords on a variety of computers where you cannot run your own software, then memorizing passwords might be necessary. You can also write down passwords in a secure location that you are unlikely to lose (e.g. your wallet, your day planner).
If you are writing passwords down it is best NOT to write down the usernames and purposes of the passwords in the same place.
Thinking About Security
Thinking about security starts with thinking about your computing resources, and what you want to protect.
- Your online identity or reputation
- Computing power
- Assets like your bank account or World of Warcraft character
- Access to your social networks
- Your personal data
- Bandwidth on your Internet connection
Once you know what resources are involved, you can think about how to protect those resources:
Who has access to the resources? You? Family members? Friends? Your workplace? The entire internet?
Who do you trust? Who is trustworthy?
How much time and effort are you willing to put into protecting these resources? (Don’t underestimate how much you want to protect your data.)
Rules of Thumb
Here are a few common principles you might encounter:
The Principle of Least Privilege states that you should carry out tasks with as few privileges as possible, which makes it less likely to do damage.
Reducing the Attack Surface of an application/service means reducing the number of ways that service communicates (and thus the number of ways that people could break into that service)
Defence in Depth states that it is better to have several independent types of protection for a resource than depending on only one form of protection.
Thinking about security quickly gets overwhelming. It is easy to throw your hands up in despair. How can you avoid this?
Avoid black and white thinking. Security experts spend a lot of attention thinking about worst case scenarios, and are dismissive of half-measures. But security is always a tradeoff.
Learn enough about technology to understand the threats and risks involved.
Evaluate your use of technology. Avoiding technology entirely is difficult and ill-advised, but you can resist the pressure to follow every technological trend.
Figure out the resources that are most important to you, and focus your attention in improving those areas.
Figure out the more common security compromises, and focus on those. For example, fake antivirus programs and e-mail hacking are popular these days, but people breaking into your house and taking your computer is less popular (hopefully).
Don’t fall into the trap of thinking that your data is not important enough to steal. Often attackers are looking for easy targets, not particular people.
Make sure you have the easy stuff covered. Is your software legal? Is it up to date? Are your most important passwords long and strong?
Turn to friends and other “computer people” to help you evaluate security threats (but beware bad advice — there is a lot out there).
Don’t forget that you need to be able to access the resources you care about! You can make security so cumbersome that actually using the resources is difficult.
Audit your password practices according to the questions in the first section of the “Passwords” section. What improvements do need to make?
What resources related to computers do you value? What would happen if you were to lose access to these resources? How are you currently protecting these resources?
This work by KW Freeskool is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.