2017 December Lifestyle Tech Matters

Password Complexity: The Simple Truth

Passwords have been around since time immemorial as a way of user identification, identity authentication and as a way of gaining access to a restricted resource. The Greek historian Polybius has discussed in detail how passwords, or quite specifically, “watchwords” were used by the Roman military in the changing of the guards, thus protecting from impostors who may attempt to infiltrate and gain access to watch towers, entrance gates or supply rooms and thus endangering critical infrastructure and the chain of command. As with any chain, the password may just as well be the weakest link that would cause the house of cards to fall down and critical resources made to crawl to its knees.

Perhaps the best known attribution to this chain or link that may probably pass the category of being an urban legend for its preposterousness was the story about no less than Facebook’s CEO’s account getting hacked. Perhaps Mark Zuckerberg was trying out the features of Linked-in by creating an account protected by a password set simply as “dadada”. But what made it worse was that the password appeared to have worked on his other accounts on Twitter, Instagram and Pinterest. A hacker group reportedly hijacked the billionaire’s accounts which were otherwise rarely used. However, being the head honcho of the most widely-used social media platform in the world, the break-in, which proved friendly in nature, could best be described as an embarassment with a potential for damage to reputation not just personally, but enterprise-wide, with him being responsible for securing the identities and related information of millions of Facebook users.

How secure must a password be? In this day and age, a password being a secret may not be enough, as all secrets are susceptible to guessing or “phishing” — a social engineering technique used to deceive users to disclose personally identifiable information by exploiting a compromised security layer. Passwords must be able to withstand a brute-force attack in the longest possible time, long enough for the password owner to realize what is going on and conduct emergency counter-measures to prevent any breach of trust and information.

In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing it correctly.

Let’s put this clearly in perspective: some people are naive in thinking that the manner by which passwords are guessed is done manually. There are algorithms already in place to have a machine do the guessing/hacking job instead. Purely human-generated passwords should never be trusted as people are notoriously poor at achieving sufficient entropy to produce secure codes. Human-readable codes on average could be cracked within 4 weeks. Why? This is due to a confluence of complexity and length. The more lengthy and complex a password is, the less likely a person would remember it, so most people settle for the easiest to remember.

When it comes to passwords, size matters. Adding a single character length to a password boosts its security exponentially. In a so-called dictionary attack, a password cracker will utilize a list of common words to discern the right one. So merely adding characters can boost the password’s shelf life. For instance, forgetting about complexity for a moment, the amount of time it takes to crack the average password based solely on the number of characters, using a computer-based algorithm running on a single core machine are as follows:

7 characters = .29 milliseconds
8 characters = 5 hours
9 characters = 5 days
10 characters = 4 months
11 characters = 1 decade
12 characters = 2 centuries

Lesson #1: Make your passwords longer than 10 characters. Ideal is a minimum of 12 characters.

Combining numbers, letters and symbols rather than sticking with one type dramatically enhances password security. A string of purely alphabetic or purely numeric code takes mere milliseconds to crack. Combining characters and numbers with symbols basically removes the human component, but steps up protection against guess-validation logic that may be available in the market. In comparison, below are the average time it takes to break a password based on type (again forgetting about complexity for a moment):

Purely numeric password – “1234567890” = .23 milliseconds
Purely alphabetic password – “abcdefghij” = 3 months
Alphanumeric password – “12345abcde” = 8 years
Alphanumeric password with symbols = “1234%abcd#” = 5 centuries

Lesson #2: Combine alphanumeric codes with symbols and make them non-readable.

Now, making a password complex enough to withstand a brute-force attack involves taking the human components totally out of the equation. Your password must not have any connection with you whatsoever, it should not bear the numeric values of your date of birth, telephone number, zipcode, etc. Passwords must be as random as possible. Part of this random selection is that a password must not be used twice across multiple user accounts or systems. It should also avoid any character or numeric repetition.

Some examples of weak passwords are:
1. Default passwords supplied by the system vendor at installation (password, default, admin, user, guest, 1234)
2. Dictionary words, including words in non-English dictionaries (chameleon, RedSox, sandbox, zeitgeist)
3. Readable words with numbers appended (john1234, password1, dear2017)
4. Words with simple obfuscation ([email protected], g0ldf1$h, l3xluth0r)
5. Double words (crabcrab, stopstop, passpass, dada)
5. Common sequences (12345, qwerty, asdfgh)

Lastly, avoid writing down any of the passwords you use whether currently or in the past. It’s basically a matter of locking it up and throwing away the key.

Lesson #3: Never write down a password anywhere and never use the same password for more than one account.

One problem however with removing the human component out of the password selection process is remembering what the password is. But I guess, the human component is what makes the password less secure to begin with. If you yourself can hardly remember your own password, then you can trust that it would be the same case for a would-be hacker. But what use is a password if you can hardly recall it? Again, we have to remember the fact that we are dealing with a non-human resource capable of breaking a code at the rate of  minimum 10 million attempts per second. With the advent of modern GPU’s and quantum computing, the threat capability increases to 7 billion attempts per second. So your next best defense is automation; fighting fire with fire and elevating the playing field by matching your defense with the very technology that is used against you.

A reasonable compromise in using and remembering a large number of unique passwords is to use a password manager software. Most password managers can automatically create strong passwords based on complexity guidelines you set, using a cryptographically secure hashing algorithm that uses a combination of public key infrastructure and personal key salts that store an encrypted copy of the password equivalent that can only be unlocked with a personalized unique key. The password manager itself is protected by a master passphrase ideally seconded by a multi-factor authentication tool. To illustrate here are the steps to secure, let’s say a Facebook account:

  • You install a password manager in the device you normally use. The device then stores the security certificate used to authenticate with the data store.
  • You setup a passphrase used to unlock the password manager. The passphrase is required when creating, storing and retrieving passwords.
  • Attach a two-factor authentication to work with the password manager that requires an RSA key to be entered within 2 minutes prior to unlocking the password manager or decrypting a password.
  • The password manager, once properly authenticated, navigates to the valid URL of the site and automatically fills in the username and password fields. This protects against phishing, keystroke logging and man-in-the-middle attacks.
  • Change your Facebook password to a secure one using the password generator of the software; this is then automatically saved, but not before being hashed then cryptically stored in the site password vault.

There are some parameters however that must be met:

  • Avoid locally-installed software. Some password managers operate as a browser agent or extension.  No data is saved in the machine.  Decryption happens at the browser layer once proper authentication has been made.
  • Avoid saving both database and cryptographic hash in the same device. Use the cloud to store encrypted data that are totally useless without your certificate and cryptographic salt. This adds the benefit of making the facility available on-demand where ever you are.
  • Never log in using a public computer.
  • Use multifactor authentication, typically one that requires an RSA key to be entered coupled by an unlock PIN that is either emailed or texted to you on-demand.

Does such technology exist and is it freely available? Luckily there is and it is freely available, with some learning curve of course. One such tool with a high trust rating and usability score that I could recommend is LastPass. Personally the tool allowed me to use totally unique passwords for each of my 500-plus login profiles. As added security feature, the tool lets you set recovery parameters (should you lose your device). It also lets you set country restrictions where logins would only be allowed for specific countries; this is useful when traveling and removes the danger of having the tool be used to login to your accounts from random location other than where you are located. The tool also provides a panic button where all known sessions are destroyed if you suspect an anomaly. The only requirement that LastPass requires is: never forget your master passphrase since absolutely nobody can recreate your account and retrieve your individual passwords from the tool if you forget your master passphrase. It is a necessary evil.

Maintaining password complexity is generally dependent on the layer of abstraction that you employ; i.e., the dichotomy between your cryptographic salt and the individual password hash, and protected through your password manager tool by way of master passphrase, authentication certificates and multifactor identity keys with PIN.

Just for trivia, a good password that is at least 12 characters, a combination of alphanumeric with symbols, totally random and non-readable such as “j65!c7UnAfN%” will take a multi-core machine exactly 827,090 millenia, 1 decade, 4 years, 10 months, 3 days, 2 hours, 12 minutes and 21 seconds to decode. It may be enough to last a lifetime, but remember to always account for the human equation — so make sure that as a matter of policy, change your password every 60 days; that ensures you start from a clean slate each time, thus resetting the cracker code clock regularly, giving you a new lease in life towards keeping your identity and information safe.

Joel Gabriel
"Fray Joel" entered the Dominican formation in 1990 straight out of high school. In 1993 he received the habit of the Order of Preachers while being admitted to the novitiate. He obtained his A.B. Philosophy degree in 1996 at the same time that he decided to take a leave from seminary life. In the secular world, he trained as a mainframe programmer with Citibank which started his career in Information Technology, and the rest as they say is history. Joel has been an IT practitioner all his professional life gaining experience and expertise with global companies such as Citibank Asia-Pacific, RCG-IT, IBM Solutions, Accenture and James-Martin/Headstrong. Based in the New York metro area since 2012, Joel is currently an IT Support Operations Manager with Genpact possessing over 15 years of success leading diverse technology projects within the Capital Markets and Financial Services industry and domain. Joel is happily married to Nancy Aquino-Gabriel.

Leave a Reply

Your email address will not be published. Required fields are marked *