Secure Passwords (Wiki)

The content of the Security Analogies wiki is now available here, under the GNU Free Documentation License 1.2.


A password is like the lock on your front door. There are all kinds of locks—there's the cheap ones on bedroom doors that you can open with a small screwdriver; on the other end of the spectrum, there are bank vault locks that only open at a certain time with a 10-digit combination and a fingerprint scan. Passwords are much the same; they can be simple (like a 4-digit PIN on an ATM card) or complex (a 17 letter pass phrase with punctuation and special characters.) The difference between both the easy and complicated locks and passwords is that the more complex it is, the longer it will take an intruder to bypass it. The main plus to the passwords is that, unlike locks, getting a bigger, stronger, better one is free.

Take, for example, the ATM card PIN number. There are four digits, which means the range is from 0000-9999. That means that if the bank didn't lock you out after three failed attempts, the absolute maximum number of attempts it would take to break that password is 10,000. This is like the bedroom door lock.

Now, let's make this more like the front door on your house. We'll call it an 8 character password, using only A-Z, a-z. So, the keyspace (number of usable passwords) is 53,459,728,531,456. While that seems like a lot of possible passwords, a good password cracking program on decent hardware can try every combination in a matter of minutes, just like a thief with a good set of lock picks could get into your house in a few minutes.

Lastly, we have the complex passphrase. Let's say you really want to protect your data. Most operating systems these days let you put spaces and special characters into your passwords. Windows will let you have up to 255 characters. For this example, let's say that your system's policy is that you must have a 15 character password, because the data is so sensitive. You choose, "â√˚Shallot=Onion!" (the square root of shallot is onion.) This includes a special character (type Alt+221 to get it), is an easy sentence to remember (so you won't be tempted to write it down on a sticky note and leave it under your keyboard) and (the rest of this sentence is for geeks only) it exceeds the maximum number of characters for Lanman (LM) to break it into two, easily cracked, 7 character hashes. Everything you could want. For a hacker to guess this, it would require up to 479,723,585,630,812,484,077,519,190,956,980,000,000,000,000,000,000,000,000,000,000,000,000,000,000 (that's 479 quattorvigintillion, in case you're curious) attempts. (The keyspace, or number of possibilities for each character, is 95,221 in Unicode, and there's 15 characters, so it's 95,221 to the 15th power.)

Now, let's assume that the data your company has is sensitive enough that, if it gets out, your business will be ruined, and you'll be out of a job. (Be it from lawsuits because of exposed credit card or other personal information, or all of your clients leaving because you can't maintain confidentiality, etc.) Which would you rather have on your door? The bedroom door lock, or the safe vault lock?

Password Rotation

People often begrudge the fact that their security policy requires that they change their password on a regular basis.

Consider something most of us learned or were told when we were growing up—if you get lost, stay put, someone will eventually find you.

The same is true for passwords in that for any given password length or complexity, there is still a finite number of possibilities (granted that number could be in the 'quattorvigintillions') but the reality is if that password stays put, it will eventually be 'found'.

Another way; consider a target shooting sideshow where each letter of your password is a target that needs to be knocked down in succession to win the prize. If I have fewer targets, it will be easier to win the prize. Now, to make our sideshow more like a password cracking problem, we would blindfold the shooter, and they would have to guess the location of the targets to be successful. However, if they remain methodical it can be expected that they will eventually be successful—sure they may have to live with the "carnies" for some time, but they'll get there in the end.

So to make it harder we can do a number of things, but consider these 3:

1) Increase the number of targets i.e. increase the length of your passwords.

2) Move to a bigger booth. This gives you more positions to place the targets i.e. include numbers and special characters not just letters in your passwords.

3) Periodically move the targets so the shooter can no longer rule out unsuccessful shots, and will need to try them all again i.e. periodically change you password.

Sharing Passwords

You go into your apartment and your TV is broken. It was fine when you left, and nothing else is broken. Who do you blame? Anyone with a key: each friend who you gave a copy of the key to. You'll probably lose some friendships in the suspicion, but who else could have done it?

Passwords are keys. You don't give out copies of your keys unless you need to. This protects you and saves you suspecting your closest friends and family if something ever goes missing or gets damaged. Share passwords as often as you give out copies of your keys.

WebSanity Top Secret