Thursday, September 05, 2013

Password, please.

I've been working in IT for 14 years. During my time in IT, I've encountered an interesting array of passwords. I've developed a certain philosophy about passwords through the years that works well for me. As admin, I've reset the password for users many times when they forget their passwords. I've also been given passwords used by owners and other management staff so that I can work on their computers when they're away from work. This experience has given me a sense of choices people make for passwords they want to remember.

I'm on the subject of passwords this morning because someone caught my attention with a link to an article by Bruce Schneier. In the article, Schneier delineates the problems associated with easy passwords. Passwords are getting easier to crack with time. This is because people who crack passwords for fun and profit are also sharing their insights with each other.

For example, there are now huge collections of passwords that have been found on the internet. Using one of these password dictionaries, a black hat can quickly run through a billion possibilities for a password. If you're using an easy password like "fatcat8" or "candycrush4163", it's probably already in the dictionary. Dictionary words are the first thing to go into it.

As Schneier notes, even character replacements are bountiful in the password dictionaries. "Pa$$word", for example, has already been taken. There are many other examples, but you get the idea.

XKCD has a famous comic (cited in Schneier's article) regarding the re-use of passwords and how that is making life easier for black hats. If you're using the same password on multiple sites, it only takes one breach to allow someone to ruin your life. At best, that will cost you an afternoon of replacing your passwords on all of your favorite websites. Whatever you do, don't even think about reusing a password for your online banking accounts.

As a system admin, I have been given passwords by other people who trust me to work on their computers. As a general rule, I avoid this and simply change the password of the user account I'm going to work on, so that I don't need to learn the password. I follow a principle I call "irrefutability". As an example, when other people enter their credentials and they have not shared that information with me, I avert my gaze. In 99% of the cases I work with, I don't want to know someone else's password. So when they enter their password, I look away to make sure that I don't know it.

I like password managers like Keepass and PasswordSafe. I especially like the open source password managers because other programmers can look at the source code to see what the program is doing, make improvements if they have the skill, and alert the community if a bug is found. Bugs are fixed faster, as a general rule, in open source software than in closed source software.

While it is possible to try to crack the files created by password managers such as Keepass, brute force attacks on the encryption are simply not physically possible within a lifetime. There are two reasons for this. One is that as key length increases, so does the time required to run through every possible combination for the key.

Schneier also notes that the energy required to flip through every combination is discrete and definite. For example, a brute force attack on a 256-bit AES key requires the energy of stars. He uses our sun as an example to show that if we captured *all* of the energy of our sun for 32 years, we might be able to flip through 192 bits. If we captured a supernova we could power through 219 bits of a key.

In terms of energy, humans simply don't have the energy required to count through every combination of an encryption key. So while there might be reason to fear letting a password database from Keepass escape, it's going to be a while, perhaps until after the sun goes nova, before the password for that database is cracked. Unless an easy password is used.

While password cracking is a problem, the bigger problem is often the gray matter choosing a password. Choose an easy password and you are just asking for trouble. Using a password manager to generate a password for you is better. A password generator is going to be completely random in choosing characters. With a password manager, you can easily save a different, completely random password for every site you visit.

So be safe with your passwords. Don't use easy passwords. Use a good password manager. Don't share passwords with anyone unless you have complete trust in them. Change your passwords from time to time. Now git along and enjoy the web.
