Sadly, major websites get hacked often enough to warrant repeated coverage on mainstream news. Wondering if you’re listed in the Ashley Madison data dump? Has your Gmail password been leaked without your knowledge? Did you notice when 145 million details were stolen from Ebay? Curious? I am…
The internet has lead to almost every website asking for passwords to carry out basic actions, such as complete a purchase or get support. As a result most internet users rely on either one password, or one main password with derivations thereof. As a security researcher I can understand the propensity towards a single password system. It’s quick and easy to remember, but it could be better.
I have a tip that could make even the weakest password infinitely more secure. For most people following the simple rule below is enough to exponentially increase password entropy, without the effort of remembering random strings of junk that some mistakenly call a secure password. What is this magic rule? Simple…
The top tip is: Don’t be predictable!
Entropy is synonymous with randomness, or the “lack of order or predictability“. There is a very easy way to increase the entropy of any password: make it longer. Password checks are binary. That is to say there are two answers. Yes or no &mdashl correct or not. When entering a password the computer (almost) never says “Nearly. Try adding a number near the end.”. The response is usually something along the lines of: “Password incorrect.”
Making a password longer doesn’t mean it has to be more difficult to remember. I often cite this example, because it’s weird and wonderful:
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
Of course this is a trick question. The former (first) password is, contrary to common sense, the stronger of the two because of interpreted entropy enforced by cracking algorithms. Making a password longer helps and it doesn’t need to be random noise to be more secure than your dog’s real name.
You just need to find a mnemonic that works for you.
I deal with passwords every day, as a freelance programmer and website marketer. A few days ago I had to change a password from the name of the town in which the company resides. Below is a list of issues is often see with password creation techniques.
- Commonly used passwords
- Dates, of any kind
- Details about family
- Business details
- Any dictionary word
I always suggest avoiding anything in the list above for obvious reasons. Again, the magic word is predictability.
Long-term Password Security
If you manage a lot of login details and want a better solution then there is help. Several password managers are available for all popular browsers. If you consider a password manager as an option, I always recommend checking for yourself to see if it’s been audited and exactly how secure it is. Your password manager password really is the one ring to rule them all. Get access to that and you can reset access to any associated account.
I have always used and recommended LastPass. It’s been audited, appears to be secure, and was recently hacked. Yep, that’s right. I’m recommending a password manager that was hacked recently. They implement pre-egress encryption which uses uses 10,000 iterations of a PBKD to individually salt passwords. If you read the rest of this article you may see where this is going — if your LastPass password was unpredictable, then your data was safe.
There are many alternatives to LastPass, but I have not personally audited them. Some are great and some are terrible. A little research is required before trusting them with the keys to your kingdom.
So, passwords aside, where are we headed? There is a technology in development called SQRL — Secure Quick Reliable Login. The idea is simply to replace passwords with a QR code that creates a unique, but anonymous, identifier which can be used to login. The QR code can be scanned using a mobile device or clicked in the browser.
The cryptographic security has been scrutinised. Hackers and coders alike have trawled the code, and it looks good. I predict it will start fairly small but gain traction as a viable alternative to 3rd party logins, such as Facebook and Twitter. Steve Gibson gained notoriety for coining the term spyware and subsequently creating the first anti-spyware program, called OptOut.
Have I been “PWND”?
Until SQRL is ready we have to be diligent. You can check the Breach Or Clear website to see if your details have been leaked. It’s an easy way to search 53 major breaches containing 220,209,727 compromised accounts.