“Password Systems in general are not a very good way to authenticate. […] They’re hard to remember unless you pick an easy one to remember, in which case it’s not secure.”
— Mike Pound, CS & infosec researcher, University of Nottingham
Passwords are Hard
Passwords are so hard in fact that there are currently efforts to entirely replace them by the likes of Google, Microsoft and MIT. But until new standards are agreed upon and implemented into the tens of thousands of services which require user authentication, we are stuck with… passwords :(
If you’re anything like 2017 me, you keep a list of passwords that you cleverly thought up such as “GibsonES335” (a guitar I own) or “2010Chablis” (a personal favorite wine). Perhaps you’re extra careful so your passwords look more like “1978GibsonES335” or “2010VintageChablis”. Critically, you do not reuse passwords for multiple accounts so your list grows alongside the ever-growing number of accounts and services you interact with. And if your password game is one notch above that of 2017 me, you only store this list in a secure meatspace location — I shudder to think that I used to store this data in plaintext on a digital notes application.
This system may seem secure if you’re imagining a human attacker attempting to crack your password. “What are the chances he/she would guess the year and model of guitar?” But an attacker does not have to think that hard. An attacker uses sophisticated, freely available software such as HashCat (or worse, software which is not publicly known) to test literally billions of passwords per second.
Password Cracking: 101
There are three main forms of password cracking. The first is, in one sense, the easiest to mitigate: Social Engineering Attacks. These attacks leverage any known personal data about you, whether that data is publicly available or obtained otherwise. In my case, knowing that I play guitar or that I enjoy French wine would greatly reduce the difficulty of cracking my old passwords mentioned above. In theory, the solution is easy: don’t use words, dates or other strings of characters that could be linked to your identity.
The scope of the problem with passwords becomes clearer when we look at Brute Force Attacks. In cryptography, a Brute Force Attack refers to a series of password/key attempts where each step tests a different arrangement of a predefined set characters and rules until either a successful match is found or until all arrangements have been tested. A very simple example would be to test all the arrangements of digits [0,1,2] of length 2. All the possible passwords to test are [[0,0], [0,1], [0,2], [1,0], [1,1], [1,2], [2,0], [2,1], [2,2]]. Here we have a total of 9 possible arrangements because there are 3 total characters to choose from raised to the power of our password length 2, or 3².
A modern personal computer can perform a Brute Force Attack at a rate of roughly 10 Billion iterations per second. That’s 10,000,000,000 tests per 1 second on consumer-grade hardware. Testing for a password of 5 lowercase letters followed by 3 digits such as “hello123” equates to 26⁵*10³ possible arrangements (26 lowercase letters raised to length 5) times (10 digits raised to length 3), or 11,881,376,000 total possible passwords to attempt. This password is cracked in 1.18 seconds or less by a Pure Brute Force Attack (aka a Naive Brute Force Attack) on an typical new PC. Sophisticated attackers (hacker organizations, rogue nation states, the NSA) would employ specialized hardware called Application-Specific Integrated Circuits (ASICs) which are engineered to perform these operations at much higher speeds. And this doesn’t even account for the fact that “hello123” is an objectively easy password to guess!
In practice, why would an attacker test for every possible iteration of characters when they could test for actual words of length 5 followed by 3 digits? Or to hone in even further, 3 consecutive digits? This is a Dictionary Attack, the real meat and potatoes. Instead of naively plugging in every combination of available characters, Dictionary Attacks iterate through datasets (or dictionaries) of known words, dates, or previously leaked passwords. This is a much smarter method of attack against longer passwords. Now, at a rate of 10B/second, the attacker can test for human-generated passwords and skip over hard to guess, randomly-generated passwords such as “ri8dV@8DA%zD&c”. In this way, password crackers are able to quickly capture the vast majority of weak passwords.
This is also why a “good password” is in some sense paradoxical. A password that is good from a security aspect is bad from a human memorability aspect, but a memorable password is likely to be insecure. And there are a tremendous amount of real-world leaked passwords publicly available for a Dictionary Attacker to choose from! Renowned Microsoft Infosec guru Troy Hunt maintains the website haveibeenpwned.com which compiles all known major data leaks into one searchable database. The largest leak in the set is the Collection#1 breach from January 2019, consisting of 2.7 Billion total records and 773 Million unique email/password pairs. The second largest, Verifications.io from February 2019, contains 763 Million unique emails along with names, numbers, SSNs and IP addresses. Feel free to navigate over (from a secure environment) to see if you’ve been pwned!
Finally, combining elements of a Brute Force Attack with a Dictionary Attack completely nullifies any clever alterations or special characters such as ‘pa$sword’ or ‘psswrd’. These techniques have all been thoroughly categorized and implemented into password cracking software, because what’s another 10 Billion tests anyway?
Enter Password Managers
If you haven’t guessed by now, the hero of our story is the Password Manager. A Password Manager makes one important trade-off: you only need to remember one password, but it has to be a very good one. The PWM uses your Master Password to encrypt a database of secure, randomly generated passwords for each of your accounts. A good PWM should:
- Not use novel cryptography. In other words, it should use industry-standard, well-tested cryptographic hashing functions. Services offering new, “ground breaking” crypto should trigger a red flag.
- Perform all encryption and decryption locally on your device. Most PWMs conveniently store your passwords in the cloud so they’re accessible on all your devices. Be sure that the data they are storing server-side and transferring back to you is fully encrypted, should they act in bad faith or be victim to a data breach themselves.
- Fully open-source their codebase. Some may argue this point, but the only way to verify that points 1. and 2. are true and that the system is generally secure is if the code is fully auditable by users, researchers, and hackers alike. A vulnerability in (widely used/audited) open source software is more likely to be discovered, possibly exploited, and patched.
- Make your life easier. Most importantly, a Password Manager should save you time and headache by creating strong passwords for you and keeping them all secure and accessible on your devices. It should look and feel like a normal app that you are comfortable using.
By no means have I tested all the PWMs out there, but I can highly recommend the following two:
- Pros: FOSS, intuitive & modern user experience, built-in syncing, cross-platform compatibility, 2FA support, plenty of features for the average user.
- Cons: freemium version is required for advanced features such as encrypted file storage.
- Pros: FOSS, extremely feature-rich and customizable, cross-platform compatibility, industry standard and battle-tested.
- Cons: not intuitive for the average user, no built-in syncing (can be configured with a 3rd party application).
Choosing a Reasonably Secure Master Password
Congratulations if you made it this far, you’re almost home! The last piece of the puzzle is choosing a strong Master Password. Based on what we concluded earlier about password strength, we know your password should be unique, long, easy for you to remember, and hard for a computer to guess using Password Dictionaries. I personally find this solution to be quite elegant, put forward by Mike Pound, a computer science & infosec professor and researcher at the University of Nottingham:
- Pound builds off of an example by mathematician Randall Monroe who famously joined a list of uncorrelated, lowercase words [“correct”,” horse”, “battery”, “staple”] to form the password “correcthorsebatterystaple”.
- But instead of four real words, Mike suggests you substitute at least one of them for a nonsense word. Here I will use “pazzowerg”, but remember to avoid simple word alterations like “pa$sword”. Now we have “correcthorsebatterypazzowerg”.
- Finally, just to add one extra layer of complexity, we insert at least one special character “%” in the middle of a word (not between words and not replacing any letters). Et voilà! Our example Master Password is “corre%cthorsebatterypazzowerg”.
Of course do not use any of the words used above as you will be sure to find many versions of “correcthorsebatterystaple” inside a password dictionary. The point is, a password similar to this is long, not found in any dictionaries, and easy to remember… at least after some practice.
Using a good Password Manager can change your life. All your accounts will be secured by unique, strong passwords, easily synced across all your devices, while you only have to remember one very good password. An easy choice in my opinion. Some final thoughts…
- You should consider where to back up and store your Master Password. Perhaps in a safe or safety deposit box. Perhaps you encrypt the backup of the password itself (I personally think this creates more problems than it fixes) or you split it into two halves and store each half in a separate location. The implications of your backup process is losing all the stored passwords, should something happen to you or you forget your Master Password.
- Consider using more than one email address. A simple setup would be one dedicated work email, one for your important accounts such as banks and credit cards, and one for other accounts such as shopping and streaming services.
- Finally, keep an eye on the progress of efforts such as the FIDO2 Project and Physical Information Security products such as YubiKey to hopefully make passwords obsolete in the near future.