So, it seems that a good place to start any IT blog is with a post about security. The Chief Constable of the Metropolitan Police – essentially Great Britain’s most senior law enforcement officer – suggested that victims of bank fraud should not be reimbursed for their losses. Why? Because clearly victims of fraud have been lax with their details, used weak passwords, or written them down for safekeeping. Worse, users will use the same password for multiple systems.
In reality, the biggest risk is not your password – it is your provider. If you use the same password on SiteX and SiteY, both are potentially compromised if either has its password security defeated. The compromised site should have used better methods to store passwords.
This is an all too common problem with security. Corporate IT administrators specify password policies for their corporate environment. These policies often find their way onto the consumer side of the business: portal logon password policies are set to mirror the corporate policy. The corporate policies themselves are based upon oft-quoted “industry standards”. Of course, nobody can point you to a definitive list of these “industry standards”.
The most common policy requires the user to use at least 8 characters, with at least one special character (though some special characters are generally excluded to prevent injection attacks). The widest character set, including standard symbols, on a standard UK keyboard is 96 characters. This means, essentially, that an 8-character password would have 7,213,895,789,838,336 iterations (96^8). The problem? The user!
The most common symbol added to a password so that it “meets complexity” is an !, and it is usually placed at the end of the password. In practice, the vast majority of passwords are breakable using a 67-character set (a-z, A-Z, 1-10, !), reducing the number of permutations to
That is still a pretty big number. That number can be made much, much larger with a password that is much easier to remember. Not only that, it’s easy to change for every site you use and still remember.
To achieve this, set the password policy to a minimum of 20 characters. Make special characters available, but not mandatory. How can you ever remember it? Use a passPHRASE: a line from your favourite book, your 5 favourite words, whatever you like. You think this is less secure? Let’s try the mathematics.
Even in its least secure form, the user can choose 5 dictionary words and only use lower case to enter them. “my dog is a complete idiot” would be 26 characters long. All the words appear in the dictionary, and it’s all in lower case. Stupid password? Well yes, now that I have put it on the internet it would be. However, it helps prove the concept. Say we know that the password is all in lower case; our attack vector can be calculated as having a minimum of 41^20 iterations (40 characters in the known set, 20 character minimum length). That’s 180,167,782,956,420,929,503,029,846,064,801 iterations. As our password is actually 26 characters, it would require a total of 41^26 iterations to cover all possible combinations. That’s
possible combinations! Or…
118,634,337,789,906,094,138,070,641 times as many combinations as are available in the 8-character-with-1-special (full character set) password.
What is this magic and how does it work? Well, we have to first realise that random passwords and dictionary passwords both look the same to a computer. Unless we tell a computer what a word is, it sees a random string of characters. The key is entropy. For every character you add to the required length, the number of combinations is multiplied by the size of the character set, so the total grows exponentially. The easiest way to explain is to reduce the “character set”. We all know the “trusty” 4-digit numeric PIN. Let’s describe entropy in that set.
If you have a single-digit PIN, there are 10 possible combinations.
If you have a two-digit PIN, there are 100 possible combinations. With twice the length, we have introduced 10 times as many combinations.
If you have a three-digit PIN, there are 1,000 possible combinations (10 times more than the 2-digit PIN, 100 times as many combinations as the 1-digit PIN).
If you have a four-digit PIN, there are 10,000 combinations (10 times more than 3 digits, 100 times more than 2 digits, 1,000 times more than 1 digit).
1x10x10 = 100 (10^2)
1x10x10x10 = 1000 (10^3)
1x10x10x10x10 = 10,000 (10^4)
combinations = (character set size)^(password length).
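The arithmetic above, carried through in code as an added example (this is not code from the original post). It uses the post’s own character-set sizes (96 for the full keyboard, 41 for the lower-case passphrase set, 10 for a PIN), expresses the same keyspaces as bits of entropy, and adds two things the post only implies: a worst-case guessing time at a constructed rate of 10^10 guesses per second (an assumption for illustration, not a measured figure), and the keyspace an attacker would face if they modelled the passphrase as five whole words from a hypothetical 10,000-word dictionary rather than as 26 individual characters.

```python
import math

# Character-set sizes taken from the post: 96 for the full UK keyboard set,
# 41 for the set the post assumes once an attacker knows the passphrase is
# all lower case, and 10 for a numeric PIN.
FULL_KEYBOARD = 96
LOWER_CASE_SET = 41
PIN_DIGITS = 10


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` characters drawn from a
    set of `charset_size` symbols: the post's combinations = set ^ length."""
    if charset_size < 1 or length < 1:
        raise ValueError("character set and length must both be at least 1")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity in bits: log2(set ^ length) = length * log2(set).
    Every extra character adds log2(set) bits, which is the exponential
    growth the post walks through with the PIN example."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds needed to try every string in the keyspace at a given rate.
    The rate is a constructed assumption supplied by the caller."""
    return keyspace(charset_size, length) / guesses_per_second


def word_level_keyspace(word_count: int, dictionary_size: int) -> int:
    """Caveat the post does not spell out: an attacker who guesses whole
    words faces dictionary ^ words candidates, not set ^ characters."""
    return dictionary_size ** word_count


def pin_growth(max_digits: int = 4) -> list:
    """The post's PIN walk-through: (digits, keyspace, multiple of one digit)."""
    return [
        (n, keyspace(PIN_DIGITS, n), keyspace(PIN_DIGITS, n) // keyspace(PIN_DIGITS, 1))
        for n in range(1, max_digits + 1)
    ]


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Side by side: the legacy 8-character full-set password versus the
    26-character lower-case passphrase ("my dog is a complete idiot")."""
    legacy = keyspace(FULL_KEYBOARD, 8)
    phrase = keyspace(LOWER_CASE_SET, 26)
    return {
        "legacy_keyspace": legacy,
        "phrase_keyspace": phrase,
        "ratio": phrase // legacy,
        "legacy_bits": entropy_bits(FULL_KEYBOARD, 8),
        "phrase_bits": entropy_bits(LOWER_CASE_SET, 26),
        "legacy_seconds": worst_case_seconds(FULL_KEYBOARD, 8, guesses_per_second),
        "phrase_seconds": worst_case_seconds(LOWER_CASE_SET, 26, guesses_per_second),
        # Five words from a hypothetical 10,000-word dictionary (constructed size).
        "phrase_word_model": word_level_keyspace(5, 10_000),
    }


if __name__ == "__main__":
    for digits, size, times in pin_growth():
        print(f"{digits}-digit PIN: {size:,} combinations ({times}x a single digit)")
    for key, value in compare_policies().items():
        shown = f"{value:,.2f}" if isinstance(value, float) else f"{value:,}"
        print(f"{key}: {shown}")
```

The word-level figure is the one to keep in mind when setting policy: five words from a 10,000-word dictionary is 10^20 candidates (about 66 bits), which is still well beyond the 8-character policy's 96^8 (about 53 bits) but nowhere near the 41^26 the per-character model suggests. Length wins either way; the per-character number is simply the attacker's worst case, not a guarantee.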
If I hadn’t put “my dog is an idiot” on the web as a possible password, changing the second letter to upper case (“mY”) would defeat a combined dictionary attack. Stop making short passwords that are difficult to remember and start using longer passphrases to secure your accounts!