As we have discussed previously, a little knowledge about technology & security can go a long way to mitigating risk. That is especially true of one very important and fundamental topic: passwords. There are three basic methods to authenticate yourself to a 3rd party (e.g. a website, an application, or your network):
- What you have refers to something in your physical possession - a key, a phone, an access card.
- What you are usually refers to biometrics. Items like your fingerprint, your retina, voiceprint, DNA etc.
- What you know typically means a password but could also refer to security questions like, "What is your mother's maiden name?"
This article considers two important aspects related to the use of passwords in the modern day:
1. How secure is your password?
2. What can you do to improve your digital security?
Most corporate systems today still ignore the first two authentication methods. They are protected by the venerable password - a combination of letters, digits and symbols that act as the key to unlock some digital asset.
The strength of the password system relies on the assumption that you have chosen some combination of characters that can be easily remembered by you, but not easily guessed by a bad guy trying to access your asset. We use the term “asset” since passwords are used to protect various different things such as online banking and email accounts, social media accounts, the login to your office PC, documents that are password protected, the PIN on your bank card and so on.
How secure is your password?
Stop and think about the password you used to log in to your own computer today. Most systems have some basic rules like "At least 8 characters long with at least one upper case letter, at least one lower case letter, and at least one number." Your password might look a lot like "passw0rd". (Don't be embarrassed, it's a very common password.)
If I wanted to break into your computer, how could I guess that password? There are several ways to approach this problem. Let’s consider just one approach: a brute force attack.
The computer program we will use starts based on a specific character set. Let's simplify and assume the character set consists of all lowercase and uppercase letters and digits. So we have a-z, A-Z and 0-9.
- The program will start its first guess by trying “a” as your password. It will fail and the computer will try “b” and so on until it gets to “z”.
- It will then try “A”, “B”, …”Z”, “0”, “1”, … “9”.
- It will then move on to “aa”, “ab”, “ac” and so on until it gets to “99999999”. A simple calculation shows that the program has to guess (26 + 26 + 10)8 = 218,340,105,584,896 combinations of characters to try all of the possible 8-character passwords.
218 trillion combinations! It sounds so large as to be impenetrable. An average office PC from 2005 would take about 170 years to break this password. But on a high-end desktop computer of today, such a password can be cracked within an hour.
You may be wondering how bad guys can make so many guesses in an hour without getting detected? The trick is that bad guys rarely directly try to log in as you. Instead, they exploit system vulnerabilities and download large lists of scrambled passwords for thousands/millions of accounts. Once they have the list on their local system, they can try to guess the passwords (using brute force and other methods) at their leisure. Once they have worked out what the passwords are, they then try to log in using the compromised credentials.
In real life, bad guys very rarely revert to brute force attacks for longer passwords. Instead, they build up huge word lists consisting of previously cracked passwords from breaches such as Yahoo, LinkedIn, DropBox, Ashley Madison and so on. Since many people reuse passwords across sites, these lists allow bad guys to quickly crack passwords on many sites.
What can you do to improve your digital security?
Security is hard to get right. The best we can do at this time is to make use of something called defense in depth. The general idea is to not rely on one single measure to protect you but to add multiple layers that in combination dramatically mitigate overall risk. Here are 7 recommendations designed to do just that:
- Use better passwords - Never use the names of your children, birth dates or anything personal in your passwords. Pick a random 12 character or longer password which mixes lower case, upper case, and digits. Doing this one step would increase the time to crack the password from under an hour for a random 8 character password, to nearly 41,000 YEARS for a 12 character password! Add special characters (%,$,# ) to increase it even more.
- Be unique, do not share & do not write - Furthermore, do not share your passwords. Never reuse passwords between accounts because cracking one password gives access to many other assets. Do not write your passwords down unless you can store them where they you can guarantee their physical security.
- Increase the length of your passwords every 3 years - Make sure to revisit your passwords every two to three years. Remember, as long as Moore’s law* holds, passwords that are considered secure today will become weaker in the future. A general rule is to increase the length of your password by 1 character every 3 years
- Use password management software - Most of us have dozens of accounts, and remembering dozens of different, random passwords is near impossible. Fortunately, there is a solution to this dilemma. Password Managers are applications that you install on your computer/phone, that will remember and manage your passwords for all the various sites you frequent. Your passwords are stored in a secure, encrypted vault which you protect with a single master password (one that is long and hard to guess but easy for you to remember). This one master password protects all the other random passwords. Examples of good password managers are 1Password and LastPass.
- Two Factor Authentication - Fortunately, many sites & software today allow you to set up something called 2FA (Two Factor Authentication). In addition to providing your password when you try to log on to a service, a short number is sent to your phone by the site as a challenge for you to repeat. By typing in the correct code, you verify what you know (password) as well as what you have (ownership of your phone). It is much harder in general for a bad guy to both know your password and have control over your phone. If your service provides this feature - enable it. It usually costs nothing extra to enable
- Use fake answers to security questions - Many sites require you to provide one or more security answers in case you lost your password and have to reset it. Providing real answers significantly weakens the security of the account, as it is trivial in today's connected world for a bad guy to scour Facebook / Twitter / Google and find out what your mother's maiden name is or the name of your high school. Best is to use pronounceable but obscure, false answers and store them in your password manager.
- Restrict remote logins - If practical, have IT prevent remote logins by default for all users. In other words, all users must be in one of your offices to access your systems. As most folks won't want to risk sauntering into your office and sitting at your computer, this improves your security considerably. For those users that do work remotely, have IT limit access for those users to specific authorized locations (IP addresses), or make use of a VPN.
*Back in 1975, a guy by the name of Gordon Moore (working at Intel), predicted that the number of transistors in an integrated circuit would double every two years. This translates loosely to a doubling of processing power once every two years, also known as exponential growth. This prediction has held true for four decades, and the implication on our digital security is significant. The computer you buy in two years can crack longer passwords in less time than the one you have today.