Security Basics mailing list archives
Re: Choosing unique passwords - how paranoid is too paranoid?
From: "Johann MacDonagh" <johann () macdonaghs com>
Date: Mon, 7 Jul 2008 14:30:42 -0400
I've since moved to a password-from-passphrase system. I choose an easy-to-remember passphrase for each system I want to keep secure, and then take the initials and punctuation of each word to create a password. I usually try to choose a passphrase where numbers can be substituted in as well. Seems to be the best way so far. Thanks for all the replies!

Johann

On 6/26/08, Chris LoVerme <chris.loverme () sl-tech net> wrote:
Great topic... For years I've always struggled with a good password rotation and selection theme. I think everyone has their own methodology about it and there's the issue at heart; someone figures out the method or the routine and cracks away. I've found some good themes and I've tested them against password crackers and dictionaries. The following is on my blog as well (if reading this here is a pain) and hoping not to break any rules here. I want to test against Linux too, but haven't done so yet; that will make a good follow-up post I suppose :) (http://loverme.net/wordpress/?p=20)

Make your passwords more difficult to crack:

These days it's actually quite difficult to pick a decent password that's difficult to crack; the future is going to present us more options around biometrics or algorithmic keys. More than likely, passwords will never go away but will continue to be combined with a device (card, key, etc.), which is called two-factor authentication (something you know, such as a password, and then something you have, such as a card or fingerprint). If you've done technical support or network administration, no doubt you've seen all the password combinations, from numbers, to letters and numbers, mixes, and so on. You also know that social engineering often gets someone to give up their password, so it is difficult to guard against that as well.

Crackers are basically hackers that use toolsets designed to defeat either the password or the method that encrypts the password. There's lots of commercial software available because people forget passwords, even system administrators, so you'll find a password cracker for just about every system out there. Most of these applications start with what's called a dictionary attack, which means it has large text files with just words in them and it tests them. Some of these dictionaries are giant, in other languages, and focus on specialty niches like movies, Shakespeare, etc.

The other common attack is a brute force attack, in which the program will try to logically guess your password in a sequence such as "pasp", "pasq", "pasr", "pass". Brute force can take a long, long time because your password might be 16 characters long, contain symbols (*&^%$#), capital letters, numbers, and so on. Brute force attacks will eventually find your password no matter what, plus the time to find your password decreases as crackers take advantage of powerful hardware like distribution farms (lots of computers) with multiple, multi-core 64 bit processors. A bank of 10 servers with dual 64 bit quad core processors could crack the password "g00dn1gHt3very1" in less than 10 seconds if encrypted with a 40 bit algorithm.

Anyway, let's discuss 5 good password techniques that will throw off the dictionary attacks and brute force methods.

1. Use a pass-phrase - Pass-phrases are much better; basically, use a sentence rather than your child's first name. Unfortunately, most programs limit your password length. If a program doesn't limit password length, pick a pass-phrase because it's easy to remember, won't be in a dictionary, and is hard to brute force. An example would be "I love 2 drink sugar free lemonade!". That's a 35 character password with a capital letter, a symbol, spaces, and a number. (I tested this password with 128 bit AES encryption and a cracking tool was unable to crack the password after working on it for 12+ hours on a single dual core 3.2GHz processor.)

Example test (I love 2 drink sugar free lemonade!):
Works on Windows Vista
Works with WinRAR 3.70
Works with WinZIP 11.1
Works with Excel 2007
Does not work with Word 2007 (character limitation)
Passed Basic Passware Audit*

*Password Audit Notes: Passware 8.0 has a 27 character limit on brute force attacks for the Office Recovery tool. The RAR & Zip Recovery tool has a limit of 12 characters. In all my tests, I used the defaults. This is one of the top password recovery and audit tools on the commercial market and retails for $495. If you're an IT specialist, I suggest a copy. (No, I'm not getting paid for referring them.)

2. Math - These are easy to remember, won't be in a dictionary, and are hard to brute force. Use a word, symbol, and a number. Here are some examples of passwords: 12*Twelve=144, Ten*10=100!, Eighteen-1=17. Combine this tip with the previous one for a super strong password: "Ted said 2*2=4". When I spoke with Microsoft consultants a couple of years ago, they fell in love with this method.

Example test (Ted said 2*2=4):
Works with Windows Vista
Works with Word 2007
Works with Excel 2007
Works with WinRAR 3.70
Works with WinZIP 11.1
Passed Basic Passware Audit

3. Extended ASCII (Graphics) - Some password crackers don't have options for Extended ASCII; in fact, it's rarely used anymore within the Windows world due to fonts and graphics. They aren't preloaded into cracking tools, they aren't well known, and they're not in dictionaries. Someday this might change, but until then, a passphrase like "451°F will burn paper" is a platinum-class passphrase. Easy to remember, is 21 characters, has extended ASCII, numbers, and a capital letter. The whole extended ASCII set is 127 through 255; 255 is fantastic because it looks like a blank space but it isn't! Imagine a password that's intertwined with 255's and spaces. Even if a password cracker cracks the password and is able to display it, it's going to show as a bunch of blank spaces, looking as if it failed to crack it correctly. It's even better if someone is using a sniffer and not looking at the hex codes. Some web browsers won't be able to display this but here's what it looks like: " " That's two 255's, a space, then two more 255's. All the extended ASCII sets make good passwords (for programs that support them), or add one symbol to your current password.

Here's another slightly artistic example: "░▒▓▒░" A poorly written cracking program may not be able to display these characters and may crash or display other symbols in an interpreted font set. For example, ▒ may show up as "_" in another font, but the underlying value is ASCII 177, not "_". Remember to add words to make it a phrase and make it even stronger.

Example test (451°F will burn paper):
Works with Windows Vista
Works with Word 2007
Works with Excel 2007 (not Mac compatible)
Works with WinRAR 3.70
Works with WinZIP 11.1 (not DOS compatible)
Passed Basic Passware Audit

4. Common Set (capital letter, longer than 6 characters, and a number or a symbol) - Common set passwords involve a pattern and are great to use because they're not in a dictionary and brute force will take some time, but these are not always easy to remember. Examples are: Tropicana9, Battlestar3, !Starbucks!, Goldfrapp$, etc.

Bold example:
Works with Windows Vista
Works with Word 2007
Works with Excel 2007
Works with WinRAR 3.70
Works with WinZIP 11.1
Passed Basic Passware Audit

5. When possible, save your documents with higher encryption such as 128 bit AES or RC4 RSA encryption. 128 bit AES is set by default in Office 2007.

People are now using passwords that they think are secure but really aren't anymore because password crackers have picked up on these ones. Password methods to now avoid:

1. Leet (or Hax0r) - This was clever, but the brute force crackers picked up on it quickly and coded for common substitutes. There's even a dictionary now for it, so avoid these passwords. Examples of these now well-used passwords are: l33t, r0xx0rz, n00b, etc.

2. Foreign Language - Language dictionary sets are common now, so forget the Russian password you came up with. A brute force is going to crack this very fast anyway.

3. Qwerty - Keyboard patterns are all well known now and in dictionaries as well as some brute force options. Examples include: qwerty, asdfg, poiuy, and zxcvb.
Not sure if your password is secure? Try cracking it yourself; elcomsoft and lostpassword.com provide tools for dictionary and brute force password recovery.

-Chris

P.S. There's a good, interesting article here too: http://www.codinghorror.com/blog/archives/000949.html

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kurt Buff
Sent: Wednesday, June 25, 2008 6:08 PM
To: Johann MacDonagh
Cc: security-basics () securityfocus com
Subject: Re: Choosing unique passwords - how paranoid is too paranoid?

On Tue, Jun 24, 2008 at 8:27 PM, Johann MacDonagh <johann () macdonaghs com> wrote:

> Hi all,
>
> I've recently begun a full-on password change process where I'm increasing the security of the passwords I use for various systems (computer systems, websites, etc...). In the past I've only used a few different passwords and hoped for the best. I'd like to start working on a new system that allows me to create easy-to-remember passwords for each unique system. I don't want to create completely random ones and rely on a password manager, because I use these systems at home, at work, and on my iPhone. They need to be something I can easily type.
>
> So my first scheme involved coming up with a rather long base password, choosing a 4 character acronym for each system, mixing it up in a certain way, and inputting those jumbled characters in predefined locations. This solved one issue:
>
> 1. If someone were to compromise one password, it's unlikely they would be able to deduce the same pattern for other systems.
>
> Then, I got paranoid. What if they had two passwords? The differences could be found, and analyzing the 24 different permutations (4!) of the differences could quickly find a pattern. So, I modified it a little. I took the name of each system, padded and mixed in yet *another* master password (this time much shorter), and ran it through this (on OS X):
>
> echo -n mypaddedstring | openssl dgst -md5 -binary | openssl enc -base64
>
> and took the first few characters. I put that in a certain location of my master password. The reason to use a hash function is pretty obvious, and base64 allows me to add in additional bits to brute force with the same number of keys. This has worked out better. I've started using mnemonics to remember each system's unique part. Muscle memory!
>
> Now, I'm up against a wall. I can't possibly remember a different password for *each* system. So I came up with the (final) idea of classifying systems as high or low, depending on the problems a compromise would create. For example, my registration on some random forum is low, whereas my PGP passphrase is high.
>
> I know this is looking like there will never be a question, but there is. What does everyone think of this system? Would you classify sites that hold somewhat private information (such as Amazon.com without any saved payment methods) as high or low? Is there another way?
>
> Let me close by saying that the day I can use a smartcard for 3 factor authentication (PIN, physical access to card, and biometrics) to access ALL systems (hey, web developers, you can ask for x.509 certs you know!) is the day that I stop worrying about all this. Or should I be worried about that too? :)
>
> Thanks!

Way too complex.

Get a USB key or PDA, and put your favorite password manager on it. I like PasswordSafe, but KeePass is derived from it and many like it, though I haven't tried it. I'm sure there are commercial alternatives as well, but these are OSS - and available on SourceForge.

I like my passwords to be pass sentences. 20+ characters, with all of the punctuation and other non-alpha characters they deserve. Much easier to remember and to type. Think up a sentence, commit it to your password management application, have it ready. One site, one pass sentence. Very easy.

Even if the site/server/application doesn't take passwords that long, having it in your password management database is better than trying to remember it, and your password management software will generate passwords if your brain is non-functional for whatever reason.

Back up your password management database, too.

Kurt
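The two per-system schemes Johann describes in this thread (the md5-then-base64 fragment inserted into a long master password, and the later initials-and-punctuation scheme) reproduced in Python as an added example for readers of the archive; this is not code from any of the posters. The thread does not say how the system name and the shorter secondary master are "padded and mixed", so the join rule in `pad_and_mix`, and all function names, are assumptions made here.

```python
"""Added example: the two per-system password schemes from the thread.

1. Hash scheme: md5(padded string) -> base64 -> first few characters,
   inserted at a fixed position inside a long master password. This is
   the Python equivalent of the shell pipeline quoted in the thread:
       echo -n mypaddedstring | openssl dgst -md5 -binary | openssl enc -base64
2. Passphrase scheme: the initial character and punctuation of each word.

The join rule in pad_and_mix() is an assumption, not something the thread states.
"""
import base64
import hashlib


def hash_fragment(padded: str, n: int = 4) -> str:
    """MD5 the padded string, base64 the raw digest, keep the first n characters."""
    digest = hashlib.md5(padded.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:n]


def pad_and_mix(system: str, secondary_master: str) -> str:
    """Assumed join rule (not from the thread): wrap the system name in the
    secondary master so the hashed input is never just a guessable site name."""
    return f"{secondary_master}{system}{secondary_master}"


def derive_site_password(master: str, secondary_master: str, system: str,
                         position: int, n: int = 4) -> str:
    """Insert the per-system fragment at a fixed position inside the master password."""
    fragment = hash_fragment(pad_and_mix(system, secondary_master), n)
    return master[:position] + fragment + master[position:]


def initials_password(passphrase: str) -> str:
    """Initial character plus any punctuation of each word, e.g.
    'I love 2 drink sugar free lemonade!' -> 'Il2dsfl!'."""
    out = []
    for word in passphrase.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalnum())
    return "".join(out)


def fragment_bits(n: int) -> tuple:
    """Bits an attacker must guess for an n-character fragment: base64 carries
    6 bits per character versus 4 for hex, which is Johann's reason for base64.
    Returns (base64_bits, hex_bits)."""
    return (6 * n, 4 * n)


if __name__ == "__main__":
    # Constructed sample values; not anyone's real passwords.
    master = "MasterPassword!"
    for system in ("amazon", "forum"):
        print(system, "->", derive_site_password(master, "k2", system, position=6))
    print(initials_password("I love 2 drink sugar free lemonade!"))
    print(fragment_bits(4))
```

The strength of the hash scheme rests entirely on the secondary master staying secret: with a public system name alone the md5 input is guessable, so anyone who learns the layout of one derived password could reproduce the others. The fragment's own contribution is small (24 bits for four base64 characters), which is why the long master password around it still carries most of the work.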