Password Security Hints and Suggestions

Contents

 

What does everyone need to know about passwords?

This document was updated on Sunday, October 14, 2018. Please keep in mind that, while the principled thinking is believed to be reasonably applicable at the time of writing, any analysis about tactics and technology is likely to be vulnerable to changes over time, so if it's been "a long time" since the document was updated, you'll probably want to do some google searches and see what other suggestions and thinking is out there to make sure the approaches still make sense.

The unfortunate reality is that passwords are pretty terrible for protecting security.

Anyone who's active on the Internet is going to have a lot of passwords. The thing to remember is, system operators and services use passwords because passwords are inexpensive to deploy, and pretty convenient. It's not because passwords provide good quality protection. Remember, a password is just a piece of information -- "some secret you know." If someone else knows it, it's not really all that safe. In fact, a password can only be as an idea can be. Once anyone uses it, shares it, or even write it down, there's a potential for the password to be copied in an unauthorized manner and misused -- the hard, cold reality is that any secret can leak.

 

The underlying weakness of passwords isn't limited to leakage by malice or mistake: passwords can also be guessed by attackers. One way attackers guess passwords is to use really big dictionaries and special software to handle easily guessed variations on those dictionaries. Even well-trained, smart people are likely to end up choosing really bad passwords when they create passwords by hand. In some security-conscious environments, I've still seen "password1", "abcdef", or "summer2018". Password attackers have figured out that password selection is really weak, and have built a lot of good mathematic models to predict those weaker passwords.

 

Another method is to use "brute force" or "rainbow" style attacks -- where an attacker iterates across every possible combination of characters within a certain length. Computers can easily guess 15,000,000 keys per second right using a consumer grade, "gaming ready" computer one might find at the local electronics store (the kind of computer that parents might buy their kids today). Password cracking computers don't take the budget of the NSA or a nation-state anymore -- and, when they need a lot of computing power, criminals steal computing time by infecting computers with malware, and have even been known to rent high speed computing by the hour with a (stolen) credit card and a working email address.

 

But attacks aren't the only threat we have to address. People still have to be able to type and access (and in many cases remember) any passwords they need to use.

 

Making passwords have the "right amount" of complexity is kind of a big deal.

High quality passwords are quite difficult to create, manage, remember, and protect. And even if somone does it well today, password assignment still needs to be revisited periodically because the situation and assumptions that underlying those assignments change. Remember that hacking dictionaries and techniques get better over time, and the technology (such as that being used for attacking passwords) improves pretty substantially (capabilities might actually double approximately every 18 months, following Moore's Law).

 

What makes it worse is that we're always going to be balancing trade-offs between USABILITY and SECURITY-ASSURANCE. The harder a password is to break/steal, the more likely it is to be forgotten unless precautions are taken, and the more likely it is to have errors when used. And the easier it is to remember and type, the more likely it is to be vulnerable to even relatively unsophisticated attackers who are able to arm themselves with a rapidly expanding array of technological capabilities and have weaponized statistically informed models that can predict how people choose passwords. This is why real randomness, with a wide statistical aggregate distribution, is the best solution. Sadly, this becomes pretty complex and difficult to think about... but explains why passwods aren't very good for protecting security.

 

Most people don't choose fully random passwords -- they usually have some kind of logical pattern to it, which can end up giving a big shortcut to a password attacker.

 

Magic Wands and Silver Bullets for this password connundrum: how can anyone be safe?

Anyone who tells you they have a complete, usable, useful answer to the password problem probably also has a bridge to sell you.

 

In reality, passwords can only function as part of a mature, intellgent approach to protect authentication. There are almost certainly other elements that are going to be required. It seems like there are going to be non-technology protections that are required. For instance, user and administrator training can maintain awareness of how our practices put ourselves and others at risk. Good passwords don't do any good without having an audit/logging/review and response capability, to deal with problems when mistakes are made. But beyond that, we probably need to be looking at how to use "Multi factor" authentication -- a password PLUS something else. This combination, offhand, seems to be the best path forward, but it's inconvenient and still has significant implementation challenges that need to be understood and addressed.

 

Most security problems can be considered across a handfull of stages of problem resolution:

  • Identify the threat landscape, the nature of the vulnerabilities you're facing, the degree of risk that environment poses, and your readiness and willingness to accept the probability and impact of an adverse event occurring.
  • Protect yourself from the vulnerabilites and threats by implementing protections in technology, process/procedure, and awareness. Invest in as much protection as you're willing to spend on, based on a recognition of diminishing returns and the reality that the overall risk will never get down to zero.
  • Detect problems by monitoring behaviors. There has been a shift in the strategic thinking for information security. Given the speed of change and the complexity of systems, there's a very high probability that -- regardless of how well we work on protection, we're still going to have occasional security problems despite our best efforts. By instrumenting and working on detection, we have the capability to limit the overall impact and damage of a security breach.
  • Respond to detected problems with a well-considered plan to address the hazards in a manner that will contain or mitigate damage down to an acceptable level.
  • Recover by knowing how to approach fixing whatever ends up broken as a result of the adverse event. Learn from what happend and work to improve your identification, protection, detection, responses, and recovery for next time... because there will be a next time.

Ultimately, it's not just the IT department or your service provider that needs to be involved in finding solutions: there are too many behaviors outside their control (including a bunch of behaviors that are ultimately user behaviors). By taking on this "Identify-Protect-Detect-Respond-Recover" mentality, and learning how to ensure what role you as an indvidual play in this process, we can build more successful solutions. Ultimately, achieving a state of well-managed security will have to include you and the collaboration and cooperation of others.

 

BONUS: are passwords the only thing I have to worry about?

Any information or data you care about -- and that list of data is probably a lot bigger than just your passwords, bank account numbers, and baby/wedding photos -- will probably benefit from periodically undergoing some real, deliberative scrutiny. The process of thinking about the security of your data (which reflects the degree to which confidentiality, integrity, and avaialabiilty is being protected from adverse impacts) doesn't change, though some of the questions we detail below might need a little tweaking to hit your exact use cases. Just a little something else to think about.

 

Back to the top of this article

 

What is WDY Enterprises doing to support its users?

WDY Enterprises, LLC does have a series of security controls in place that help to protect your hosted accounts. While we don't document the extent of our security implementation on public web pages (and don't disclose all of the details, even in private to customers), we do have a number of things which are pretty clear and evident:

  • All authentication channels offer encryption so that your credentials can have some protection in transit. HOWEVER, users do have the option to use unencrypted POP3, unencrypted IMAP, or unencrypted SMTP/Submit (which is provided for backward compatibility for older computers). Webmail is not offered without encryption.
  • Even so, WDY Enterprises authentication still has several technical limitations stemming from how we interface with users. For instance, passwords have both maximum and minimun lengths (customers can contact our support apparatus to discuss current limits, because we do update things occasionally). And we explicitly and deliberately won't stop you from picking a bad password, if that's what you want to do (if your choices are likely to affect the security or stability of our services, we'll step in, but not before).
  • We do monitor open intelligence sources to look for evidence of compromised user accounts that can link to users' email addresses. On a best-effort basis, we will check and will notify you of any such discovery by an automated email message. As of this writing, we limit users to no more than one email alert per week.
  • The system has a number of techniques to limit the effectiveness and speed of brute force attacks, but we recognize (and so should you) that this is just a delaying tactic. No general defense can be 100% effective against well-resourced, well-planned, and well-executed attacks -- especially when the underlying asset and strength of protection is ultimately controlled by the user and when, unfortunately, the most common attacks are based on leveraging users' inattention or misunderstanding.
  • We do provide awarenesss materials online, like you're reading now, and our support capability can help educate our customers when opportunities arise and circumstances permit.
  • WDY Enterprises, LLC believes in self-determination and user empowerment. Ultimately, we think customers will be dissatisfied if we become unnecessarily heavy-handed with security requirements. Adding additional technical security implementations comes at a cost and the degree of net positive return is very unclear. Fundamentally, password management is a user "security hygiene" problem. Behaviors need to be regulated and evaluated by you, the user, to really be effective.
 

Back to the top of this article

 
 

Password practices we try to follow, when passwords are necessary

  • What are the alternatives to using passwords in a given context? Sometimes, you need a password because it's the only kind of mechanism you can apply... other times, it's too expensive or complex to do something else. If there aren't alternatives, is this a risk that you either need--or ultimately want--to accept? If there are alternatives, what are the costs and benefits? What are the advantages and disadvantages? What choice is right for you?
  • Use a unique, high entropy password for every single service you access online, based on pushing up toward the technical limits of what you can use. Re-use of any password--even a great one--at multiple sites or services significantly increases the risk that it will be captured or lost and find its way into the hands of nefarious elements.
  • Use strong passwords that mix combinations of both upper and lower case letters, numbers, symbols, and shift across both cases. The full ASCII alphabet of printable characters has only 95 possible values, so the number of password cmbinations is 95 raised to the power of the length of the password you choose. At the time of this writing, Internet-facing passwords probably need to be at least 14 characters long to avoid being "completely trivial."
  • In our view, the current best practice is to use high quality, password generating software and to store the password in a software-based password vault that allows you to not have to type in every password every time you need it. This generates long, complex, random strings and helps to facilitate understanding exactly how strong a password is before it gets relied upon to protect anything.
  • No matter how you choose passwords, it's really a good idea to use and manage some kind of "password vault," in a manner consistent with your level of risk tolerance to losing control or access to everything the vault references. The key characteristics of a good vault are its safety from loss or destruction, the ability to control access to the vault, and the accuracy and completeness of the password data you maintain.
    • It's okay to use a notebook as a password vault, for instance. It's low tech, but that's not fundamentally a problem... just look at the characteristics of a good vault and make sure you're addressing those three characteristics sufficiently for your personal appetite for risk. Just be aware that you still have to manage the complexity problem of how you enter, manage, and make backups of your passwords, if you keep them on paper.
    • It's also okay to use a digital password vault program (the question is whether it mitigates the right risks for you, though, and whether it introduces new risks that require additional effort to control). There are some instant gotchas you need to work to avoid with a software based password vault -- because it's electronic, it's much easier to lose a copy somehow, so we do recommend that you ensure it's an encrypted password vault, using a mathmatically strong form of software-based cryptography... which will almost certainly exclude office suite programs (word processors, text editors, and spreadsheets).
    • It's probably even okay to use a digital password vault service, where your passwords are stored in an online "cloud-based" service, at least as long as you understand the risks and the rewards and are comfortable with how it works and how it might fail. A password vault service needs to be reviewed in terms of all of the same ways that a password vault program, and in addition must consider the degree of security within the service and how the service is designed and implemented to ensure your stuff doesn't end up in someone else's hands. The cryptographic issues are more complex and will require further work to understand fully. That doesn't mean that a service can't work... but it does mean you have due dilligence to do.
  • Ask yourself the following questions about passwords and password vaults, and be sure you're comfortable with your answers and the consequences of those answers. Keep in mind that, ultimately, you're probably going to end up having to extend some degree of trust. It's up to you to decide how much trust you're willing to extend, what the advantages and disadvantages are, how might things go awry, how likely is that, and what will the results look like.
    • What are the ways I might lose access to or control of my password or password vault? Are there particular kinds of risks I need to think about being able to recover from, or special forms of vulnerability I need to address, e.g. "forgetting" or "misplacing" or "destruction due to fire/water damage"?
    • Who and what will have access to my passwords? What assurances do I have that any of those people or things are not going to introduce confidentiality, integrity, or availability problems with my password data?
    • What happens if I lose a password or password vault? How hard will it be to recover (can I recover?) to a known good state if it gets lost? Can it be misused if someone gets their hands on it (or a copy of it)?
    • What happens if I'm incapacitated and someone needs access my stuff? Getting technical, it's important to think about someone who might have to act on your behalf, which I'll call your agent -- it might be your successor, attorney, trusteee or, yes, even executor. Will they need to be able to access to the vault? Can they? How do you ensure that they can GET access, but don't necessarily already HAVE access?
    • How much change will occur to your password vault? How will you ensure that whatever you do to address the "what if I lose it" question doens't lose "too much" data when getting to an acceptable state? How will you ensure that your agent has access to complete and accurate information, or that the agent can recover from the vault being lost? How long will it take to recover? Are all of these limitations okay?
 

Back to the top of this article

 
 

Password mistakes to avoid

  • Never (ever!) re-use your GCFN.ORG password (or the password to any email account). If you do, you're really increasing the likelihood that you'll experience some kind of identity theft online. Many (maybe even most) online services use or offer email based resets and confirm all sorts of stuff by email -- so once they get your email, they can look for the receipts of where you've been doing business and reset your passwords, giving them access to huge amounts of your online life.
  • A generalization of the above: don't re-use the same password at multiple sites. If site A has a security problem and leaks their credentials, it really shouldn't give them credentials to site B. Even more generally speaking, password re-use across any context is a bad security practice.
  • Do not use words that can be directly found in any known dictionary or published book. Pretty much every dictionary of words can be (and probably have been) plugged into password cracking software.
  • Do not choose a password that in any way resembles the username or account identifier it's linked to, as that's part of the guessing strategy most password cracking software uses.
  • Do not use simple, adjacent keyboard combinations. Phrases like "qwerty" and "asdzxc" and "123456" are trivial to crack and are well-understood in attacker tools today.
  • Do not choose passwords based on details that may not be as confidential as you might expect, such as your birthdate, social security number, phone number, names of family members, pets, home address, zip code, housing history, income history, current and past employers, etc. Based on the highly publicized credit bureau data breaches at Experian and Equifax and the Federal and state government data breaches that have made it into the news, one should expect that highly detailed profiles including most imaginable personal data about you are readily and easily available..
  • Don't let youself be convinced that the simple transformations of data you do in your head are protecting you.
    • First off, many forms of simple transformation will not stop an attacker. The various ways you can substitute symbols or numbers for letters ("p@$$w0rd") are finite in number and are well understood, as are common misspellings and can be expressed in automated rules to follow: password attackers use these "rules based" transformations as part of their dictionary attacks. Any transformation that's not based on cryptographic principles and which has not undergone strict scrutiny (either in the academic community or in the non-classified government space) should be considered suspect. Transformations are not always entirely worthless, but they have far less security value than most people seem to think.
    • While it's true that pass phrases based on some transformation of memorable phrases can generate reasonable passwords, the approach isn't guaranteed to work. It's unpopular to say this, but most people aren't as smart as they think they are about security issues (and that includes security professionals!). Leveraging a wide amount of research and my review of the literature has led at least me to conclude that phrase generation is inconsistent at best, and that with almost no exceptions, you're better off doing something more predictably effective.
    • At the same time, simple transformations are likely to make it MUCH harder to remember and recover passwords if you need to. You're much more likely to be protecting your password against yourself (that is, making it harder to use without gaining security value) when you use simple transformations.
  • If you keep an electronic copy of your passwords on your computer, make sure it's got some reasonably strong encryption on it. Unfortunately, most people don't have the right training to recognize what makes encryption strong or weak. While this is certainly not sufficient for a complete assessment, a good start is to look for documentation that identifies the product as storing data in an encrypted form, using an encryption algorithm like the Advanced Encryption Standard ("AES" also known as "Rijndael"). Appropriate "key lengths" vary by application, but looking at today's technology for this application I would be skeptical of anything that doens't use AES-256 (256-bit key length). Don't use basic productivity tools (word processor, text editor, spreadsheet or the like) to retain electronic copies of passwords because they don't store data in encrypted form: you really want your passwords to be stored in a purpose-built password manager... and not all of those programs or services are of equal strength and quality. For service-oriented password vaults, ensure that the access mechanisms are also encrypted using the strongest possible encryption methods.
  • Don't forget to keep a backup of your password vault whenever it changes, and periodically in addition to whenever it changes (just in case). Further, make sure that backup is stored safely in a manner to mitigate the possibility of loss or damage.
 

Back to the top of this article