Passwords

[DrPhill]

Below is some advise I put together sometime ago for a group of folks in my village. This may help some on here.

Also check out your email address on https://haveibeenpwned.com/ and your password on https://haveibeenpwned.com/Passwords

Use Strong Passwords
There is a lot of confusing and contradicting information about password security best practices on the internet. In an effort to clear up that confusion, let’s break down the basics of how using a strong password improves your security.

Whenever creating a password, the first item that you will want to consider is the length of the password. The list below shows the estimated time it takes to crack a password using a four-core i5 processor. A more powerful processor will take less time.

7 characters will take .29 milliseconds to crack.
8 characters will take 5 hours to crack.
9 characters will take 4 months to crack.
10 characters will take 1 decade to crack.
12 characters will take 2 centuries to crack.

So as you can see, adding a single character to your password can significantly increase the security of your login. A password that it is at least 12 characters long, random and includes a large pool of characters like “ISt8XXa!28X3” will make it very difficult to crack.

Unfortunately, some hackers are leveraging GPUs and stronger CPUs to decrease the amount of time needed to crack passwords. So to strengthen your logins, also be mindful of your password entropy. The higher the password entropy is, the more difficult the password will be to crack.

For example, based on just the length requirement, a password like “abcdefghijkl” is 12 characters, which is great and should take 200 years to crack. However, since the password uses sequential strings of letters, it makes the password much more predictable compared with a password like “rfybolaawtpm” which has randomized characters.

Randomizing characters decreases the predictability and increases the strength of the password. But both of these passwords have one thing in common that ultimately reduces the password entropy. Both are only using lower case letters, limiting the pool of possible characters to 26. That’s why it’s vital to include alphanumeric, upper-case letters and common ASCII characters to increase the pool of characters needed to crack the password to 92.

Example:

Password entropy

Password entropy is a measurement of how unpredictable a password is.
The formula for entropy is:


E stands for "entropy," which is the opposite of an ordered pattern. Entropy is good: the bigger the E, the harder a password is to crack.
________________________________________
We calculate password entropy by first looking at the pool of characters a password is made from.
For example, the password password would have a possible pool of 26 characters from the English alphabet.
Changing the password to Password would increase your pool to 52 characters. I made a table below to outline the rest.



Type Pool of Characters Possible
Lowercase 26
Lower & Upper Case 52
Alphanumeric 36
Alphanumeric & Upper Case 62
Common ASCII Characters 30
Diceware Words List 7,776
English Dictionary Words 171,000
________________________________________
Password strength is determined with this chart:
< 28 bits = Very Weak; might keep out family members
28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
60 - 127 bits = Strong; can be good for guarding financial information
128+ bits = Very Strong; often overkill

While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful, and password cracking takes less time!
________________________________________
Here is an example:

If your keyboard has 95 unique characters and you are randomly constructing a password from that whole set, then R = 95.
If you have a 12-character password, then L = 12.
The number R to the L power is 540,360,087,662,636,962,890,625 -- which is how many passwords you have available.
That's the same as 278.9 -- and the log2 of that is 78.9. In info-security lingo, it's 78.9 bits of entropy. That approaches the "exponential wall," where a password could be nigh on impossible to crack.

Hope this helps.

Obligatory XKCD:
https://xkcd.com/936/

 

[DrPhill]

If your keyboard has 95 unique characters and you are randomly constructing a password from that whole set, then R = 95.
If you have a 12-character password, then L = 12.
The number R to the L power is 540,360,087,662,636,962,890,625 -- which is how many passwords you have available.
That's the same as 278.9 -- and the log2 of that is 78.9. In info-security lingo, it's 78.9 bits of entropy. That approaches the "exponential wall," where a password could be nigh on impossible to crack.

If you use a smaller set of characters (upper and lower case plus numbers) you can achieve the same entropy with a longer pass-phrase. The pass phrase may be easier to remember.

 

[Rodpr]

I use fingerprint recognition where possible - very quick, secure and simple (except after I have been doing a lot of sanding when my fingerprints are unrecognisable!)

 

[DRC]

Use a password manager. I use proton pass, which I believe you can get on a free account. This will store all your passwords (secured using a single password). **Other password managers are available.**
Password managers can generate new random passwords for each site, and even auto fill them for you on websites. This way you get:

• A unique 'hard' password for every site.
• Passwords stored safely encrypted in the cloud (on Proton pass at least, and probably on others).
• Passwords inserted for you so you don't have to remember.
• One password to remember (your password manager). Make this a good one.

Whats not to like?

I am now 82 and I have been involved in IT stuff for 30+ years, (not my main employment I was an electrical engineer), but about 3 years ago I bought Roboform a very good password manager costs me about £30 a year. I had tried free ones but did not trust or get on with them very well. Roboform was recommended by the Malwarebytes newsletter. Sometimes free is good but thinking about your security £30 a year is not too much in my view.

 

[AES]

If you use a smaller set of characters (upper and lower case plus numbers) you can achieve the same entropy with a longer pass-phrase. The pass phrase may be easier to remember.
View attachment 182621

Oh, Dr. Phil, YES YES YES! Brilliant (AND, unfortunately not far off the world these IT "people" live in)!

Thanks - best laugh I've had in a long while

 

[Yojevol]

I am now 82 and I have been involved in IT stuff for 30+ years, (not my main employment I was an electrical engineer), but about 3 years ago I bought Roboform a very good password manager costs me about £30 a year. I had tried free ones but did not trust or get on with them very well. Roboform was recommpended by the Malwarebytes newsletter. Sometimes free is good but thinking about your security £30 a year is not too much in my view.

I've used the free basic Roboform on my PC for 20 years or so. The full version allows for multiple devices and and use on the hoof. However, I'm increasingly using Google password manager as it's easy on an Android phone.

 

[niemeyjt]

Obligatory XKCD:
https://xkcd.com/936/
View attachment 182620

Put together by a mathematician, not a security expert with a copy of hashcat or similar.

Let's say you use one of the larger wordlists with 2 million words - the above will generate 1.6 x 10^25 permutations to stick into hashcat or a similar tool.

My 16 character recommendation, just using the characters on a keyboard (no specials) will generate 1.2 x 10^31 permutations - roughly a million times as many.

As for 1000 guesses per second - what are they using - a Commodore 64?

Using Hashcat, on a 8 way 4090 GPU cracking rig - well withing the price reach of serious attackers - you are looking at millions, sometimes billions, per second - depending on the hash type (Obviously, this is on a previously obtained hash - not an interactive login which will lockout after a few failures).

 

[DrPhill]

Put together by a mathematician, not a security expert with a copy of hashcat or similar.

Let's say you use one of the larger wordlists with 2 million words - the above will generate 1.6 x 10^25 permutations to stick into hashcat or a similar tool.

My 16 character recommendation, just using the characters on a keyboard (no specials) will generate 1.2 x 10^31 permutations - roughly a million times as many.

As for 1000 guesses per second - what are they using - a Commodore 64?

Using Hashcat, on a 8 way 4090 GPU cracking rig - well withing the price reach of serious attackers - you are looking at millions, sometimes billions, per second - depending on the hash type (Obviously, this is on a previously obtained hash - not an interactive login which will lockout after a few failures).

Yeah, proton password generator appends a number to the end of each word and recommends four words separated by your choice of spacer ( space, hyphen dot etc). Gives at least 1000 times the entropy. The ease of use (typing into phone keypad) beats the widened character set in my world. I get to use a different safer password on each platform visited.
Since I am not likely to be the target of a five-eyes attack I feel reasonably secure.....

I remember a professional discussion with a security expert.

Me: So you won't be happy until the hard drive with the data is encased in concrete and dropped to the bottom of the Mariana trench
Security Expert: Technically speaking the data is still there and accessible......

 

[Spectric]

Whereas I agree with Spectric an address from 60 years ago is hardly going to be associated with you

Unless you are worth the effort, the bigger the rewards then the more effort that someone will put in to get access. I have heard that gangs have even spent time putting shreded info back together to get what they want.

 

[niemeyjt]

And electron microscopy to read the data off a hard disk that has been encased in concrete and dropped to the bottom of the Mariana trench !

 

[nickds1]

I have all our ex-use SSDs/hard drives/USB sticks etc. shredded in front of us, I.e. the shredder comes to the office and we physically carry the equipment to the shredder and witness the process - we never let the stuff leave our sight. The result is like metallic kitty litter.

I'm responsible for organisations that have extremely sensitive information on disk that under various bits of UK & foreign legislation we are obliged to protect extensively. Being the legally responsible person for the data focusses your mind... I have worked for government agencies in the past.

As a CTO of hedge funds, I've used forensic data recovery services to get data from mobile phones that have been run over by many cars (dropped in a main road etc.) and dropped in deep lakes. Its not cheap, but they'll sweat the BGA memory chips off the boards and extract the silicon from inside them, then probe the physical chip itself & decode it. And that's the cheap stuff. Using magnetic force microscopy to read segments of data off shattered (or supposedly erased) disks and then reassemble the pieces is also possible. SSDs and Flash memory have their own attack vectors.

Everything depends on the value of the data, the time available and the resources that the attacker has. The data I was dealing with was potentially a) extremely valuable, and b) I could have ended up in court if it escaped from my care. So, we always shred disks - its cheap, the disks never leave your premises, and you get a certificate of destruction for each one. You also get a bag of very sharp kitty litter.

Don't believe for a minute that encrypted disks or so-called deniable encryption will get you out of trouble with the larger security agencies (UK, US, Israel, China, Russia etc.). As a basis, you enforce end-point security (no CD/W, USB keys/drives etc.), then use daemons to monitor every bit of h/w looking for changes (someone removing a drive etc.), RFID/GPS tracking, and then a whole bunch of other stuff. Then there's the pen testing (look it up) and a bazillion other things to do...

A big SAN may have 500 or 1000 drives in it - you will get continual failures here or there. Just because the SAN or a PC can't access the data (even after a head crash or fire), doesn't mean a suitably equipped agency couldn't.

You can even extract data from the DRAM in a PC that has been turned off, even if it wasn't in sleep mode...

Data security is a fun challenge...

 

[paulrbarnard]

Interesting how all the examples assume unlimited attempts and knowing the set of valid characters. For example the iPhone will permanently lock if you get the passcode wrong 10 times.
For sure there are sophisticated ways to break in but you need to balance the risk of someone doing that with cost/benefit they would receive for doing it.
Even a relatively weak password is more secure that the experts would have you believe, barring of course the non-passwords like password and 1234. The bigger problem with passwords is phishing and lax security at service providers.

 

[HappyHacker]

Many years ago UNIX had and probably still has a process that increases the time you have to wait after each failed password login attempt up to the limit of password attempts allowed. It did not need many failed attempts to be over 30 minutes wait.

As Paul has pointed out it is much easier to get a password by asking, nicely, or getting a keylogger downloaded by a bit of trickery or a trusted person getting access to your system.

At a security conference the organisers ran a survey with a prize if people gave them their logon password so "they could analysis typical passwords" a large number of people actually gave their passwords and were rather embarrased when told what they had done.

Another issue is what happens if you die or are incapacitated, does anyone need access to your systems, bank accounts etc?

 

[Robbo3]

Another issue is what happens if you die or are incapacitated, does anyone need access to your systems, bank accounts etc?

One solution.

We Expire - https://weexpire.org/
Leave your critical details for loved ones after you die.

 

[nickds1]

One solution.

We Expire - https://weexpire.org/
Leave your critical details for loved ones after you die.

Interesting idea but has some subtle weaknesses. AES is a symmetric block cypher, so to decrypt the message, the original encryption key is required and therefore must be stored. The QR code contains a unique identification code - actually the initialisation vector (IV) used for the AES encryption - that the system uses to identify the correct stored key. A SHA256 hash of the message is also stored which is used to verify that a decrypted message is the same as the original.

They say that even if they're hacked, your message is safe, however if you have the QR code and gain access to the database or a database backup, you can decrypt the message. The site is not especially secure - it's PHP, relies on session data kept in local cookies and uses the notoriously vulnerable OpenSSL library, so the site and the virtual hosting environment are possibly vulnerable to a number of attack vectors.

I would still go for a safety deposit box or an established legal firm.

 

[DrDarren]

The newspaper I read had an article in summer 2022 about password managers and the crackability of most people's online life. It shook me out of my complacency and I signed up for a password manager (Lastpass) that I could use across Mac and Windows platforms. It took me three solid days to change every.single.password but I now have only three passwords I can remember all characterised by being a meaningful sentence that is long. I am glad I did it but cannot persuade wife to do the same so she is now our weakest link.
Widening the topic (hope that's OK), we're trying to work out how to provide emergency access to one another's bank accounts in the case of an unfortunate event. We both maintain our own finances and joint responsibility accounts. I'm thinking of getting a fingerprint usb drive that is registered to her fingerprints and storing the three passwords and key financial details on that so that in the event of my death she access resources as required. This seems the most burglar-proof solution. Any thoughts?

 

[imageel]

The newspaper I read had an article in summer 2022 about password managers and the crackability of most people's online life. It shook me out of my complacency and I signed up for a password manager (Lastpass) that I could use across Mac and Windows platforms. It took me three solid days to change every.single.password but I now have only three passwords I can remember all characterised by being a meaningful sentence that is long. I am glad I did it but cannot persuade wife to do the same so she is now our weakest link.
Widening the topic (hope that's OK), we're trying to work out how to provide emergency access to one another's bank accounts in the case of an unfortunate event. We both maintain our own finances and joint responsibility accounts. I'm thinking of getting a fingerprint usb drive that is registered to her fingerprints and storing the three passwords and key financial details on that so that in the event of my death she access resources as required. This seems the most burglar-proof solution. Any thoughts?

These days with the advances in medical science whilst death is still a risk, one also has to consider incapacity whether mental or physical as a potential outcome so I'd advise registering for Lasting Power of Attorney for both property and financial matters - two separate but similar documents -
https://www.gov.uk/power-of-attorney
It's a bit of a blunderbuss to execute if the event comes to pass but simple to put in place and ensures your chosen person can carry out legal and financial transactions on your behalf and hopefully in accordance with your wishes too.
Having those documents in place means that institutions are legally obliged to take instructions whether financial or property related by your chosen attorney who is acting on your behalf, and thus obviating the need for duplicate access/sharing of account details with a partner etc.
Whilst you might think otherwise it is the correct and legal way under UK Law to allow financial transactions upon a deceased or incapacitated persons accounts.

 

[niemeyjt]

Interesting how all the examples assume unlimited attempts and knowing the set of valid characters. For example the iPhone will permanently lock if you get the passcode wrong 10 times.
For sure there are sophisticated ways to break in but you need to balance the risk of someone doing that with cost/benefit they would receive for doing it.
Even a relatively weak password is more secure that the experts would have you believe, barring of course the non-passwords like password and 1234. The bigger problem with passwords is phishing and lax security at service providers.

I clearly said "Obviously, this is on a previously obtained hash - not an interactive login which will lockout after a few failures".

 

[nickds1]

I used LastPass but it's not "on" by default (see screenshot below). The browser plugin works by injecting several 100 KB of JavaScript (federated-login-content-script.js, inject-credentials.js,onloadwff.js,web-client-content-script.js) into every page you load, searching for username and password fields, then looking up the current URL to see if it has a candidate to auto fill.

The injected JavaScript can (and does) cause issues, e.g. with Chrome/Edge's developer tools (F12). I'm also unhappy with a browser plugin silently doing stuff with every page I load, so only run it when I specifically ask it. Plus, it uses a number of deprecated JavaScript features, e.g. unload event listeners.

One good thing about LastPass (apart from it being cross platform) is that it's a zero-knowledge system, i.e. the company (says it) has no access to your data - it's en/decrypted on your PC/tablet/phone. However that again opens up an attack vector, e.g. compromising another brower plugin so it can access LastPass' data in clear text. Another concern is that it's not open source, so is not subject to the scrutiny of the cryptographic community. Anyway, cryptography is as much about process, how the technology is implemented and used end to end, as it is about the encryption algorithm itself.

Two passwords that should never be in the password manager: the password manager password and your email password (they should only be in your head). Three un-obviously-related words with a punctuation mark or two and some digits and mixed case, e.g G0bl1n!Rab3itfish? - that has an entropy of 118 bits which qualifies as "Excellent" or "Very Strong"...

Note that blindly changing o => 0, i => 1 etc. is a well established mechanism and as such adds little to the real-world strength/entropy of a password.

Oh, and use multi-factor authentication (MFA) for ALL key sites that access financial or personal data, e.g. HMRC, banks, PayPal, eBay, email (webmail) etc. MFA requires two or more from these areas: something you know (e.g. password), something you have (e.g. a time-based code from an authenticator app) and/or something you are (fingerprint, facial recognition, retina scan...).

 

[stuart little]

I use fingerprint recognition where possible - very quick, secure and simple (except after I have been doing a lot of sanding when my fingerprints are unrecognisable!)

--or using CA glue!