Blog: How Tos

Passwords, passwords, passwords (repeat)

David Lodge 24 Jan 2014

“My password’s been hacked” is a common cry that us in the security industry get from friends and relatives; or the counter utterance of “how do I get somebody’s password” for which explaining about the Computer Misuse Act doesn’t seem to dissuade. Then we hear news reports of a computer that can crack “every known” password within hours. So what does this mean and why is the world still dependant on this tiny form of identification?

Authentication of an individual is a process that has existed ever since the first Homo Neanderthalensis decided to pop over to the next family unit as the hunting was better there. How can we identify that someone is who they say they are? Modern risk management divides this into 3 mechanisms:

  • What you are; e.g. biometrics.
  • What you know; e.g. a password
  • What you have; e.g. a security token or a key

A good authentication scheme will use at least two of the three mechanisms: my bank uses a password scheme and a physical token, satisfying what you know and what you have [1]. If either of these techniques fail then your authentication is rejected.

But, we can’t use this everywhere: use of a standard, secure token for everyone has logistics problems and biometrics, unlike in the world of the salesman or Hollywood, have too large a false negative or false positive rate. So we end up with using just what you know: a password or a pin.

This is how most of us live: everything in our lives is now protected by a single mechanism: our work email, our personal email, our social media accounts, our bank accounts, our credit cards, even our tax returns!

This may not be as bad as you think, there is quite a bit of randomness (or, as we like to say “entropy” ‘cos it makes us sound cleverer than what we are) in your average password; we can work this out mathematically using the simple formula for combinations:
n <sup>r</sup>

Where:
n = number of characters in the set to choose from (e.g. 26 if we have lower case)
r = length of password

So if we look at an 8 character password which could have upper case, lower case and numbers in it; this gives 218340105584896 possible combinations. That is a lot of possibilities. To steal a media trick: if our Neanderthal friend up there started at aaaaaaaa and ended at 00000000, entering one guess a second he would still be nowhere close to finishing about now, long after his species has been made extinct (i.e. a little over 6,918,780 years).

“But Dave, surely that’s good enough!” I hear you cry. Oh, I wish it were! Unfortunately we aren’t computers who can pull a random extract of letters and numbers out of the air and remember them for ever more. Oh no, our minds are much too small for that; we, as a species, suck at being able to think of stuff for passwords and then remembering them, so we take a shortcut, we make something that’s easy to remember, like the name of our dog and because we’ve been told that we should use capital letters and numbers we capitalise the first letter (because that’s the rules of a proper noun) and we put our house number on the end, because we can always remember that. So we end up with “Rover72” which looks secure until somebody does a bit of research and discovers your pictures of Rover on Facebook and pulls your address from the electoral roll and, and to quote Hudson from Aliens, “Game over man”.

Alternatively we chose a secure password, but then we use it everywhere a password is required: for our work, for social media, for our email, for that forum about the care of donkeys you joined three years ago and never went back to. That’s a lot of places, and if one gets hacked, your “secure” password may become known to the hacker, or if you’re really unlucky it may be sent around the web as part of a list of known passwords, or sold on to a marketer (and who would want that?).

Finally we could have a decent password, and use it securely, but we tell the truth on those “password reset” questions, meaning that most of our friends and relatives – or anybody with access to view your Facebook posts – can complete the process and reset your password.

[1] A bank card is a strange state, this was originally quite secure: it required to be something you have (the card) and something you know (the PIN). Changes to make this easier to use on the Internet have reduced this to just being what you know for cardholder not present transactions, i.e. the card number and CCV number.