Greetings to all my fellow techies. Passwords and security in general have been on my mind since last week, when they were constantly discussed during my whirlwind tour of local, government-focused trade shows. The federal government has always been security conscious, but with the approaching June 5 Federal Risk and Authorization Management Program deadline — by which cloud service providers must be certified as secure — it was literally the talk of the town.
I ran into several firms that specialize in intrusion penetration. They get paid to try to crack security measures and then report any vulnerabilities. Many of the firms certify cloud providers as part of FedRAMP, but even those who don’t still provide valuable advice and assessment services. Most of the people I chatted with were big fans of the movie “Sneakers,” which focused on a firm doing the same thing about 20 years ago.
All this security talk coincided with a need in my personal life to create some new passwords. Having added two new online services for reporting and one new massively multiplayer online game, I was faced with creating some new passwords. I have so many now that without writing them all down, I know I would forget half of them. But it’s not my fault. The standard rules for passwords these days with one special character, one capital letter and one number make remembering more than a few almost impossible.
So, I asked the intrusion penetration folks how to create a secure password I could actually remember, and how to do it without any technical wizardry requirements, like a dongle that syncs a password generator with an authorization server. The answer I got was it depends on the tools hackers use.
These days, the same technology used in supercomputers — taking graphical processor units and repurposing them for number crunching — is used to break passwords. A block of high-end graphics cards networked together can attempt to crack a password fairly quickly using brute force. Some are capable of 1,000 or more guesses per second, assuming the host they are trying to crack allows it.
But first, I was told what not to do. Any word found in a dictionary is going to be the first attempt by the brute force crackers. And all those cute techniques where A is turned into @ or S becomes $ don’t work anymore either, because those variations are programmed into the dictionary crackers. Also, using a popular phrase from movies, TV or literature is generally a bad thing, because even the most obscure ones have likely been added to the dictionary attacks. So going back to the “Sneakers” movie, putting a phrase from the movie like, “My voice is my passport. Verify me,” is just about as bad as using “password” as your password. And, no matter how obscure you think that quote or saying is, I was told, it’s likely already inside a dictionary program for cracking.
Instead, the firms recommended a modified phrasing system: A series of words that only have common meaning to the user, but no real connection otherwise. I was given an example where a picture on an office wall depicts a circus scene with bears doing various tasks, including juggling bowling pins. A user could start at the top of the portrait and name the various elements (in this case fez, bowling, bear and unicycle) to create an easy to remember pass phrase — especially if someone was able to glance up at the strange picture — but difficult to hack.
However, if a dictionary program is tuned to look for pass phrases, the game changes. Suddenly, that four-word phrase is a lot less secure — just a four element password. That’s where they recommended adding numbers, or even special characters, into the mix, though not enough to make the password hard to memorize. Again, using the example, a user could assign numbers based on the number of elements in the portrait, like fez01, bowling06, bear12 and unicycle02. It would be nearly impossible for a brute force program to guess “fez01bowling06bear12unicycle02” within the next hundred years using anything short of a quantum computer. However, because that particular password is now published in this column, it will likely be added to some dictionary programs. So don’t use it.
This all reminded me of a similar argument made by the comic site xkcd to explain why pass phrases were better than all those special character rules many sites insist on today.
But one additional, important consideration everyone I talked with mentioned is users really do need a different password for every site or application. Every time a site gets hacked and user names and passwords are stolen — the strong and the weak ones together — another program is loaded that begins trying them with most of the commonly attacked sites. If you use the same password and user name on multiple sites, you can expect when one falls, the others likely will too.
So we are back to having to memorize lots of passwords again. But at least using phrasing, perhaps interspersed with a few numbers, we can have a chance of keeping it all memorized and still have a modicum of security protecting the front gate.