
Password practices

Dorothea Salo
September 07, 2018


For LIS 341/640 "Digital Privacy, Safety, and Security"


Transcript

  1. Your mission (which you have no choice but to accept)

    ✦ Choose a password that Eve cannot break with standard password-breaking tricks…
      ✦ (some of which we’ve seen, some of which I’ll talk about in a bit)
    ✦ … keeping in mind that you can’t always trust systems to manage and store passwords correctly.
    ✦ Do this not just once, but over and over again…
      ✦ because you typically need a lot of passwords, right?
    ✦ … without breaking your brain.
  2. Eve’s tricks

    ✦ Capturing your password (or a hash or challenge-response derived from it) as it travels through the glass tubes
      ✦ so she can try to crack it at her leisure
    ✦ Cracking a system to grab all its password hashes
      ✦ which she can then try to crack at her leisure
    ✦ Hashing a whole bunch of words in advance, to compare captured password hashes against
      ✦ a “dictionary attack”; a precomputed table of hashes is a “rainbow table”
      ✦ (a random per-user salt stored next to each hash makes precomputed tables useless, which is one reason a system that stores unsalted hashes is not doing passwords right)
    ✦ Trying a whole bunch of password guesses
      ✦ “brute-force attack”
    ✦ Using people’s known password habits to refine her attempts
    ✦ So we need to talk about those!
  3. (Another thing Eve can do is look for leaked passwords on the open Internet. Yet ANOTHER thing she can do on some systems is try default passwords. We’ll get to these later, but I did want to mention them, because they may turn up in your incident report.)
  4. Common password habits

    ✦ Repeating passwords across different systems
    ✦ Frustration-caused, not-even-trying bad passwords
      ✦ e.g. “password” or “ihateu” or similar
    ✦ Personal information
      ✦ family or pet names, dates, addresses, life milestones, sportsball team names…
    ✦ Keyboard/number-pad patterns (“qwerty”)
    ✦ “Leetspeak”
      ✦ replacing letters with numbers or symbols that resemble them: 13375p34k (and now you know how L3-37 “Elthree” in Solo got her name)
    ✦ Incremented number at password end
      ✦ that is, “password1” then “password2” then “password3”
      ✦ Super-common in systems that make users change passwords often
    ✦ Capital letter at password start
  5. How does Eve leverage these habits?

    ✦ In hash comparisons or brute-force attacks, try common bad passwords first!
      ✦ If they don’t work, go on to the rest of the dictionary… but if Eve has a lot of hashes to work with, chances are good ONE will work.
    ✦ Then try already-leaked/cracked passwords.
    ✦ Find out personal information that might be (part of) a target’s password.
    ✦ No luck yet? Try leetspeak word variations, appending numbers, capitalizing words, etc.
    ✦ There are tools to automate this process. We’ll see one in lab!
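To make the rule-based guessing on this slide concrete, here is a small Python cracker added for this page (it is not from the lecture or from any real cracking tool). It runs a constructed four-word base list through the habits above, capital first letter, leetspeak, appended numbers, and checks each guess against constructed, unsalted SHA-256 hashes. The plaintexts appear only so the demo can build its hashes; one of them is a random-word passphrase that the rules never reach.

```python
import hashlib
import itertools


def sha256_hex(text):
    """Unsalted SHA-256: stands in for the hash a careless system stores."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed demo data: in real life Eve has only the hashes, not the plaintexts.
# Three follow the habits above (capital first letter, leetspeak, appended number);
# the fourth is a random-word passphrase that the rules below never reach.
LEAKED_HASHES = {
    sha256_hex(p)
    for p in ["Summer2018", "p4$$w0rd1", "badgers", "tundra velvet ox lantern"]
}

# A tiny base wordlist. Real crackers use millions of words plus leaked passwords.
BASE_WORDS = ["password", "summer", "fluffy", "badgers"]

# Leetspeak substitutions a typical cracking rule set tries for each letter.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def leet_variants(word):
    """Yield the word with every combination of LEET substitutions, plain form first."""
    choices = [(c,) + tuple(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def mangled(word, max_suffix):
    """Apply the habits in cracker order: capitalisation, leetspeak, appended numbers."""
    for cased in (word, word.capitalize(), word.upper()):
        for leet in leet_variants(cased):
            yield leet
            for n in range(max_suffix + 1):
                yield f"{leet}{n}"


def crack(hashes, words, max_suffix=2020):
    """Return {hash: plaintext} for every hash a rule-based guess reaches.

    Cheapest guesses first: the bare wordlist, then mangled variants of each word.
    """
    found = {}
    remaining = set(hashes)
    for w in words:                       # stage 1: plain dictionary words
        h = sha256_hex(w)
        if h in remaining:
            found[h] = w
            remaining.discard(h)
    for w in words:                       # stage 2: mangling rules
        for guess in mangled(w, max_suffix):
            if not remaining:
                return found
            h = sha256_hex(guess)
            if h in remaining:
                found[h] = guess
                remaining.discard(h)
    return found


if __name__ == "__main__":
    result = crack(LEAKED_HASHES, BASE_WORDS)
    for h, plaintext in result.items():
        print(f"{h[:12]}...  ->  {plaintext}")
    print(f"{len(LEAKED_HASHES) - len(result)} hash(es) survived the rule set")
```

Three of the four hashes fall to a few hundred thousand guesses from a four-word list; the passphrase survives because none of its words are in the list and no mangling rule produces four random words. A salt would not have helped the three weak ones here (Eve is guessing each hash live, not looking it up), which is why salting protects against precomputed tables, not against bad passwords.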
  6. Formerly standard password guidance

    ✦ The NIST author who wrote this guidance back in 2003 (Bill Burr, in the original NIST Special Publication 800-63) freely admitted in a 2017 interview that he didn’t really know what he was doing. So yeah.
    ✦ This guidance is still in widespread use. Unfortunately.
    ✦ “Complexity” rules
      ✦ those tiresome “must contain one number, one capital letter, one lowercase letter, one symbol, and a partridge in a pear tree” things
    ✦ Length rules
      ✦ “at least X characters”
      ✦ You will sometimes see “but no more than Y characters” where Y is a pretty low number (I’ve seen “16” or even “10” or “8”). Any system that does this is not doing passwords right! A properly hashed password gives the system no reason for a low cap, since the hash is the same size no matter how long the input.
    ✦ Change-passwords-early-and-often rules
  7. Problems

    ✦ Complexity rules don’t work; people’s responses to them fall into patterns.
      ✦ Like the password1, password2, password3 thing.
    ✦ Length rules are sensible, and weren’t too onerous… until mobile happened.
      ✦ Have fun typing that 20-letter password on your phone.
      ✦ Length plus complexity (numbers, symbols) is even worse on mobile.
    ✦ Change-early-and-often is a major pain in the rear. People HATE it, and it is a direct cause of poor password choices.
      ✦ Human memory limitations strike again.
      ✦ Also human rationality: if you’ll have to change a password shortly, why even bother making it strong?
  8. Another problem: Rules Don’t Apply To Me

    ✦ Did you see that list of Famous People Passwords in your readings? Yyyyyyyyyyyyyyyeah.
    ✦ Some people think they’re too important to observe proper security.
    ✦ That’s exactly backwards. The more important they are, the bigger a target they are. They need to be MORE security-conscious, not less.
    ✦ But who can tell them that and make it stick?
  9. Those password-strength meters

    ✦ You may have run into them on websites: they supposedly tell you how strong the password you’re choosing is.
    ✦ Most of them are bogus. They let bad passwords through, and call good passwords weak.
      ✦ A meter that scores by character classes rates “P@ssw0rd1!” highly, even though Eve’s substitution rules reach it almost immediately, and marks a long all-lowercase passphrase weak.
    ✦ Some of them are just plain poorly programmed.
    ✦ Rule of thumb: LONG is better than WEIRD.
    ✦ Most of these meters don’t use this rule, often because they were programmed against the (now known-bad) old guidelines.
  10. But why is long better than weird?

    ✦ Remember that we want to keep Eve guessing: make her burn through a lot of time and computer effort brute-forcing password hashes.
    ✦ I’ll bypass the math, but the basic idea is: adding one additional character multiplies the number of possibilities Eve must try by the size of the whole character set, whereas changing (say) a letter to a symbol adds fewer, and Eve’s substitution rules make that kind of swap cheap to guess anyway.
    ✦ If you’re interested in this and/or the mathy bits of it, “password strength” and “password entropy” are good phrases to search on.
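The “mathy bits” the slide skips, worked through in Python as an added example (not part of the lecture). It computes the size of Eve’s search space in bits for a few policies, compares “one letter swapped for a symbol” against “one letter added” on the same base, and converts bits to worst-case cracking time. The guess rate of 1e10 per second is an assumption standing in for a GPU rig against a fast unsalted hash; the 7776-word list size is the usual diceware list size.

```python
import math

# Assumption for the time estimates: 1e10 guesses per second, roughly what a
# GPU cracking rig manages against a fast unsalted hash such as MD5 or SHA-1.
GUESSES_PER_SECOND = 1e10


def keyspace_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def one_symbol_bits(length, letters=26, symbols=33):
    """Entropy of a lowercase password in which exactly one position is a symbol.

    Eve's model: pick which of `length` positions holds the symbol, which of the
    `symbols` it is, and a letter for each remaining position.
    """
    return math.log2(length * symbols) + (length - 1) * math.log2(letters)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password of the given entropy."""
    return 2 ** bits / rate


def long_vs_weird(length=8):
    """'Weird' (one symbol) versus 'long' (one extra letter) on a lowercase base."""
    return {
        "base": keyspace_bits(length, 26),
        "one letter swapped for a symbol": one_symbol_bits(length),
        "one lowercase letter added": keyspace_bits(length + 1, 26),
    }


POLICIES = {
    "8 chars, any of 95 printable ASCII": (8, 95),
    "12 lowercase letters": (12, 26),
    "4 random words from a 7776-word list": (4, 7776),
    "6 random words from a 7776-word list": (6, 7776),
}


def policy_table():
    """(bits, worst-case years to exhaust) for each policy in POLICIES."""
    year = 365.25 * 24 * 3600
    return {
        name: (keyspace_bits(n, size), seconds_to_exhaust(keyspace_bits(n, size)) / year)
        for name, (n, size) in POLICIES.items()
    }


if __name__ == "__main__":
    for name, bits in long_vs_weird().items():
        print(f"{name:35s} {bits:5.1f} bits")
    for name, (bits, years) in policy_table().items():
        print(f"{name:40s} {bits:5.1f} bits  ~{years:,.3f} years")
```

Two things to notice in the output. Adding one lowercase letter to an eight-letter password multiplies Eve’s work by 26; swapping one letter for a symbol multiplies it by only about 10. And four random words score slightly below eight fully random printable characters, which is why the slide says four to six words: the real advantage of the passphrase is that people can actually memorise one that is genuinely random, whereas an eight-character “weird” password chosen by a human follows the habits Eve already knows and never costs her the full keyspace.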
  11. New, better guidance!

    ✦ Drafted by US NIST in 2016 and finalized as NIST Special Publication 800-63B in 2017.
    ✦ Forget about change-early-and-often. (YAY!!!!)
      ✦ Force password change only when a password or its hash has been cracked or leaked, or when a (verified!!!!!!) user has forgotten their password.
    ✦ Forget about complexity rules.
    ✦ Minimum 8 characters. Try not to set a max (the guidance says to accept at least 64 characters, spaces included).
    ✦ Don’t allow known-bad, known-cracked passwords. The user should pick again.
    ✦ Don’t use password hints. Don’t use supposedly-secret questions.
      ✦ Password hints help Eve as well as Alice. The answers to supposedly-secret questions are often easy to ferret out on social media or whatever.
  12. How do we know if a password has been cracked?

    ✦ We can check lists of known-bad passwords… but sometimes GOOD passwords get leaked.
      ✦ If you weren’t angry enough at online services with bad password-security practices, here’s another reason to be angry. A leaked password is a burned password: you shouldn’t use it any more.
    ✦ We could lurk on the darkweb and buy stolen credentials, but that’s ethically dubious (paying criminals?!) and could get expensive.
    ✦ Troy Hunt to the rescue, with the Pwned Passwords database!
  13. How Pwned Passwords works

    ✦ Troy collects as much data from mass password breaches as he can.
    ✦ He makes the entire file (SHA-1 hashes, each with a count of how often it was seen) available for download.
    ✦ He ALSO has a query service where systems can find out “has this password been cracked?”
      ✦ It’s cleverly implemented: a system sends only the first five hex characters of the password’s SHA-1 hash and gets back every stored hash that starts with them, then looks for its own hash in that list locally. Neither the password nor its full hash ever leaves the system, and Eve gains nothing from the service that isn’t already in the downloadable file.
    ✦ Several systems and at least one password manager are using this service to help people avoid already-cracked passwords, and to check systems for already-set cracked passwords.
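The NIST rules from slide 11 and the Pwned Passwords range query from this slide fit together in one small password-acceptance check. The Python below is an added example for this page, not code from the lecture, from NIST, or from Troy Hunt’s service. The breach data and counts are constructed: `demo_range_fetch` plays the part of the range endpoint so the example runs offline, and `MAX_LENGTH` of 256 is an assumption chosen to sit comfortably above the 64 characters NIST says to accept.

```python
import hashlib

# NIST SP 800-63B: minimum 8 characters for user-chosen passwords, and accept at
# least 64. The cap below is an assumption, set well above that.
MIN_LENGTH = 8
MAX_LENGTH = 256

# Constructed stand-in for breach data (passwords Eve already has) with made-up
# counts. The real Pwned Passwords corpus holds hundreds of millions of hashes.
DEMO_BREACHED = {
    "password": 3730471,
    "password1": 2413945,
    "P@ssw0rd": 55215,
    "Summer2018": 1823,
}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def demo_range_fetch(prefix):
    """Simulate the Pwned Passwords range endpoint over DEMO_BREACHED.

    The real service answers GET https://api.pwnedpasswords.com/range/<prefix>
    with one "SUFFIX:COUNT" line per stored hash that shares the 5-char prefix.
    """
    assert len(prefix) == 5, "k-anonymity: only 5 hex chars ever leave the client"
    lines = []
    for pw, count in DEMO_BREACHED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, fetch=demo_range_fetch):
    """Times the password appears in breach data, without ever sending it.

    Only the first 5 hex characters of its SHA-1 go out; the matching suffix is
    searched for locally in the returned range.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def validate(password, fetch=demo_range_fetch):
    """Apply the NIST-style rules. Returns (accepted, reason).

    Deliberately absent: complexity rules, truncation, hints, secret questions.
    """
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    count = breach_count(password, fetch)
    if count:
        return False, f"seen {count} times in breach data; choose another"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["short", "password", "P@ssw0rd", "tundra velvet ox lantern"]:
        print(f"{pw!r:30} -> {validate(pw)}")
```

To use it against the live service, replace `fetch` with a function that performs the HTTP GET shown in the docstring and returns the response body; the client-side logic is unchanged. Note that `"P@ssw0rd"` satisfies every old-style complexity rule and is still rejected, because the check is about what Eve already has, not about character classes.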
  14. So, Dorothea, how should I pick a password?

    ✦ Whenever you can avoid it, DON’T. Let your PASSWORD MANAGER pick it.
      ✦ 1Password, LastPass, KeePass Password Safe
      ✦ cross-platform, including mobile
      ✦ I love these things! Install one for all your friends and family!
    ✦ When you must:
      ✦ Passphrase: 4 to 6 words, ideally randomly-chosen (not biblical or Shakespeare phrases!) For extra credit, put a symbol between words.
      ✦ The first-letter-of-sentence method (“Tflosm”): I hate this, but if you like it, go for it. Better be a long sentence.
      ✦ For uniqueness across systems: to either of these, add something from the system you’re using (e.g. for Yahoo, add “yahoo” or “yah”). Caveat: once one of these leaks, the pattern is visible to Eve, so treat this as a stopgap until a manager is generating a different password for every site.
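“Ideally randomly-chosen” has a precise meaning: the words come from a cryptographic random source, not from your head and not from a general-purpose random number generator. Here is a passphrase generator in Python as an added example (not from the lecture or from any password manager). The wordlist is a constructed 32-word sample so the block runs on its own; in practice you would load a real list such as the EFF long list, and the entropy function shows why the list size matters.

```python
import math
import secrets

# Constructed mini wordlist for the example. Use a real list (the EFF long list
# has 7776 words); the entropy you get scales with the list you draw from.
WORDS = [
    "anchor", "badger", "cactus", "dahlia", "ember", "falcon", "glacier", "harbor",
    "ingot", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "raven", "saddle", "tundra", "umbra", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "bramble", "copper", "drizzle", "fennel", "gravel", "hollow",
]
# The "symbol between words" extra credit: one separator chosen at random.
SEPARATORS = "-_.+=!@#$%&*"


def pick(n_words=5, wordlist=WORDS, separators=SEPARATORS):
    """Choose words and a separator with the OS CSPRNG (secrets), never `random`."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    sep = secrets.choice(separators) if separators else " "
    return words, sep


def passphrase(n_words=5, wordlist=WORDS, separators=SEPARATORS):
    """A ready-to-use passphrase, e.g. 'kestrel+umbra+dahlia+gravel+orbit'."""
    words, sep = pick(n_words, wordlist, separators)
    return sep.join(words)


def passphrase_bits(n_words, list_size, n_separators=1):
    """Entropy of a passphrase drawn this way (words may repeat, so this is exact)."""
    return n_words * math.log2(list_size) + math.log2(n_separators)


if __name__ == "__main__":
    print(passphrase(5))
    print(f"5 words from this {len(WORDS)}-word sample: "
          f"{passphrase_bits(5, len(WORDS), len(SEPARATORS)):.1f} bits")
    print(f"5 words from a 7776-word list: {passphrase_bits(5, 7776):.1f} bits")
```

Five words from the 32-word sample give under 30 bits, which is why the sample is for demonstration only; the same five words from a 7776-word list give about 65 bits, and six give about 78. The random separator adds only a few bits, so it is decoration rather than strength, exactly as the slide’s “extra credit” suggests.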
  15. Other things that help

    ✦ (especially as part of a passphrase)
    ✦ We’re looking for words that won’t be in lists and that Eve can’t easily figure out (or con Alice into revealing).
    ✦ Nonsense words
      ✦ Do you remember the name of your childhood imaginary friend?
      ✦ If you know more than one language, making up a multilingual portmanteau can work (e.g. Spanglish verb “pasuordear”).
    ✦ Obscure languages, dead languages, conlangs
      ✦ Anglo-Saxon? Dead as a doornail. Go for it.
      ✦ Sindarin, Shyriiwook, or Klingon? Avoid names and words that many fans know (“mellon” “Chewbacca” “Qapla’!”) but otherwise, sure.
    ✦ These help because the words are unlikely to be in Eve’s lists, not because they look strange; words you choose yourself are still less unpredictable than words a generator picks at random.
  16. Questions? Please ask!

    This lecture is copyright 2018 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.