Tuesday, November 17, 2009

Password Security: White Belt Education

Identification, Authentication, and Authorization are important words to consider when contemplating cyber-jutsu.

While one of the least secure methods of authentication available today, passwords are nearly ubiquitous on information systems as a means to verify the identity of an authorized user.

Words have meaning. You will find your cyber-jutsu training most illuminating if you keep a dictionary and thesaurus handy. I have physical versions of these books, as well as computerized and on-line versions. To get you started, you can investigate Merriam-Webster online. Here is a good tip: you can easily remember "m-w" for Merriam-Webster. You can reach their site by typing in m-w.com for the address. I find this faster than navigating through bookmarks.

The human brain is better than a bookmark list, but, using both is best.

What is your identity? Who are you? For the skilled cyber-jutsu practitioner, hiding one's identity may be important. For the white-belt, being able to understand "identity" is most important.

Leaving behind the philosophical question of who you are, let us consider who you are to a computer system. To a computer system, you are, in most cases, a "user". The computer system maintains a unique "user name" for each person wanting access. Some computer systems allow a special user named "guest" to log in, but we are considering only your unique identity here.

Since computer systems have become widespread in our lives, a new problem of identity has arisen. Many of us have too many identities to easily remember. There have been and will continue to be interesting proposals for the solution to this problem. Some current technologies include Single Sign-On (SSO) and OpenID.

Regardless of the technologies we use to help ease the problem of recalling multiple identities (i.e. user names) and authentication mechanisms (i.e. passwords), if the system uses a password to validate your identity, you need to choose and recall a lengthy and complex password.

This can be difficult if you want it to be. I, however, choose to make it a fun and/or meaningful process. The choice to suffer or rejoice is yours alone. I will share with you one method to create a password that I find rewarding.

Before I go into my technique, let us discuss what we mean by a secure password. A secure password is one that is changed before an attacker can "crack" it (i.e. reveal, or guess it). Because of the progress of technology, that time grows shorter every year. Therefore, we could say that the time of the user-generated password grows short. Some replacements for the password, or enhancements to the password, include bio-metrics (i.e. a human number) and tokens (i.e. something you have, like a physical key or card). If you hear someone say two-factor authentication, they are referring to two mechanisms working in concert to verify your identity. We can think about a password as "something you know". We can think about bio-metrics as "something you are". Lastly, we consider a token "something you have". By mixing and matching these "factors", we can create secure authentication.

An example of a bio-metric authentication device would be a finger-print scanner/reader. Other bio-metric authentication devices in use today include iris scanners as well as the more intrusive retinal scanners. Future bio-metric authentication devices may include genetic material "finger-printing". Such devices could work off of dead skin cells, hair, mouth-swabs or blood. A device that could quickly determine the identity of a person based upon a unique number generated by their unique DNA would be the ultimate authentication mechanism. It could also be thought of as "the number of the beast" from the Book of Revelation. For better or worse, we will most likely see such a device in our time.

A good example of a token, or "something you have", would be the device you can get from PayPal to enable two-factor authentication to their site. Remember that two-factor authentication uses two of the factors we described above. In this case, PayPal uses something you know, a password, and something you have, their token. The PayPal token can be kept on your key-ring and provides a new six-digit number every minute. When I log into my PayPal account, I first enter my username, or identity. I then enter a password as the first factor that they will consider towards verification of my identity. After successfully entering my password, I am then prompted to press a small button on my token. When I press the button I am given a six-digit number to enter into the website. Because they know the serial number of the token they sent me, they know what that number is going to be. They validate that the number I enter is correct, and then authorize me to use their website and conduct my online financial affairs.

Now let us consider the password generation technique. Sit quietly for a moment. Sit with your back straight. Relax your muscles, but maintain proper posture. Take a deep breath. Let your belly expand as you breathe in, rather than your chest. Take another deep belly breath. As you exhale, feel the pressures of the day leaving your body like morning mist melting off a mountain lake. Take another deep breath and feel the essential joy filling your body. As your belly fills with your breath, feel the life energy filling every molecule of your body. It is a renewing energy. Each deep breath pulls in new energy and each deep exhale releases those things you do not need in your life. Breathe deep again. Allow your mind to drift toward a happy time in your youth. Capture that moment with words. Bring those words back with you as you continue to breathe. Breathe deep and reflect on the phrase you have brought back with you. Breathe deep and feel the healing, cleansing breath become a part of you. Come back to the present time, and create your password.

I did this exercise, just now, with you (I hope). This is what I brought back this time. Because I'm sharing it with you, I can't use it as a password. I'll find more though, don't worry.

The phrase I brought back was:
"We battled for hours with water-pistols. We painted the walls like two children."
I can use some of this or all of this. I can use whole words if the system I'm creating the password for doesn't limit the length, or I can use just the first letter of each word. If you are a brain, perhaps you can quickly recall the last letter of each word, or the second letter of each word. Let us start by using the first letter of each word.

  • wbfhwwpwptwltc

This is certainly unique, but let us consider for a moment our attacker. Without going into the details of how passwords are cracked (we can do that another time), let me say that we want to make the password more "complex". By complex I mean that we want to create a password that isn't all lower-case letters. In fact, we would like it to use upper-case and lower-case letters, and also numbers and/or special characters. We also want the length to vary, but never be less than eight characters. Having all passwords exactly eight characters long gives the attacker something standardized that he can use against us.

Here are some alternatives that I feel would make a good password:

  • Wb4hwW-P.
  • wB4hw/w-p.
  • Wbfhw/w-p!
  • wPtwl2c.
  • Wb4hw/w-p. Wptwl2children.

Some password security analysts will say that you should never have any word that can be found in any dictionary as any part of the password. If you follow that advice, then the last password given above would not be a valid choice. But let us look at what is good in these passwords. I am using upper and lower case letters in all of them. In the second example, I have chosen not to use an upper case letter to start the password, because I don't want to be predictable. In this second case, I chose to emphasize the "Battle" that took place. In this example I also chose to use the "/" special character that is often seen in text in place of the word "with". In the third example, I chose to replace the period with an exclamation point. In most of the examples I chose to replace the word "for" with the number "4". Some people will sometimes replace the letter "A" with the number "4", or the letter "B" with the number "8", and the letter "O" with the number "0" (zero). The only rule here is that you need to remember what it is you are going to do. Don't over-complicate this process. Keep it fun. If it gets boring, then maybe you can add something more to it.

Try a simple phrase, and stick to the basics I've outlined, and your passwords will be much more secure until you change them. I recommend changing all of your passwords at least once per month. Choose a time of the month that will be the same every month. Then sit down, relax, and breathe! :)

Sensei Metajunkie

PS -
Here are a few examples that are BAD CHOICES and should NOT be used:

  • painted (this is a dictionary word)
  • Painted (this is still a dictionary word)
  • p41nt3d
    Even though the last one doesn't look like it on the surface, there are dictionaries for cracking passwords that replace the common numbers for letters. Don't use this type of obfuscation for a dictionary word-based password.
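The first-letter technique from the post and the rules it gives (mixed case, a digit or special character, at least eight characters, and no dictionary word even behind number-for-letter swaps like "p41nt3d") can be turned into a small checker. This is an added example, not code from the post; the tiny WORDLIST standing in for a real cracking dictionary is constructed here.

```python
import re
import string

# Constructed stand-in for a cracking wordlist (assumption: a real one has millions of entries).
WORDLIST = {"painted", "children", "battle", "water", "pistols", "password"}

# Digit-for-letter swaps that cracking dictionaries already undo, as the PS warns.
LEET = str.maketrans({"4": "a", "8": "b", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})


def initials(phrase: str, position: int = 0) -> str:
    """Pick one letter from each word of the phrase: position 0 is the post's
    first-letter method, 1 the second letter, -1 the last letter."""
    words = re.findall(r"[A-Za-z]+", phrase)  # "water-pistols" counts as two words
    return "".join(w[position].lower() for w in words if -len(w) <= position < len(w))


def check_password(pw: str) -> list:
    """Return the rules from the post that pw violates (empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not a mix of upper and lower case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("no digit or special character")
    # Undo the common substitutions first, then look for a dictionary word anywhere in the password.
    normalized = pw.lower().translate(LEET)
    for word in sorted(WORDLIST):
        if word in normalized:
            problems.append(f"contains dictionary word '{word}' (after undoing digit substitutions)")
    return problems


if __name__ == "__main__":
    phrase = "We battled for hours with water-pistols. We painted the walls like two children."
    print(initials(phrase))  # the post's all-lower-case starting point
    for candidate in ["wbfhwwpwptwltc", "Wb4hwW-P.", "wPtwl2c.", "Wb4hw/w-p. Wptwl2children.", "p41nt3d"]:
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```

The last of the post's alternatives is flagged only because it embeds "children", which matches the stricter analysts' rule the post mentions.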
