Size does matter…

Size does matter (with passwords, at least)…

You know the horror of having to change your password for your email address or some other login…? It is a nightmare to come up with a new password that you’ll remember and that will be strong enough to resist all of the hundreds (thousands?) of different hacks, exploits and attacks happening seemingly every week… So, when you painstakingly choose a new password, it’s only natural that you’ll use the same password (or a minor variant of it) when you later have to reset some other password.

Increasingly, workplace systems that require passwords are set up to force-reset passwords every 30 or 45 days (or whatever). This, of course, means you have to reinvent your password – and it has to be easy to remember yet hard to ‘break’ – every month or two.

Naturally, you don’t write down your passwords. That would be stupid. Instead, you save them in a note or an email, on your phone or on your PC or laptop, maybe synchronised to some public cloud storage provider… After all, who could know that your file call ‘blah.doc‘ contains potentially useful information, and how would they even know where to look…?

Right?

Emmm, no. Keep reading…

It is rarely actual people who harvest passwords – it’s usually computer software and it doesn’t actually ‘look’ anywhere in particular or actively ‘choose’ which files to steal – it just grabs everything it can (or is programmed to). Including that file stuffed full of passwords…

Not too long ago (although it might seem like centuries to today’s instant-forget generation), a problem was discovered that means that about 1 in 3 of ALL so-called ‘secure websites’ were open to attack from the “Heartbleed” bug – and had been for more than 3 years without anyone being aware of the problem (except, presumably, the undesirables that hang around the darker recesses of the Net).

Nobody – no matter WHAT the big name websites might say – can categorically guarantee that their systems were not hacked at some time over that time. If they do, don’t believe them… they simply can’t know. It’s like, if you discovered an underground tunnel that leads inside your house, you wouldn’t assume that nobody else ever knew ab0ut it, or used it…? Right? You’d assume someone did at some time. Even if there’s no evidence. Organizations that discover a security hole, however, always assume that they were never hacked unless there is obvious evidence to show that they were. And even then, we’re usually the last to know.

Nobody knows how long hackers might have been using the Heartbleed ‘exploit’ or what they might have been able to harvest – but it is absolutely certain what they would have been looking for: your usernames & passwords; your real name & address; your credit / debit card, your payment & bank account details; your other identification details; anything that might help to complete a digital picture of you.

Yes, you… well, not ‘you’, specifically, but ‘you’ in the genus of ‘All Internet Users’.

Most of the secure-ish websites that had the problem immediately upgraded their systems. However, the nature of this exploit is that it leaves no evidence of intrusion. There are also hundreds of other attacks, of various types, that leave no evidence of compromise. There is literally no way of knowing how many hundreds of people have your personally identifiable data… Scary, or what?

But, surely these Organisations that store our data have to protect that data… right?

Right…

Just in case you didn’t understand the tone of that, I meant “Right” [sarcastically]

Data breaches are not the only part of the problem. As we have seen over the years, many Organisations, even when they have been subject to an attack that they do know about and where User details (including yours…?) have actually been stolen, still don’t publicly admit it – until they get caught – even though they are required to do so by most Countries’ Laws.

Recently, a data breach was not notified to the victims (Yes, the victims) for a long time to “protect” the companies involved. Not to protect the victims, though (http://nyti.ms/1ooVm77).

Whatever happens, once your data is stolen by the ‘bad’ people, or simply lost/dumped and then found by someone, it is not only theirs forever, it’s shared, sold, merged with other data (e.g. your social media posts & profiles…?) to get a more rounded idea of you, the individual. This can be used to create a whole new person that is essentially you but doesn’t look like you. How simple is this to do? It’s as simple as 1, 2, 3 if you know what you’re doing and move in the right circles…

“Vive la difference!”

Luckily, there’s an easy way to protect yourself (somewhat) from the HeartBleed exploit and most other attacks designed to harvest personally identifiable information: change your passwords [groan…].

Change all your passwords: email accounts, Mobile App logins, iTunes, Facebook, Twitter… The list is almost endless. And growing. Literally ANYTHING that requires a password is potentially vulnerable to attack.

Remember, if someone gets access to ONE of your accounts (e.g. email or whatever) they can usually get access to lots more.

Why?

Because, rather unbelievably (despite the incessant news items about data breaches), most people use the same (or similar) passwords for almost everything, and given that a username can usually be very easily derived from your email address or your name, this could have a major impact on EVERY website and App that you use.

Of course, you don’t use the same (or almost the same) password for lots of different sites and Apps… do you?

In fact, don’t just change one password, change lots and make them different. Change every password immediately after you login to any site. Every time you login. And then when you log out again, change it again.

Actually, the last bit was overkill. The last two bits, to be precise. While it is true that the only way to guarantee the security of a ‘key’, which is what your password acts as, is to use it once and only once and then destroy it (known in Crypto circles as a ‘One Time Pad’), it’s probably counter-productive since none of us would ever remember any password.

How complex is complex?

So, what should ‘normal’ users do to protect themselves? Should you have a complicated password full of random characters that don’t mean anything… so unmemorable that you have to save them in your phone or, worse, your email (because nobody would ever think of looking in THERE, right)…?

And then make an equally unmemorable password for the next website you register with, adding that to the collection saved in your (remotely accessible, without your knowledge) mobile or Net-connected device…?

Actually, the answer is “Kind of, but not quite”. Remembering lots of different passwords, made up of meaningless characters, is a waste of time. worse than that, it is NO more secure than anything else.

So, light at the end of the tunnel…

In order to make it easier to remember hundreds of different passwords for hundreds of different purposes, one suggestion is that you might make a long password that is the same for every website BUT also add something from the website itself in the password. For example, a gmail password could be ‘PassgmailWord1!’ while a Facebook password could be ‘PassfacebookWord1!’.

They’re different but you’ll always know how to regenerate them. Because they are created using a repeated pattern, you will know how to recreate them again if you forget. The same goes for any website you have to login to.

[By the way, they’re not my passwords. I don’t use Facebook! Oh, and in case it needs saying… don’t use the same one I suggested!]

If you create your password using the same pattern every time, you’re essentially creating an Algorithm. An Algorithm can be defined as ‘a series of steps that, when repeated in the same sequence every time, give the same result every time’. If you change the input to an Algorithm it usually affects the result. So, using the above example, lets say you want your password to always be ‘Pass[something]Word1!’. Note that the ‘something’ in the middle varies in size. That’s another useful characteristic because a ‘key’ of unknown length takes a whole lot more time to crack than one with known length (for lots of reasons: for example, if the hacker / software knows how many letters are in the password, it knows when it has tried all possible permutations). Also, the pattern above assumes that you will, at some point, be creating a password where it demands a capital letter, a punctuation symbol or a number – so it includes all 3.

Headache-inducing passwords

Despite what some organisations think, a complex password that has strange characters in it such as ‘c0mp!3x’ is no more secure, really, than any other string of characters the same length.

If some IT Security geek tells you that your Company forces you to use “?@&*^%$?” as your password, because it would be harder to guess, remind him/her that Computers don’t guess – they just check every possible combination of every possible character. In seconds.

A proper tool for hacking passwords (and there are lots) will find the apparently complex password as quickly as it will find ‘abcdefg’ (In both cases, possible combinations = Number of possible characters, to the power of 7 which is lots, for us, but not for a computer).

Besides, if you have to save your complex passwords in your phone or email, then some hacker who gets access to your phone or email will have all your complex passwords as a bonus. Better if you just know your password from memory by knowing how you created it.

Alternatively, try to make a long password that you’ll remember, such as ‘thisismygmailpasswordiwillrememberit’. For this 36-character ‘password’, the number of possible permutations is 26^36 (26 letters to the power of 36 ‘characters’). That’s ridiculously long and we’ll all be dead before a (current?) computer could crack it.

Of course, none of us use 36-character passwords. That would be ridiculous. So, it is worth noting that adding just one extra character to even a short password exponentially increases the number of attempts required to crack it, so adding a character to a reasonable length password is probably more useful overall than adding a ‘character set’ (i.e all those punctuation symbols we are often forced to use to make it harder for someone to ‘guess’ a password).

So, just to finish off this bit, here’s a question. Don’t blurt out the answer(!)… think about it. The answer is down the bottom of the post….

Q: “Regardless of the length of a key (or password), what is the minimum number of ‘guesses’ or ‘attempts’ it might require to get the right one?”

So, to sum up…

We use passwords for more and more things these days and it is only going to get harder to keep them safe. Writing a password down anywhere, or saving it in a file or in your email, is not safe. The only safe (and pragmatic) method of keeping a password relatively safe is to memorise it. Since that’s difficult to do, especially when some Organisations make us use stupid symbols that mean nothing, the alternative is to memorise a pattern you use to create passwords – so the same pattern can be used to recreate them if you forget them. All you have to remember is the pattern (or ‘algorithm’).

I would suggest you experiment with some patterns, using the names of websites you normally visit, before settling on a suitable algorithm. Whatever you do, though, don’t tell anyone what your pattern is!

My passwords used to be 11 characters long. Now they are 12-20, depending on a couple of different things I can ‘figure out’ from the system I am logging into – and they’re now easier to ‘remember’ because I subconsciously recreate them as I need them.

———————————————————————-NOTE for Crypto-security peeps:

I’m well aware that this is a simplified view of the effect that the key-length can have on the number of ‘brute force’ attempts needed to guarantee finding the key and I am also aware that there are an unlimited number of other methods for creating secure password and/or securing passwords in a digital ‘safe’. However, this Post was written for the average Web user so I didn’t want to make it too complicated. Not sure if I succeeded in maintaining simplicity, though!

———————————————————————–

Answer to Q: “Regardless of the length of a key (or password), what is the minimum number of ‘guesses’ or ‘attempts’ it could take to get the right one?”

Answer: Only one, if you get it right first time 😉