Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

How to Design Passwords

193 views

Published on

The majority of cyber attacks against organisations and peoples start with general data about their targets, or very specific data, about one individual who can be used as an access portal to everyone, and everything! Sadly, the majority of attacks appear to be founded on known and published, or simple/very weak passwords that here easy to guess or crack with modest tools.

“I think we can safely assume; ‘Joe Public’ has little knowledge of cyber-security and even less inclination to engage in good security practices. And so, we have a ubiquitous security risk at every level of society with no hope of curing the problem through education and training”

This is compounded by vast libraries of professional papers, web sites, and industry studies that proffer a somewhat confusing range of guidelines and advice largely invisible to, and unhelpful for, the lay population. Probably the ultimate long term solution, in the face of an enemy that is becoming more sophisticated, powerful, and determined by the day, is the full automation through built in biometrics based on face, hand, finger, voice, typing patterns et al. plus a PIN and simple password/’n' factor authentication.

For sure we need an industry based fix; and probably in the form of ‘security as a service’. In the meantime, this presentation addresses what it takes to create ‘fit-for-purpose’ passwords at a device level and on up through Cloud Working. The techniques and guidelines give an assured security spanning trivial documentation through to financial services and state secrets applicable for 2019/20/21. For 2021/22/23 it would be prudent to reassess the advance in attack technologies and techniques, and the change in the success statistics of the Dark Side. It is quite likely that passwords may need strengthening by the addition of additional characters in some cases.

Links to associated/related/earlier slide sets are also provided.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

How to Design Passwords

  1. 1. H o w To D e s i g n pA55w0rDs:-)petercochrane.com ABC12345def Prof Peter Cochrane OBE Sentient Systems
  2. 2. THE nIGHTMARE! *A different password for each account *Change your passwords regularly *Don’t keep a documented record *Don’t embed them in a browser *Don’t write them down *Don’t tell anyone *Don’t share Guidelines and lots of useful advice that is often impractical and/or impossible:- Make them > 11 characters that include a mix of alpha numerics - upper & lower case plus punctuation marks and special characters…
  3. 3. Public Reality! A fundamental incapability to deal & cope with the complexities and many challenges of IT… Industry needs to produce, deliver and maintain inherently secure products - to get the users out of the Realm of Risk management, including password hell!
  4. 4. OMG - Really ! YES, people are indeed silly We need to do much better than this!
  5. 5. THE Threat Omnipresent Highly motivated Growing by the day Smart Adaptive Resourceful Well organised Global 24 x 7 People Machines Networks AI, Apps, Clouds +++ “Never underestimate the enemy - and never . assume you are smarter than they are”
  6. 6. Passwords in ‘diaries’ Passwords in ‘eMails’ Passwords on ‘post its’ Passwords in ‘open docs’ Passwords on ‘white boards’ Passwords shared ‘between apps’ Passwords shared ‘between peoples’ Passwords shared ‘between web sites’ Passwords used on spoof web sites/services +++++ The Gullibility Threat Social engineering - persuasion - observation - bribes ++ Passwords extracted by ‘smart’ conversationalists, friends, family, associates, colleagues, co-workers ++++
  7. 7. Welcome to password & two factor hell! We need to do much better than this! What do you do when there is no mobile signal or there’s a loooong delay or network fault? You need at least: a net sync’d app embedded on your machine, but ensure it does it imply more risk?
  8. 8. 12 Characters, Minimum: There’s no minimum or standardised password length; but in general go for >12 to 14 characters Mix Numbers: Letters, Symbols, Upper & Lower-Case: Many different types makes passwords harder to crack Dictionary Words/Combination: To be avoided as much as possible - any isolated word is bad, and word combinations are also high risk Avoid Obvious Substitutions: Eg, replacing an ‘o’ with ‘0’ is obvious - a 3 for e or E, 2 for z or Z only slightly better - and DO use “, ; -} ] ) et al Number Strings: at the end, beginning or in the middle are also ‘obvious’ Industry Advice For a strong password you ‘at least’ need..
  9. 9. 12 Characters, Minimum: There’s no minimum or standardised password length; but in general go for >12 to 14 characters Mix Numbers: Letters, Symbols, Upper & Lower-Case: Many different types makes passwords harder to crack Dictionary Words/Combination: To be avoided as much as possible - any isolated word is bad, and word combinations are also high risk Avoid Obvious Substitutions: Eg, replacing an ‘o’ with ‘0’ is obvious - a 3 for e or E, 2 for z or Z only slightly better - and DO use “, ; -} ] ) et al Number Strings: at the end, beginning or in the middle are also ‘obvious’ Industry Advice For a strong password you ‘at least’ need.. Machines are fast intelligent exhaustive with extensive libraries One size does not fit all people and machines present different risks people are slow and get exhausted and use different methods
  10. 10. For a strong password you ‘at least’ need.. The snag is you are one click away from losing everything! And so another much bigger security fail/fail pops up and kills you stone dead! “The secret to good security is to design (in) ‘fail-safe’ and ‘fail-gracefully’ with ‘layered’ protection and multiple routes to recovery “All your ‘eggs’ in one basket is the dumbest and riskiest solution of all “ Strong Advice A password generator and management system
  11. 11. Password Managers D e l e g a t i n g t h e n i g h t m a r e t o m a c h i n e s Mostly Software embedded in browser plugins/web services to automatically manage user credentials They auto-paste (names/ID/email addresses) passwords into login forms, or simulate typing them, and generally support: •Printable characters •Passwords >64 characters •Pasting username and password
  12. 12. Password Managers D e l e g a t i n g t h e n i g h t m a r e t o m a c h i n e s Mostly Software embedded in browser plugins/web services to automatically manage user credentials They auto-paste (names/ID/email addresses) passwords into login forms, or simulate typing them, and generally support: •Printable characters •Passwords >64 characters •Pasting username and password don’t rely on one app alone m ake sure you engage a degree of diversity
  13. 13. Password Managers D e l e g a t i n g t h e c o m p l e x i t y t o m a c h i n e s Also, choose embedded password generators with many user choices:- Length Upper Case Lower Case Numbers Symbols Special Characters Similar Characters Generate on Device Generate on Server Auto-Select New Password https://digital.com/blog/best-strong-password-generators/
  14. 14. Password Managers W h y y o u n e e d / s h o u l d a l w a y s u s e o n e ! W h a t c o u l d p o s s i b l y g o w r o n g ? •Yo u r d e v i c e / m a c h i n e i s s t o l e n / b r o k e n / f a i l s / d i e s •A s o f t w a r e u p g r a d e s c r a m b l e s e v e r y t h i n g •Yo u r b a c k u p / r e c o v e r y p r o c e s s f a i l s •M a l w a r e f r e e z e s e v e r y t h i n g •T h e A p p / B r o w s e r f a i l s ………………..
  15. 15. REALITY CHECK Diversity-essential to survival Confounding the enemy by the reduction of habituality - and the introduction of the new, unexpected, surprises, and a reduction of discernible patterns… At best you will prevent a break in, and at worst you should slow and impede the Dark Side to cost them time and $$$$ Vary your methods and measures as much/frequently as is reasonably possible. Maximise the total Entropy of your defences
  16. 16. REALITY CHECK Diversity-essential to survival Beware of ‘Common Mode Failures’ due to an over reliance on one technology choice/route, or by being blind sided and/or overconfident in you choices, products, and engineering solutions. “Fortresses tend to remain relatively static whilst methods of attack always evolve” Get someone to attack and test your defences and solution(s)…never be so sure that you got it all right first time around…or indeed that it all exhibits longevity!
  17. 17. Use a password and/or document/ file/folder encryption… Strongest Advice For protected documents that may be accessed The concatenation by layers can add exponential difficulty for any attacker Obscuration by volume and location is also an effective mode of protection Password protect at every layer
  18. 18. Strongest Advice Use every weapon of defence you have available Do not rely on any one technique Respond rapidly to surprises Be prepared to be adaptive Use all available options Keep on top of new attack technologies - adapt and evolve on the fly…
  19. 19. CrEating your own Making life very difficult for The Dark Side IcannaTellythee Thi5i5th3b35tIcand0 Non-standard/Novel solutions can be hard/expensive to defeat
  20. 20. Degrees of Freedom Exploiting as many as possible @ the same time 26 Letters - Lower Case 26 Letters - Upper Case 10 Digits 36 Other } 96 Options per password character
  21. 21. Password Entropy The more disorder the harder it is to crack Password Entropy = log2(Nn ) = n log2(N) Where N = Number of character options (ie ~96 for standard QWERTY keyboard) And n = Number of characters in the password Recognisable words and phrases + repeated characters + similar characters represent degrees of order that increase the likelihood that a password will be cracked. The bigger the Entropy/Disorder the stronger the password!
  22. 22. Dominant Component T h e e n t r o p y o r d e r / d i s o r d e r b r e a k p o i n t Password Entropy = n log2(N) The ‘breakpoint’ is at n = log2(N) ie the password length ’n’ overtakes the number of possible character states ’N’ as the dominant factor All ‘viable’ passwords lie in the range n >> log2(N)
  23. 23. viable length F o r a g i v e n a p p / p r o t e c t i o n In the proximity of the break point: N = 10 then   n > 3 = 104 symbol states <<< 1s (n = 4) N = 26 n > 4 = 1.2 x 107 << 1s (n = 5) N = 52 n > 5 = 1.2 x 1010 < 1s (n = 6) N = 62 n > 5 = 5.7 x1010 < 1m (n = 6) N = 98 n > 6 = 8.7 x1013 < 10m (n = 7) Relative Computing Time to Crack
  24. 24. Ball Park Guide The entropy order/disorder breakpoint Password Length/Strength experience to 2019: 4 = Very Weak - puts you at risk 5 = Weak - just about OK for device password 8 = Fairly Strong for secure network access passwords 10 = Strong for secure access to company websites and data 16 = Very Strong for securing commercial and financial data access 22+ = Hyper Secure for encryption While a password with ~50 bits may be deemed ‘semi-safe’ in 2019, it is only a matter of time until more powerful GPUs, will see password cracking accelerate!
  25. 25. E n t r o p y G u i d e The entropy growth linearity… Length: 15, 16, 17, 18, 19 Strength: Strong (>16) - Safeguards sensitive information like financial records Entropy: 92.6 bits, 100 bits, 106.7 bits, 113.9 bits, 121.9 Empirical Security Threshold ~ 100 bits
  26. 26. T H I N K F U T U R E The ‘clicks/nulls’ are easy to find Beware of the dummy clicks on some of the later models - they can throw you off the track to eventual success ! It is easy to teach a child to crack locks of this kind!
  27. 27. No Feel or sound Owners have the upper hand at this point But the enemy only needs a weak or silly password to b r e a k i n a n d a s s u m e full control…and t h e n t h e f u n really starts! M o s t b r e a k - i n s a t t h i s l e ve l a r e d o w n t o t h e o w n e r / u s e r n a i v e t y, l a x i t y, a n d / o r i n f o r m a t i o n g a i n e d f r o m s o m e e x t e r n a l s o u r c e …
  28. 28. cracking Challenge Access limited to the keyboard and screen only Human typing speed What can be guessed Try all common passwords Brute Force Trial and Error Phishing/Spear-Phishing Social Engineering Prior Observation WiFi Break-in BlueTooth Break-in Identical browser data ? Same password for all ? Similar format for all ? Common key storage ? All BlueTooth Linked ? Public Data ? Social Nets ? Family Data? Publications? Hobbies? Likes ? Finger Face Print Spoof One device hit/ stolen: then all c a n b e l o c k e d d o w n w h e n o n line + location & pics of thief can be tracked /recorded Additions include 3 s t r i ke f re e ze - outs for 5, 15, 60 min, followed by p ro v i d e r g e n e ra l security alert
  29. 29. I n v i s i b l e t o u s ! Network, site, service and app attacks Wa y b e y o n d h u m a n s c a l e a n d m e n t a l a b i l i t i e s , b u t w e m u s t s t a r t w i t h a level of fundamental security based on a s t r o n g p a s s w o r d p ro t e c t e d c o re a n d connected devices Concatenated complexity can be employed to confound the e n e m y…ve r y h a rd f o r t h e m a n d ve r y e a s y f o r u s !
  30. 30. cracking TASK A prime driver of Password design Secure Comms Encrypted Vault Encrypted File Private Key Public Key E-Commerce Bank Account Financial Apps Network Apps Websites Documents E-Mail Personal Computer Work Station Mobile Device Bicycle Lock STRENGTH Password Name/ID Factors Very-Low Medium-High Optional Low-Medium Optional Extreme No Exceptions Very-Strong No Exceptions Extremely Dynamic Static Mechanically Set Dynamic Choice Discipline Changed Occasionally Regularly Randomly NEED Risk Exposure Driven Centuries Millenia Decades Years Minutes Time to Crack
  31. 31. Making it Safer C o n c a t e n a t i o n o f t h e s i m p l e C u s t o m e r N u m b e r, P a s s w o rd + invisible biome tri cs and ID/app checks+++ T h r e e f a i l e d t r i e s w i t h a n y i n c o r re c t o r s u s p i c i o u s e n t r i e s / information and the u s er is th e frozen out for a period. The ‘ f r e e z e o u t ’ p e r i o d i s t h e n progressively extended on every repeated log-in attempt: security d e p a r t m e n t i s a l e r t e d a n d c u s t o m e r s a r e a s k e d t o s t a r t from a new log on process
  32. 32. Password Libraries! Extensive collections built from successful hacks There are organisations collecting & marketing Passwords, PINs, ID and Card info on a business basis across the internet…and ‘The Dark Side’ is a prime mover and key player… Libraries are now a key component of the leading edge password attack engines/machines The Dark Side are not the only ones using such libraries ! Criminal Hackers Rogue States State Security Services
  33. 33. Always use A Checker T h e y g i ve ‘ B r u t e F o rc e’ c ra c k i n g t i m e e s t i m a t e s B e w a r e t h a t t h e y a r e based on computing power t o d a y, a n d n o t t h e f u t u re ! NOTE : ‘Brut e F orce’ im pli es e x h a u s t i v e s e a r c h i n g w i t h no a priori sophistication…. ie, t he use of lib rari es i s not the norm here! Dozens available: and it is worth testing a range…
  34. 34. For M o dest Security C h o o s e s o m e t h i n g e a s y t o re m e m b e r & m o d i f y VerseProseDatesPlacesNames ++++++
  35. 35. I wandered lonely as a cloud That floats o’er vales and hills, When all at once I saw a crowd I w l a a c Wa a o I s a c I w 1 a A c Wa 1 2 D a y s I w 1 a A c Wa A o 4 Ye a r s I w 1 a A c Wa A o I 5 4 C I w 1 a A c Wa A o I 5 a C 3 2 7 C I w 1 a A c Wa A o I 5 a C £ $ 1 0 K C + Wordsworth F a v o u r i t e P r o s e / P o e m s T h e t r i c k i s t o d e s t r o y / d i s g u i s e / o b s c u r e l e t t e r p a t t e r n s t h a t m i g h t h j e l p m a c h i n e s i d e n t i f y s e n t e n c e s a n d v e r s e s U s i n g o n l y t h e f i r s t o r l a s t l e t t e r i s a s t a r t , b u t u s i n g e v e r y o t h e r l e t t e r p l u s s y m b o l o b s c u r a t i o n i s b e t t e r !
  36. 36. Do not go qentle into that good night o t o e o t d t o t o e o t d t 1 2 D a y s O To e 0 t d 7 4 M o n t h O To e 0 7 d t ! 4 Ye a r s O To e 0 7 d t ! 6 9 3 3 Ye a r s £ O To e 0 7 d t ! 6 9 4 C P a s s w o r d g e n e r a t i o n b y a n a l g o r i t h m o f y o u r f a v o u r i t e v e r s e a n d o n e m e m o r a b l e y e a r s DYLAN THOMAS
  37. 37. M o s t s m a r t a t t a c k e n g i n e s w i l l e v e n t u a l l y d e c o d e p a s s w o r d s b a s e d o n p ro s e a n d v e r s e f o r a l l c o m m o n l y re a d t e x t … b e s t c h o o s e s o m e t h i n g r a r e / o b s c u r e … s p e c i a l t o y o u a n d y o u r l i f e r e m e m b r a n c e s … S m a r t m a c h i n e s Awa re o f Wo rd s wo r t h & T h o m a s e t a l
  38. 38. E n h a n c i n g S e c u r i t y S t a r t f ro m a c a t a l o g u e o f t h i n g s o n l y y o u k n o w Layering algorithmic complexity to increase the Entropy
  39. 39. All about you Known by you and you alone WHO WE: Are; Know; Met; Loved; Married; +++ H O W W E : L e a r n e d t o D r i v e ; We re E d u c a t e d ; + + + W H Y W E : D e c i d e d ( Y ) ; P u r c h a s e d ( Z ) ; + + + WHAT WE: D o ; D i d ; L i k e ; B e l i e v e ; Re a d ; + + + WHERE WE: L i v e d ; V i s i t ; P ro p o s e d ; M a r r i e d ; + + +
  40. 40. algorithmic vectors Carpenter Space Shuttle Constructing; not remembering passwords Something you: - Do - Did - Saw - Are - Said - Were - Know - Admire - Possess - Possessed - Remember - Understand Hillman Imp Drill C r S e D l H n I p C r 5 3 D 4 H n 1 p ! ! 4C to Crack login vectors Constructing - not remembering Carpenter Space Shuttle Algorithmic construction by the concatenation of elements only known by you…
  41. 41. Enhancing login vectors Perhaps a line from a song: “Its a kind of magic” 15akd0fmc! <4 Years to Crack Plenty strong enough for a laptop log-in or document password Perhaps a line from a book: “It was the best of times” 1tw573bt0fts <4 C to Crack Something you like to sing and/or listen to… Algorithmic construction by the concatenation of elements only known by you…
  42. 42. Enhancing login vectors Something between lovers or parent and child: I will always be here for you no matter How I love thee more than life itself H w 1 4 3 7 e m 3 t n 4 e i f ! ! 1 w 1 a s b 3 h e f r y u n 0 m r ! >10kC to Crack >10kC to Crack Something unique you said or promised within your family Algorithmic construction by the concatenation of elements only known by you…
  43. 43. Concatenating numerous very low cost biometrics is extremely powerful… - Eye 10 -3 @ < $5 - Face 10 -2 @ < $2 - Hand 10 -3 @ < $2 - Voice 10 -3 @ < $2 - Typing 10 -3 @ < $2 - Habits 10 -2 @ < $1 - Devices 10 -1 @ < $1 - Locations 10 -2 @ < $1 - ++++ Password ++ The typing rhythm at an ATM is unique and very cheap to recognise… Morse Code experience was the pre-cursor to this solution… Error Probability <10 -8 @ < $6 Obscuration by ’n' layers
  44. 44. Automate the process Choose a (or >1) reputable password generator Ensure that it is fit for purpose and that you choose sensible settings by application and by need
  45. 45. Overview A proportional view Device > 6…defeats humans Web Site >10…concatenate Document >12 - 16 Encryption >14 - 32 Membership >14…concatenate Social Networks >14…concatenate Financial Services >16 - 32…concatenate Concatenate = May Include: ID/PIN,Password/Questions/3 Try Limit/ BioMetrics/Random CheckBack/ 2/3 Factor Authentication/++
  46. 46. l a y e r e d S e c u r i t y Ex p onent ially increasing the entropy challenge 6 Digit PIN > 8 Character Password Name/ID > 10 Character Password Name/ID > 14 Character Password Name/ID + PIN >16 Character Password BackEnd BIOMetrics Up Front BIOMetrics
  47. 47. T h e r e i s a l w a y s a t h r e a t R E M E M B E R I t i s s m a r t : S h a r i n g R u t h l e s s D y n a m i c L e a r n i n g A d a p t i n g C o n s t a n t M o t i v a t e d N e t w o r ke d + + + B e yo n d T h e L a w F o r M o r e G OTO : https://bit.ly/2F0y6in https://bit.ly/2SuwVzL https://bit.ly/2FcCtqR https://bit.ly/2SxHsKv https://bit.ly/2QsmBWb https://bit.ly/2MBED7v https://bit.ly/39mJNxB
  48. 48. Thank You 57Ay5af3K33p53CuR3 Make it very hard for the enemy - everything is at stake! petercochrane.com

×