How To Design pA55w0rDs:-)
petercochrane.com
ABC12345def
Prof Peter Cochrane OBE
Sentient Systems
THE nIGHTMARE!
*A different password for each account
*Change your passwords regularly
*Don’t keep a documented record
*Don’t embed them in a browser
*Don’t write them down
*Don’t tell anyone
*Don’t share
Guidelines and lots of useful advice
that is often impractical and/or
impossible:-
Make them > 11 characters that include
a mix of alpha numerics - upper & lower
case plus punctuation marks and special
characters…
Public Reality!
A fundamental incapability to deal &
cope with the complexities and many
challenges of IT…
Industry needs to produce, deliver and
maintain inherently secure products - to
get the users out of the Realm of Risk
management, including password hell!
OMG - Really!
YES, people are indeed silly
We need to do
much better
than this!
THE Threat
Omnipresent
Highly motivated
Growing by the day
Smart
Adaptive
Resourceful
Well organised
Global
24 x 7
People
Machines
Networks
AI, Apps, Clouds
+++
“Never underestimate the enemy - and never assume you are smarter than they are”
Passwords in ‘diaries’
Passwords in ‘eMails’
Passwords on ‘post its’
Passwords in ‘open docs’
Passwords on ‘white boards’
Passwords shared ‘between apps’
Passwords shared ‘between peoples’
Passwords shared ‘between web sites’
Passwords used on spoof web sites/services
+++++
The Gullibility Threat
Social engineering - persuasion - observation - bribes ++
Passwords extracted by ‘smart’ conversationalists,
friends, family, associates, colleagues, co-workers ++++
Welcome to password &
two factor hell!
We need to do
much better
than this!
What do you do when
there is no mobile signal
or there’s a loooong
delay or network fault?
You need at least a net-sync’d app embedded on your machine - but does it imply more risk?
Industry Advice
For a strong password you ‘at least’ need..
12 Characters, Minimum: There’s no minimum or standardised password length; but in general go for >12 to 14 characters
Mix Numbers, Letters, Symbols, Upper & Lower-Case: Many different types make passwords harder to crack
Dictionary Words/Combinations: To be avoided as much as possible - any isolated word is bad, and word combinations are also high risk
Avoid Obvious Substitutions: E.g. replacing an ‘o’ with ‘0’ is obvious - a 3 for e or E, 2 for z or Z only slightly better - and DO use “, ; -} ] ) et al
Number Strings: at the end, beginning or in the middle are also ‘obvious’
Machines are fast, intelligent, exhaustive, with extensive libraries.
One size does not fit all: people and machines present different risks.
People are slow, get exhausted, and use different methods.
For a strong password you ‘at least’ need..
The snag is you are one click away from losing everything!
And so another much bigger security fail/fail pops up and kills you stone dead!
“The secret to good security is to design (in) ‘fail-safe’ and ‘fail-gracefully’ with ‘layered’ protection and multiple routes to recovery”
“All your ‘eggs’ in one basket is the dumbest and riskiest solution of all”
Strong Advice
A password generator and management system
Password Managers
Delegating the nightmare to machines
Mostly Software embedded in browser plugins/web services to automatically
manage user credentials
They auto-paste (names/ID/email addresses) passwords into login forms, or
simulate typing them, and generally support:
•Printable characters
•Passwords >64 characters
•Pasting username and password
Don’t rely on one app alone - make sure you engage a degree of diversity
Password Managers
Delegating the complexity to machines
Also, choose embedded password generators with many user choices:-
Length
Upper Case
Lower Case
Numbers
Symbols
Special Characters
Similar Characters
Generate on Device
Generate on Server
Auto-Select
New Password
https://digital.com/blog/best-strong-password-generators/
Password Managers
Why you need/should always use one!
What could possibly go wrong?
•Your device/machine is stolen/broken/fails/dies
•A software upgrade scrambles everything
•Your backup/recovery process fails
•Malware freezes everything
•The App/Browser fails
…
REALITY CHECK
Diversity - essential to survival
Confounding the enemy by the reduction of habituality - and the introduction of the new, unexpected, surprises, and a reduction of discernible patterns…
At best you will prevent a break in, and at worst you should slow and impede the Dark Side to cost them time and $$$$
Vary your methods and measures as much/frequently as is reasonably possible. Maximise the total Entropy of your defences
REALITY CHECK
Diversity - essential to survival
Beware of ‘Common Mode Failures’ due to an over reliance on one technology choice/route, or by being blind sided and/or overconfident in your choices, products, and engineering solutions.
“Fortresses tend to remain relatively static whilst methods of attack always evolve”
Get someone to attack and test your defences and solution(s)…never be so sure that you got it all right first time around…or indeed that it all exhibits longevity!
Strongest Advice
Use a password and/or document/file/folder encryption…
For protected documents that may be accessed
The concatenation by layers can add exponential difficulty for any attacker
Obscuration by volume and location is also an effective mode of protection
Password protect at every layer
Strongest Advice
Use every weapon of defence you have available
Do not rely on any one technique
Respond rapidly to surprises
Be prepared to be adaptive
Use all available options
Keep on top of new attack technologies - adapt and evolve on the fly…
CrEating your own
Making life very difficult for The Dark Side
IcannaTellythee
Thi5i5th3b35tIcand0
Non-standard/Novel solutions can be hard/expensive to defeat
Degrees of Freedom
Exploiting as many as possible @ the same time
26 Letters - Lower Case
26 Letters - Upper Case
10 Digits
36 Other } 96 Options per password character
Password Entropy
The more disorder the harder it is to crack
Password Entropy = log2(N^n) = n log2(N)
Where N = Number of character options (i.e. ~96 for a standard QWERTY keyboard)
And n = Number of characters in the password
Recognisable words and phrases + repeated characters +
similar characters represent degrees of order that increase
the likelihood that a password will be cracked.
The bigger the Entropy/Disorder the stronger the password!
Dominant Component
The entropy order/disorder breakpoint
Password Entropy = n log2(N)
The ‘breakpoint’ is at n = log2(N), i.e. the password length ‘n’ overtakes the number of possible character states ‘N’ as the dominant factor
All ‘viable’ passwords lie in the range n >> log2(N)
viable length
For a given app/protection
In the proximity of the break point:
N = 10   n > 3   10^4 symbol states   <<< 1s  (n = 4)
N = 26   n > 4   1.2 x 10^7            << 1s  (n = 5)
N = 52   n > 5   1.2 x 10^10            < 1s  (n = 6)
N = 62   n > 5   5.7 x 10^10            < 1m  (n = 6)
N = 98   n > 6   8.7 x 10^13           < 10m  (n = 7)
(right-hand column: Relative Computing Time to Crack)
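The entropy formula and the breakpoint table above as a worked calculation, added here as an example; this is not code from the original deck. It uses the deck's H = n log2(N), takes the 32 ASCII punctuation characters as the "other" class (the deck counts 36, so its N comes out at 96 or 98 rather than 94), and assumes an attacker rate of 10^10 guesses per second for the ball-park time; CLASSES and GUESSES_PER_SECOND are those assumptions.

```python
"""Password entropy, the order/disorder breakpoint and a ball-park crack time.

Worked example added to the deck, not the author's code. It applies the deck's
formula H = n * log2(N): N = number of character states, n = password length.
The class sizes and the attacker guess rate below are assumptions.
"""
import math
import string

# Character classes and their sizes. The deck counts 26 + 26 + 10 + "36 other";
# here "other" is the 32 ASCII punctuation characters (assumption), so a
# password drawing on all four classes has N = 94.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "other": set(string.punctuation),
}

# Assumed attacker guess rate for the ball-park figure: 10^10 guesses/second.
# The deck's point stands whatever you pick: today's rate is tomorrow's floor.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def character_states(password: str) -> int:
    """N: size of the smallest keyspace covering every character class used.
    A character outside the four classes (e.g. '£') adds one extra state."""
    n_states = 0
    for members in CLASSES.values():
        if any(ch in members for ch in password):
            n_states += len(members)
    extra = {ch for ch in password if not any(ch in m for m in CLASSES.values())}
    return n_states + len(extra)


def entropy_bits(password: str) -> float:
    """H = n * log2(N): the deck's Password Entropy for a random pick over N states."""
    n = len(password)
    big_n = character_states(password)
    return n * math.log2(big_n) if n and big_n > 1 else 0.0


def breakpoint_length(big_n: int) -> int:
    """Smallest integer n with n > log2(N): the deck's order/disorder breakpoint
    (N=10 -> 4, N=26 -> 5, N=52 -> 6, N=62 -> 6, N=98 -> 7)."""
    return math.floor(math.log2(big_n)) + 1


def years_to_exhaust(n: int, big_n: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Years for an exhaustive search of N^n states at `rate` guesses/second.
    This is the brute-force figure a checker reports; a library attack against a
    predictable password can finish far sooner, so treat it as an upper bound."""
    return (big_n ** n) / rate / SECONDS_PER_YEAR


def layered_entropy(*layers: str) -> float:
    """Independent factors concatenated (PIN + password + ...): entropies add,
    so the attacker's keyspace multiplies. This is the deck's 'layering'."""
    return sum(entropy_bits(layer) for layer in layers)


if __name__ == "__main__":
    for pw in ("Thi5i5th3b35tIcand0", "IcannaTellythee", "abc12345"):
        n, big_n = len(pw), character_states(pw)
        print(f"{pw:22s} N={big_n:3d} n={n:2d} H={entropy_bits(pw):6.1f} bits "
              f"brute force ~{years_to_exhaust(n, big_n):.3g} years")
    for big_n in (10, 26, 52, 62, 98):
        k = breakpoint_length(big_n)
        print(f"N={big_n:3d}: breakpoint n={k}, N^n={big_n ** k:.2g}")
    print(f"6-digit PIN + 8-char password: {layered_entropy('123456', 'abc12345'):.1f} bits")
```

Running it reproduces the breakpoint column of the table (4, 5, 6, 6, 7) from log2(N) alone; the crack-time column depends entirely on the assumed rate, which is the caveat the "Always use A Checker" slide makes.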
Ball Park Guide
The entropy order/disorder breakpoint
Password Length/Strength experience to 2019:
4 = Very Weak - puts you at risk
5 = Weak - just about OK for device password
8 = Fairly Strong for secure network access passwords
10 = Strong for secure access to company websites and data
16 = Very Strong for securing commercial and financial data access
22+ = Hyper Secure for encryption
While a password with ~50 bits may be deemed ‘semi-safe’ in 2019, it is only a matter of time until more powerful GPUs see password cracking accelerate!
Entropy Guide
The entropy growth linearity…
Length:   15         16        17          18          19
Entropy:  92.6 bits  100 bits  106.7 bits  113.9 bits  121.9 bits
Strength: Strong (>16) - Safeguards sensitive information like financial records
Empirical Security Threshold ~ 100 bits
THINK FUTURE
The ‘clicks/nulls’ are easy to find
Beware of the dummy clicks on some of the later models - they can throw you off the track to eventual success!
It is easy to teach a child to crack locks of this kind!
No Feel or sound
Owners have the upper hand at this point
But the enemy only needs a weak or silly password to break in and assume full control…and then the fun really starts!
Most break-ins at this level are down to the owner/user naivety, laxity, and/or information gained from some external source…
cracking Challenge
Access limited to the keyboard and screen only
Human typing speed
What can be guessed
Try all common passwords
Brute Force Trial and Error
Phishing/Spear-Phishing
Social Engineering
Prior Observation
WiFi Break-in
BlueTooth Break-in
Identical browser data ?
Same password for all ?
Similar format for all ?
Common key storage ?
All BlueTooth Linked ?
Public Data ?
Social Nets ?
Family Data?
Publications?
Hobbies?
Likes?
Finger Print / Face Spoof
One device hit/stolen: then all can be locked down when on line + location & pics of thief can be tracked/recorded
Additions include 3 strike freeze-outs for 5, 15, 60 min, followed by provider general security alert
Invisible to us!
Network, site, service and app attacks
Way beyond human scale and mental abilities, but we must start with a level of fundamental security based on a strong password protected core and connected devices
Concatenated complexity can be employed to confound the enemy…very hard for them and very easy for us!
cracking TASK
A prime driver of Password design
Secure Comms
Encrypted Vault
Encrypted File
Private Key
Public Key
E-Commerce
Bank Account
Financial Apps
Network Apps
Websites
Documents
E-Mail
Personal Computer
Work Station
Mobile Device
Bicycle Lock
STRENGTH
Password
Name/ID
Factors
Very-Low
Medium-High
Optional
Low-Medium
Optional
Extreme
No Exceptions
Very-Strong
No Exceptions
Extremely
Dynamic
Static
Mechanically
Set
Dynamic
Choice
Discipline
Changed
Occasionally
Regularly
Randomly
NEED
Risk
Exposure
Driven
Centuries
Millenia
Decades
Years
Minutes
Time to
Crack
Making it Safer
Concatenation of the simple
Customer Number, Password + invisible biometrics and ID/app checks+++
Three failed tries with any incorrect or suspicious entries/information and the user is then frozen out for a period. The ‘freeze out’ period is then progressively extended on every repeated log-in attempt: security department is alerted and customers are asked to start from a new log on process
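The three-strike freeze-out described here, and on the earlier "cracking Challenge" slide (5, 15, 60 min, then a provider alert), as a small state machine; this is an added example, not the deck's or any provider's code. The strike count, the 5/15/60 minute ladder and the alert sink are assumptions taken from those two slides.

```python
"""Three-strike freeze-out with progressively extended lock periods.

Worked example added to the deck (not the author's code). Policy modelled:
three consecutive failures freeze the account; each further run of three
failures takes the next, longer rung of the ladder; once the ladder is used up
a security alert is raised. STRIKES_BEFORE_FREEZE and FREEZE_SCHEDULE_MIN are
assumptions matching the deck's 3-strike, 5/15/60-minute example.
"""
from dataclasses import dataclass, field

STRIKES_BEFORE_FREEZE = 3            # assumption: "three failed tries"
FREEZE_SCHEDULE_MIN = (5, 15, 60)    # assumption: the deck's 5, 15, 60 min freeze-outs


@dataclass
class AccountState:
    failures: int = 0                # consecutive failures since last success/freeze
    freezes: int = 0                 # rungs of the ladder already used
    frozen_until: float = 0.0        # epoch seconds; 0 means not frozen
    alerts: list = field(default_factory=list)


def attempt_login(state: AccountState, now: float, credential_ok: bool) -> str:
    """Returns 'ok', 'rejected', 'frozen' or 'alert'. `now` is epoch seconds.

    A frozen account answers 'frozen' to every attempt, right or wrong, so a
    guess that happens to be correct during a freeze confirms nothing and
    does not shorten the freeze.
    """
    if now < state.frozen_until:
        return "frozen"
    if credential_ok:
        state.failures = 0
        state.freezes = 0            # a clean login resets the ladder
        return "ok"
    state.failures += 1
    if state.failures < STRIKES_BEFORE_FREEZE:
        return "rejected"
    state.failures = 0
    if state.freezes >= len(FREEZE_SCHEDULE_MIN):
        # Ladder exhausted: keep the longest freeze in force and escalate to people,
        # which is where the deck's "start from a new log on process" begins.
        state.frozen_until = now + FREEZE_SCHEDULE_MIN[-1] * 60
        state.alerts.append(("security-alert", now))
        return "alert"
    minutes = FREEZE_SCHEDULE_MIN[state.freezes]
    state.freezes += 1
    state.frozen_until = now + minutes * 60
    return "frozen"


def simulate(events):
    """events: iterable of (time_seconds, credential_ok). Returns the outcomes."""
    state = AccountState()
    return [attempt_login(state, t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed timeline: three bad guesses, a correct one during the freeze,
    # then two more runs of three bad guesses spaced past each freeze.
    timeline = [(0, False), (1, False), (2, False), (10, True),
                (400, False), (401, False), (402, False),
                (1500, False), (1501, False), (1502, False),
                (5200, False), (5201, False), (5202, False)]
    for (t, ok), outcome in zip(timeline, simulate(timeline)):
        print(f"t={t:5d}s credential_ok={ok!s:5s} -> {outcome}")
```

The policy as written freezes per account; a production deployment would also rate-limit per source address and count attempts across the whole login surface, otherwise the freeze itself becomes a way to lock a victim out.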
Password Libraries!
Extensive collections built from successful hacks
There are organisations collecting & marketing
Passwords, PINs, ID and Card info on a business
basis across the internet…and ‘The Dark Side’ is
a prime mover and key player…
Libraries are now a key component of the leading edge password attack engines/machines
The Dark Side are not the only ones using such libraries!
Criminal Hackers
Rogue States
State Security Services
Always use A Checker
They give ‘Brute Force’ cracking time estimates
Beware that they are based on computing power today, and not the future!
NOTE: ‘Brute Force’ implies exhaustive searching with no a priori sophistication…. i.e., the use of libraries is not the norm here!
Dozens available: and it is worth testing a range…
For Modest Security
Choose something easy to remember & modify
Verse, Prose, Dates, Places, Names ++++++
I wandered lonely as a cloud
That floats o’er vales and hills,
When all at once I saw a crowd
IwlaacWaaoIsac
Iw1aAcWa - 12 Days to Crack
Iw1aAcWaAo - 4 Years to Crack
Iw1aAcWaAoI5 - 4 C to Crack
Iw1aAcWaAoI5aC - 327 C to Crack
Iw1aAcWaAoI5aC£$ - 10 KC+ to Crack
Wordsworth
Favourite Prose/Poems
The trick is to destroy/disguise/obscure letter patterns that might help machines identify sentences and verses
Using only the first or last letter is a start, but using every other letter plus symbol obscuration is better!
Do not go gentle into that good night
otoeotdt
otoeotdt - 12 Days to Crack
OToe0td7 - 4 Month to Crack
OToe07dt! - 4 Years to Crack
OToe07dt!69 - 33 Years to Crack
£OToe07dt!69 - 4 C to Crack
Password generation by an algorithm of your favourite verse and one memorable year
DYLAN THOMAS
Most smart attack engines will eventually decode passwords based on prose and verse for all commonly read text…best choose something rare/obscure…special to you and your life remembrances…
Smart machines
Aware of Wordsworth & Thomas et al
Enhancing Security
Start from a catalogue of things only you know
Layering algorithmic complexity to increase the Entropy
All about you
Known by you and you alone
WHO WE: Are; Know; Met; Loved; Married; +++
HOW WE: Learned to Drive; Were Educated; +++
WHY WE: Decided (Y); Purchased (Z); +++
WHAT WE: Do; Did; Like; Believe; Read; +++
WHERE WE: Lived; Visit; Proposed; Married; +++
algorithmic vectors
Carpenter
Space Shuttle
Constructing; not remembering passwords
Something you:
- Do
- Did
- Saw
- Are
- Said
- Were
- Know
- Admire
- Possess
- Possessed
- Remember
- Understand
Hillman Imp
Drill
CrSeDlHnIp
Cr53D4Hn1p!! - 4C to Crack
login vectors
Constructing - not remembering
Carpenter
Space Shuttle
Algorithmic construction by the concatenation of elements only known by you…
Enhancing login vectors
Perhaps a line from a song:
“Its a kind of magic”
15akd0fmc!
<4 Years to Crack
Plenty strong enough for a laptop log-in
or document password
Perhaps a line from a book:
“It was the best of times”
1tw573bt0fts
<4 C to Crack
Something you like to sing and/or listen to…
Algorithmic construction by
the concatenation of elements
only known by you…
Enhancing login vectors
Something between lovers or parent and child:
I will always be here for you no matter
1w1asb3hefryun0mr! - >10kC to Crack
How I love thee more than life itself
Hw1437em3tn4eif!! - >10kC to Crack
Something unique you said or promised within your family
Algorithmic construction by
the concatenation of elements
only known by you…
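The construction used on the verse, song, book and "things only you know" slides, as a worked example added here (not the author's code): first, last, or first+last letter of each word, then symbol substitution and a memorable suffix. It reproduces the deck's own samples (first letters of Wordsworth, last letters of Dylan Thomas, first+last letters of Carpenter/Space/Drill/Hillman/Imp) and ends with the check the "Smart machines" slide implies: whether the core falls straight out of a library of well-known lines. The substitution map, the suffix and the tiny corpus are assumptions chosen to match the deck's samples.

```python
"""Mnemonic passwords from verse: first, last, or first+last letter of each word,
plus symbol substitution and a memorable suffix.

Worked example added to the deck, not the author's code. Reproduces the deck's
derivations: 'IwlaacWaaoIsac' (Wordsworth, first letters), 'otoeotdt' (Dylan
Thomas, last letters), 'CrSeDlHnIp' (first+last letters of a word list) and
'15akd0fmc!' (first+last letters of a song line with I->1, s->5, o->0 and '!').
DEFAULT_SUBS and CORPUS are assumptions.
"""
import re

MODES = ("first", "last", "first_last")

# Assumed substitution map, chosen to reproduce the deck's '15akd0fmc!' sample.
# As the deck says, such substitutions are obvious to attack engines on their own.
DEFAULT_SUBS = {"I": "1", "s": "5", "o": "0"}

# Constructed mini-corpus of well-known lines, standing in for the far larger
# libraries the deck says smart attack engines carry.
CORPUS = (
    "I wandered lonely as a cloud When all at once I saw a crowd",
    "Do not go gentle into that good night",
    "Its a kind of magic",
    "It was the best of times",
)


def words(phrase):
    """Alphabetic words only, so punctuation in the verse does not leak in."""
    return re.findall(r"[A-Za-z]+", phrase)


def mnemonic(phrase, mode="first"):
    """Core string built from the first, last, or first+last letter of each word."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    out = []
    for w in words(phrase):
        if mode == "first":
            out.append(w[0])
        elif mode == "last":
            out.append(w[-1])
        else:  # first_last: a one-letter word contributes a single letter
            out.append(w[0] + (w[-1] if len(w) > 1 else ""))
    return "".join(out)


def obscure(core, subs=None, suffix=""):
    """Apply character substitutions and append a memorable suffix (year, symbols)."""
    subs = DEFAULT_SUBS if subs is None else subs
    return "".join(subs.get(ch, ch) for ch in core) + suffix


def predictable_from(candidate, corpus=CORPUS, subs=None):
    """If `candidate` (suffix removed) is a mnemonic of any corpus line under any
    mode, with or without the substitution map, return (line, mode); else None.
    The deck's caveat in miniature: commonly read verse is already in the library."""
    for line in corpus:
        for mode in MODES:
            core = mnemonic(line, mode)
            if candidate in (core, obscure(core, subs)):
                return line, mode
    return None


if __name__ == "__main__":
    core = mnemonic("Its a kind of magic", "first_last")
    print(obscure(core, suffix="!"))                      # 15akd0fmc!
    print(predictable_from(obscure(core)))                # hit: it is in the corpus
    private = mnemonic("Some line only you know", "first_last")  # constructed
    print(predictable_from(obscure(private)))             # None
```

Usage follows the deck's order: pick a line, pick a mode, obscure, then add the year or symbols; the `predictable_from` check is the part to keep, since a core that a small corpus reproduces is one a real library reproduces too.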
Concatenating numerous very low cost biometrics is extremely powerful…
Each at (error probability @ unit cost):
- Eye       10^-3 @ < $5
- Face      10^-2 @ < $2
- Hand      10^-3 @ < $2
- Voice     10^-3 @ < $2
- Typing    10^-3 @ < $2
- Habits    10^-2 @ < $1
- Devices   10^-1 @ < $1
- Locations 10^-2 @ < $1
- ++++
Password ++
The typing rhythm at an ATM is unique and very cheap to recognise…
Morse Code experience was the pre-cursor to this solution…
Error Probability <10^-8 @ < $6
Obscuration by ’n' layers
Automate the process
Choose a (or >1) reputable password generator
Ensure that it is fit for purpose and that you choose sensible settings by application and by need
Overview
A proportional view
Device > 6…defeats humans
Web Site >10…concatenate
Document >12 - 16
Encryption >14 - 32
Membership >14…concatenate
Social Networks >14…concatenate
Financial Services >16 - 32…concatenate
Concatenate = May Include: ID/PIN, Password, Questions, 3 Try Limit, BioMetrics, Random CheckBack, 2/3 Factor Authentication/++
layered Security
Exponentially increasing the entropy challenge
6 Digit PIN
> 8 Character Password + Name/ID
> 10 Character Password + Name/ID
> 14 Character Password + Name/ID + PIN
> 16 Character Password + BackEnd BIOMetrics + Up Front BIOMetrics
There is always a threat
REMEMBER
It is smart:
Sharing
Ruthless
Dynamic
Learning
Adapting
Constant
Motivated
Networked
+++
Beyond The Law
For More GOTO:
https://bit.ly/2F0y6in
https://bit.ly/2SuwVzL
https://bit.ly/2FcCtqR
https://bit.ly/2SxHsKv
https://bit.ly/2QsmBWb
https://bit.ly/2MBED7v
https://bit.ly/39mJNxB
Thank You
57Ay5af3K33p53CuR3
Make it very hard for the enemy
- everything is at stake!
petercochrane.com

How to Design Passwords

  • 1.
    H o wTo D e s i g n pA55w0rDs:-)petercochrane.com ABC12345def Prof Peter Cochrane OBE Sentient Systems
  • 2.
    THE nIGHTMARE! *A differentpassword for each account *Change your passwords regularly *Don’t keep a documented record *Don’t embed them in a browser *Don’t write them down *Don’t tell anyone *Don’t share Guidelines and lots of useful advice that is often impractical and/or impossible:- Make them > 11 characters that include a mix of alpha numerics - upper & lower case plus punctuation marks and special characters…
  • 3.
    Public Reality! A fundamentalincapability to deal & cope with the complexities and many challenges of IT… Industry needs to produce, deliver and maintain inherently secure products - to get the users out of the Realm of Risk management, including password hell!
  • 4.
    OMG - Really! YES, people are indeed silly We need to do much better than this!
  • 5.
    THE Threat Omnipresent Highly motivated Growingby the day Smart Adaptive Resourceful Well organised Global 24 x 7 People Machines Networks AI, Apps, Clouds +++ “Never underestimate the enemy - and never . assume you are smarter than they are”
  • 6.
    Passwords in ‘diaries’ Passwordsin ‘eMails’ Passwords on ‘post its’ Passwords in ‘open docs’ Passwords on ‘white boards’ Passwords shared ‘between apps’ Passwords shared ‘between peoples’ Passwords shared ‘between web sites’ Passwords used on spoof web sites/services +++++ The Gullibility Threat Social engineering - persuasion - observation - bribes ++ Passwords extracted by ‘smart’ conversationalists, friends, family, associates, colleagues, co-workers ++++
  • 7.
    Welcome to password& two factor hell! We need to do much better than this! What do you do when there is no mobile signal or there’s a loooong delay or network fault? You need at least: a net sync’d app embedded on your machine, but ensure it does it imply more risk?
  • 8.
    12 Characters, Minimum:There’s no minimum or standardised password length; but in general go for >12 to 14 characters Mix Numbers: Letters, Symbols, Upper & Lower-Case: Many different types makes passwords harder to crack Dictionary Words/Combination: To be avoided as much as possible - any isolated word is bad, and word combinations are also high risk Avoid Obvious Substitutions: Eg, replacing an ‘o’ with ‘0’ is obvious - a 3 for e or E, 2 for z or Z only slightly better - and DO use “, ; -} ] ) et al Number Strings: at the end, beginning or in the middle are also ‘obvious’ Industry Advice For a strong password you ‘at least’ need..
  • 9.
    12 Characters, Minimum:There’s no minimum or standardised password length; but in general go for >12 to 14 characters Mix Numbers: Letters, Symbols, Upper & Lower-Case: Many different types makes passwords harder to crack Dictionary Words/Combination: To be avoided as much as possible - any isolated word is bad, and word combinations are also high risk Avoid Obvious Substitutions: Eg, replacing an ‘o’ with ‘0’ is obvious - a 3 for e or E, 2 for z or Z only slightly better - and DO use “, ; -} ] ) et al Number Strings: at the end, beginning or in the middle are also ‘obvious’ Industry Advice For a strong password you ‘at least’ need.. Machines are fast intelligent exhaustive with extensive libraries One size does not fit all people and machines present different risks people are slow and get exhausted and use different methods
  • 10.
    For a strongpassword you ‘at least’ need.. The snag is you are one click away from losing everything! And so another much bigger security fail/fail pops up and kills you stone dead! “The secret to good security is to design (in) ‘fail-safe’ and ‘fail-gracefully’ with ‘layered’ protection and multiple routes to recovery “All your ‘eggs’ in one basket is the dumbest and riskiest solution of all “ Strong Advice A password generator and management system
  • 11.
    Password Managers D el e g a t i n g t h e n i g h t m a r e t o m a c h i n e s Mostly Software embedded in browser plugins/web services to automatically manage user credentials They auto-paste (names/ID/email addresses) passwords into login forms, or simulate typing them, and generally support: •Printable characters •Passwords >64 characters •Pasting username and password
  • 12.
    Password Managers D el e g a t i n g t h e n i g h t m a r e t o m a c h i n e s Mostly Software embedded in browser plugins/web services to automatically manage user credentials They auto-paste (names/ID/email addresses) passwords into login forms, or simulate typing them, and generally support: •Printable characters •Passwords >64 characters •Pasting username and password don’t rely on one app alone m ake sure you engage a degree of diversity
  • 13.
    Password Managers D el e g a t i n g t h e c o m p l e x i t y t o m a c h i n e s Also, choose embedded password generators with many user choices:- Length Upper Case Lower Case Numbers Symbols Special Characters Similar Characters Generate on Device Generate on Server Auto-Select New Password https://digital.com/blog/best-strong-password-generators/
  • 14.
    Password Managers W hy y o u n e e d / s h o u l d a l w a y s u s e o n e ! W h a t c o u l d p o s s i b l y g o w r o n g ? •Yo u r d e v i c e / m a c h i n e i s s t o l e n / b r o k e n / f a i l s / d i e s •A s o f t w a r e u p g r a d e s c r a m b l e s e v e r y t h i n g •Yo u r b a c k u p / r e c o v e r y p r o c e s s f a i l s •M a l w a r e f r e e z e s e v e r y t h i n g •T h e A p p / B r o w s e r f a i l s ………………..
  • 15.
    REALITY CHECK Diversity-essential tosurvival Confounding the enemy by the reduction of habituality - and the introduction of the new, unexpected, surprises, and a reduction of discernible patterns… At best you will prevent a break in, and at worst you should slow and impede the Dark Side to cost them time and $$$$ Vary your methods and measures as much/frequently as is reasonably possible. Maximise the total Entropy of your defences
  • 16.
    REALITY CHECK Diversity-essential tosurvival Beware of ‘Common Mode Failures’ due to an over reliance on one technology choice/route, or by being blind sided and/or overconfident in you choices, products, and engineering solutions. “Fortresses tend to remain relatively static whilst methods of attack always evolve” Get someone to attack and test your defences and solution(s)…never be so sure that you got it all right first time around…or indeed that it all exhibits longevity!
  • 17.
    Use a passwordand/or document/ file/folder encryption… Strongest Advice For protected documents that may be accessed The concatenation by layers can add exponential difficulty for any attacker Obscuration by volume and location is also an effective mode of protection Password protect at every layer
  • 18.
    Strongest Advice Use everyweapon of defence you have available Do not rely on any one technique Respond rapidly to surprises Be prepared to be adaptive Use all available options Keep on top of new attack technologies - adapt and evolve on the fly…
  • 19.
    CrEating your own Makinglife very difficult for The Dark Side IcannaTellythee Thi5i5th3b35tIcand0 Non-standard/Novel solutions can be hard/expensive to defeat
  • 20.
    Degrees of Freedom Exploitingas many as possible @ the same time 26 Letters - Lower Case 26 Letters - Upper Case 10 Digits 36 Other } 96 Options per password character
  • 21.
    Password Entropy The moredisorder the harder it is to crack Password Entropy = log2(Nn ) = n log2(N) Where N = Number of character options (ie ~96 for standard QWERTY keyboard) And n = Number of characters in the password Recognisable words and phrases + repeated characters + similar characters represent degrees of order that increase the likelihood that a password will be cracked. The bigger the Entropy/Disorder the stronger the password!
  • 22.
    Dominant Component T he e n t r o p y o r d e r / d i s o r d e r b r e a k p o i n t Password Entropy = n log2(N) The ‘breakpoint’ is at n = log2(N) ie the password length ’n’ overtakes the number of possible character states ’N’ as the dominant factor All ‘viable’ passwords lie in the range n >> log2(N)
  • 23.
    viable length F or a g i v e n a p p / p r o t e c t i o n In the proximity of the break point: N = 10 then   n > 3 = 104 symbol states <<< 1s (n = 4) N = 26 n > 4 = 1.2 x 107 << 1s (n = 5) N = 52 n > 5 = 1.2 x 1010 < 1s (n = 6) N = 62 n > 5 = 5.7 x1010 < 1m (n = 6) N = 98 n > 6 = 8.7 x1013 < 10m (n = 7) Relative Computing Time to Crack
  • 24.
    Ball Park Guide Theentropy order/disorder breakpoint Password Length/Strength experience to 2019: 4 = Very Weak - puts you at risk 5 = Weak - just about OK for device password 8 = Fairly Strong for secure network access passwords 10 = Strong for secure access to company websites and data 16 = Very Strong for securing commercial and financial data access 22+ = Hyper Secure for encryption While a password with ~50 bits may be deemed ‘semi-safe’ in 2019, it is only a matter of time until more powerful GPUs, will see password cracking accelerate!
  • 25.
    E n tr o p y G u i d e The entropy growth linearity… Length: 15, 16, 17, 18, 19 Strength: Strong (>16) - Safeguards sensitive information like financial records Entropy: 92.6 bits, 100 bits, 106.7 bits, 113.9 bits, 121.9 Empirical Security Threshold ~ 100 bits
  • 26.
    T H IN K F U T U R E The ‘clicks/nulls’ are easy to find Beware of the dummy clicks on some of the later models - they can throw you off the track to eventual success ! It is easy to teach a child to crack locks of this kind!
  • 27.
    No Feel orsound Owners have the upper hand at this point But the enemy only needs a weak or silly password to b r e a k i n a n d a s s u m e full control…and t h e n t h e f u n really starts! M o s t b r e a k - i n s a t t h i s l e ve l a r e d o w n t o t h e o w n e r / u s e r n a i v e t y, l a x i t y, a n d / o r i n f o r m a t i o n g a i n e d f r o m s o m e e x t e r n a l s o u r c e …
  • 28.
    cracking Challenge Access limitedto the keyboard and screen only Human typing speed What can be guessed Try all common passwords Brute Force Trial and Error Phishing/Spear-Phishing Social Engineering Prior Observation WiFi Break-in BlueTooth Break-in Identical browser data ? Same password for all ? Similar format for all ? Common key storage ? All BlueTooth Linked ? Public Data ? Social Nets ? Family Data? Publications? Hobbies? Likes ? Finger Face Print Spoof One device hit/ stolen: then all c a n b e l o c k e d d o w n w h e n o n line + location & pics of thief can be tracked /recorded Additions include 3 s t r i ke f re e ze - outs for 5, 15, 60 min, followed by p ro v i d e r g e n e ra l security alert
  • 29.
    I n vi s i b l e t o u s ! Network, site, service and app attacks Wa y b e y o n d h u m a n s c a l e a n d m e n t a l a b i l i t i e s , b u t w e m u s t s t a r t w i t h a level of fundamental security based on a s t r o n g p a s s w o r d p ro t e c t e d c o re a n d connected devices Concatenated complexity can be employed to confound the e n e m y…ve r y h a rd f o r t h e m a n d ve r y e a s y f o r u s !
  • 30.
    cracking TASK A primedriver of Password design Secure Comms Encrypted Vault Encrypted File Private Key Public Key E-Commerce Bank Account Financial Apps Network Apps Websites Documents E-Mail Personal Computer Work Station Mobile Device Bicycle Lock STRENGTH Password Name/ID Factors Very-Low Medium-High Optional Low-Medium Optional Extreme No Exceptions Very-Strong No Exceptions Extremely Dynamic Static Mechanically Set Dynamic Choice Discipline Changed Occasionally Regularly Randomly NEED Risk Exposure Driven Centuries Millenia Decades Years Minutes Time to Crack
  • 31.
    Making it Safer Co n c a t e n a t i o n o f t h e s i m p l e C u s t o m e r N u m b e r, P a s s w o rd + invisible biome tri cs and ID/app checks+++ T h r e e f a i l e d t r i e s w i t h a n y i n c o r re c t o r s u s p i c i o u s e n t r i e s / information and the u s er is th e frozen out for a period. The ‘ f r e e z e o u t ’ p e r i o d i s t h e n progressively extended on every repeated log-in attempt: security d e p a r t m e n t i s a l e r t e d a n d c u s t o m e r s a r e a s k e d t o s t a r t from a new log on process
  • 32.
    Password Libraries! Extensive collectionsbuilt from successful hacks There are organisations collecting & marketing Passwords, PINs, ID and Card info on a business basis across the internet…and ‘The Dark Side’ is a prime mover and key player… Libraries are now a key component of the leading edge password attack engines/machines The Dark Side are not the only ones using such libraries ! Criminal Hackers Rogue States State Security Services
  • 33.
    Always use AChecker T h e y g i ve ‘ B r u t e F o rc e’ c ra c k i n g t i m e e s t i m a t e s B e w a r e t h a t t h e y a r e based on computing power t o d a y, a n d n o t t h e f u t u re ! NOTE : ‘Brut e F orce’ im pli es e x h a u s t i v e s e a r c h i n g w i t h no a priori sophistication…. ie, t he use of lib rari es i s not the norm here! Dozens available: and it is worth testing a range…
  • 34.
    For M odest Security C h o o s e s o m e t h i n g e a s y t o re m e m b e r & m o d i f y VerseProseDatesPlacesNames ++++++
  • 35.
    I wandered lonelyas a cloud That floats o’er vales and hills, When all at once I saw a crowd I w l a a c Wa a o I s a c I w 1 a A c Wa 1 2 D a y s I w 1 a A c Wa A o 4 Ye a r s I w 1 a A c Wa A o I 5 4 C I w 1 a A c Wa A o I 5 a C 3 2 7 C I w 1 a A c Wa A o I 5 a C £ $ 1 0 K C + Wordsworth F a v o u r i t e P r o s e / P o e m s T h e t r i c k i s t o d e s t r o y / d i s g u i s e / o b s c u r e l e t t e r p a t t e r n s t h a t m i g h t h j e l p m a c h i n e s i d e n t i f y s e n t e n c e s a n d v e r s e s U s i n g o n l y t h e f i r s t o r l a s t l e t t e r i s a s t a r t , b u t u s i n g e v e r y o t h e r l e t t e r p l u s s y m b o l o b s c u r a t i o n i s b e t t e r !
  • 36.
    Do not goqentle into that good night o t o e o t d t o t o e o t d t 1 2 D a y s O To e 0 t d 7 4 M o n t h O To e 0 7 d t ! 4 Ye a r s O To e 0 7 d t ! 6 9 3 3 Ye a r s £ O To e 0 7 d t ! 6 9 4 C P a s s w o r d g e n e r a t i o n b y a n a l g o r i t h m o f y o u r f a v o u r i t e v e r s e a n d o n e m e m o r a b l e y e a r s DYLAN THOMAS
  • 37.
    Most smart attack engines will eventually decode passwords based on prose and verse for all commonly read text… best choose something rare/obscure… special to you and your life remembrances… Smart machines: aware of Wordsworth & Thomas et al.
  • 38.
    Enhancing Security: Start from a catalogue of things only you know. Layering algorithmic complexity to increase the Entropy.
  • 39.
    All about you: Known by you and you alone. WHO WE: Are; Know; Met; Loved; Married; +++ HOW WE: Learned to Drive; Were Educated; +++ WHY WE: Decided (Y); Purchased (Z); +++ WHAT WE: Do; Did; Like; Believe; Read; +++ WHERE WE: Lived; Visit; Proposed; Married; +++
  • 40.
    Algorithmic vectors: Constructing, not remembering passwords. Something you: Do; Did; Saw; Are; Said; Were; Know; Admire; Possess; Possessed; Remember; Understand. Example elements: Carpenter, Space Shuttle, Drill, Hillman Imp → CrSeDlHnIp → Cr53D4Hn1p!! → 4C to Crack. Login vectors: Constructing - not remembering. Algorithmic construction by the concatenation of elements only known by you…
  • 41.
    Enhancing login vectors. Perhaps a line from a song: “It’s a kind of magic” → 15akd0fmc! → <4 Years to Crack. Plenty strong enough for a laptop log-in or document password. Perhaps a line from a book: “It was the best of times” → 1tw573bt0fts → <4 C to Crack. Something you like to sing and/or listen to… Algorithmic construction by the concatenation of elements only known by you…
  • 42.
    Enhancing login vectors. Something between lovers or parent and child: “I will always be here for you no matter” → 1w1asb3hefryun0mr! → >10kC to Crack. “How I love thee more than life itself” → Hw1437em3tn4eif!! → >10kC to Crack. Something unique you said or promised within your family. Algorithmic construction by the concatenation of elements only known by you…
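    As an added worked example (not code from the deck), the reduction-and-obscuration recipe of the Wordsworth, Dylan Thomas and “login vectors” slides, with the naive exhaustive-search estimate a checker of the kind on the “Always use a Checker” slide produces. The substitution table, the symbol-alphabet size and the guess rate are assumptions, not figures from the deck.

```python
import math
import string

# Constructed leet-style substitution table matching the deck's examples
# (i/l -> 1, a -> 4, e -> 3, o -> 0, s -> 5, t -> 7); an assumption, not a standard.
SUBS = {"i": "1", "l": "1", "a": "4", "e": "3", "o": "0", "s": "5", "t": "7"}

def skeleton(line, mode="first"):
    """Reduce a memorable line to a letter skeleton.
    mode: 'first' = first letter of each word, 'last' = last letter,
          'ends'  = first+last letter of each word (the Carpenter/Hillman Imp style)."""
    words = [w.strip(string.punctuation) for w in line.split()]
    words = [w for w in words if w]
    if mode == "first":
        return "".join(w[0] for w in words)
    if mode == "last":
        return "".join(w[-1] for w in words)
    if mode == "ends":
        return "".join(w[0] + w[-1] if len(w) > 1 else w for w in words)
    raise ValueError(f"unknown mode {mode!r}")

def obscure(skel, sub_positions=(), upper_positions=(), suffix=""):
    """Destroy the letter pattern: swap chosen positions for digits, capitalise
    others, and append symbols (the deck's '£$' / '!!' step)."""
    chars = list(skel)
    for i in sub_positions:
        chars[i] = SUBS.get(chars[i].lower(), chars[i])
    for i in upper_positions:
        chars[i] = chars[i].upper()
    return "".join(chars) + suffix

def alphabet_size(pw):
    """Character classes present, as a brute-force checker would count them."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33  # printable ASCII symbols (assumed)
    return size

def brute_force_estimate(pw, guesses_per_second=1e10):
    """Exhaustive-search keyspace, its log2 in bits, and worst-case seconds at an
    assumed guess rate. Today's rate is not tomorrow's, and library/dictionary
    attacks on verse-derived passwords are not modelled here."""
    space = alphabet_size(pw) ** len(pw)
    return space, math.log2(space), space / guesses_per_second

if __name__ == "__main__":
    skel = skeleton("I wandered lonely as a cloud") + skeleton("When all at once I saw a crowd")
    pw = obscure(skel, sub_positions=(2, 11), upper_positions=(4, 8, 13), suffix="£$")
    print(pw, brute_force_estimate(pw))
```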
  • 43.
    Concatenating numerous very low-cost biometrics is extremely powerful…
    - Eye 10^-3 @ <$5
    - Face 10^-2 @ <$2
    - Hand 10^-3 @ <$2
    - Voice 10^-3 @ <$2
    - Typing 10^-3 @ <$2
    - Habits 10^-2 @ <$1
    - Devices 10^-1 @ <$1
    - Locations 10^-2 @ <$1
    - ++++ Password ++
    Error Probability <10^-8 @ <$6. Obscuration by ‘n’ layers. The typing rhythm at an ATM is unique and very cheap to recognise… Morse Code experience was the precursor to this solution…
  • 44.
    Automate the process: Choose a (or >1) reputable password generator. Ensure that it is fit for purpose and that you choose sensible settings by application and by need.
  • 45.
    Overview: A proportional view. Device >6 … defeats humans; Web Site >10 … concatenate; Document >12 - 16; Encryption >14 - 32; Membership >14 … concatenate; Social Networks >14 … concatenate; Financial Services >16 - 32 … concatenate. Concatenate = May Include: ID/PIN, Password/Questions/3 Try Limit/BioMetrics/Random CheckBack/2/3 Factor Authentication/++
  • 46.
    Layered Security: Exponentially increasing the entropy challenge. 6 Digit PIN > 8 Character Password > Name/ID > 10 Character Password > Name/ID > 14 Character Password > Name/ID + PIN > 16 Character Password. BackEnd BIOMetrics; Up Front BIOMetrics.
  • 47.
    There is always a threat. REMEMBER: It is smart: Sharing; Ruthless; Dynamic; Learning; Adapting; Constant; Motivated; Networked +++ Beyond The Law. For More GOTO: https://bit.ly/2F0y6in https://bit.ly/2SuwVzL https://bit.ly/2FcCtqR https://bit.ly/2SxHsKv https://bit.ly/2QsmBWb https://bit.ly/2MBED7v https://bit.ly/39mJNxB
  • 48.
    Thank You. 57Ay5af3K33p53CuR3. Make it very hard for the enemy - everything is at stake! petercochrane.com