# Passwords – Do they really matter?

Aug 06 2015

In a previous blog we discussed different mechanisms for authenticating to systems, and combining those mechanisms to form multi-factor authentication. Multi-factor authentication is like a chain: each method and aspect of your security is one link protecting your information. But as with any chain, it is only as strong as its weakest link, and for many people that link is the password. Generally we are just bad at creating passwords, but with a little forethought it gets easier to create a good one.

First, a few definitions that are genuinely useful when talking about passwords:

Entropy – a measure of how unpredictable a password is, usually expressed in bits: roughly the base-2 logarithm of the number of equally likely passwords an attacker would have to try.

Usability – the likelihood that a person can successfully type a password from memory without locking the account.

Hash – a one-way function applied to a password before storing it; unlike encryption there is no key and no decryption step.

Salted hash – a hash computed over the password plus a random per-account value (the salt) that is stored alongside it, so that identical passwords produce different hashes and precomputed tables no longer apply.

Passwords are generally stored as what security analysts call hashes. A hash function transforms its input in a one-way fashion: there is no practical mathematical way to reverse it and recover the password from the hash. Note that this is not encryption; there is no key and nothing to decrypt. A computer takes the password you set, computes its hash, and stores that hash in its account database.

In order to authenticate you, the computer hashes the password you entered and compares the result to the stored hash. Password cracking works the same way. An attacker uses a program to "guess" candidate passwords, hashes each candidate, and compares the result with the hash in the stolen database. For this to work the attacker needs two things: a copy of the stored hashes (which is why this is called an offline attack) and knowledge of the hash method, that is, the exact function used to arrive at the stored value. The easiest way for a user to make a password hold up is to make it too unpredictable to be guessed; we call this having high entropy.

## Rainbow Tables

Another tool in the password cracker's arsenal is what are commonly called rainbow tables. These are precomputed tables that map hashes back to the plaintext passwords that produce them, built once for a well-known hash method (real rainbow tables compress the mapping into hash chains to trade time for disk space, but the effect is the same). They save time because, once the attacker has the password database, there is no need to guess at all: the actual password is found by reverse lookup in a table that was built beforehand.

## Salted Hash

A common rule of thumb is that a password made of uppercase letters, lowercase letters and digits needs to be at least 12 characters long before it is unlikely to appear in commonly available rainbow tables, and a password made only of upper and lower case letters should be longer than 15 characters. One method used to make life harder for crackers is the salted hash.

A salted hash adds a random value (the salt) to each password before hashing it. The salt is generated separately for each account and stored next to the hash; it does not need to be secret. Its value is that it makes precomputation useless: an attacker who steals the database cannot use rainbow tables, because every account has a different salt, and must instead run the slow process of hashing each candidate password under each account's salt, one account at a time.

Password + Salt →  Hash →  69a76caeda3ca6ddd5cc86b214b89737
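The guess-and-compare attack, the precomputed lookup that rainbow tables generalize, and the effect of a per-account salt, as one added example (this is editor-written code, not from the original post). It assumes a constructed six-word dictionary, uses MD5 for the unsalted case to match the 32-hex-digit value in the diagram, and uses PBKDF2-HMAC-SHA256 for the salted case; the iterated, deliberately slow hash is my choice for the salted side, not something the diagram above specifies.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for an attacker's password dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2015",
            "Mycatloves4flavouricecream"]


def unsalted_hash(password):
    """Plain MD5 of the password: the unsalted storage that precomputed
    (rainbow) tables target."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once. Real rainbow tables use hash
    chains to trade time for disk space, but the effect on an unsalted hash
    is the same: a reverse lookup replaces the guessing loop."""
    return {unsalted_hash(w): w for w in words}


def reverse_lookup(table, digest):
    """Instant recovery of any unsalted hash that is in the table."""
    return table.get(digest)


def salted_hash(password, salt, iterations=100_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The salt is a random
    per-account value stored next to the hash; it does not need to be secret.
    The iteration count is what makes each guess expensive for the attacker."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password):
    """What the system stores for one account: the salt and the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record, attempt):
    """Login check: re-hash the attempt under the stored salt and compare in
    constant time."""
    return hmac.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))


def crack_salted(record, words):
    """Attacker holding the stolen record (salt and hash) still has to hash
    every guess under this account's salt: no precomputed table applies, and a
    second account with the same password needs all the work done again."""
    for w in words:
        if verify(record, w):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5 reverse lookup:", reverse_lookup(table, unsalted_hash("password")))
    a, b = make_record("password"), make_record("password")
    print("same password, different salted hashes:", a["hash"] != b["hash"])
    print("salted crack by guessing under the salt:", crack_salted(a, WORDLIST))
```

The two records for "password" differ because each carries its own random salt, which is exactly why a rainbow table built for MD5 is useless against them; the attacker is pushed back to hashing every guess per account, and the iteration count decides how slow that is.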

As you can see, these attacks rely on the attacker getting access to the password database. On most Windows machines there are two possible places where a password is stored. One is the local SAM registry hive, which holds local account passwords. The SAM stores them as unsalted NT hashes using a well-known method, so it is not the most secure place to have a password. Moreover, workstations tend not to be physically locked up, making it easier for an attacker to gain access, copy the hive, and attack it at his leisure.

The other location is Active Directory, commonly called your network password. These hashes are stored on servers called domain controllers and, in an ideal setup, replicated across several of them. Active Directory generally has better protection, and with many domain controllers you improve your ability to detect corruption and tampering. Servers also tend to be locked up, so physical access becomes less of a concern. Where Active Directory passwords are weak is password reuse: a user will often use his network password on a local account used for services or development. If that local password is compromised, it can be used to gain access to the network account as well.

Windows has a built-in complexity policy ("Password must meet complexity requirements"). It demands characters from at least three of these four categories, that the password not contain the account name, and a minimum length that is configured separately:

• Upper and lower case letters

• Numbers

• Special characters
–      `` ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ ``

• Minimum length (set by a separate policy; 8 characters is typical)

By enforcing these rules Windows is trying to increase entropy, but unfortunately it often does so at the cost of usability, and a password that satisfies all four categories can still be a predictable pattern. Randall Munroe put it this way in his comic xkcd ("Password Strength"): "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
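A check of the Windows complexity rules described above, together with a rough entropy estimate, as an added example (editor-written, not code from the post or from Microsoft). It assumes the three-of-four-categories rule, a minimum length of 8, the special-character set listed above, and a simplified account-name check (Windows also rejects parts of the user's full name); the entropy figure is the naive upper bound from the definition of entropy earlier in the post, and the passwords tested are the ones that appear later in this post.

```python
import math
import string

# Character categories used by the Windows "Password must meet complexity
# requirements" policy. The policy wants characters from at least three of
# them; the minimum length is a separate policy setting (assumed 8 here).
CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/"),
}


def categories_used(password):
    """Names of the character categories present in the password."""
    return {name for name, chars in CATEGORIES.items()
            if any(c in chars for c in password)}


def meets_windows_complexity(password, username="", min_length=8):
    """Three of four categories, minimum length, and no account name inside
    the password (simplified: Windows also checks pieces of the full name)."""
    if len(password) < min_length:
        return False
    if username and username.lower() in password.lower():
        return False
    return len(categories_used(password)) >= 3


def naive_entropy_bits(password):
    """Upper bound on entropy: pretends every character was drawn uniformly
    from the union of the categories present. Words, mnemonics and keyboard
    patterns have far less real entropy than this number suggests."""
    alphabet = sum(len(CATEGORIES[name]) for name in categories_used(password))
    return len(password) * math.log2(alphabet)


def brute_force_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust a keyspace of 2**bits at an assumed guess
    rate; the rate depends entirely on the hash the target system uses."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # Examples from the post: all of these satisfy the Windows rules,
    # which is the point of the xkcd quote above.
    for pw in ["Gl2tp4l$", "!qAsdE#2", ")qww294e", "Mycatloves4flavouricecream"]:
        print(f"{pw:28} complexity ok={meets_windows_complexity(pw)} "
              f"naive bits={naive_entropy_bits(pw):.1f}")
    # Assumed rate of ten billion guesses per second for a fast unsalted hash.
    print("8 chars, full set, worst case at 1e10/s:",
          brute_force_seconds(naive_entropy_bits("Gl2tp4l$"), 1e10), "s")
```

The keyboard pattern and the shifted word pass the same check as the mnemonic, and the naive estimate gives the 8-character ones about 52 bits while the 26-character passphrase scores far higher; treat the naive number as a ceiling, since a cracker's dictionary and rules shrink the real search space well below it.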

Additional policy settings include a minimum and a maximum password age. A maximum age might force a user to reset his password every 90 days. A minimum age prevents a user from changing his password again immediately after a change, which, paired with the system remembering a number of old passwords, stops him cycling straight back to a favourite. Note that forced rotation does not by itself create entropy: users tend to respond with predictable increments of the old password, so the age settings are a guard against reuse, not a substitute for a strong password.

## More Advanced Techniques = Passphrases

Sometimes making a password that fits the rules can be hard. Edward Snowden made an appearance on John Oliver's Last Week Tonight to highlight the problem.

As Mr. Snowden highlights, a long, memorable passphrase is often easier to remember, long enough that brute force is impractical, and unlikely to be in a password dictionary. Passphrases also defeat rainbow tables, simply because passwords that long are beyond what any table covers.

Some things to keep in mind when putting together a passphrase: legacy systems (those at banks, for instance) are often too old to accept a proper passphrase. Many limit you to 8–11 characters drawn from a small subset of characters. In that case, use the longest and most varied password the system allows, and make sure the bank is federally insured.

Keyboard language is another consideration. If a password is shared by a team, or has to be entered on a coworker's terminal and that coworker uses another keyboard layout, will you be hurting usability? Some keys, especially punctuation, move when a different layout is active, so verify that your password can actually be typed where it will be used.

• Passphrases – Mycatloves4flavouricecream. As discussed above, a passphrase with some basic thought behind it usually yields the highest entropy while still maintaining usability.

• Mnemonic passwords – Gl2tp4l$ is built from the first letters of "Government likes to tax people for lots of money". This satisfies the complexity rules but is less usable, and the method tends to produce short passwords.

• Psycho pass – choosing a password by drawing a shape on your keyboard. For example, !qAsdE#2 is a rhomboid traced over a QWERTY keyboard. This method generally has low entropy (keyboard walks are a standard input to cracking tools) but yields high usability.

• Themed passwords tied to the account they protect:

  – Ringo!!drumsWJohn – password for Pandora

  – Ring!!45Kbanking – password for banking

• Shift method – choose a direction and shift every keystroke one key in that direction. "Password" shifted to the upper left yields )qww294e. Because the result is a fixed transform of an ordinary word, an attacker who knows the trick can apply it to a whole dictionary, so it adds little real entropy.
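The shift method worked through in code, as an added example (editor-written, not from the post). It assumes a US QWERTY layout in which key column i of one row sits above column i of the row below, and that the shift key state is kept for each character; under those assumptions "Password" shifted to the upper left reproduces the )qww294e shown above. The second function shows the attacker's side of the same transform, and the same dictionary-plus-transform approach is what makes keyboard-walk passwords like the one in the psycho pass bullet cheap to crack.

```python
# US QWERTY layout (assumed): each row as (unshifted, shifted) strings,
# aligned so that column i of one row is the key directly above column i of
# the row below. Pressing one key "up and to the left" is row - 1, same column.
ROWS = [
    ("1234567890-=", "!@#$%^&*()_+"),
    ("qwertyuiop[]", "QWERTYUIOP{}"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]


def locate(ch):
    """Return (row, column, shifted) for a printable key, or None if the
    character is not on the modelled layout (space, letters with accents)."""
    for r, (plain, shifted) in enumerate(ROWS):
        if ch in plain:
            return r, plain.index(ch), False
        if ch in shifted:
            return r, shifted.index(ch), True
    return None


def shift_up_left(password):
    """Apply the post's shift method: type each character one key up and to
    the left, keeping the shift state. Characters on the top row, off the
    layout, or past the end of the shorter row above are left unchanged."""
    out = []
    for ch in password:
        pos = locate(ch)
        if pos is None or pos[0] == 0:
            out.append(ch)
            continue
        r, c, shifted = pos
        plain, shift = ROWS[r - 1]
        if c >= len(plain):
            out.append(ch)
        else:
            out.append(shift[c] if shifted else plain[c])
    return "".join(out)


def crack_shifted(target, wordlist):
    """Attacker's side: the transform is deterministic, so a cracker maps every
    dictionary word through it and compares. The search space grows only by
    the handful of directions worth trying, not with the password's length."""
    for w in wordlist:
        if shift_up_left(w) == target:
            return w
    return None


if __name__ == "__main__":
    # Constructed mini-dictionary; a real one would be millions of entries.
    words = ["password", "Password", "letmein", "qwerty"]
    print(shift_up_left("Password"))          # the post's )qww294e
    print(crack_shifted(")qww294e", words))   # recovers "Password"
```

The capital P is what turns the 0 key into ) in the post's example: shift state survives the move, so case and punctuation in the base word leak straight through into the result.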