This is part of the VPNCity Best Practices articles where we will explain along the way the “What”, “How” and “Why” the best practices will improve your security and privacy in your day-to-day life while helping you understand the technology, dispel the myths and give you the tools to understand why your personal privacy and security is in your hands. This part concentrates on passwords, the magic behind them and how to make them secure.
Passwords are one of the easiest ways to breach a persons digital security. A lot of websites opt for a minimum of 8 characters with at least one uppercase, at least one lowercase, at least one number and at least one special character. Using this system, it would mean a password would look something like ‘Pas$w0rd’. This is based on NIST guidelines from 2011.
Unfortunately, a large number of websites do not opt to update password policies to newer NIST guidelines. Passwords are often broken through either guessing (social engineering), malware (keylogging), brute force or by using a pre-existing list of known username and passwords (obtained in previous data breaches and published online).
There are 6.63 quadrillion different possible 8 character passwords and at the Passwords^12 convention in 2012, Jeremi Gosney demonstrated a machine that broke all 6.63 quadrillion passwords in 5.5 hours. That equates to 350 billion password guesses per second. Password cracking has significantly improved since 2012.
Password security can always be broken. Always. It simply all depends on how long and how much effort it would take. For example, most people’s router username and password is still admin/password. That would take about 4 seconds to enter with next to no effort.
Password strength is called password entropy and entropy is based on the character set used (uppercase, lowercase, numbers and symbols) as well as length. Password entropy predicts how hard a password is to crack using guesses, brute force methods, dictionary attacks or other methods.
If a password uses numbers (0-9), uppercase (A-Z), lowercase (a-z) and special characters (!”£ etc), there are 95 possible choices for a one character password. If the password is two characters long there are 9,025 possible choices and for three characters there are 857,375 possible choices (and so on with the equation being expressed as 95^n (with n being the number of characters in the password)).
As a species, humans make terrible choices for passwords. Even if a person chooses a ‘random’ password, we have a bias towards certain letters and numbers. This is called letter frequency and can easily be seen in the game Scrabble. There are more letter E (12) then Q (1). Nobody wants to get the Q or the Z. In addition, humans are notoriously bad at remembering random strings of letters and numbers, so we either write it down (which is a very bad idea for a password) or we make it easy to remember.
- “Pas$w0rd” is a bad password as it’s easy to guess.
- “0ZhY3S6Q” is a password less susceptible to guessing, however has the same entropy and is hard to remember
Both example passwords have the same amount of entropy but it would take less than 6 hours to guess either password with Gosney’s machine. As such, neither password is secure.
Securing your Password
Because you can’t change the option of accepted characters, you can secure your password through the amount of characters used on your password. This is where the 95^n comes in and that means 95 multiplied by itself however many characters are in your password. That means the password entropy on an (8) eight character password is worked out by;
- 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 (and is written as 95^8)
This equates to 6.63 quadrillion different possible passwords. A more secure password would be at least 20 characters long (95^20) and would equate to 10.24 decillion possible different passwords. For reference:
- 6,630,000,000,000,000 = 6.63 Quadrillion
- 10,240,000,000,000,000,000,000,000,000,000,000 = 10.24 Decillion
Using Gosney’s machine on a twenty character password could potentially take up to 9,277,379,140 years to crack a single password. Unfortunately the speed at which passwords can be cracked is increased over time, meaning less secure passwords are cracked faster and faster.
As time develops, new tools are also being created to highlight how secure a password is. Tools such as How Secure Is My Password and ZXCVBN which demonstrate how secure a password is and how long it will break.
Using a 20 digit password, would have taken over 9 billion years for someone to crack a single password using Gosney’s machine from 2012. However, it’s not the only issue. a chain is only as strong as the weakest link. Hackers were able to access the Equifax database in 2017 because the username and password to the data base was Admin according to court filings. Industry practice states to have a different password for every site. However, due to human nature, it is difficult to remember a single twenty character password, let alone a different twenty character for every single site.
Luckily there is software which nullifies this issue: Password Managers.
A password manager is software which stores all the secure passwords in an encrypted database which can only be accessed with the correct password (which should still be at least twenty characters, but more is better). This may seem like a weak part of the plan having all the secure passwords stored in a single place secured with a single password, however this can be further overcome with the addition of Two-Factor Authentication (2FA). Various methods exist for 2FA, but for security, a hardware method is preferred. This is where a hardware device is used to authenticate that you are the correct holder of the account and you’re authorised access (such as a Yubikey).
This ensures that all your passwords are secure, encrypted and still easy for you to access. Granted even this isn’t 100% secure, but it a method to create random and long passwords which should be unique to each site you sign into.
The password manager needs to be secured by a master password however. My trick for a random master password that’s easy to remember? Get a dictionary and open it to a random page. Close your eyes and stick your finger on the page and the closest word is chosen. Do this 4 or 5 more times. This can be used as your master password. This method is explained in an excellent XKCD comic.
For transparency, I use Bitwarden as my password manager, as it is opensource and can be self hosted or cloud based. I utilise a Yubikey as my 2FA.