Introduction: We all rely increasingly on our computers and the internet for a wide variety of tasks. From membership in a forum such as this, to retail purchases, to paying bills and conducting other routine financial transactions, we open an account at some website. Each such account requires a password and those passwords constitute a vital component of a security strategy designed to protect our personal and sensitive information, indeed our very identities, from the miscreants who would gladly exploit that information.
Throughout, we will use the term “strong password” to denote a password that provides effective security. Strong passwords are ones that can neither be easily guessed nor readily discovered using the increasingly sophisticated and widely available trial-and-error, or brute force, methods. If we are to protect our sensitive personal and financial information while using the internet, the use of strong passwords is essential.
The Risk: Statistical data provide some insight regarding the risks and costs of becoming a victim of identity theft.
According to the February 2010 report "Identity Fraud Survey Report" prepared and published by Javelin Strategy & Research, 11.1 million adults in the United States alone were the victims of identity fraud in the year 2009. That was an increase of 12% over the prior year. The risk is real!
According to the survey report Identity Theft: The Aftermath 2008 conducted and published by Identity Theft Resource Center, victims spent an average of $739 in out-of-pocket expenses for damage done to an existing account. By comparison, victims with new accounts spent an average of $951. Existing account holders expended an average of 58 hours and new account holders an average of 165 hours to recoup from the damages. The damages in money and time spent are real!
Yet statistics cannot tell the entire story. In individual cases, the damage inflicted can be catastrophic. In verbal testimony before the United States Senate Committee Hearing on the Judiciary Subcommittee on Technology, Terrorism and Government Information -- "Identity Theft: How to Protect and Restore Your Good Name" on July 12, 2000, Michelle Brown related the following:
To summarize, over a year and a half from January 1998 through July 1999, one individual impersonated me to procure over $50,000 in goods and services. Not only did she damage my credit, but she escalated her crimes to a level that I never truly expected: she engaged in drug trafficking. The crime resulted in my erroneous arrest record, a warrant out for my arrest, and eventually, a prison record when she was booked under my name as an inmate in the Chicago Federal Prison.
Attack Methods: The methods used to break or steal a password vary greatly in sophistication and probability of success. The least sophisticated and least likely to be successful approach is nothing more than attempts to guess a password. The risk associated with such an attack does, however, increase as access to the computer, either hands-on or via the internet, and personal familiarity with the account holder increase.
A more sophisticated and more likely successful method of attack makes use of so-called dictionary or statistical attack software tools. In such cases, the attacker relies upon a database of words, sequences of numbers, common phrases, and previously stolen passwords. The attack is completely automated such that a very large number of possible passwords are tried in a very short time. Passwords that are common words, phrases, or sequences of numbers are especially vulnerable under such an attack. The severity of the problem is amply revealed in the results of a recent study by researchers at Harvard University and Microsoft, and the analysis conducted by the web security firm Imperva of passwords used at a popular social networking website. One such result is more than sufficient to illustrate the problem. The analysis of 32 million passwords showed that 300,000 accounts used the password “123456”!
The most sophisticated and most successful level of attack comes of course when the attacker has your computer in their possession and has access to very powerful computational resources. While such methods are available to governments, we will assume that our membership will not suffer the indignity of any such investigation.
Overall Perspective: Little thought is required to realize that the name of your dog is not a strong password. It is just too simple, known by too many people, too easily guessed. The same holds true for any date, word, common phrase, or sequence of numbers that is easy for you to remember.
It is equally clear that using the same password for more than one account places you at vastly greater risk. Were your password at this forum stolen, it would be annoying, inconvenient, and perhaps even somewhat embarrassing. Yet the most that would really be compromised would be one of your email addresses. Unless of course you also use the same password for your credit card and banking accounts. Rest assured that the first thing any hacker would do is try that password on other, more sensitive accounts.
The logical conclusions are self-evident. We must effectively protect our sensitive personal and financial information while using internet accounts. To do so, we must incorporate strong passwords into our security arsenal. Thus, we want passwords that are very difficult to guess or break by brute force methods. We want a unique password for each and every account. Obvious questions arise. What constitutes a strong password? How can one generate a strong password? How can one possibly keep track of all these different, obscure passwords?
With these conclusions and questions well in mind, we will consider the fundamental elements of a sound password strategy. We begin by considering password strength, that is the inherent qualities that make a password difficult to break. We will then turn our attention to a comprehensive, yet facile strategy for implementing strong and unique passwords.
Strong Passwords: We have already operationally defined the attributes of a strong password. To reiterate, a strong password is one that is exceedingly difficult to duplicate either by guessing or by brute force trial and error computer methods. There are few if any things that are more difficult to duplicate than a sequence of randomly selected characters. The difficulty of duplication is highly dependent on three factors. One factor is the number of elements in the random sequence. The second factor is the number of available characters within the pool from which any single random element can be selected. The third factor is the inherent randomness of the process used to select elements from the pool. For a more comprehensive discussion of these contributing factors, please consult Password Strength and references therein.
Summarily stated, the longer a random password, the stronger it is. A sequence of 10 random elements is remarkably stronger than a sequence of 5 such elements. For a sensitive account, 24 or even 32 elements is not beyond reason.
Similarly, the pool of available characters should be as large as possible. The use of lower case letters alone is overly restrictive. The addition of upper case letters, numerals, and symbols (for example # and &) almost triples the number of available characters from which to choose. That addition adds remarkable randomness to the ultimate sequence.
Finally there is the inherent randomness of the element selection process itself. Suffice it to say that a computer is far better at making random selections than is any human.
Thus our strategy is to allow the computer to generate a long, random sequence by selecting individual elements from as large a pool of candidate elements as possible. As but one example
^'y.V:+Gv2JQ*P=^BHXdMOm/P%F`M@.V
is a 32 character, computer generated password created using lower and upper case letters, numerals, and special symbols. The entire process took less than 5 seconds to complete. We defy anyone to guess that string of characters, or to find it in any dictionary of common words and phrases.
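The three factors above (length, pool size, and the randomness of the selection process) can be put into numbers. The following is an added example, not part of the original article: it computes the entropy in bits for the lengths and pools the text compares, draws a password from the operating system's cryptographic random source, and shows why a password found in a common-password list is worth nothing regardless of its length. The small COMMON_PASSWORDS list is constructed for illustration.

```python
import math
import secrets
import string

# Constructed sample of the kind of list a dictionary attack tries first;
# the article cites "123456" as used by 300,000 of 32 million leaked accounts.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

# Character classes: lower case only versus the full pool the article recommends
# (lower, upper, numerals, symbols) = 26 + 26 + 10 + 32 = 94 characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
FULL_POOL = "".join(CLASSES)


def entropy_bits(length, pool_size):
    """Entropy of `length` elements, each drawn uniformly from `pool_size` symbols."""
    return length * math.log2(pool_size)


def generate_password(length=32, pool=FULL_POOL):
    """Let the computer choose: `secrets` uses the OS CSPRNG, unlike `random`."""
    return "".join(secrets.choice(pool) for _ in range(length))


def assess(password):
    """Return (bits, note). A common-list hit is worth 0 bits whatever its length;
    otherwise the estimate assumes the password was chosen uniformly at random
    from the classes it contains, which is an upper bound for human-chosen ones."""
    if password in COMMON_PASSWORDS:
        return 0.0, "in common-password list: found by a dictionary attack at once"
    pool_size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return entropy_bits(len(password), pool_size), f"pool of {pool_size} characters"


if __name__ == "__main__":
    # The article's comparisons: 5 vs 10 random elements, lower case vs full pool
    for length, pool in ((5, 26), (10, 26), (10, 94), (32, 94)):
        print(f"{length:2d} elements from {pool:2d} chars: {entropy_bits(length, pool):6.1f} bits")
    print(assess("123456"))
    print(assess(generate_password()))
```

Each added bit doubles the number of guesses a brute force attack must make on average, which is why 32 random elements from the full pool (about 210 bits) are out of reach while 5 lower case letters (about 23.5 bits) are not.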
Implementation of Strong Passwords: Knowing what constitutes a strong password is only the beginning. We need to implement a coherent, integrated strategy that provides both a mechanism to generate highly random sequences, as well as a reliable and secure mechanism for keeping track of those random sequences for future use. Concomitantly, we wish to avoid storing those sequences in printed form. A printed list of passwords requires that the list itself be kept secure, yet readily available. In addition, the onerous task of manually entering long complex random strings of characters from that list onto the computer as needed is overly prone to error. Storing passwords in an openly accessible file on our hard drive is unthinkable.
What we want is a dedicated software application, generically known as a password manager, that will generate high quality random sequences; associate each such sequence with a specific website account and its web address; and store those data sets in a secure, encrypted, yet readily available and easily utilized manner. Security is achieved by password protecting the database of stored information, thus requiring that we remember only one single master password in order to access all of our passwords. It is clearly important that the one single master password you select be strong. Additional security is provided by those password managers that are available as portable applications. In such cases, the application is run from a removable Universal Serial Bus (USB) flash drive which also holds the database. There is no installation on the hard drive and no settings are stored outside of the application directory. Password managers generally also provide functionality, either directly or through add-ons, that integrates into browsers such as Internet Explorer and Firefox, thus greatly facilitating access to account websites and entry of the corresponding passwords.
It goes without saying that even a strong password can be rendered useless if you fail to log out of a website when leaving.
List of freeware and open source password managers.