Backing up your email

James Fallows had an article in the Atlantic last year that did a good job of scaring the wits out of me, as any entertaining and informative security article should. Fallows described what happened when his wife’s Gmail account was hacked and she (briefly, before friends of theirs at Google saved the day) lost the entire contents of her Gmail account. The experience got Fallows thinking about how vulnerable we are when we store our information in the cloud.

My passwords are strong — and I’m hoping yours are too after reading the articles on DtheK — but what if your account gets broken into anyway, either through a server problem, hacker, or some other issue? Most of us would be willing to expend considerable effort to prevent the loss of all of our email data in such a worst case scenario, so I’ve compiled a few ways you can protect yourself. Each method is rated by difficulty, using the “Grandma Frustration-O-Meter” gold standard.

Options for backing up your email accounts

  1. Use a desktop client like Microsoft Outlook, Zimbra, or Mozilla Firebird to download and store copies of your emails on your hard drive. Grandma-Frustration-O-Meter: What the dang is POP3? Aaack!
  2. If you want to backup a Gmail account, start a new Hotmail account. Then ask Hotmail to store copies of your emails. Or vice versa if you use Hotmail and want Gmail to store your emails. I haven’t looked into Yahoo, but I’m guessing something similar might work for that. Grandma-Frustration-O-Meter: Goes down easier than a warm glass of milk.
  3. Use Gmail Backup and hope that it is not stealing your password information like the program described here. User beware, but one reason to trust it is that it is featured on the Google Apps Marketplace; another reason is that Softpedia certifies it as a clean program, free of adware, spyware, and viruses. Grandma-Frustration-O-Meter: I have to remember to run the program monthly? Okey dokey. What? Where am I?
  4. Use Backupify, an online service that claims to be able to store all of your Gmail account information and settings, then restore it to a Gmail account at any time. Sounds great, but of course you have to trust Backupify with your email content. Even if you trust Backupify to keep your information private, you now have to worry about two websites that could potentially get hacked instead of just one. Grandma-Frustration-O-Meter: Remember the warm glass of milk? It’s like that, but pricier.
  5. Pray. Don’t worry about backups, use the password “Lucky123” for every account on the internet, and pray that trouble won’t befall you. Grandma-Frustration-O-Meter: Ignorance is bliss… while it lasts.

While I am uneasy about giving my email password to anyone but Google, I have chosen options 1 and 2 (note that options 3 and 4 require trusting another program, company, or website with your password, too). Make your choice, and may the odds be ever in your favor.


Backup your password databases

For those who are using Password Safe, or some other password management program, a quick word of caution: back up your password databases! Send copies to your email address. Store them on USB sticks. Send copies via email to friends. Upload them to Dropbox.

Since good password management systems store passwords in encrypted databases, it doesn’t hurt to have a few copies of the database floating around in the world. If your database gets corrupted or you lose your database, you can always revert to one of the backups. I’ve had two corrupted PasswordSafe databases in a few years of usage, so it’s a rare but perfectly plausible event that you should plan for. There’s also the possibility that your hard drive crashes or your laptop gets stolen, and you lose your database that way. So plan for the worst, and make frequent backups of your database!


Password length: are you sure 8 is enough?

Commenter dearjym notes that, in some instances, crooks may be trying to crack your passwords at a rate of hundreds of thousands of passwords per second. He’s right.

Where true, the math I presented in this recent post starts to look a little shaky. See this rather arresting summary via a blogger who used to post on topics similar to those featured at Defending the Kingdom.

So let’s be specific about where we’re likely to get into trouble with short-ish passwords. First, it’s unlikely that internet bots can try more than one (or maybe a few) passwords per second over the internet. Bandwidth speeds and server response times are the primary brakes on the process, and some websites purposely slow things even further after a few wrong tries. Some programs on personal computers also make an effort to retard the password verification process in computer time (making the process last 0.5 seconds rather than 0.0001 second, perhaps, which is indistinguishable to most users but not to computers). Password Safe is one such program.
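Here is what that deliberate slowdown looks like in code. This is an added example written for this post, not Password Safe’s own code or anything from the blog; it uses PBKDF2-HMAC-SHA256 from Python’s standard library as the stretching function, and the iteration count is a constructed value you would tune so that one verification takes roughly half a second on your hardware.

```python
import hashlib
import hmac
import os
import time

# Added illustration of key stretching, not Password Safe's implementation.
# The iteration count is a constructed value: raise it until verify() takes
# about 0.5 s on the machine that will run it.
ITERATIONS = 200_000


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Hash a password with a fresh random salt; this is what a program would store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the stretched hash and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def guesses_per_second(record: dict, samples: int = 3) -> float:
    """Measure how many verification attempts per second this stretching allows."""
    start = time.perf_counter()
    for i in range(samples):
        verify(f"wrong-guess-{i}", record)  # constructed wrong guesses
    elapsed = time.perf_counter() - start
    return samples / elapsed


if __name__ == "__main__":
    stretched = make_record("correct horse battery")
    print(verify("correct horse battery", stretched))  # True
    print(verify("wrong", stretched))                  # False
    unstretched = make_record("correct horse battery", iterations=1)
    print(f"1 iteration:        ~{guesses_per_second(unstretched):,.0f} guesses/s")
    print(f"{ITERATIONS} iterations: ~{guesses_per_second(stretched):,.0f} guesses/s")
```

The point of the comparison is the ratio: the stretched record forces anyone who has the stored digest to spend the same extra work per guess that the legitimate user spends once per unlock, which is exactly the trade-off the paragraph above describes.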

But some programs are not built so securely, and this is where we can run into trouble. As generic advice, it wouldn’t be a bad idea to use very long passwords (15 to 30 digits) for Microsoft Office files, Zip files, password protected folders, or any other program for which you’re unsure what password trial limiting features it has.

Dictionary words as passwords

The commenter also makes an interesting point about using multiple dictionary words to make memorable yet safe passwords. He suggests that putting three dictionary words together can make for a very good password. He’s right. Apparently, there are around 170,000 words in a very popular dictionary. Assuming that all of them are equally suitable as memorable words for use within a password (or, more to the point, assuming that password crackers wouldn’t be able to distinguish memorable from unmemorable words), that makes for 5,000 trillion possible password combinations. Note, though, that the number drops to around 5 trillion combinations if we assume that only 10% of words in the dictionary are memorable enough to use within a password.


The backdoor problem

There’s a well known truism in the security community that says that a system’s security is only as good as the backup entry method employed. That’s as true on the web as elsewhere. People forget or lose their passwords, they want to be able to get back into their accounts, and many websites give them the chance to do so by offering entry through a “backdoor”. The backdoor is meant to recognize and grant entry to the true account owner by asking “security questions” for which only he would know the answer.

The problem is that most security question answers, if given as intended, typically make poor passwords. You can have the strongest primary password in the world, but if you use your mother’s maiden name as the answer to the security question a website offers, then you can forget about the strength of your primary password. Your effective password might as well be your mother’s maiden name, since knowledge of that will get you into the website as surely as knowledge of the primary password will.

You should keep that in mind when creating answers to security questions. Instead of providing the actual answers, I recommend creating real passwords as answers to these (i.e., your mother’s maiden name could be entered as “d9IgzUe33s”), then keeping track of these additional passwords in a program built for the job (I’ve discussed such programs before).
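If you want to generate those made-up answers rather than invent them by hand, the following is an added example written for this post (not a tool from the blog or from any password manager). It draws answers from the operating system’s cryptographic random source via Python’s secrets module; the alphabet is the 62-symbol set used elsewhere on this blog, the word list is a constructed toy list, and the question labels are assumptions.

```python
import secrets
import string

# Added example for generating security-question answers; not the blog's code.
ANSWER_ALPHABET = string.ascii_letters + string.digits  # 26 + 26 + 10 = 62 symbols

# Constructed toy word list purely for illustration; a real list would be far larger.
WORDLIST = ["maple", "granite", "otter", "lantern", "velvet", "comet", "harbor", "pixel"]


def random_answer(length: int = 12, alphabet: str = ANSWER_ALPHABET) -> str:
    """An answer made of uniformly random symbols from a CSPRNG (secrets, not random)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count: int = 3, wordlist=WORDLIST, sep: str = "-") -> str:
    """A memorable alternative: several random words joined with a separator."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def fill_security_questions(questions, length: int = 12) -> dict:
    """Map each question to a fresh random answer; save the result in your password manager."""
    return {question: random_answer(length) for question in questions}


if __name__ == "__main__":
    # Assumed question labels; use whatever the site actually asks.
    answers = fill_security_questions(["Mother's maiden name", "First pet", "City of birth"])
    for question, answer in answers.items():
        print(f"{question}: {answer}")
    print("Passphrase-style answer:", random_passphrase())
```

Every answer is independent, so learning one (say, from a breach of a different site) tells an attacker nothing about the others, which is the whole reason to stop reusing the true facts.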

The fortress problem

Now that you’ve gussied up the backdoor, strengthening it with a stronger password requirement, you may run into the problem that backdoors were invented to solve: what if you suddenly find yourself locked out of your fortress? What if you lose both passwords? If you are using a password management tool, what if your password database gets corrupted? What if you accidentally erase an entry in your database (this is scarily easy to do)? What if your hard disk crashes and you lose your database?

The answer is that you need to create backup systems for yourself. These backups need to be in two forms:

  1. If you use a password manager, create backups of your password database. After creating a new entry, store a copy of the database on a USB flash drive or send a copy to a family member’s email address. As long as the database itself is password protected, you needn’t worry about making copies and leaving them lying around or giving possession to others. In fact, the more copies you make and the easier they are to find, the better.
  2. If you use a password manager, you need to protect against the possibility that you forget the master password that unlocks the database. If you’ve used this method, that should never happen. But sometimes bad things do happen, and you should plan for that. A low-tech method would be to write down your database password and store it in your wallet. That is safer and more sensible than many people suspect. A second option would be to write down your master password and store it in a safety deposit box at your bank. The latter option has the advantage of finally sealing up that backdoor to be both safe and useful – if you lose your safety deposit box key, for example, you can regain access to it by proving your identity to your bank, something that should be extremely difficult to do for an imposter but relatively easy for the true account holder to do.


Password length: go longer?

Time marches on, computing power grows stronger, hackers get cleverer. Every now and again we need to review what we once thought was “safe enough”. Today, the time has come to review what ought to be considered a safe password length.

Pragmatic security and powerful bots

This blog has always taken the pragmatic route to security, recognizing that there will always be a tradeoff between security and time and money. In other words, don’t worry about being 100% safe — instead, focus on being safer than average.

What does that mean for password length? Consider this: computing time is so cheap today that it’s not inconceivable that every one of our email accounts has a bot trying to access it about once per second, every day, 365 days per year.

Still feel safe with the password you’re using right now? Personally, I’m starting to feel queasy, but let’s look at the problem carefully.

Is eight still enough?

I used to recommend an eight digit password. Is that still enough? The Microsoft Password Checker, a tool I’ve recommended before, does not seem to think so. If you type, for example, “t8Uh10xI” into the checker, it tells you that you’ve made a weak password. Is that the case?

To answer that, suppose you found one of those bots that is, in all likelihood, pounding at the gates to your email account. Feeling generous, you give the bot a bit of information. “Look,” you say, “my password is eight digits, so don’t bother guessing passwords of any other length. And I use numbers, uppercase characters, and lowercase characters. I don’t use any special characters.”

Now, how scared should you be?

Well, you’ve made the bot’s job a bit easier, but let’s take a look at the math. The key statistic is the number of possible permutations of passwords you could have made using those parameters. To find out how many permutations there are, and therefore how many different passwords the bot would have to try, we need to compute the following:

Permutations = (26+26+10)^8

That is, there are 62 ways to pick the first digit of your password (26 uppercase letters, 26 lowercase letters, and 10 numerical digits), 62 ways to pick the second, 62 to pick the third, and so on — eight times.

The result is that there are 218,340,105,584,896 possible eight character permutations. That’s 218.3 trillion. Supposing that a bot can try one password per second, it would be able to try 31,536,000 in a year. In just under 7 million years, it could try all the possible permutations.
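The arithmetic above, and the three-dictionary-word count from the earlier post on this page, are easy to reproduce and extend. The block below is an added example written for this page (not the blog’s code); it computes the keyspace for character-based and word-based passwords, converts it to bits, and estimates exhaust time at the one-guess-per-second online rate used here and at the hundreds-of-thousands-per-second offline rate the commenter mentioned. The scenario names and the 100,000 guesses/second figure are assumptions chosen for illustration.

```python
import math

# Added example reproducing the post's keyspace math; not code from the blog.
SECONDS_PER_YEAR = 31_536_000  # 365 * 24 * 60 * 60, as in the post

# Constructed scenarios; the rates are illustrative assumptions.
GUESS_RATES = {
    "throttled online login": 1,        # about one guess per second over the internet
    "fast offline cracking": 100_000,   # hundreds of thousands per second, per the commenter
}


def charset_keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from a charset."""
    return charset_size ** length


def wordlist_keyspace(dictionary_size: int, word_count: int) -> int:
    """Distinct passphrases made of `word_count` words from a dictionary."""
    return dictionary_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Equivalent strength in bits: log2 of the number of candidates."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate; on average an attacker needs half."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def report(label: str, keyspace: int, rates: dict = GUESS_RATES) -> dict:
    """Summarise one password scheme against each guessing scenario."""
    return {
        "label": label,
        "keyspace": keyspace,
        "bits": round(entropy_bits(keyspace), 1),
        "years": {name: years_to_exhaust(keyspace, rate) for name, rate in rates.items()},
    }


if __name__ == "__main__":
    schemes = [
        ("8 chars, 62-symbol alphabet", charset_keyspace(26 + 26 + 10, 8)),
        ("15 chars, 62-symbol alphabet", charset_keyspace(26 + 26 + 10, 15)),
        ("3 words, 170,000-word dictionary", wordlist_keyspace(170_000, 3)),
        ("3 words, 17,000 memorable words", wordlist_keyspace(17_000, 3)),
    ]
    for label, space in schemes:
        r = report(label, space)
        print(f"{r['label']}: {r['keyspace']:,} candidates ({r['bits']} bits)")
        for name, years in r["years"].items():
            print(f"    {name}: {years:,.1f} years to exhaust")
```

Running it shows why the two posts on this page reach different conclusions: the same eight-character password that takes millions of years at one guess per second falls to decades once an attacker can grind away offline at a hundred thousand guesses per second, which is the case the “very long passwords for Office and Zip files” advice is aimed at.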

So the answer has to be “yes, eight is still enough”.

On the other hand, if you’re using a software tool like PasswordSafe, the cost of upgrading your passwords to be a bit longer is so low that it’s difficult to think of a reason not to do so. Personally, I’ve begun to use 15 to 30 digit passwords for some applications because it increases my safety without increasing my costs appreciably. But I still feel secure knowing that the master password that unlocks my PasswordSafe database is less than ten characters long. If I lose my PasswordSafe database on the subway again (yes, this has happened once already), I won’t worry.

