Backup your password databases

For those who are using Password Safe, or some other password management program, a quick word of caution: back up your password databases! Send copies to your email address. Store them on USB sticks. Send copies via email to friends. Upload them to Dropbox.

Since good password management systems store passwords in encrypted databases, it doesn’t hurt to have a few copies of the database floating around in the world. If your database gets corrupted or you lose your database, you can always revert to one of the backups. I’ve had two corrupted PasswordSafe databases in a few years of usage, so it’s a rare but perfectly plausible event that you should plan for. There’s also the possibility that your hard drive crashes or your laptop gets stolen, and you lose your database that way. So plan for the worst, and make frequent backups of your database!


Password length: are you sure 8 is enough?

Commenter dearjym notes that, in some instances, crooks may be trying to crack your passwords at a rate of hundreds of thousands of passwords per second. He’s right.

Where true, the math I presented in this recent post starts to look a little shaky. See this rather arresting summary via a blogger who used to post on topics similar to those featured at Defending the Kingdom.

So let’s be specific about where we’re likely to get into trouble with short-ish passwords. First, it’s unlikely that internet bots can try more than one (or maybe a few) passwords per second over the internet. Bandwidth speeds and server response times are the primary brakes on the process, and some websites purposely slow things even further after a few wrong tries. Some programs on personal computers also make an effort to slow down the password verification process in computer time (making the process last 0.5 seconds rather than 0.0001 second, perhaps, which is indistinguishable to most users but not to computers). Password Safe is one such program.

But some programs are not built so securely, and this is where we can run into trouble. As generic advice, it wouldn’t be a bad idea to use very long passwords (15 to 30 digits) for Microsoft Office files, Zip files, password-protected folders, or any other program for which you’re unsure what password-trial-limiting features it has.

Dictionary words as passwords

The commenter also makes an interesting point about using multiple dictionary words to make memorable yet safe passwords. He suggests that putting three dictionary words together can make for a very good password. He’s right. Apparently, there are around 170,000 words in a very popular dictionary. Assuming that all of them are equally suitable as memorable words for use within a password (or, more to the point, assuming that password crackers wouldn’t be able to distinguish memorable from unmemorable words), that makes for 5,000 trillion possible password combinations. Note, though, that the number drops to around 5 trillion combinations if we assume that only 10% of words in the dictionary are memorable enough to use within a password.


The backdoor problem

There’s a well-known truism in the security community that says that a system’s security is only as good as the backup entry method employed. That’s as true on the web as elsewhere. People forget or lose their passwords, they want to be able to get back into their accounts, and many websites give them the chance to do so by offering entry through a “backdoor”. The backdoor is meant to recognize and grant entry to the true account owner by asking “security questions” for which only he would know the answer.

The problem is that most security question answers, if given as intended, typically make poor passwords. You can have the strongest primary password in the world, but if you use your mother’s maiden name as the answer to the security question a website offers, then you can forget about the strength of your primary password. Your effective password might as well be your mother’s maiden name, since knowledge of that will get you into the website as surely as knowledge of the primary password will.

You should keep that in mind when creating answers to security questions. Instead of providing the actual answers, I recommend creating real passwords as answers to these (i.e., your mother’s maiden name could be entered as “d9IgzUe33s”), then keeping track of these additional passwords in a program built for the job (I’ve discussed such programs before).

The fortress problem

Now that you’ve gussied up the backdoor, strengthening it with a stronger password requirement, you may run into the problem that backdoors were invented to solve: what if you suddenly find yourself locked out of your fortress? What if you lose both passwords? If you are using a password management tool, what if your password database gets corrupted? What if you accidentally erase an entry in your database (this is scarily easy to do)? What if your hard disk crashes and you lose your database?

The answer is that you need to create backup systems for yourself. These backups need to be in two forms:

  1. If you use a password manager, create backups of your password database. After creating a new entry, store a copy of the database on a USB flash drive or send a copy to a family member’s email address. As long as the database itself is password protected, you needn’t worry about making copies and leaving them lying around or giving possession to others. In fact, the more copies you make and the easier they are to find, the better.
  2. If you use a password manager, you need to protect against the possibility that you forget the master password that unlocks the database. If you’ve used this method, that should never happen. But sometimes bad things do happen, and you should plan for that. A low-tech method would be to write down your database password and store it in your wallet. That is safer and more sensible than many people suspect. A second option would be to write down your master password and store it in a safety deposit box at your bank. The latter option has the advantage of finally sealing up that backdoor to be both safe and useful – if you lose your safety deposit box key, for example, you can regain access to it by proving your identity to your bank, something that should be extremely difficult to do for an imposter but relatively easy for the true account holder to do.


Password length: go longer?

Time marches on, computing power grows stronger, hackers get cleverer. Every now and again we need to review what we once thought was “safe enough”. Today, the time has come to review what ought to be considered a safe password length.

Pragmatic security and powerful bots

This blog has always taken the pragmatic route to security, recognizing that there will always be a tradeoff between security and time and money. In other words, don’t worry about being 100% safe — instead, focus on being safer than average.

What does that mean for password length? Consider this: computing time is so cheap today that it’s not inconceivable that every one of our email accounts has a bot trying to access it about once per second, every day, 365 days per year.

Still feel safe with the password you’re using right now? Personally, I’m starting to feel queasy, but let’s look at the problem carefully.

Is eight still enough?

I used to recommend an eight-digit password. Is that still enough? The Microsoft Password Checker, a tool I’ve recommended before, does not seem to think so. If you type, for example, “t8Uh10xI” into the checker, it tells you that you’ve made a weak password. Is that the case?

To answer that, suppose you found one of those bots that is, in all likelihood, pounding at the gates to your email account. Feeling generous, you give the bot a bit of information. “Look,” you say, “my password is eight digits, so don’t bother guessing passwords of any other length. And I use numbers, uppercase characters, and lowercase characters. I don’t use any special characters.”

Now, how scared should you be?

Well, you’ve made the bot’s job a bit easier, but let’s take a look at the math. The key statistic is the number of possible permutations of passwords you could have made using those parameters. To find out how many permutations there are, and therefore how many different passwords the bot would have to try, we need to compute the following:

Permutations = (26+26+10)^8

That is, there are 62 ways to pick the first digit of your password (26 uppercase letters, 26 lowercase letters, and 10 numerical digits), 62 ways to pick the second, 62 to pick the third, and so on — eight times.

The result is that there are 218,340,105,584,896 possible eight-character permutations. That’s 218.3 trillion. Supposing that a bot can try one password per second, it would be able to try 31,536,000 in a year. In just under 7 million years, it could try all the possible permutations.
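Carrying the post’s permutation arithmetic through as a small added calculator (my code, not the blog’s): it reproduces 62^8 and the one-guess-per-second estimate, then also applies the earlier post’s point about offline cracking at hundreds of thousands of guesses per second, and the three-dictionary-word count from the same post, so the numbers can be compared side by side. The 500,000 guesses per second figure is an assumed rate for illustration, not one the blog states.

```python
import math

SECONDS_PER_YEAR = 31_536_000  # 365 days, the same figure the post uses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly `length` symbols from an alphabet of `alphabet_size`.
    For the post's case: (26 + 26 + 10) ** 8."""
    return alphabet_size ** length


def passphrase_space(dictionary_size: int, words: int) -> int:
    """Number of passphrases built from `words` dictionary words, order significant, repeats allowed."""
    return dictionary_size ** words


def bits_of_entropy(space: int) -> float:
    """Equivalent strength in bits: log2 of the candidate count."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: years for an attacker at a constant guess rate to try every candidate."""
    return space / (guesses_per_second * SECONDS_PER_YEAR)


def min_length(alphabet_size: int, guesses_per_second: float, target_years: float) -> int:
    """Smallest password length whose full keyspace takes at least `target_years` to exhaust
    at the given rate. Integer loop rather than a float log, so rounding cannot undercount."""
    target_guesses = guesses_per_second * SECONDS_PER_YEAR * target_years
    length = 1
    while alphabet_size ** length < target_guesses:
        length += 1
    return length


if __name__ == "__main__":
    space = keyspace(62, 8)
    print(f"62^8 = {space:,} ({bits_of_entropy(space):.1f} bits)")
    # The post's online bot: one guess per second.
    print(f"online, 1 guess/s:        {years_to_exhaust(space, 1):,.0f} years")
    # Assumed offline rate (illustrative): 500,000 guesses per second.
    print(f"offline, 500,000 guess/s: {years_to_exhaust(space, 500_000):,.1f} years")
    print(f"length needed to keep ~7 million years at 500,000 guess/s: {min_length(62, 500_000, 7_000_000)}")
    # Three dictionary words: full 170,000-word dictionary vs. the 10% 'memorable' subset.
    print(f"3 words from 170,000: {passphrase_space(170_000, 3):,}")
    print(f"3 words from  17,000: {passphrase_space(17_000, 3):,}")
```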

So the answer has to be “yes, eight is still enough”.

On the other hand, if you’re using a software tool like PasswordSafe, the cost of upgrading your passwords to be a bit longer is so low that it’s difficult to think of a reason not to do so. Personally, I’ve begun to use 15 to 30 digit passwords for some applications because it increases my safety without increasing my costs appreciably. But I still feel secure knowing that the master password that unlocks my PasswordSafe database is less than ten characters long. If I lose my PasswordSafe database on the subway again (yes, this has happened once already), I won’t worry.


Protecting and tracking stolen hardware

Phones and laptops are easily lost or stolen, and I would urge you to use one or both of the following to protect yourself in the event that it happens to you:

  1. Encrypt your personal files. If you choose to do just one of the two things on this list, choose this one. TrueCrypt is a good, non-scary encryption utility.
  2. Install tracking software. LoJack and Prey were both mentioned in a recent Economist article, and they seem like reasonably good options.

The Economist article tells the story of a laptop getting stolen and then tracked down without police assistance:

Tales of stolen phones and laptops being successfully retrieved are the exception to the rule. One widely publicised case (perhaps because it was so rare) concerned a Canadian web consultant, who had a bag containing his laptop, mobile phone, health card and copies of his birth certificate lifted while on a business trip to New York. Fortunately, the owner had taken the precaution of installing an open-source tracking tool called Prey on his MacBook Pro beforehand.

Several days later, back in Ottawa, the owner got a message from his stolen laptop, saying it was being used in a restaurant in the Soho district of Manhattan. The tracking software not only sent the location details, but also transmitted screen-shots of what was running on the laptop at the time. It even turned on the user-facing camera and transmitted video of the user to the owner 500 miles away.

In this case, the owner was luckier than most. He had some 12,000 followers on Twitter to call upon for help. Meanwhile, the thief made the mistake of logging onto Skype with his real name. The laptop owner saw all this happening before his eyes and tweeted the details to his followers. He also called the New York police and asked, to no avail, for help. The missing laptop and other items were recovered only when a friend, aided by a Twitter follower in New York, rushed to the restaurant and confronted the staff with the evidence. The stolen laptop was handed over without a struggle.

Being able to track your laptop is a great idea in theory, but if the police aren’t willing to do the potentially dangerous work of confronting the criminal, I suspect the software will be useless to most people. That’s why encrypting your data is priority number one, and installing tracking software is nice to have but not something to rely on.
