After a long journey he was nearly there. In the distance there was the outline of the city wall. Moments later he approached the city gate.
“Halt!”, shouted a heavily armed guard.
He had grown used to this ritual, so he went through the motions.
“What is the pass word?”, the guard asked.
He spoke the phrase he had memorized. The guard nodded, lowered his hands from his weapon, and stepped aside to allow him entry.
The above is how I imagine passwords came into common usage long ago. Passwords are not very practical in that scenario, which is probably why we now have passports: literally a document to pass through some port, such as a city gate or a border. Checks at the border can also be done using fingerprints. If the guard were to take fingerprints and quickly compare them to a set of known prints, he could decide whether to let you pass based on a matching print.
Consider what these three things fundamentally represent:
- A password is something that you know, you need to memorize it.
- A passport is something that you have, you need to take it with you.
- A fingerprint is something that you are, you always have it with you.
Most security systems combine at least two of these three factors:
Access to your bank transactions requires two things. Firstly, your debit card: something that you have. Secondly, your Personal Identification Number (PIN): something that you know. Entering a modern house also requires two things: the keys to your door and the access code to disable the alarm, which again combines something that you have with something that you know. Finally, entering a foreign country may even combine all three ingredients: a border guard may ask why you are entering the country and where you will be staying, he will ask for your passport and may scan your fingerprints.
Where am I going with this? Good security systems combine at least two of the three factors above. Think about how you access all your on-line accounts like Google, Facebook and LinkedIn. Do you use a password? Is that the only thing that you use to gain access? The answer to that is likely yes, and that is not a good thing.
Of the three fundamental ingredients above, the password (something you memorize) is also the easiest to bypass. Not so much because of technical issues, although those do occur, but because of entirely understandable human limitations.
The problem with passwords is that a complex password is hard to remember, and a simple password is easy to guess. Most people err on the side of making their passwords too simple. Why are such passwords easily too weak? For that we have to do some calculations.
Let us assume that you pick a single digit as your password. Let me think: you likely picked either a seven or a three, am I right? Even if I am wrong, people prefer some numbers over others, and that is exactly the root of the problem. With a single digit password I would need at most ten guesses to be certain of the answer. If I make my guesses a bit smarter – starting with the digits that are chosen most often – I may be able to guess ninety percent of all single digit passwords with only five tries.
Longer and more Complex
Obviously we need something a little longer. A four digit password has ten thousand possible combinations, which is already much harder to guess. This is in fact the search space of the familiar PIN code. Some banks allow their customers to choose their own four digit code, which is a bad idea. Four digits are, from a memorization point of view, ideal for representing a birth year or some other significant date. Consider that many such years start with either 19 or 20, and we are left with only two digits to guess: one hundred is a much smaller space of possibilities.
Digits are often not the only characters allowed in a password; letters usually are too. This seems sound: the twenty-six letters of the alphabet, each in lower or upper case, add fifty-two possibilities, for sixty-two symbols in total and almost fifteen million (sixty-two to the power four) possible passwords of length four. If we add in special characters this number grows even larger.
Adding extra symbols (digits, letters, other characters) to the possible password range may seem like a good idea. However, just as we saw with numbers: if the patterns are predictable they are easy to guess. Consider that if we make a word of two characters in English there are a limited number of actually valid words: ‘of’, ‘it’ and ‘to’ are all valid. In contrast ‘tj’, ‘gh’ and ‘lq’ are not valid words. Sequences of letters that are not words are difficult to remember. Hence, people rarely use them. This leads to predictable passwords that usually consist of nouns combined with predictable number sequences: ‘Ghost2012’, ‘lipgloss’ and even ‘password’.
Indeed the top five passwords are: ‘123456’, ‘password’, ‘12345’, ‘12345678’ and ‘qwerty’. Fortunately few people actually use these passwords. Still, if you tried the ten most popular passwords against someone’s account, you would succeed for about sixteen in every thousand accounts. Which, while not spectacular, is still ridiculously high.
A thousand tries may seem like a lot, and it is if you would have to type all those passwords yourself. However, this can be automated quite easily. Trying all possible passwords is called ‘brute-forcing’. A modern computer can easily do this at a rate of five thousand per second, and that is against a live login page; against a stolen copy of a site’s password database, where nothing throttles the attempts, dedicated hardware manages far more. Using some statistical insights, such as those mentioned above, this process can be made highly effective: the attacker does not try every combination, but the likely ones first. In fact most human-chosen passwords under ten characters can be broken in several hours using off-the-shelf computer hardware.
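To make the guessing argument concrete, here is an added example that is not code from the original post. It simulates an attack on a leaked database of unsalted SHA-256 password hashes: the user names, the hashes and the tiny word list are all constructed for this example, and the guess order follows the statistics above (the most popular passwords first, then common words, then word-plus-year patterns such as ‘Ghost2012’). The search-space functions do the ‘ten thousand PINs’ style of calculation from the text.

```python
import hashlib


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, as a careless site might store passwords."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed sample "leak": user -> password hash. The passwords behind the
# first three hashes are the kind of choices discussed in the text; the fourth
# is a randomly generated 8-character password.
LEAKED_HASHES = {
    "alice": sha256_hex("123456"),
    "bob":   sha256_hex("Ghost2012"),
    "carol": sha256_hex("lipgloss"),
    "dave":  sha256_hex("xK7#pQ2v"),
}

# Guess order, most likely first (all three lists are constructed for the example).
TOP_PASSWORDS = ["123456", "password", "12345", "12345678", "qwerty"]
COMMON_WORDS = ["ghost", "lipgloss", "dragon", "monkey", "sunshine"]
YEARS = [str(y) for y in range(1970, 2020)]


def candidates():
    """Yield guesses in decreasing order of likelihood."""
    yield from TOP_PASSWORDS
    yield from COMMON_WORDS
    yield from (w.capitalize() for w in COMMON_WORDS)
    for w in COMMON_WORDS:                      # 'Ghost2012'-style patterns
        for base in (w, w.capitalize()):
            for year in YEARS:
                yield base + year


def crack(hashes: dict, max_guesses: int) -> dict:
    """Return {user: (password, guess_number)} for every hash recovered within
    max_guesses attempts. Each guess is hashed once and compared against every
    leaked hash at the same time, which is what makes a leak so cheap to attack."""
    wanted = {h: user for user, h in hashes.items()}
    found = {}
    for n, guess in enumerate(candidates(), start=1):
        if n > max_guesses:
            break
        h = sha256_hex(guess)
        if h in wanted:
            found[wanted[h]] = (guess, n)
            if len(found) == len(wanted):
                break
    return found


def search_space(alphabet_size: int, length: int) -> int:
    """Number of passwords of a given length over an alphabet of that size."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in the space."""
    return search_space(alphabet_size, length) / guesses_per_second / 3600


if __name__ == "__main__":
    result = crack(LEAKED_HASHES, max_guesses=1000)
    for user, (pw, n) in sorted(result.items()):
        print(f"{user}: '{pw}' recovered on guess {n}")
    print("not recovered:", sorted(set(LEAKED_HASHES) - set(result)))
    print("4 digits:", search_space(10, 4), "possibilities")
    print("4 letters or digits:", search_space(62, 4), "possibilities")
    print("8 letters or digits at 5000/s: %.0f hours" % hours_to_exhaust(62, 8, 5000))
```

Running it recovers ‘123456’ on the first guess, ‘lipgloss’ on the seventh and ‘Ghost2012’ on guess 108, while the random eight-character password survives the whole list. Note the contrast with the last line of output: exhausting every eight-character alphanumeric password at five thousand guesses per second would take millions of hours, yet the predictable passwords fell in about a hundred guesses. That gap between the theoretical space and the space people actually use is the whole problem.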
I hope it is clear by now that using only a password that you can memorize to secure your on-line accounts is a bad idea. So, how can we improve this?
There are at least three things that you can quite easily do with respect to passwords alone:
- Generate passwords, instead of making them up yourself. No offense, but: a password randomly generated by a computer is most certainly better than anything you can think of.
- Use long passwords. As we have seen, the length of a password is an easy way to increase the difficulty of guessing it. A bare minimum is ten characters, but as computing power increases this may rapidly become too short. Twelve characters is a more realistic minimum nowadays, and sixteen to thirty-two characters is a safe range.
- Use a different password for each service that you use. This way, when one account is breached, you do not get a domino effect.
Using a very long password is one of the few exceptions where you can get away with choosing your own. Consider that a long sentence as password is quite hard to guess: there are so many possible sentences! Even though a completely random password of the same length is harder to guess, this matters less if the password is sufficiently long. The one thing to avoid is a sentence an attacker can look up: a famous quote, a song lyric or a line from a book is on every guessing list.
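The two recommendations above, generating passwords and making them long, are easy to put into practice. The following added example (not code from the original post) generates a random password and a random passphrase using Python’s `secrets` module and works out how many bits of guessing effort each represents. The 32-word list is constructed for the example so that every word is worth exactly five bits; a real word list such as the EFF diceware list has 7776 words, which is about 12.9 bits per word.

```python
import math
import secrets
import string

# Printable ASCII without the space: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed word list of exactly 32 words (5 bits per word). A real list
# such as the EFF diceware list has 7776 words (about 12.9 bits per word).
WORDS = [
    "apple", "river", "candle", "forest", "marble", "violet", "copper", "window",
    "saddle", "pepper", "rocket", "timber", "harbor", "meadow", "silver", "pillow",
    "garden", "anchor", "button", "lantern", "orange", "puzzle", "basket", "cactus",
    "dragon", "feather", "island", "jacket", "kettle", "magnet", "needle", "oyster",
]


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password. Uses secrets (a CSPRNG), never random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Random passphrase: words drawn uniformly, with replacement."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `choices` options.
    Only valid for generated secrets; a human-chosen password has far less."""
    return picks * math.log2(choices)


def average_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time for a secret of the given entropy: on average
    half of the space has to be searched before the right guess turns up."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 5000  # guesses per second, the figure used in the text
    for label, choices, picks in [
        ("4-digit PIN", 10, 4),
        ("8 random characters", len(ALPHABET), 8),
        ("16 random characters", len(ALPHABET), 16),
        ("6 words from a 32-word list", len(WORDS), 6),
        ("6 words from a 7776-word list", 7776, 6),
    ]:
        bits = entropy_bits(choices, picks)
        print(f"{label:32s} {bits:6.1f} bits  ~{average_crack_years(bits, rate):.3g} years at {rate}/s")
    print("password:  ", random_password(16))
    print("passphrase:", random_passphrase(6))
```

The point of the table it prints is that length beats alphabet size: six words from a real diceware list (about 77 bits) comfortably exceed eight random characters drawn from all 94 printable symbols (about 52 bits), and are far easier to type and remember. The entropy figures only hold for secrets that were actually generated at random; typing a ‘random-looking’ string yourself does not earn them.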
If you are not into long passwords, then the best solution is a password manager of some sort. KeePass and LastPass are popular solutions that are easy to use. There are two caveats to these tools:
- They usually use one strong ‘master’ password, which gives access to all the site-specific passwords. This is a single point of failure in some sense, and can also lead to a domino effect, but it is not a major problem if you have a sufficiently strong master password combined with two-factor authentication: more on that later.
- Some of these services store your passwords ‘in the cloud’ in encrypted form. Understandably not everyone is okay with that. Fortunately, there are also variants which store your passwords locally on your own machine.
Using a password manager may feel like ‘writing down your password on a piece of paper’. In a sense that is true, but a strong password written down and kept in a safe place is much better than a weak password that you have memorized. The same applies to password managers: the benefits outweigh the risks.
Improvements to your password do not address the most pressing concern: remember that most systems combine at least two of the three factors: something you know, something you have and something you are. A password is still only one of those ingredients. Hence, where possible you should add another one of these ingredients.
Almost all major on-line service providers – Microsoft, Google, Facebook, Yahoo, et cetera – offer some form of two-factor authentication. One popular mechanism, called TOTP, uses codes generated by an app on your phone. How does this work? You scan a QR code on the screen once; it contains a secret that is from then on shared between the service and your phone. The app combines that secret with the current time to produce a short code that changes every thirty seconds, and the service performs the same calculation to check it, so the phone needs no network connection. You can set things up so that you are asked for a code only once a month on computers that you regularly use. The effort is minimal and the security benefit is huge: in addition to guessing your password, an attacker would have to gain access to your phone, which is far more difficult.
Other services may instead send you an SMS with a code, or an e-mail with a link to click. This is a bit less secure, since a text message or a mailbox can be intercepted or taken over more easily than a secret that never leaves your phone, but it is still far better than a password alone and certainly worth enabling. If you use a password manager, then securing it with some form of two-factor authentication is an absolute must.
Say that you want to secure some other service X that does not offer two-factor authentication. What to do? The service may offer logging in via OpenID, which means that you can log in to it using one of your main on-line accounts, such as Google or Facebook. If you have secured that account by enabling two-factor authentication, then the account at service X is transitively protected by it as well. One caveat: if service X still accepts your old password as an alternative way in, that route is only as strong as that password, so disable it where possible or make it long and random.
To wrap up: I recommend that you:
- Always use two-factor authentication wherever it is offered.
- Always construct sufficiently long passwords.
- Seriously consider using a password manager.
After a long journey the data packet, the first in a long stream, was nearly there. Waiting inside the last switch, it could sense the faint hum of a server in the distance. Moments later the packet had entered the server system. The server unwrapped the data packet and found a password inside. But it knew the password was not enough. The server generated the code it was expecting. It unwrapped the next packet in the stream and found the exact same code it had generated just a moment ago. It allowed the rest of the stream of packets to enter.