One of the things we’ve tried to do at the Digital Digest is to address best practices on topics that are in the news. With the upcoming launch of Windows 8 and its new approach to passwords we thought it would be a good time to talk about password and pass-phrase options as they relate to the overall security of information on any network.

As computer systems are more important to business and pleasure, more hackers are trying to exploit those systems. Unfortunately the weakest link in security is often the human one – people still use simple passwords that are easy to guess, or when forced to pick a “complex” password they resort to writing them down or storing them in non-encrypted files.

There are many reasons for this, but the biggest one is that it’s very hard to remember things like “Xy3<$8yHl7@1”. Is that a capital “I” or a lower case “l”? These cryptic collections of letters, numbers and symbols are increasingly difficult to remember and to keep straight, so in order for someone to access the systems, they defeat the entire purpose of a password and write them down.

It’s good practice to have a separate password for your email and your financial accounts, another for your network, yet another for your work email, your work network, and so on… One way to avoid having to commit to memory so many cryptic confusing passwords is to use a pass-phrase for each system instead. A “pass-phrase” is a series of letters and numbers that mean something: “l3tMeln” for “let me in,” for example. Another example might be “TheSunWillComeOutTomorrow!” or “I<3MyDog”. Each of these pass-phrases is more memorable because it means something to us. It’s not just a cryptic string of random characters.

Software security guru Robert Hensing said the following in 2004:

So why are these pass-phrases so great?

  1. They meet all password complexity requirements due to the use of upper / lowercase letters and punctuation (you don’t HAVE to use numbers to meet password complexity requirements)
  2. They are so freaking easy for me to remember it’s not even funny.  For me, I find it MUCH easier to remember a sentence from a favorite song or a funny quote than to remember ‘xYaQxrz!’ (which b.t.w. is long enough and complex enough to meet our internal complexity requirements, but is weak enough to not survive any kind of brute-force password grinding attack with say LC5, let alone a lookup table attack).  That password would not survive sustained attack with LC5 long enough to matter so in my mind it’s pointless to use a password like that.  You may as well just leave your password blank.
  3. I dare say that even with the most advanced hardware you are not going to guess, crack, brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password).

As more of us become reliant on computers and the cloud it seems more important than ever to guard your passwords and maintain separate passwords between systems. What better way to do it than using quotes from your favorite songs, tributes to your kids, or a shout out to your favorite movie monster – “I<3Godzilla!”? I should have listened to Hensing sooner and I’d have locked myself out of various websites a lot less.

Now, a friend or a hacker armed with one of those ubiquitous email “surveys” could still compromise the phrases discussed above. For even more security you can try a system like Diceware. Diceware gives you the ability to create random strings of words that are even harder to crack than a general pass-phrase.

Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. A five-digit number precedes each word in the list. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select one unique word from the list.

All you need is five dice and the Diceware word list to have an almost uncrackable password.

xkcd had it right:

Image

Ultimately we’re all responsible for the security of the data we touch, whether it’s ours or it belongs to others. We must find better ways to secure this data and to eliminate the temptation to write passwords down, or to use passwords that are too easy to crack.