Saturday, July 16, 2011

Thoughts on creating a strong password system

Ever since TechSnap launched on JupiterBroadcasting, I've started worrying about my online privacy. I've not been the best about creating unique passwords for every site, unless the site is important. Plus, over the years, the passwords I use change so I will often forget the password to a site I haven't used in a while, give it a few guesses, and then eventually have to reset the password (which can be a hassle, since I may have signed up under any of 5 different e-mail addresses).

So I've been trying to think of a good way to create passwords that are easy to remember, but also very strong and different from one another. Most sites just suggest how to create a strong password, which is fine if you only use one site. It's really not hard to create a secure password: mix in numbers and symbols, don't use all lowercase and try to avoid using words period if you can. But if you have literally over 100 sites you've signed up for over the years (like me), from forums to e-mail accounts to social networking, it's a little more important that they are both secure and convenient to remember.

The best site I've come across so far in my searching is an article on titled Passwords: Creating and Maintaining a Strong Password System. They recommend splitting it into three parts: A common part, a "type" part, and a site-specific part. I think it's a good idea, especially because this makes it easier to remember and I even started dividing the sites I'm on up by categories.

...but it seems like it has one gaping flaw: what if someone were to obtain two passwords from the same type? They could quickly recognize that they were alike except for the last three characters were the same, which means that they just reduced having to guess a 14 character password to a mere 3. Now by doing a quick count on my keyboard, it looks like there are ~100 possible characters for each of those three, which still makes it 1,000,000 different combinations (if I did my math right...I was always bad with possibilities).[Yeah, you could totally include Unicode characters or other non-standard ASCII, but most people aren't going to want to dive into the Character Map or memorize a bunch of Alt codes just to log into a website.]

That may seem a little impressive, but then remember that those three really aren't going to be anything, they're going to build off of the site name, then trade out only one of those for a random symbol/number. So if we took Gmail, for example, two of the letters are going to be from gmail, and they are going to be in the same order as "G-M-A-I-L" ('L' won't come before 'A'). That means character...
  1. Can only be 'g/G', 'm/M' or 'a/A'. That's only 6 characters.
  2. Can only be 'm/M', 'a/A' or 'i/I'. Again, only 6 characters.
  3. Can only be 'a/A', 'i/I' or 'l/L'. Again, 6 characters.
But one of those is going to be random, but only a symbol or number, because having a random letter in there is going to make it confusing. So after another quick count, there are only 35 characters and numbers on my keyboard.

We add that up: (35*6*6), we only get 1,260 possible combinations for your password. "Gmail" is a rather short site name so sites like "Jupiter Colony" would definitely fair better, but really if you're going to try to be able to conjure up these names without looking at a list, you're probably going to pick the first letter of the first word -in this case "J"- and then probably go from there, most likely including something from the second word resulting in something like "JuC".

That's definitely my main concern, without even considering how you'd remember what symbols you stuck where for every site and type. (If you "assign" a symbol to a letter, that drastically decreases the strength and possible combinations -in thee case above, it would drop it to 6*6*6 = 216.) It seems like it's more along the lines of "security via obscurity" because you're betting that no one will figure out the method you're using but if they do, they've basically broken in.

Another one of the fears I've had about it is sites that store the password in clear text. Mostly small forums and such over the years, but I have noticed that some will actually send you your current password in an e-mail when you do a reset, which is a nono because that means they have a 2-way hashing algorithm, or they store it in plain text. To me, that seems just ripe for the picking for naughty people seeking passwords and the more of those they are able to get, the easier it will be to start seeing patterns in the method.

I'm not sure if there's really a better way to do it though. I realize that all "systems" you might invent mostly use obscurity just because you have a basic algorithm that you used to derive them, but it just seems like this one is less secure than I would hope. The only true way to make it actually a truly secure is to use a randomly generated password for every single site you use and keep track of them in a TrueCrypt volume on a PC not connected to the internet with a password on the BIOS and a TrueCrypt encrypted drive......

My point is, there's always going to be some weakness, it just depends on how much you feel comfortable with it. I definitely don't feel comfortable using the same password for every site, but I'm not quite sure I feel comfortable with this method either. I definitely don't feel comfortable picking a category for "banking", as they suggested, because if you're going to use the same password minus three characters for all the sites that manage your money, you might as well go ahead and just make the check out to "Nigerian Princess Scammers" right now.

If you want to correct or even make a suggestion, feel free.

No comments:

Post a Comment