Right, so hopefully we are on the same page: password structure is just as important as length and the types of characters you use.
Having a complicated password everywhere isn’t practical, and remembering a complicated password can be difficult, so here we are going to look at some misconceptions and what we can do about them.
Password managers are one option for this: a store of complicated gibberish passwords. Great for businesses, awful for consumers, because on a consumer device or network they just open you up to more problems.
So first off: where do we use passwords?
I’m not talking about your bank or your email (we will come to those); I am talking about where you are when you enter a password.
Consumer devices and networks are really bad for security.
In short, it doesn’t matter how strong your password is: if you enter it on a non-secure device or network, it can be captured, and the strength of the password does nothing to stop that.
As a rule of thumb, important passwords for important things should not be entered when out of the home.
The definition of important is up to you; my version of important is:
Carry on with online retail. It isn’t the most secure thing anyway, but it isn’t tremendously damaging if someone gets that password alone; it all depends on the type of online retail:
Paypal = Do not enter passwords into devices when out of your home
Amazon = Go nuts
The same applies to entering payment details, especially for the first time:
- Never enter payment details into devices when outside of the home
- Don’t enter payment details into a mobile device, ever
It isn’t worth the risk and it is rarely necessary.
Take Amazon, for example: if you store payment details on your account, you never need to re-enter them, so there is no reason to type them into a mobile device again. The payment details are associated with the account.
So you can use your mobile device to purchase things when out of the home without entering payment details.
The other really bad piece of security imposed on us, without our knowing, is the change from “store on computer” to “store on account”.
So if you use Chrome while signed in to your Gmail account and you see a prompt for “save password” or “save bank details”, those details are not stored only on your device; they are stored on your Gmail/Windows Live account in the cloud.
- Don’t use things like Gpay. We look at this in a later article, but in short the problem is not the on-the-spot transfer, it is how Google stores payment information on your Google account.
- Don’t use “Store Payment Details” in browsers; again, the way they are stored is really non-secure.
- Don’t use “Save Password” in browsers for things you need to be secure; again, it is the way these are stored that can be really non-secure.
Security everywhere, is it necessary?
Nope. Half the things you use online have accounts, and I would hazard a guess that only a fraction of them need accounts.
Change.org: yeah, petitions are good, changing the world, but I am not sure why you need an account.
Netflix: I can see why you need an account, but I am not sure it needs to be overly secure.
This is an important notion, when it boils down to it, we need certain things to be secure, certain things we could not care less about.
Bank = Secure
Email = Secure
Things we use to transact regularly (retail) = Secure
Netflix = What is someone going to do that won’t be resolved by me cancelling my direct debit and setting up a new account?
Do we need different passwords everywhere?
Some places need to be unique, complex and secure:
Bank = Secure
Email = Secure
Paypal = Secure
Credit Score Company = Secure (although, they have already leaked most of our data)
Online Retail = Secure
Netflix = Who cares?
Things that can cause us damage if someone else accesses them need to be unique and secure; everything else is irrelevant.
Think of it this way:
Would someone who got hold of my email password use it to get into my Netflix, Change.org, Twitter, LinkedIn or NowTV accounts? Probably not.
Would someone who got hold of my Netflix password try it against my email? Probably.
Would someone who got hold of my eBay password try it on Amazon? Maybe, but what more damage can they do?
So we need something like this:
Bank = Secure and Unique
Email = Secure and Unique
Paypal = Secure and Unique
Ebay, Amazon, Sainsburys, Tesco, Next etc. = The same password, Secure
Netflix, NowTV, Change.org etc. = The same password, somewhat secure
Keep in mind that your email can be used to reset the passwords on the majority of these anyway, so priorities are key here. A weak email password means everything is weak.
Cause and effect; think of the physical world. You don’t leave your keys in the car, but you might leave a shovel in the front garden while you go and make a cup of tea.
The shovel could be nicked by the time you come back; it is annoying but not the end of the world.
Online security needs the same considerations. Focus on making the things you need to be secure as secure as possible; everything else is a risk-based decision.
Can you write down a password?
You can’t do this, though:
“NHS Worker leaves laptop on train with password stuck to the front”
But there is nothing stopping you from writing down part of the password, or even writing down the whole password in a safe place in your home.
In fact, we are going to get into the habit of writing down passwords, but we are going to do it in a way where:
- If someone gets hold of what I have written down, they still cannot log in
- It still protects us from attackers
- We have other reasons for writing down passwords that we cover under other attack methods in later articles, specifically that we don’t want to use a password manager on a consumer device or network and we also don’t want to rely on account recovery options. (For now, just take my word that this is a good method; I promise I will back it up in coming articles.)
How to define a secure password you can write down
(Please note, we have a separate page on the various methods you should follow for writing down passwords; this example is just for explanation in this article and is not a full example.)
That is a 15-character secure password. I aim for 10 random characters plus a 6-10 letter word. Sometimes I use fictitious words from Sci-Fi or Fantasy; we are just extending the length.
As we mentioned, entropy is a measure of randomness; here we use it loosely for the total number of combinations an attacker would have to try.
So let’s assume my word pool is 30,000, which is roughly the number of words an English speaker knows.
So I can calculate the combinations in 2 ways:
1. Dictionary attack combinations = 30,095^10
That won’t show on a calculator.
The reason is that there are essentially 10 tokens in my password (9 single characters plus the word), and each token is either one of the 95 printable characters or one of the 30,000 words, so 30,095 possibilities at each of 10 positions:
Token 1 = $
Token 2 = m
Token 3 = Donkey
Making 30,095 potential tokens in 10 different positions.
2. Brute force combinations = 95^15
About 464 octillion combinations; that is what you face if you start at 15 a’s and just keep trying every combination of the 95 printable characters.
So what we do for this method is:
- Write down a random code of gibberish, making sure to take characters from different parts of the keyboard
- Remember 1 or 2 random words and place them at a location you also remember
So all I remember is: the word “Donkey” comes after “m”, for my particular example.
I would write the gibberish down on a piece of paper or in a diary that I keep somewhere in my home.
Now this is short, complex, easy to remember (because the hard part is written down) and keeps us away from the patterns that sophisticated attacks target.
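The two-part scheme above, as an added example that is not from the original article: generate the written-down gibberish with the OS random source, rebuild the real password from the one rule you remember (word and anchor character), and check against a salted slow hash that the written part on its own does not log in. The sample written part, the keyboard regions and the PBKDF2 parameters are assumptions for this example, not the article’s own.

```python
import hashlib
import hmac
import secrets
import string

# Keyboard regions to draw from (an assumption for this example, standing in for
# the article's "take characters from different parts of the keyboard" rule).
KEYBOARD_REGIONS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def make_written_part(length=9):
    """The gibberish you write down: `length` characters, each from a randomly
    chosen keyboard region, generated with the OS CSPRNG (never random.random)."""
    return "".join(
        secrets.choice(secrets.choice(KEYBOARD_REGIONS)) for _ in range(length)
    )


def compose(written, anchor, word):
    """Rebuild the real password from the written part plus the two things you
    remember: the word and the character it follows. The anchor must occur
    exactly once, otherwise "Donkey comes after m" is ambiguous."""
    if written.count(anchor) != 1:
        raise ValueError("anchor character must appear exactly once in the written part")
    idx = written.index(anchor) + 1
    return written[:idx] + word + written[idx:]


def store(password, iterations=600_000):
    """What a well-behaved site keeps: a random salt and a slow PBKDF2 hash,
    never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify(record, candidate):
    """Constant-time check of a login attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


# Constructed sample of a written-down part (not the article's password): nine
# characters from several keyboard regions, with a single "m" to anchor the word.
WRITTEN = "3$m&Kq7!z"
ANCHOR, WORD = "m", "Donkey"


def demo():
    password = compose(WRITTEN, ANCHOR, WORD)   # "3$mDonkey&Kq7!z", 15 characters
    record = store(password)
    return {
        "password": password,
        "written_part_alone_logs_in": verify(record, WRITTEN),   # False
        "full_password_logs_in": verify(record, password),       # True
    }


if __name__ == "__main__":
    print(demo())
    print("fresh written part:", make_written_part())
```

The anchor check matters in practice: if the character you remember appears twice in the gibberish, you have two candidate passwords and will lock yourself out half the time, so reject such a written part and generate another.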
How does this compare to a longer password with a bad structure?
Well, let’s think about the entropy of 4 random words, often seen as
correct horse battery staple
It all depends on how random the random words are. Say it is 4 random 6-8 letter words (these are the easy ones to remember; 4 randomly generated long words are just as difficult to remember and spell as a complicated password).
We could say an average length of 28 characters.
If we say these come from a pool of 14,000 potential words, then the dictionary attack entropy is 14,000^4:
38 quadrillion combinations.
Even if we say they are taken from a pool of 30,000 words:
810 quadrillion combinations.
So while you have nearly doubled the length, you have far fewer combinations, because it is structured and a well known method; it all depends on the source of the words and the pool we select from.
If you were to think up these words yourself without using a random generator, 5-8 letter words, maybe 2,000 or so words that you and everyone else knows, it would be a trend: 2,000^4 is 16 trillion combinations, otherwise known as crackable.
Now in 2016 the National Cyber Security Centre suggested three random words in a blog post, because the length would be long enough and easy to remember. Even going by a large word base of 30,000 words that is only 30,000^3, 27 trillion combinations, also known as crackable.
So, as the attacker from the previous page, I’m likely to cater for 3-word combinations just on the strength of that advice from a recognised authority, and I won’t need to cover a large amount of the dictionary, simply because the long and complicated words would not be easy to remember and so won’t be chosen.
You can read that advice here, but please DON’T FOLLOW IT.
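The figures from the two comparisons above (the 15-character hybrid and the random-word passwords), worked through as an added example that is not part of the original article. It also adds a third model the article does not use: an attacker who knows the shape of the hybrid (9 random characters plus one word at an unknown token position), and a time-to-exhaust estimate at an assumed offline guess rate, which is the quantity the password reset argument later in the article relies on. The guess rate of 10^10 per second is an assumption (roughly a GPU rig against a fast unsalted hash), not a figure from the article.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
# Assumed offline guess rate (an assumption for this example, not from the article):
# roughly what a GPU rig manages against a fast unsalted hash such as MD5 or NTLM.
ASSUMED_GUESSES_PER_SECOND = 1e10


def guess_space(pool, positions):
    """Number of candidates when each of `positions` slots has `pool` choices."""
    return pool ** positions


def bits(n):
    """Guess space expressed as bits of entropy."""
    return math.log2(n)


def years_to_exhaust(n, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case for the attacker: trying every candidate at `rate` per second."""
    return n / rate / SECONDS_PER_YEAR


def hybrid_known_structure(random_chars=9, word_pool=30_000, charset=95):
    """Added model: the attacker knows the password is `random_chars` printable
    characters plus one dictionary word inserted at one of random_chars + 1
    positions. Stricter than the article's 30,095^10 model, still far above
    four random words."""
    return (random_chars + 1) * charset ** random_chars * word_pool


# The article's cases, plus the added known-structure model.
SCHEMES = {
    "15-char hybrid, article's dictionary model (30,095^10)": guess_space(30_000 + 95, 10),
    "15-char hybrid, brute force (95^15)": guess_space(95, 15),
    "15-char hybrid, structure known (added model)": hybrid_known_structure(),
    "4 random words, 14,000-word pool": guess_space(14_000, 4),
    "4 random words, 30,000-word pool": guess_space(30_000, 4),
    "4 self-chosen words, 2,000-word pool": guess_space(2_000, 4),
    "3 random words, 30,000-word pool (NCSC)": guess_space(30_000, 3),
}


def report(schemes=SCHEMES):
    """One row per scheme: name, combinations, bits, years to exhaust."""
    return [(name, n, round(bits(n), 1), years_to_exhaust(n)) for name, n in schemes.items()]


if __name__ == "__main__":
    for name, n, b, yrs in report():
        print(f"{name:58s} {n:>10.3g} combos {b:6.1f} bits {yrs:10.3g} years")
```

One caveat the numbers make visible: the article’s dictionary model gives 30,095^10, which is larger than the brute-force count 95^15. A dictionary count above the brute-force count means the attacker would simply brute-force instead, so the real ceiling is the smaller of the two, and the added known-structure model is smaller again (about 2^77). Even so, every variant of the hybrid sits far above the 2^59 of four random words from a 30,000-word pool, and the three-word and self-chosen-word cases fall to the attacker in under an hour at the assumed rate.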
Now the interesting thing you will find is, once you enter this several times you will start to remember it.
The problem with remembering passwords stems from work: the Friday-to-Monday issue, or more usually when someone comes back from annual leave and has forgotten their password.
There is a patronising notion that people cannot remember complex passwords. It isn’t true, as proven by my mother, nearing retirement age, who uses and remembers total gibberish passwords; but it is the same reason why we no longer remember telephone numbers.
The reason we don’t remember passwords is, generally speaking, not the complexity; it is the lack of repetition. In other words, don’t use the convenient “Do you want to remember this password” options on a computer.
It is the same as phone numbers: contacts on a digital device mean we don’t physically dial numbers as frequently, so we don’t build repetition. The same is true for passwords; it doesn’t matter what the characters are, we just need to enter them frequently to create the retention required.
However, if you do then forget the password, the bit that is difficult to recall is written down somewhere.
What about when we are at work?
Do whatever your employer tells you to do. Simple as that.
But the rules they prescribe for work don’t necessarily carry over to consumer life. They have different considerations: a password manager is likely to be secure by virtue of an IT-administered network, so a password manager is a valid work tool.
Do we need to reset passwords?
Yes, but once per year is enough for consumers, IF your password is of reasonable complexity.
The problem we have is that a company’s data breach is inevitable, as is a successful hack against a company. Data breaches lead to offline attacks, where the attacker can make unlimited attempts against the stolen file, so someone getting hold of the file containing your password is somewhat inevitable.
When they get that file, provided your password is secure enough, by the time they crack it from the data they have, you will have changed it, so they cannot do any damage to you via that route or password.
They would have to re-attack the same company to get new data, then attempt the offline attack on your account again; by the time that is done you would have changed your password again.
What have we done here?
Well, in short, the attack method I outlined on the previous page has been made substantially more difficult; essentially, I cannot use my previous method to crack your password.
Now on the next page we will look at the industry’s responsibility around this, and some of the biggest problems we create.