How to Design Passwords

How to Design Passwords
H o w To D e s i g n pA55w0rDs:-)petercochrane.com ABC12345def Prof Peter Cochrane OBE Sentient Systems
THE nIGHTMARE! *A different password for each account *Change your passwords regularly *Don’t keep a documented record *Don’t embed them in a browser *Don’t write them down *Don’t tell anyone *Don’t share Guidelines and lots of useful advice that is often impractical and/or impossible:- Make them > 11 characters that include a mix of alpha numerics - upper & lower case plus punctuation marks and special characters…
Public Reality! A fundamental incapability to deal & cope with the complexities and many challenges of IT… Industry needs to produce, deliver and maintain inherently secure products - to get the users out of the Realm of Risk management, including password hell!
OMG - Really ! YES, people are indeed silly We need to do much better than this!
THE Threat Omnipresent Highly motivated Growing by the day Smart Adaptive Resourceful Well organised Global 24 x 7 People Machines Networks AI, Apps, Clouds +++ “Never underestimate the enemy - and never . assume you are smarter than they are”
Passwords in ‘diaries’ Passwords in ‘eMails’ Passwords on ‘post its’ Passwords in ‘open docs’ Passwords on ‘white boards’ Passwords shared ‘between apps’ Passwords shared ‘between peoples’ Passwords shared ‘between web sites’ Passwords used on spoof web sites/services +++++ The Gullibility Threat Social engineering - persuasion - observation - bribes ++ Passwords extracted by ‘smart’ conversationalists, friends, family, associates, colleagues, co-workers ++++
Welcome to password & two factor hell! We need to do much better than this! What do you do when there is no mobile signal or there’s a loooong delay or network fault? You need at least: a net sync’d app embedded on your machine, but ensure it does it imply more risk?
12 Characters, Minimum: There’s no minimum or standardised password length; but in general go for >12 to 14 characters Mix Numbers: Letters, Symbols, Upper & Lower-Case: Many different types makes passwords harder to crack Dictionary Words/Combination: To be avoided as much as possible - any isolated word is bad, and word combinations are also high risk Avoid Obvious Substitutions: Eg, replacing an ‘o’ with ‘0’ is obvious - a 3 for e or E, 2 for z or Z only slightly better - and DO use “, ; -} ] ) et al Number Strings: at the end, beginning or in the middle are also ‘obvious’ Industry Advice For a strong password you ‘at least’ need..
12 Characters, Minimum: There’s no minimum or standardised password length; but in general go for >12 to 14 characters Mix Numbers: Letters, Symbols, Upper & Lower-Case: Many different types makes passwords harder to crack Dictionary Words/Combination: To be avoided as much as possible - any isolated word is bad, and word combinations are also high risk Avoid Obvious Substitutions: Eg, replacing an ‘o’ with ‘0’ is obvious - a 3 for e or E, 2 for z or Z only slightly better - and DO use “, ; -} ] ) et al Number Strings: at the end, beginning or in the middle are also ‘obvious’ Industry Advice For a strong password you ‘at least’ need.. Machines are fast intelligent exhaustive with extensive libraries One size does not fit all people and machines present different risks people are slow and get exhausted and use different methods
For a strong password you ‘at least’ need.. The snag is you are one click away from losing everything! And so another much bigger security fail/fail pops up and kills you stone dead! “The secret to good security is to design (in) ‘fail-safe’ and ‘fail-gracefully’ with ‘layered’ protection and multiple routes to recovery “All your ‘eggs’ in one basket is the dumbest and riskiest solution of all “ Strong Advice A password generator and management system
Password Managers D e l e g a t i n g t h e n i g h t m a r e t o m a c h i n e s Mostly Software embedded in browser plugins/web services to automatically manage user credentials They auto-paste (names/ID/email addresses) passwords into login forms, or simulate typing them, and generally support: •Printable characters •Passwords >64 characters •Pasting username and password
Password Managers D e l e g a t i n g t h e n i g h t m a r e t o m a c h i n e s Mostly Software embedded in browser plugins/web services to automatically manage user credentials They auto-paste (names/ID/email addresses) passwords into login forms, or simulate typing them, and generally support: •Printable characters •Passwords >64 characters •Pasting username and password don’t rely on one app alone m ake sure you engage a degree of diversity
Password Managers D e l e g a t i n g t h e c o m p l e x i t y t o m a c h i n e s Also, choose embedded password generators with many user choices:- Length Upper Case Lower Case Numbers Symbols Special Characters Similar Characters Generate on Device Generate on Server Auto-Select New Password https://digital.com/blog/best-strong-password-generators/
Password Managers W h y y o u n e e d / s h o u l d a l w a y s u s e o n e ! W h a t c o u l d p o s s i b l y g o w r o n g ? •Yo u r d e v i c e / m a c h i n e i s s t o l e n / b r o k e n / f a i l s / d i e s •A s o f t w a r e u p g r a d e s c r a m b l e s e v e r y t h i n g •Yo u r b a c k u p / r e c o v e r y p r o c e s s f a i l s •M a l w a r e f r e e z e s e v e r y t h i n g •T h e A p p / B r o w s e r f a i l s ………………..
REALITY CHECK Diversity-essential to survival Confounding the enemy by the reduction of habituality - and the introduction of the new, unexpected, surprises, and a reduction of discernible patterns… At best you will prevent a break in, and at worst you should slow and impede the Dark Side to cost them time and $$$$ Vary your methods and measures as much/frequently as is reasonably possible. Maximise the total Entropy of your defences
REALITY CHECK Diversity-essential to survival Beware of ‘Common Mode Failures’ due to an over reliance on one technology choice/route, or by being blind sided and/or overconfident in you choices, products, and engineering solutions. “Fortresses tend to remain relatively static whilst methods of attack always evolve” Get someone to attack and test your defences and solution(s)…never be so sure that you got it all right first time around…or indeed that it all exhibits longevity!
Use a password and/or document/ file/folder encryption… Strongest Advice For protected documents that may be accessed The concatenation by layers can add exponential difficulty for any attacker Obscuration by volume and location is also an effective mode of protection Password protect at every layer
Strongest Advice Use every weapon of defence you have available Do not rely on any one technique Respond rapidly to surprises Be prepared to be adaptive Use all available options Keep on top of new attack technologies - adapt and evolve on the fly…
CrEating your own Making life very difficult for The Dark Side IcannaTellythee Thi5i5th3b35tIcand0 Non-standard/Novel solutions can be hard/expensive to defeat
Degrees of Freedom Exploiting as many as possible @ the same time 26 Letters - Lower Case 26 Letters - Upper Case 10 Digits 36 Other } 96 Options per password character
Password Entropy The more disorder the harder it is to crack Password Entropy = log2(Nn ) = n log2(N) Where N = Number of character options (ie ~96 for standard QWERTY keyboard) And n = Number of characters in the password Recognisable words and phrases + repeated characters + similar characters represent degrees of order that increase the likelihood that a password will be cracked. The bigger the Entropy/Disorder the stronger the password!
Dominant Component T h e e n t r o p y o r d e r / d i s o r d e r b r e a k p o i n t Password Entropy = n log2(N) The ‘breakpoint’ is at n = log2(N) ie the password length ’n’ overtakes the number of possible character states ’N’ as the dominant factor All ‘viable’ passwords lie in the range n >> log2(N)
viable length F o r a g i v e n a p p / p r o t e c t i o n In the proximity of the break point: N = 10 then n > 3 = 104 symbol states <<< 1s (n = 4) N = 26 n > 4 = 1.2 x 107 << 1s (n = 5) N = 52 n > 5 = 1.2 x 1010 < 1s (n = 6) N = 62 n > 5 = 5.7 x1010 < 1m (n = 6) N = 98 n > 6 = 8.7 x1013 < 10m (n = 7) Relative Computing Time to Crack
Ball Park Guide The entropy order/disorder breakpoint Password Length/Strength experience to 2019: 4 = Very Weak - puts you at risk 5 = Weak - just about OK for device password 8 = Fairly Strong for secure network access passwords 10 = Strong for secure access to company websites and data 16 = Very Strong for securing commercial and financial data access 22+ = Hyper Secure for encryption While a password with ~50 bits may be deemed ‘semi-safe’ in 2019, it is only a matter of time until more powerful GPUs, will see password cracking accelerate!
E n t r o p y G u i d e The entropy growth linearity… Length: 15, 16, 17, 18, 19 Strength: Strong (>16) - Safeguards sensitive information like financial records Entropy: 92.6 bits, 100 bits, 106.7 bits, 113.9 bits, 121.9 Empirical Security Threshold ~ 100 bits
T H I N K F U T U R E The ‘clicks/nulls’ are easy to find Beware of the dummy clicks on some of the later models - they can throw you off the track to eventual success ! It is easy to teach a child to crack locks of this kind!
No Feel or sound Owners have the upper hand at this point But the enemy only needs a weak or silly password to b r e a k i n a n d a s s u m e full control…and t h e n t h e f u n really starts! M o s t b r e a k - i n s a t t h i s l e ve l a r e d o w n t o t h e o w n e r / u s e r n a i v e t y, l a x i t y, a n d / o r i n f o r m a t i o n g a i n e d f r o m s o m e e x t e r n a l s o u r c e …
cracking Challenge Access limited to the keyboard and screen only Human typing speed What can be guessed Try all common passwords Brute Force Trial and Error Phishing/Spear-Phishing Social Engineering Prior Observation WiFi Break-in BlueTooth Break-in Identical browser data ? Same password for all ? Similar format for all ? Common key storage ? All BlueTooth Linked ? Public Data ? Social Nets ? Family Data? Publications? Hobbies? Likes ? Finger Face Print Spoof One device hit/ stolen: then all c a n b e l o c k e d d o w n w h e n o n line + location & pics of thief can be tracked /recorded Additions include 3 s t r i ke f re e ze - outs for 5, 15, 60 min, followed by p ro v i d e r g e n e ra l security alert
I n v i s i b l e t o u s ! Network, site, service and app attacks Wa y b e y o n d h u m a n s c a l e a n d m e n t a l a b i l i t i e s , b u t w e m u s t s t a r t w i t h a level of fundamental security based on a s t r o n g p a s s w o r d p ro t e c t e d c o re a n d connected devices Concatenated complexity can be employed to confound the e n e m y…ve r y h a rd f o r t h e m a n d ve r y e a s y f o r u s !
cracking TASK A prime driver of Password design Secure Comms Encrypted Vault Encrypted File Private Key Public Key E-Commerce Bank Account Financial Apps Network Apps Websites Documents E-Mail Personal Computer Work Station Mobile Device Bicycle Lock STRENGTH Password Name/ID Factors Very-Low Medium-High Optional Low-Medium Optional Extreme No Exceptions Very-Strong No Exceptions Extremely Dynamic Static Mechanically Set Dynamic Choice Discipline Changed Occasionally Regularly Randomly NEED Risk Exposure Driven Centuries Millenia Decades Years Minutes Time to Crack
Making it Safer C o n c a t e n a t i o n o f t h e s i m p l e C u s t o m e r N u m b e r, P a s s w o rd + invisible biome tri cs and ID/app checks+++ T h r e e f a i l e d t r i e s w i t h a n y i n c o r re c t o r s u s p i c i o u s e n t r i e s / information and the u s er is th e frozen out for a period. The ‘ f r e e z e o u t ’ p e r i o d i s t h e n progressively extended on every repeated log-in attempt: security d e p a r t m e n t i s a l e r t e d a n d c u s t o m e r s a r e a s k e d t o s t a r t from a new log on process
Password Libraries! Extensive collections built from successful hacks There are organisations collecting & marketing Passwords, PINs, ID and Card info on a business basis across the internet…and ‘The Dark Side’ is a prime mover and key player… Libraries are now a key component of the leading edge password attack engines/machines The Dark Side are not the only ones using such libraries ! Criminal Hackers Rogue States State Security Services
Always use A Checker T h e y g i ve ‘ B r u t e F o rc e’ c ra c k i n g t i m e e s t i m a t e s B e w a r e t h a t t h e y a r e based on computing power t o d a y, a n d n o t t h e f u t u re ! NOTE : ‘Brut e F orce’ im pli es e x h a u s t i v e s e a r c h i n g w i t h no a priori sophistication…. ie, t he use of lib rari es i s not the norm here! Dozens available: and it is worth testing a range…
For M o dest Security C h o o s e s o m e t h i n g e a s y t o re m e m b e r & m o d i f y VerseProseDatesPlacesNames ++++++
I wandered lonely as a cloud That floats o’er vales and hills, When all at once I saw a crowd I w l a a c Wa a o I s a c I w 1 a A c Wa 1 2 D a y s I w 1 a A c Wa A o 4 Ye a r s I w 1 a A c Wa A o I 5 4 C I w 1 a A c Wa A o I 5 a C 3 2 7 C I w 1 a A c Wa A o I 5 a C £ $ 1 0 K C + Wordsworth F a v o u r i t e P r o s e / P o e m s T h e t r i c k i s t o d e s t r o y / d i s g u i s e / o b s c u r e l e t t e r p a t t e r n s t h a t m i g h t h j e l p m a c h i n e s i d e n t i f y s e n t e n c e s a n d v e r s e s U s i n g o n l y t h e f i r s t o r l a s t l e t t e r i s a s t a r t , b u t u s i n g e v e r y o t h e r l e t t e r p l u s s y m b o l o b s c u r a t i o n i s b e t t e r !
Do not go qentle into that good night o t o e o t d t o t o e o t d t 1 2 D a y s O To e 0 t d 7 4 M o n t h O To e 0 7 d t ! 4 Ye a r s O To e 0 7 d t ! 6 9 3 3 Ye a r s £ O To e 0 7 d t ! 6 9 4 C P a s s w o r d g e n e r a t i o n b y a n a l g o r i t h m o f y o u r f a v o u r i t e v e r s e a n d o n e m e m o r a b l e y e a r s DYLAN THOMAS
M o s t s m a r t a t t a c k e n g i n e s w i l l e v e n t u a l l y d e c o d e p a s s w o r d s b a s e d o n p ro s e a n d v e r s e f o r a l l c o m m o n l y re a d t e x t … b e s t c h o o s e s o m e t h i n g r a r e / o b s c u r e … s p e c i a l t o y o u a n d y o u r l i f e r e m e m b r a n c e s … S m a r t m a c h i n e s Awa re o f Wo rd s wo r t h & T h o m a s e t a l
E n h a n c i n g S e c u r i t y S t a r t f ro m a c a t a l o g u e o f t h i n g s o n l y y o u k n o w Layering algorithmic complexity to increase the Entropy
All about you Known by you and you alone WHO WE: Are; Know; Met; Loved; Married; +++ H O W W E : L e a r n e d t o D r i v e ; We re E d u c a t e d ; + + + W H Y W E : D e c i d e d ( Y ) ; P u r c h a s e d ( Z ) ; + + + WHAT WE: D o ; D i d ; L i k e ; B e l i e v e ; Re a d ; + + + WHERE WE: L i v e d ; V i s i t ; P ro p o s e d ; M a r r i e d ; + + +
algorithmic vectors Carpenter Space Shuttle Constructing; not remembering passwords Something you: - Do - Did - Saw - Are - Said - Were - Know - Admire - Possess - Possessed - Remember - Understand Hillman Imp Drill C r S e D l H n I p C r 5 3 D 4 H n 1 p ! ! 4C to Crack login vectors Constructing - not remembering Carpenter Space Shuttle Algorithmic construction by the concatenation of elements only known by you…
Enhancing login vectors Perhaps a line from a song: “Its a kind of magic” 15akd0fmc! <4 Years to Crack Plenty strong enough for a laptop log-in or document password Perhaps a line from a book: “It was the best of times” 1tw573bt0fts <4 C to Crack Something you like to sing and/or listen to… Algorithmic construction by the concatenation of elements only known by you…
Enhancing login vectors Something between lovers or parent and child: I will always be here for you no matter How I love thee more than life itself H w 1 4 3 7 e m 3 t n 4 e i f ! ! 1 w 1 a s b 3 h e f r y u n 0 m r ! >10kC to Crack >10kC to Crack Something unique you said or promised within your family Algorithmic construction by the concatenation of elements only known by you…
Concatenating numerous very low cost biometrics is extremely powerful… - Eye 10 -3 @ < $5 - Face 10 -2 @ < $2 - Hand 10 -3 @ < $2 - Voice 10 -3 @ < $2 - Typing 10 -3 @ < $2 - Habits 10 -2 @ < $1 - Devices 10 -1 @ < $1 - Locations 10 -2 @ < $1 - ++++ Password ++ The typing rhythm at an ATM is unique and very cheap to recognise… Morse Code experience was the pre-cursor to this solution… Error Probability <10 -8 @ < $6 Obscuration by ’n' layers
Automate the process Choose a (or >1) reputable password generator Ensure that it is fit for purpose and that you choose sensible settings by application and by need
Overview A proportional view Device > 6…defeats humans Web Site >10…concatenate Document >12 - 16 Encryption >14 - 32 Membership >14…concatenate Social Networks >14…concatenate Financial Services >16 - 32…concatenate Concatenate = May Include: ID/PIN,Password/Questions/3 Try Limit/ BioMetrics/Random CheckBack/ 2/3 Factor Authentication/++
l a y e r e d S e c u r i t y Ex p onent ially increasing the entropy challenge 6 Digit PIN > 8 Character Password Name/ID > 10 Character Password Name/ID > 14 Character Password Name/ID + PIN >16 Character Password BackEnd BIOMetrics Up Front BIOMetrics
T h e r e i s a l w a y s a t h r e a t R E M E M B E R I t i s s m a r t : S h a r i n g R u t h l e s s D y n a m i c L e a r n i n g A d a p t i n g C o n s t a n t M o t i v a t e d N e t w o r ke d + + + B e yo n d T h e L a w F o r M o r e G OTO : https://bit.ly/2F0y6in https://bit.ly/2SuwVzL https://bit.ly/2FcCtqR https://bit.ly/2SxHsKv https://bit.ly/2QsmBWb https://bit.ly/2MBED7v https://bit.ly/39mJNxB
Thank You 57Ay5af3K33p53CuR3 Make it very hard for the enemy - everything is at stake! petercochrane.com

Check these out next

How to Design Passwords

Recomendados

Mais conteúdo relacionado

Apresentações para você(19)

Similar a How to Design Passwords(20)

Mais de University of Hertfordshire(17)

Último(20)

How to Design Passwords