It's not hard to do a quick search and find a plethora of blog posts, scholarly articles, and editorials that stress the importance of strong passwords and the importance of rotating your passwords regularly. While this is all great advice, it is largely unenforceable outside of a corporate environment, since things like GPOs don't exist at home. Unfortunately, our friends and families still have personal computers and I am reminded of this every so often when I receive spam e-mail from one of their accounts, which is immediately followed by the text message, "Hi you need to change your password again. Have a great day!" In fact, this is exactly what happened last week when I received an e-mail from a family member which promised me a sure-fire way to lose weight and attract women in less than 10 days (oh boy!). In thinking about this situation and why it continually happens, not only from family, but also from other random e-mail contacts, I realized that giving people security advice is a lot like sex education: people are likely to engage in dangerous security practices because the information on good security isn't accessible to the common person.
"B..b...b...but Andrew," you say, "didn't you just say that there is a plethora of information out there on the public internet!?" Yes. I did in fact say that, but I also said that this information isn't really accessible or practical for most people. There is absolutely no way that my dad or my neighbor, or that random guy you bought a car from on Craig's List, is going to search for information about password strength and read up on entropy, key space, mnemonic memory techniques, or anything else that's so complicated. And yes, I said it's complicated; not for security people, but for people who aren't security people, and let's face it, most people aren't security people.
Before continuing, check out a recent article written by Brian Krebs which details the value of a hacked e-mail account. In this post, which I won't regurgitate, Krebs goes into significant detail about the value of an e-mail account, which most people have never even really thought about. Based on Krebs' information, the value of an e-mail account is broken down into 6 components:
If you want more information on these categories, I strongly recommend reading the Krebs article. Moving on...
When it comes to password advice, there are two kinds that I provide. The first kind is the type of advice I would provide in a corporate environment, which follows industry standard best practices. The second type of password advice I would give out is the type that I would never give in a corporate environment. For this second type, I recommend a password system that uses different passwords for different "categories" of services and a system that's easy for you to remember based on a predictable convention. Many would argue against this; however, when it comes to pilfered e-mail accounts, it is important to understand that very rarely is it a targeted attack. Most often it is simply the result of a much larger compromise, such as the mailing list for an e-commerce retailer, in which case the likelihood of some script kiddie trying to "crack" your password convention is minimal.
So, as an example, let's come up with a system that someone could use to ensure that they have passwords that are different across systems/platforms and can still be remembered while being reasonably strong. We'll do this using 4 components that can of course be modified to suit the individual:
- Best friend's first name
- Memorable date in MMDDYYYY format (hold shift when entering it)
- Phrase to match the "category"
- House number
Alright, let's put this to use to come up with an example password. My best friend's name is Steven. My memorable date is 02141979. The phrase I've picked for my online banking passwords is "somanybills" and my house number is currently 3467. Using this system and those items in this order, my online banking password(s) will be:
That looks like a difficult password, and according to a password strength checker, it's very strong. This same mechanism can be applied to other systems by simply changing the phrase (item #3). For employment related sites, use the phrase "pleasehiremenow" and we get the below password:
Technically, industry folk would say this isn't a good idea because it uses a predictable system with insufficient entropy, and they'd be right. However, for the individual, it's a significant improvement over the tradition of using one password containing a letter, a number, and maybe one special character if we're lucky, for all of their accounts. Point being, if you're going to choose lazy passwords, please choose lazy passwords that are at least a bit more secure.
So, next time your mom sends you a link to some Java 0-days rather than a link to her favorite chili recipe, maybe you can send her a link to this article and save yourself a little time and frustration in the process.
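To make the "very strong according to a checker, but low entropy if the convention is known" point concrete, here is a small added example (my code, not part of the original post). It builds a password from the four components exactly as the post orders them, using the digits and words the post gives, and then compares what a character-class strength checker credits with the entropy that is actually left once someone knows the convention and only has to guess the four component choices. The shifted-digit mapping assumes a US keyboard layout, and the component population sizes used in the entropy estimate (number of plausible first names, days, phrases, house numbers) are constructed illustrative values, not figures from the post.

```python
import math
import string

# Symbols produced by holding Shift on the digit row of a US keyboard.
# Assumption: the post does not say which keyboard layout the author uses.
SHIFTED_DIGITS = {
    "1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
    "6": "^", "7": "&", "8": "*", "9": "(", "0": ")",
}


def shift_date(date_mmddyyyy: str) -> str:
    """Type an MMDDYYYY date with Shift held: every digit becomes the symbol above it."""
    if len(date_mmddyyyy) != 8 or not date_mmddyyyy.isdigit():
        raise ValueError("expected an 8-digit MMDDYYYY string")
    return "".join(SHIFTED_DIGITS[d] for d in date_mmddyyyy)


def build_password(friend: str, date_mmddyyyy: str, phrase: str, house_number: int) -> str:
    """Compose the four components in the order the post uses:
    friend's name, shifted date, category phrase, house number."""
    return f"{friend}{shift_date(date_mmddyyyy)}{phrase}{house_number}"


def naive_strength_bits(password: str) -> float:
    """What a typical character-class checker credits: it assumes every position
    was drawn uniformly from the union of the character classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII punctuation characters
    return len(password) * math.log2(pool)


def scheme_strength_bits(n_names: int, n_days: int, n_phrases: int, n_house_numbers: int) -> float:
    """Entropy once the convention itself is known: the only unknowns are the
    choices made within each of the four components, so the search space is
    their product rather than 'any string of this length'."""
    return math.log2(n_names * n_days * n_phrases * n_house_numbers)


if __name__ == "__main__":
    # Components taken from the post's worked example.
    banking = build_password("Steven", "02141979", "somanybills", 3467)
    jobs = build_password("Steven", "02141979", "pleasehiremenow", 3467)
    print("banking password:", banking)
    print("job-site password:", jobs)
    print(f"checker-style estimate: {naive_strength_bits(banking):.0f} bits")
    # Constructed population sizes (illustrative, not from the post):
    # 1000 common first names, 100 years of dates, 1000 plausible phrases,
    # house numbers 1..9999.
    print(f"estimate when the convention is known: "
          f"{scheme_strength_bits(1000, 36525, 1000, 9999):.0f} bits")
```

The gap between the two numbers is the whole argument of the paragraph: the checker sees a 29-character string mixing four character classes and credits roughly 190 bits, while the convention itself leaves only on the order of 48 bits of genuine uncertainty. That is still far better than a single reused password, which is the post's point, but it is why the scheme is not something to recommend where a policy can be enforced.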