Unpredictable Entropy

Jody Whitlock


    Passwords are something that every user hates; having to enter passwords several times in a day in order to access a system.

    In Information Security there is a concept called CIA. This is not the Central Intelligence Agency, but rather represents the three tenants of Information Security: Confidentiality, Integrity, and Availability. Passwords tie into this and provide the basis for building CIA core concepts in IT. Passwords are only one piece of the puzzle; authentication being the primary means for a user to validate to a computer system they are who they say they are. Traditionally this has been Single-Factor Authentication, meaning you only needed one of the three components of authentication to prove your identity.

    The three components of authentication are: Something I know, Something I have, and Something I am. Single-factor authentication only uses one of these components, but stronger Multi-Factor Authentication (MFA) uses two or more elements to ensure your identity. Before we dig into that, let’s define what each of these components mean.

    Something I Know: This would be something that you have knowledge of such as a password or PIN. This is the oldest form of authentication.

    Something I Have: This is an object that you possess that can uniquely identify you, similar to a driver’s license or house key.

    Something I am: This is something that is part of you such as a fingerprint or retinal scan.

    So now that we have defined what these are, let’s re-iterate that Multi-Factor Authentication, which is much more secure than Single-Factor Authentication, requires two or more of the above three components to authenticate the user. Now you may be sitting back and thinking there’s no way you can do this, but you already do in your everyday life. Can’t think of it? You ATM card and PIN is an example of MFA; something you have is your ATM card, and something you know is your PIN and only together can money be taken out of your account at an ATM. We all know that due to carelessness, this model is broken but that doesn’t mean there’s not ways to improve.

    Another way to implement MFA is to use something like an RSA key or Google Authenticator. Both of these use a Time-Based One-Time Password system, or TOTP, to generate a 6-digit token number every 30 seconds. In order for one to authenticate they have to know their password (Something I Know) and have the authenticator app to see the TOTP code (Something I Have). So, this is much like the above example of an ATM card with one exception, the PIN changes every 30 seconds. This means it’s extremely secure as someone has to gain access to your knowledge and the authenticator for more than a few seconds to enable access to the account. Not all systems support MFA, but those that do should be switched to using this method for heightened security.

    For systems that don’t support MFA, there are some tips that can be followed that will help to secure your digital identity from misuse.


1 xkcd Comic # 936

    So looking at the cartoon, it’s easy to see that character substitution is not the best way to go about having your password. Not only is it difficult to remember, it’s not all that hard for a computer to crack. The example given of random words is much better but then how easy is it to remember? Well luckily most systems including Windows support a modern implementation of passwords called a Passphrase. A passphrase is basically a sentence, complete with punctuation and any grammar. This will satisfy most systems out there, with some requiring a number as well. These are not difficult to remember as you can have a passphrase like (without the quotes) “My dog likes to play fetch!” If you have to have a number, which is not a bad idea, then put it somewhere that you can remember, such as “My dog likes to play fetch1!” This is actually an extremely hard password/passphrase for a computer to crack and is not difficult for a user to remember.

    Now for the ultimate in secure passwords, something random, using a lot of different characters, is as long as possible, and only used on one site. An example would be something like “*SgrzImxUw4yUINYQVx1tf5+”. That would take a very long time for a computer to crack, but how is someone supposed to remember that! Well the intent is you don’t; instead you use something called a Password Vault to store this password in. This password vault would have many entries, each with the garbled password given, and the entire vault is encrypted with one strong password which you will need to remember. This way, you are not writing down passwords, and they are not easily cracked. This also allows you to have a different password for each site and login you have, which is important because if every site has the same password then one site compromised will compromise them all.

    So how does all this work and how does a hacker crack one’s password? Well, modern systems can perform several million guesses each second, so short passwords that are based on a single word (even with character substitution) are not that difficult to guess. Longer random passwords (such as the example *+) require the system to test every possible permutation of every character in every position. Each position can have one of 95 characters (based on the standard US keyboard), which means in the random password there’s a lot of possible combinations that have to be attempted in order to crack the password. This comes out to 9524, or 2.9198902433877270327307553755766e * 1047 which is a ridiculously large amount of possibilities! Now, factor in that most modern desktop computers can easily perform 10 million guesses per second, and it should take a few thousand years to guess this password. So combine that with regular password rotation, even if your password where compromised odds are you would’ve changed it at least once before it could be guessed.

    One of the best options out there is LastPass; it has a Windows, Android, and iOS client. It also features the ability to use Multi-Factor authentication to really increase security, but for something basic and easy to use one can look at KeyPassX which is very viable, just not as featured as LastPass. With these, you need to have a strong master password that you change from time-to-time to make sure that “the keys to the kingdom” are safe.

    Regardless of how you manage your passwords, changing them on a frequency and not using the same password over and over will increase your protection on-line and keep you from being a victim.