Tuesday, October 25, 2016

Passwords and Options


Level 1
You might have seen in the news, or experienced, that a good portion of the US internet was down on Friday. I'll get into this event at a few different levels, but I want to talk about security and passwords in general first.
Passwords. We all have them; most of us hate them. Some of us can even remember a few. As this lovely thing we call technology presses onward, we're having to keep track of more passwords than ever before. In a previous job, I had over 100 passwords for my work computer and various vendor sites. A point of syntax: I will no longer be using the term 'password'. If you're using a word, or a string of words, that is found in the dictionary, you are open to a type of attack called a 'dictionary attack'. I'll use 'passphrase' instead, though that's not quite the right term either.
So the question is, how do we maintain a decent level of security with such an overload of things to remember? We don't, or at least we (as a society) aren't doing very well. In 2015 the 10 most used passphrases were:
1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
If you're using a passphrase from this list, or even something similar, stop. Right now. I mean it. This list, and the choices that went into thinking these were secure, are the reason many sites require UPPERCASE, lowercase, numbers and special characters in every passphrase. Of course, passphrase length is important too.
A Great Passphrase Plan
How do we build more secure passphrases? And better yet, to protect your organization, how do you enforce good passphrase policies for your employees? Perhaps the best way is to deploy a Single Sign-On (SSO) application. This type of application allows your end users to log into their device and authenticate against Active Directory. From there, the SSO can supply login/passphrase pairs to nearly any application or site, using very secure passphrases that are unique to each site. If you want to learn more about SSOs and how they can help secure your business, reduce the load on your helpdesk, and improve employee morale and productivity, you know how to find me.
A Good Passphrase Plan
Use a trusted passphrase utility like:
Lastpass.com
Dashlane
Zoho Vault
KeePass
All have good reviews. Do some research and pick one that covers the different platforms that you use.
A Simple Passphrase Plan
For personal use, and for smaller organizations, I'm going to throw out this little system. Note: This system is NOT SUITABLE FOR ANYTHING THAT DEALS WITH MONEY OR SENSITIVE DATA.
Ahem. Let's continue. The goals of a passphrase are:
A generous mix of the four character classes:
Uppercase
Lowercase
Numbers
Symbols
Sufficient length to make brute-force attacks time consuming.
Step One: Pick a word that is 6+ letters in length. For this example, I'm going to use 'Preferred'.
Step Two: Substitute one or more of the letters with numbers. Do not substitute 0 for O or 4 for A; this is common and too easy to guess. I'm going to select the letter 'e' and substitute it with the number 8, so 'Preferred' becomes 'Pr8f8rr8d'. Let's add some symbols in there to mix it up. Avoid the '#' and '!' symbols, as they are very common. Let's use ']' for the 'r', so 'Pr8f8rr8d' becomes 'Pr8f8]]8d'. While there's a bit of repetition in that passphrase, it's complicated enough to be fairly secure.
Step Three: Use the first and last letters of the site or program you're logging into to make the passphrase more unique. Let's say you need a passphrase for a site that's asking you to create a login so that you can receive an e-mail newsletter. Say you're interested in tiny houses and went to this site: http://thetinylife.com/tiny-house-plans/
If you take the 't' and 'e' from the beginning and end of the site name thetinylife and add them to the passphrase, you get 'Pr8f8]]8dte'. That passphrase is fairly unique and fairly secure.
I'll say it again, because I care, DO NOT USE THIS SYSTEM FOR SITES THAT DEAL WITH MONEY OR SENSITIVE INFORMATION.

As you'll see in future posts, this is a fairly strong passphrase. The problem is with the system. If you're using this system, then the core of your passphrases is the same. While this still poses a problem for code-based attacks, it wouldn't take long for a human to see two of these passphrases and figure out the pattern. With the core being the same, you would be fully exposed on all sites, instantly.
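To make the checks above concrete, here is an added example (my own code, not from the post) of what a defender's policy checker does with these passphrases: the most-used list, the four character classes and length, undoing predictable substitutions before a dictionary lookup, and spotting the shared core when the same system is reused for a second site. The top-10 list is the one quoted above; the small dictionary, the class sizes and the second site's passphrase 'Pr8f8]]8dgm' are constructed for the example.

```python
import math
import re

# Constructed samples: the post's 2015 top-10 list, and a tiny dictionary standing
# in for the word list a dictionary attack would use.
BANNED = {"123456", "password", "12345", "12345678", "qwerty",
          "123456789", "1234", "baseball", "dragon", "football"}
DICTIONARY = {"preferred", "password", "baseball", "dragon", "football", "magic"}

# Substitutions an attacker's rule set undoes before the dictionary lookup;
# the 0/O and 4/A swaps the post warns against are among them.
UNLEET = str.maketrans({"0": "o", "4": "a", "3": "e", "1": "i", "@": "a",
                        "$": "s", "5": "s", "7": "t"})

CLASSES = {"upper": r"[A-Z]", "lower": r"[a-z]", "digit": r"[0-9]",
           "symbol": r"[^A-Za-z0-9]"}

def search_space_bits(p: str) -> float:
    """Brute-force search space in bits: len(p) * log2(size of the classes used).
    Class sizes 26/26/10/32 are an assumption (typical keyboard figures)."""
    sizes = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}
    alphabet = sum(sizes[c] for c, rx in CLASSES.items() if re.search(rx, p))
    return len(p) * math.log2(alphabet) if alphabet else 0.0

def check_passphrase(p: str, min_len: int = 9) -> list[str]:
    """Return the findings a policy checker would raise; an empty list passes."""
    findings = []
    if p.lower() in BANNED:
        findings.append("on the most-used list")
    if len(p) < min_len:
        findings.append(f"shorter than {min_len}")
    missing = [c for c, rx in CLASSES.items() if not re.search(rx, p)]
    if missing:
        findings.append("missing classes: " + ", ".join(missing))
    # Undo the substitutions and drop symbols; if a dictionary word is left, the
    # passphrase falls to a rule-based dictionary attack despite its "complexity".
    stripped = re.sub(r"[^a-z]", "", p.translate(UNLEET).lower())
    if stripped in DICTIONARY:
        findings.append(f"dictionary word after undoing substitutions: {stripped}")
    return findings

def shared_core(a: str, b: str) -> str:
    """Longest common substring of two passphrases: the core a human spots when
    the same system is reused across sites (the post's own objection)."""
    best = ""
    for i in range(len(a)):
        for j in range(i + len(best) + 1, len(a) + 1):
            if a[i:j] not in b:
                break
            best = a[i:j]
    return best
```

Note that 'Pr3f3rr3d!' satisfies all four classes and the length rule yet is flagged, because undoing 3→e leaves the dictionary word; the post's 'Pr8f8]]8dte' passes these checks but shares a nine-character core with its sibling for another site.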

Oh, and don't ever reuse a passphrase. Don't make it easy for the bad guys/gals to be bad.

Bonus alternate "Simple" version (YMMV):
I understand that this might seem a bit too complicated, so I've come up with another version:
Take your favorite quote, poem or song lyric and remove all the vowels, replacing them with numbers and special characters.

Take "Any sufficiently advanced technology is indistinguishable from magic." by Arthur C. Clarke
Remove all the spaces:
Anysufficientlyadvancedtechnologyisindistinguishablefrommagic.
Replace one of the vowels with a number:
3nysufficiently3dv3ncedtechnologyisindistinguish3blefromm3gic.

Replace another vowel with a special character:
3nysuff&c&ently3dv3ncedtechnology&s&nd&st&ngu&sh3blefromm3g&c.

Need more help? Send me a request.

2016-10-25
MDux
