Technology: Our resident tech guy Colin Moors delves into the murky world of passwords. Hate them or ignore them, you can’t love them. This month, I shall be taking a look at those little words we all love to hate, and at what the future may hold for them.
We’re all painfully aware that when you create a password, you need to supply a capital letter, a number or two, have at least one special (non-alphanumeric) character and make it at least 9 characters long, leaving you with a hard-to-remember combination such as ‘Gl4d!4tor’. It turns out that’s some of the worst advice in the world. The man ultimately responsible for the directive issued by the US National Institute of Standards and Technology (NIST), one Bill Burr, has gone on record as deeply regretting forcing this on us.
Burr, who is now 72 and probably just trying to enjoy retirement, wrote the snappily titled NIST Special Publication 800-63 Appendix A in 2003. This directive was pretty soon adopted by most organizations, providing the backdrop for the nightmare everyone has nowadays trying to craft something both unique and memorable. He’s on record as saying “much of what I did, I now regret”, also admitting that he based a lot of his research on a white paper from the 1980s, way before we had anything like a public internet. “In the end”, Burr said, “[the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”.
The real issue with these kinds of password is that they are, surprisingly, relatively easy to crack, leaving your site or system less secure, not more. Why would this be? Simply put, it’s a question of pure number-crunching. Attackers run guessing programs, on one computer or a network of them, usually against a stolen list of password hashes where nothing stops them trying billions of guesses a second. A pure brute force attack tries every possible combination, but nobody bothers with that when the password is built from a word: a dictionary attack tries a list of words first, and a plain word like ‘Gladiator’ falls in moments. “Aha”, you may think, “I’ll just use some special characters or numbers in the place of letters.” Good thinking, except for the fact that any hacker worth his or her salt also knows you do that and will have adjusted their cracking programs accordingly: the standard tools carry lists of ‘mangling rules’ (a becomes 4, i becomes !, capitalise the first letter, stick a digit or two on the end) and apply every one of them to every word in the dictionary. Yes, it’ll take them a little longer, but they aren’t going anywhere.
The answer to this too simple/too hard to remember quandary is surprisingly easy. Use more words. Estimates of cracking time depend on the attacker’s hardware and on how the site stored the password, but as an illustration, research has put our ‘Gl4d!4tor’ example at somewhere around three days to guess, not to mention the trouble you may have remembering it. On the other hand, the password ‘gladiatoromnibuslighthousechop’, or any combination of four words of a decent length written as a single phrase, would take around 550 years given the number of possible combinations. The one catch is that the words really must be picked at random (roll dice against a word list, or let a generator choose), not a film quote or the names of your pets, because attackers try well-known phrases just as they try dictionary words. You can more easily remember four seemingly random words than a complicated set of squiggles, so your data are safer. None of this protects you completely from attack but the idea is to make it complicated for them and easy for you.
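To put some arithmetic behind the last two paragraphs, here is an added example (my code, not anything from the column or from NIST) that compares the search space an attacker actually faces for a mangled dictionary word with that of four randomly chosen words, and generates such a passphrase properly. The word list is a constructed 32-word stand-in, and the attack-model figures (a 100,000-word dictionary with 1,000 mangling variants per word, a guess rate of a billion per second, a 7,776-word list as in the EFF diceware list) are assumptions for illustration; the column’s ‘three days’ and ‘550 years’ come from different assumptions, which is why the exact numbers differ while the ordering does not.

```python
"""Compare the real search space behind 'Gl4d!4tor'-style passwords with a
random multi-word passphrase, and generate the latter with a proper RNG.

Added example for this column. The word list is a constructed stand-in and
the attack-model figures (dictionary size, variants per word, guess rate)
are assumptions, not measurements from the article.
"""
import math
import secrets

# Constructed 32-word stand-in. Real generators use a list of thousands of
# words; the EFF long diceware list, for instance, has 7776 entries.
SAMPLE_WORDLIST = [
    "gladiator", "omnibus", "lighthouse", "chop", "anvil", "breeze", "cactus",
    "dolphin", "ember", "falcon", "granite", "harbor", "island", "jungle",
    "kettle", "lantern", "meadow", "nectar", "orbit", "pebble", "quartz",
    "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xylophone",
    "yonder", "zephyr", "copper", "marble",
]


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose every character is chosen uniformly at random.
    This is the figure that complexity rules *appear* to buy you."""
    return length * math.log2(alphabet_size)


def mangled_dictionary_bits(dictionary_size: int, variants_per_word: int) -> float:
    """Search space an attacker really faces when the password is a dictionary
    word with predictable substitutions (a->4, i->!, capital first letter...).
    Cracking tools apply such 'mangling rules' to every word in the list, so
    the space is roughly (words x variants), not alphabet^length."""
    return math.log2(dictionary_size * variants_per_word)


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n words each drawn uniformly from a list of wordlist_size,
    assuming the attacker knows both the list and the scheme (assume they do)."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given offline guess rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST, sep: str = "") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice, which is
    predictable. Words are drawn with replacement so the entropy formula holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e9  # assumed: fast unsalted hash, one GPU-class cracking rig
    leet = mangled_dictionary_bits(100_000, 1_000)   # assumed attack model
    naive = random_string_bits(9, 95)                 # what 'Gl4d!4tor' looks like
    phrase = passphrase_bits(7776, 4)                 # four words, EFF-sized list
    for label, bits in [("9 truly random printable chars", naive),
                        ("mangled dictionary word", leet),
                        ("4 random diceware words", phrase)]:
        print(f"{label:32s} {bits:5.1f} bits  ~{seconds_to_exhaust(bits, rate):.3g} s")
    print("sample passphrase:", generate_passphrase(4))
```

The point the numbers make is that ‘Gl4d!4tor’ only looks like a 59-bit random string; an attacker who models it as a word plus substitutions faces a space of well under 30 bits, while four words drawn at random from a 7,776-word list give about 52 bits however well the attacker knows the list.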
Do we still need passwords, though? I would guess ‘yes’, at least for the foreseeable future, because most of the alternative authentication systems either rely on a password as a backup or merely broker access to a device or data that is itself still protected by one. A few things doing the rounds at the moment are:
ZIA (Zero interaction authentication): This works by providing you with a token on a device you carry about a lot. The obvious candidate here is the mobile phone. Using Bluetooth, NFC or a few other short-range communication tools, the computer you were trying to unlock (for example) would ‘see’ this token on your phone and unlock itself automatically. The snag is that whoever holds the phone holds the key: steal it and you get the bank details along with everything else it unlocks.
Fingerprint: This one is probably the most popular and useful currently. Android and iOS both have the tech built in and it works well so far, with a very small margin of error. The problem, of course, is that they all rely on a PIN or a password as a backup in case you’ve been in the bath and your finger has gone like a prune. Or worse. A chain is only as strong as the weakest link, after all.
Two-factor authentication: This uses two factors, unsurprisingly. The most common way is that once you have supplied a user name and password, the site will send you an SMS with a code to fill in on the site. Only if your ID, password and SMS code all match will you be given access. One caveat: SMS is the weakest way to deliver that second factor, since text messages can be intercepted and a phone number can be hijacked by persuading the operator to move it to a new SIM, which is why the more recent NIST guidance steers people towards an authenticator app on the phone or a hardware key instead. In my personal experience, this works well and it does mean that the potential criminal would need to have both your password and your phone.
I am pretty old-school when it comes to looking after my passwords, as I have been on the internet since forever and have a hundred of them. Quite literally. For me, the simplest option is a copy of KeePass (keepass.info) that I keep on a USB stick and back up to my Dropbox. Put simply, you need only one password to open the whole thing – so make it memorable and secure – and then you’ll have access to all your other passwords, plus the ability to make notes, enter site login links and lots of other stuff I don’t use. Best of all, it’s free. Now there’s a happy note to end on.