Sunday, August 11, 2013

3 Ways to Remember Strong Passwords

This post has been updated (17 Aug 13) based on lots of useful feedback received from my Facebook friends.

The Irony of Strong Passwords

Passwords are the bane of my online existence. Every time I see a screen like this, my opinion of the policy maker behind the system drops a few notches. And it gets worse if the cycle repeats itself every month. Allow me to rant a bit and try to educate these administrators, before I get to the solutions.

People are not good at remembering strings of letters, numbers and funny characters. What happens is that if you impose such requirements on them, they will resort to writing it down. And the likelihood is that they will paste it beside their computer. How is that supposed to make the system more secure? I've been a system administrator before ... and when we generated super duper passwords for all our users to comply with the guidelines imposed, that is exactly what happened.

In my mind, there are a few characteristics of strong passwords:
  1. They are easy to remember
  2. They are long
  3. They are not made up of words in a dictionary
None of those requires the mix of upper and lower case, or the funny characters. Beyond a certain point, you are just increasing the likelihood that the user will open up some other security loophole such as writing it down and sticking it on his monitor. Or that you will be flooded with password change requests that just annoy everyone involved.

The problem, I have come to realise, is that we users and the system administrators are trying to manage two different kinds of security risk. The system administrator is trying to prevent the embarrassing scenario where someone breaks into the system and steals the database of user information, as happened when hackers accessed the passwords and credit card data of up to 100 million Sony PlayStation users. Needless to say, this is extremely embarrassing and expensive for the system owner. Since this data is stored encrypted in their system, they want to make the passwords as difficult to crack as possible; hence the minimum length, special characters and mix of upper and lower case letters, all of which increase the number of possible permutations and the time needed to crack each password. Qin Chuan shared a great article from Ars Technica that explains a little more about how such hackers work.

On the other hand, users are more concerned with keeping their password out of the hands of the people around them, which is why ideally you want a password that you can remember rather than write down. Most logins lock out after three failed attempts anyway, so someone sitting at your terminal can't try a few million possible passwords.

Unfortunately, the system owners set the rules, and the users have to work around them. And frankly, it's not a problem for the system owner if one or two individual accounts are broken into. So they guard against the threat to them, and we have to solve the problems they create for us.

3 Ways to Remember Strong Passwords

Method 1: Patterns

The method I use today is to draw patterns on the keyboard. This is not a common method. In fact I learned it from my sister, and I have yet to find anyone else who uses it. But I find it works the best.

For example, let's say I choose the shape of the letter "N". I can start with the password "aq12wsde3".

For systems that are really picky and require upper case letters and special characters, I can hold down the shift key for the middle three characters. This gives me "aq1@WSde3".
The beauty of this is that you just need to remember the starting letter and shape, which can be any pattern of your choosing. If you need to change your password every month, just move across the keyboard to "sw2#EDfr4".

Victor has since pointed out to me that this type of password, while easy to use, can also be quite vulnerable to dictionary attacks, since there aren't that many memorable patterns on the keyboard. So it goes back to which type of security risk you are most concerned about.
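Victor's point can be turned into a check that a password policy or a password manager's strength meter could apply: if every keystroke in a password lands on a key next to the previous one, it is a keyboard walk, and its real search space is far smaller than its length and character mix suggest. The Python below is an added example written for this post, not code from the original; it assumes a US QWERTY layout (the row strings are the assumption) and treats a shifted character as the same physical key as its unshifted neighbour, which is exactly what the shift trick above relies on.

```python
# Detect keyboard-walk passwords on a US QWERTY layout.
# Added example for this post. The layout rows are an assumption (US QWERTY,
# no numeric keypad) and the column indices ignore the physical key stagger.

UNSHIFTED = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]


def _build_positions():
    """Map every printable key, shifted or not, to its (row, column)."""
    positions = {}
    for row, (plain, shifted) in enumerate(zip(UNSHIFTED, SHIFTED)):
        for col, (p, s) in enumerate(zip(plain, shifted)):
            positions[p] = (row, col)
            positions[s] = (row, col)  # Shift+key is the same physical key
    return positions


KEY_POSITION = _build_positions()


def adjacent(a, b):
    """True if characters a and b sit on the same or a neighbouring key."""
    if a not in KEY_POSITION or b not in KEY_POSITION:
        return False
    (r1, c1), (r2, c2) = KEY_POSITION[a], KEY_POSITION[b]
    return max(abs(r1 - r2), abs(c1 - c2)) <= 1


def walk_fraction(password):
    """Fraction of consecutive character pairs that are keyboard-adjacent."""
    if len(password) < 2:
        return 0.0
    pairs = list(zip(password, password[1:]))
    hits = sum(1 for a, b in pairs if adjacent(a, b))
    return hits / len(pairs)


def is_keyboard_walk(password, min_len=4):
    """A password is a keyboard walk when every step moves to a neighbouring key."""
    return len(password) >= min_len and walk_fraction(password) == 1.0


def check(password):
    """Return the finding a strength meter could show to the user."""
    if is_keyboard_walk(password):
        return "reject: keyboard pattern, easily covered by pattern dictionaries"
    if walk_fraction(password) >= 0.5:
        return "warn: mostly keyboard-adjacent keys"
    return "ok"


if __name__ == "__main__":
    # The three pattern passwords from the post, plus two phrase passwords
    # from the next section for comparison.
    for pw in ["aq12wsde3", "aq1@WSde3", "sw2#EDfr4", "Icstpliye", "P23:1-TLims;Isnw"]:
        print(f"{pw:20} walk={walk_fraction(pw):.2f} -> {check(pw)}")
```

All three pattern passwords from this section score a walk fraction of 1.0 and are rejected, while the phrase-based passwords from the next section pass; the shifted variant is caught because the check looks at keys, not characters.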

Method 2: Phrases

A much more common way to generate a strong password is to turn a memorable phrase into the password. This is the official strategy recommended by Microsoft as well as my own employer. I find it much easier to use the lyrics of a song. For one line of the song, you just take the first letter of each word and mash them together.

For example, let's take "Goodbye" by Air Supply.
I can see the pain living in your eyes
And I know how hard you try
You deserve to have so much more
I can feel your heart and I sympathize
And I'll never criticize all you've ever meant to my life
"I can see the pain living in your eyes" becomes "Icstpliye" which is 9 characters. You can add a digit for good measure: Icstpliye1. For systems that require repeated new passwords, you can either increment the number, or move on to the next line of the song. That would be a password acceptable on most systems, except those that require special characters. For those, you could substitute a special character, for example "|" for "l" gives "Icstp|iye".

The problem with this last substitution is that it is not intuitive. The next time you come back, you might remember the phrase, but you might try substituting the "|" for "i" instead of "l". Next thing you know, you are asking for your password to be reset again. And that's why I think systems that require these special characters are idiots. It sounds like a good idea, but in effect you are making things less secure and less user-friendly.

Another great suggestion from David is to use Bible verses. So, for example,
Psalm 23:1 - The Lord is my shepherd; I shall not want
becomes "P23:1-TLims;Isnw"

That's a great password because it is pretty long and has all kinds of characters in it. According to Gibson Research Corporation's calculator (thanks Wayne!), it would take at least a few million centuries to crack this one. Of course, you need to make sure you are consistent with the capitalisation and punctuation. But I would say that this is the overall best solution against both types of security risks.
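The two phrase examples above (the song line and the Bible verse) follow one mechanical rule, and the calculator's verdict rests on a simple count, so both can be written down as code. The Python below is an added example for this post, not the author's or GRC's code. The acrostic rule is inferred from the two examples: take the first character of each word, keep trailing punctuation such as the ";" in "shepherd;", and keep tokens with no letters ("23:1", "-") whole. The search-space count follows the published Password Haystacks idea of summing every string up to the password's length over the character classes actually present (26 lower, 26 upper, 10 digits, 33 symbols); the guess rate of 10^11 per second used for the time estimate is an assumption, not the page's figure.

```python
# Turn a memorable phrase into a password and size its search space.
# Added example for this post. The acrostic rule is inferred from the two
# examples in the text; the guess rate below is an assumption.

import string


def acrostic(phrase):
    """First character of each word, keeping trailing punctuation on a word
    and keeping tokens that contain no letters (verse numbers, dashes) whole."""
    out = []
    for token in phrase.split():
        if not any(ch.isalpha() for ch in token):
            out.append(token)  # "23:1" and "-" survive intact
            continue
        stripped = token.rstrip(string.punctuation)
        trailing = token[len(stripped):]  # e.g. ";" from "shepherd;"
        out.append(token[0] + trailing)
    return "".join(out)


CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(password):
    """Which of the four character classes appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def search_space(password):
    """Number of candidates an exhaustive search must cover: every string of
    length 1..len(password) drawn from the classes present in the password."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return sum(alphabet ** k for k in range(1, len(password) + 1))


def centuries_to_exhaust(password, guesses_per_second=100_000_000_000):
    """Worst-case time to exhaust the search space at an assumed offline
    rate (default 10^11 guesses per second)."""
    seconds = search_space(password) / guesses_per_second
    return seconds / (3600 * 24 * 365.25 * 100)


if __name__ == "__main__":
    for phrase in ["I can see the pain living in your eyes",
                   "Psalm 23:1 - The Lord is my shepherd; I shall not want"]:
        pw = acrostic(phrase)
        print(f"{pw!r}: {len(pw)} chars, classes={sorted(char_classes(pw))}, "
              f"~{centuries_to_exhaust(pw):.3g} centuries at 10^11 guesses/s")
```

Running it shows why the verse beats the song line: the verse is seven characters longer and pulls in all four classes, so its search space is tens of orders of magnitude larger. The same count also shows that appending a single digit, as suggested above, grows the space far more than swapping "l" for "|" does, because the digit adds both a class and a character.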

Method 3: Apps

If all else fails, rather than writing your password down on paper, you can store it in a Password Manager App. There are both free and paid variants; all of them will use a master password to encrypt the rest of your passwords. Some of them allow you to sync across multiple devices through the cloud.

I've been using the open-source KeePass for almost ten years, and it has followed me across a variety of operating systems from PalmOS to Windows Mobile and currently Android. No complaints so far. The folks at LifeHacker are big fans of LastPass. There are plenty of options, so pick one that suits your needs best.

Moving On To ... Password Reset Questions

Clueless Password Reset Questions

If there is one thing worse than a ridiculous password policy, it is ridiculous password reset questions. Let's recap the purpose of such questions: it should prompt you to enter some uniquely identifiable detail of your life, so that the system will send you your new password.

There are some really dumb password reset questions out there...

What was the first school you attended?
And I can never remember if it is "Nanyang Primary School", "Nanyang Primary" or "NYPS". Or maybe I should put in my kindergarten. Hmm...
What is your favourite food?
That is the dumbest question to ask a Singaporean. It is KFC, black pepper crab, (Hainanese) chicken rice, unagi sushi, etc etc all at once! Which answer should I key in?
What is your mother's maiden name?
Ok, there is only one answer to this. But if someone was trying to hack my account, I don't think this would be that difficult for them to find out.

And then there is HSBC ...

Faced with options like this, I just want to skip the whole process. Because I know that if I ever forget the password, I'm definitely not going to remember which was the cartoon character or wild animal I used as a reminder.

The Best Password Reset Questions

The best password reset questions have only one answer, which only you should know. Whenever the option is presented, I will set my own question. Because I grew up in a generation without mobile phones, one foolproof tactic I have devised is to use the old phone numbers of my childhood friends. These are numbers that are ingrained in my brain, but you couldn't find them in any telephone book today. For example, "What do you call Jonathan?" would be my clue to myself that I want Jonathan's old telephone number, without giving away to any would-be hacker that he should use a brute-force attack of digits to crack the hint.

If you don't have phone numbers in your brain, you might consider the license plate number of an old car, or anything else that has only one way of writing it.

Apart from my own personal experience as a user, my perspective on this is drawn from my past work as a network systems administrator and as a Certified Ethical Hacker.