PC Pro

Davey tries to wean people off the Cr@ppy p@ssw0rd Syndr0me and makes an “ass” out of anyone who uses it in their password.

- DAVEY WINDER

I’m always banging the password manager drum. There’s a good reason for this; in fact, there are millions of good reasons for this: the crappy passwords that are still used, and reused, by way too many people who really should know better. I’m confident that PC Pro readers aren’t among this number, but I bet they have family, friends and work colleagues who are.

It’s not just the quality, in terms of entropy (more of that will follow shortly), that’s problematic, but the quantity as well. Everyone appreciates that there are far too many websites and services that require a login for anyone who isn’t Akira Haraguchi to remember a unique password for each. Haraguchi holds an unofficial world record for memorising more than 111,701 digits of pi. That said, even he might succumb to password fatigue, which leads to the security nightmare that is password reuse.

In 2020, researchers at NordPass analysed 275,699,516 passwords that had appeared in breached site credential databases, finding that 56% of them weren’t unique. The only thing that I found shocking about that number is that it wasn’t higher, given how common password reuse remains despite the best efforts of cybersecurity evangelists to spread the best practice word. Nor did I fall down in shock when the research also found that half of the top 200 most commonly occurring passwords were exactly the same ones that had appeared in the previous year’s research. The most-used password, and the dumbest, remained “123456” and was exposed more than 23 million times in breach databases. Number strings actually accounted for seven of the top ten most used passwords during 2020.

It’s not just number strings that need to be mentioned: the third password on that particular list was “picture1”. Possibly one of the saddest attempts at following the “mixture of alphanumeric and digits” rule I’ve seen. Not that mixing a very short dictionary word with a single digit is really entering into the spirit of the good password construction game, and more of that in a minute as well. Number four was “password”, in case you wondered, while number ten was “senha”. That, by the way, is Portuguese for password.

Putting the ass into password

Even senha with five characters isn’t the shortest commonly used password to appear in breach analysis reports. When CyberNews dived headfirst into billions of breached login database records, they discovered a lot of “ass”. The use of ass as a password occurred 26.8 million times, whereas “sex” could only manage 5.1 million and the F-word 4.8 million. C’mon, at least be a little creative here, huh? Seriously, who thinks these are secure in any sense of the word? It’s 2021 and people are still taking the convenience over security thing way too far in the wrong direction.

But what, then, if you squished a few of these cr@ppy passwords together and threw a number or two into the mix, wouldn’t that work okay? Well, “ass123456” is better than “ass” or “123456”, but not by a whole hill of beans: it remains a nine-character password, which is poor anyway, so the distinction is moot. If there’s one thing I’ve learned from people who know this stuff inside out and back again, it’s that a composite passphrase tends to be a more secure option than a password of the same length. Which might make you think that throwing some memorable words together is the solution we’re all looking for here. I’d like to submit “the former guy” Donald Trump into my evidence as to why this isn’t always so.

Remember when the Orange One uttered something that instantly became a meme? No, not “covfefe” (a bad password, in case you were tempted), but “person, woman, man, camera, TV”. This was during an interview that was meant to show how great a memory Trump had. Would that make a good password? Well, it would have been better than either “yourefired” or “maga2020!”, both of which Trump apparently used for his Twitter account while holding the presidency of the United States. A friend of mine, Dr Mark Carney, happens to be both a mathematician and security researcher who I usually bow down to when I need help getting to grips with quantum encryption. He also happens to know just about as much password math as anyone I know. He’s even written an academic paper on estimating real entropy when it comes to using a passphrase. See, I said we would get to entropy soon enough.

Mark, and entropy for that matter, would argue that passphrases aren’t the solution we’ve all been looking for. Are you sitting down? Good, because here comes the science bit.

In communication theory, entropy relates to the numerical measurement of the uncertainty of an outcome. Think relative randomness of whatever it may be, like a password. Mark explained to me that each bit, in which entropy is measured, represents a doubling of the search space: the higher the entropy, the more an attacker would need to search to crack your password.

Given there are, very approximately, 171,000 common words in the English language, of which something between 20,000 and 40,000 are in everyday usage, using lyrics from a song would mean that for each word used in a passphrase you multiply by 40,000 again to get the upper limit of entropy. So random words are the key, pardon the pun, here.

The now infamous XKCD passphrase cartoon’s “correct horse battery staple” (see above) isn’t a sentence, has no structure and, this is important, as long as nobody else was using it, would be (171,000)^4 (to the power of four, that is), which equates to 855,036,081,000,000,000,000 or roughly 70 bits of entropy. Which is quite enough. Apart from it not being enough because lots of other people do use that as a passphrase: moot argument hit once more.

So, what about “person woman man camera TV”? Even ignoring the fact that it became a meme and so is well known, and no doubt well used, it’s still a crappy passphrase.

Why? Mark explains that this is because the words are linked; know one of the words and the others are relatively easily guessable. “Person” isn’t a huge leap to “woman” and/or “man”. “Camera” and “TV” are equally well connected. Seeing as word association is a known technique for cracking passwords, it’s far from a rock-solid phrase. That said, the link, or rather lack of one, between the first three words and the last two helps up the ante. Or would were it not a well-known meme.
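The arithmetic behind the last few paragraphs (the “ass123456” comparison, the (171,000)^4 figure, and the penalty for linked words) is simple enough to put in a few lines. This is an added example, not code from the column or from Dr Carney’s paper: entropy is taken as log2 of the search space, and the 171,000 and 40,000 dictionary sizes are the column’s own figures. The token pool sizes used for “ass123456” (1,000 short words, 10^6 six-digit strings) and for the linked words (50 plausible follow-ons to a known word) are assumptions chosen only to illustrate the effect, not measured values.

```python
import math

# Added example (not from the column): entropy as log2 of the search space.
# The 171,000 / 40,000 dictionary sizes and the sample passwords are the
# column's own figures; the token pool sizes further down are assumptions.

ENGLISH_WORDS_TOTAL = 171_000    # "very approximately" 171,000 common words
ENGLISH_WORDS_EVERYDAY = 40_000  # upper end of the 20,000 to 40,000 everyday range


def search_space(dictionary_size: int, word_count: int) -> int:
    """Distinct passphrases of word_count words drawn from the dictionary."""
    return dictionary_size ** word_count


def entropy_bits(search_space_size: int) -> float:
    """Entropy in bits: each extra bit doubles what an attacker must search."""
    return math.log2(search_space_size)


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Upper bound for words chosen uniformly and independently."""
    return word_count * math.log2(dictionary_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Same bound for a character password drawn from an alphabet."""
    return length * math.log2(alphabet_size)


def composite_entropy_bits(pool_sizes: list[int]) -> float:
    """Bound for a secret built from tokens chosen from pools of the given sizes.

    This is the general form: a passphrase of n random words is n equal pools;
    "linked" words, where knowing one narrows the next, are modelled as smaller
    pools for the later tokens.
    """
    return sum(math.log2(size) for size in pool_sizes)


def compare() -> dict[str, float]:
    """Figures for the column's examples, in bits."""
    return {
        # "correct horse battery staple": four random words from 171,000
        "xkcd_4_words_171k": passphrase_entropy_bits(ENGLISH_WORDS_TOTAL, 4),
        # same, if the attacker only tries the 40,000 everyday words
        "xkcd_4_words_40k": passphrase_entropy_bits(ENGLISH_WORDS_EVERYDAY, 4),
        # "ass123456" as if it were nine random characters from a-z plus 0-9
        "ass123456_as_random": password_entropy_bits(26 + 10, 9),
        # "ass123456" as it is really built: one common short word plus one
        # six-digit string (assumed pools: 1,000 words, 10**6 digit strings)
        "ass123456_as_tokens": composite_entropy_bits([1_000, 10**6]),
        # "person woman man camera TV" with linked words: assumed pools of
        # 40,000 for a free choice and 50 for a word guessable from the last
        "linked_5_words": composite_entropy_bits([40_000, 50, 50, 40_000, 50]),
    }


if __name__ == "__main__":
    print("171,000^4 =", f"{search_space(ENGLISH_WORDS_TOTAL, 4):,}")
    for name, bits in compare().items():
        print(f"{name:22s} {bits:5.1f} bits")
```

Two things fall out of running it. First, the 46-odd bits that “ass123456” would have as nine random characters collapses to about 30 once you count it the way it was actually built, a word plus a digit string, which is the column’s “not by a whole hill of beans”. Second, the five linked words score far below five independently chosen everyday words: entropy belongs to the process that produced the secret, not to its length, which is why “random words are the key”.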

Another industry friend of mine is former policeman and current cybersecurity specialist at ESET, Jake Moore. “Password managers, which can hold all our passwords securely, are the answer to this problem,” he said. And I agree, mostly. Maybe they are part of the answer, along with the use of two-factor authentication (which many password managers now roll into their products to make them a one-stop secure credential shop). Don’t worry, I’m not about to spend the next ten minutes explaining what a password manager is and how it works, I’ve been quite schoolmarmish enough for today. Instead, I’m going to explain something they cannot do.

Password managers still fail one important test

One area where password managers aren’t making the grade – and that puts people off using them, or at the very least annoys the holy hell out of their users – is autofilling random characters from passwords. Or, rather, not doing so. One PC Pro reader, Chris L, got in touch to explain.

“I’m not an IT ‘pro’ or a business owner but I have subscribed to PC Pro for many years. Although you have been plugging the need for years, I have only recently (I know, I know!) dipped my toes into the realms of password managers. Although I have used Kaspersky security for many years, I did have some issues with their password manager so am now getting to grips with LastPass as the free version seems to cover all my needs,” Chris L wrote.

Maybe not for much longer, as the free version is losing the ability to sync across device types in the way people have been used to. It will mean a user of the free version will have to choose between syncing passwords across computers or across mobiles. So, that’s desktops, laptops and browsers, or smartphones, tablets and even smartwatches, but not both groups. That’s unless you switch to LastPass Premium, which represents decent value at £2.60 a month, paid annually at £31.20. Not a huge investment to help secure your data if you ask me. Of course, other password managers are available, including free ones. Anyway, back to the email.

“I have encountered an issue that I don’t believe you have covered in your columns (I have trawled back through two or three years’ worth of back issues) and there is scant coverage on the web. I am referring to multi-stage logins and those that require random characters from passwords or PINs. Do you know if any progress has been made by any provider in this respect? It’s probably a tall order to expect memorable words can be covered but it would be helpful if this could be applied to the password and PIN fields. For now, I’m recording all this extra detail in the notes section of each LastPass record,” Chris L continued.

Which, funnily enough, is exactly what I do where there’s additional login information that’s required by way of a special word or eight-digit PIN and so on.

“As far as multi-stage logins are concerned, it would be useful to have some guidance. For example, I regularly access a financial site: the first page requires my user ID (not my email) plus my date of birth. On the next page it requires my full password and three random digits from a six-digit security PIN. I’ve fudged it by matching the data to the fields so have page one then two for the same login. I see LastPass has the option to edit the form fields, but I have not yet experimented.”

I’m pretty sure there must be a way to accomplish this but doing so truly securely and reliably seems to be, well, not exactly easy. I reached out to LastPass to see what it is doing with regards to this problem. Here’s what a spokesperson told me:

“After talking with our LastPass product team, I can confirm that at this time, our autofill offering does not support multi-stage logins in the way this user is looking to use it.

“Today, the LastPass autofill experience allows a user to create and store a Secure Note (such as a credit card number or address) into your vault that will be autofilled in the appropriate field when you visit a website. However, you aren’t able to save a Secure Note to an existing password entry, as these are two different entries in the vault. There is a section for notes in the saved password entry in your vault, so you will have access to it at any time, but that would not autofill.

“We recommend the user continue to save this added information in the notes sections of the password entry and manually enter onto the website in the correct fields.”
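To make concrete what a manager would have to do for the two-stage login Chris L describes (user ID and date of birth on page one; full password plus three chosen digits of a six-digit PIN on page two), here is an added example. It is not LastPass code and not from the column: it keeps one record with a field set per stage, parses the positions out of a challenge prompt whose wording is assumed, and hands back only the requested PIN characters. All record values are constructed placeholders.

```python
import re

# Added example, not LastPass code: a record for the two-stage login Chris L
# describes and a helper that answers a "2nd, 4th and 6th digits of your PIN"
# challenge from the stored secret. The prompt wording is assumed; the record
# values are constructed placeholders, not real credentials.

RECORD = {
    "stage1": {"user_id": "example-user-id", "date_of_birth": "01/01/1970"},
    "stage2": {"password": "example-password", "pin": "482913"},
}

# Matches "2nd", "4th", "6" and so on, so positions can be pulled from the prompt.
POSITION_RE = re.compile(r"\b(\d+)(?:st|nd|rd|th)?\b")


def parse_positions(prompt: str) -> list[int]:
    """Return the 1-based positions named in a challenge such as
    'Enter the 2nd, 4th and 6th digits of your PIN'."""
    return [int(m) for m in POSITION_RE.findall(prompt)]


def select_characters(secret: str, positions: list[int]) -> str:
    """Characters of the secret at the requested 1-based positions.

    A position outside the secret raises instead of silently returning the
    wrong digits, so a misread prompt is caught before anything is submitted.
    """
    chosen = []
    for p in positions:
        if not 1 <= p <= len(secret):
            raise ValueError(f"position {p} is outside a {len(secret)}-character secret")
        chosen.append(secret[p - 1])
    return "".join(chosen)


def fill_stage(record: dict, stage: str, challenge: str = "") -> dict:
    """Values to enter for one stage: stage 1 is plain autofill, stage 2 swaps
    the stored PIN for the partial answer derived from the challenge text."""
    values = dict(record[stage])
    if stage == "stage2":
        pin = values.pop("pin")  # the full PIN is never placed in a field
        values["pin_characters"] = select_characters(pin, parse_positions(challenge))
    return values


if __name__ == "__main__":
    print(fill_stage(RECORD, "stage1"))
    print(fill_stage(RECORD, "stage2", "Enter the 2nd, 4th and 6th digits of your PIN"))
```

The awkward part is visible in `fill_stage`: the whole PIN has to be readable by the tool at fill time, so it belongs inside the encrypted vault entry, which is exactly where Chris L and the LastPass spokesperson put it (the notes section). What a manager would add on top is reading the challenge off the page reliably, and that is the piece no prompt format guarantees.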

@happygeek Davey is a journalist and consultant specialising in privacy and security issues

RIGHT If a word is so common it’s the name of a coffee shop, it’s not a great password

ABOVE As ever, the brilliant XKCD comic perfectly describes the technical minefield

BELOW Managers such as LastPass can’t currently autofill multi-step logins
