Saturday, 11 June 2011

Ninja Passwords

So Sony have been hacked. Again. I was reading an analysis of the password data the responsible (or rather, irresponsible) parties obtained, and was dismayed at the low password quality on display. "letmein", "password", "123456" and the like were out in full force. I find this very sad, because when you create an account on any site, you give it the honour of curating a part of your identity; this may be a social part (e.g. social networking), a financial part (e.g. e-commerce or banking), or an aspect we take less seriously (e.g. the ability to leave comments on a blog). In all of these cases your password is the "front-door key" to that part of your identity.

Therefore you are putting a great deal of faith in every site you sign up with. I'd like to say "do not get an account with any website you don't fully trust" but that would leave a potentially empty list - instead try to sign up with as few as possible. Why would you entrust any minor part of your identity to a website just to access information, for example? This is why I find OpenID/OpenAuth great solutions - as Jeff Atwood has said before it's the equivalent of showing your driver's license to show who you are, rather than creating a new shard of your identity with yet another 3rd party.

It also means all your passwords must be strong. Every password controls access to part of your identity - and there are often ways to "upgrade" from one part of a person's identity to another. For example, take facebook - a lot of people don't see it as the security risk it is, and so are more lax about it. If you've connected your facebook profile to your family, I can potentially derive your mother's maiden name. By analysing who you've recently contacted, I can probably deduce where you're living. And there are far more creative things beyond these - everyone has a friend who isn't as security-conscious as them (they're the ones with the public profile listing their date of birth and mobile number), they will be immediately obvious and are now part of your attack surface!

This can be a lot of work - strong, memorable passwords are hard to produce. I want to share with you my method for overcoming the problem, and an example.

I'm not going to discuss password managers, which some people see as the solution to the problem, because

  1. I've never used them myself so can't comment
  2. You still need a master password for the manager
  3. There are times when a password manager can't help you - e.g. on someone else's computer, or for storing the password you need to access your machine in the first place.
  4. I have concerns about storing all my eggs in one basket, however secure

Generating passwords

Last summer my wife and I holidayed in Peru and I knew I'd be using a lot of internet cafes and other insecure locations for accessing my email. To minimise the risk of having my identity compromised, I generated a fresh "holiday password" that I could change back as soon as I got home (Disclaimer - I can't vouch for the efficacy of tthis method, but it was the best method I could think of - please describe any better ideas in the comments). This password has now been fully retired so I have no concerns about sharing it with you.

1) Start with something very personal; but that isn't obvious

The knife edge you must walk is to pick something important to you, so that you won't forget it; but something that can't be externally guessed, so a malicious attacker can't work it out. Imagine you are Winston from Nineteen Eighty-Four, trying to trick an enemy who can track and record your every waking action. People choosing their spouse's name, date of birth or even the name of a pet are very common, but this information is far too easy to access with the internet - for example I have no doubt that with a bit of googling you can find out where I went to university and what I studied, the name of my spouse, the date of our marriage or pretty much any other significant event in my life.

Update: Apparently this is known as Kerckhoff's principle

So stick to the small things. Very few people know I'm slightly obsessed with song lyrics for example. More people are aware I'm a fan of Radiohead (I daresay you can work it out from information about gigs I've attended), but fewer again would know that "Paranoid Android" is one of my favourites. In particular one line comes across with great power in the song,

"When I am King you will be first against the wall"

2) Condense it into something quick to type

So now we have the "seed" for our password, we have to reduce it down. This is purely because while longer passwords are more secure than shorter passwords, overlong passwords are too hard to reliably type. The easiest way to reduce a seed is to convert it to an acronym - but anything that you can reliably remember is fair game (second letter of every word? Reverse-order acronym? Whatever works for you).

WIAKYWBFATW

3) Add special characters/Numbers/Capitals in a way that is personal to you

Come up with some substitutions for the letters in your reduced form, the quirkier the better - remember the game we're playing: It must be memorable to you, but totally illogical to a 3rd party. I tend to look at the keyboard and try and imagine alternative meanings for the keys that fit what I want to say. In my example:

  • 1 for "First" and "I“
  • “U” for “you”
  • / for against
  • | for wall
  • lowercase for "am", "will, "be", "the”

Which leaves us with:

W1aKUwb1/t|

4) Practise!

The worst thing you can do at this point is to go ahead, change your password, and forget about it until you next need it! Make sure you can reliably reproduce the password at least 5 times on the trot (without looking at the screen!). This will help you develop muscle-memory for the pattern, so that eventually you don't even have to think about your password - your fingers know what to do for you.

So we now have a quick method for producing a password which a computer will struggle to brute-force, but which we will never forget, and can reproduce at a moment's notice. Hopefully you will find this a useful tool for protecting your online identity - please let me know your experiences/your own techniques in the comments.