What makes a password secure?
We have to keep the bad guys out while letting the legitimate user in.
We need to protect authentication and prevent user identity masquerading or spoofing, so it must be impractical for the attacker to guess it.
I didn’t say “impossible” because any string could be guessed eventually. But impractical, so that it would require enough guesses that a rational attacker would give up.
We must also protect availability by using something that the legitimate user has a chance of remembering.
As we discuss in Learning Tree’s System and Network Security Introduction course, we must provide all the needed security aspects, and prevent one from interfering with another.
This will require a pass phrase rather than a pass word. Let’s think about how we might try to solve this problem.
As I have mentioned before, security needs randomness, and this is yet another example. But why?
We said that it must be impractical to guess the secret.
That’s another way of saying that it must be unpredictable.
And that’s just another way of saying that it must be random.
The problem is that highly random strings are impractical. People won’t remember anything like this:
So, sticky notes go onto the monitors. And even with a string like that on paper, it is very difficult to type such a long random string when you can’t see what you’re typing.
The bad guy can learn what the password is with a glance at the monitor or laptop, while the legitimate user will be locked out after three sequential typing errors.
We need things that are more like words. Not necessarily words, but words or at least pronounceable word fragments.
/usr/share/dict/words is used by the various spell-checking tools. It’s very large, with 483,523 words and word fragments on the distribution I’m using here. Let’s see how many of those are 4, 5, or 6 characters long.
$ wc -l /usr/share/dict/words
483523 /usr/share/dict/words
$ egrep '^....$|^.....$|^......$' /usr/share/dict/words | wc -l
80489
The egrep command retrieves lines matching extended regular expressions from that file, and then its output is piped into the wc command with an option asking for the number of lines only (not words and not characters).
Consider that 2^16 = 65,536. One word randomly selected out of a list of 80,489 means a little over 16 bits of entropy, as in unpredictability, randomness, and security in this setting. Five such words would mean a little over 80 bits of security.
It’s almost as easy to use Linux command-line tools to generate pass phrases of 5 word-like strings each. Let’s extract the 4-, 5-, and 6-character strings from that file, send those through 5 rounds of shuffling with the shuf command, the last round selecting just the first five, and format the result onto a single line with the fmt command, repeating until I get something I think I have a chance of remembering:
$ egrep '^....$|^.....$|^......$' /usr/share/dict/words | shuf | shuf | shuf | shuf | shuf -n 5 | fmt
pecite glub haleru diamin Ellyn
$ egrep '^....$|^.....$|^......$' /usr/share/dict/words | shuf | shuf | shuf | shuf | shuf -n 5 | fmt
witted Rowan Aenius twang stul
$ egrep '^....$|^.....$|^......$' /usr/share/dict/words | shuf | shuf | shuf | shuf | shuf -n 5 | fmt
barbs clonic Teryl rictus vestas
Yes, I know what the security policy is going to insist: I must use mixed case and digits and special characters. So how about simply capitalizing them and adding sequential digits plus punctuation? Now I only have to remember five “words” and a punctuation mark. The result:
Barbs1! Clonic2! Teryl3! Rictus4! Vestas5!
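The egrep/shuf pipeline, the entropy arithmetic, and the policy decoration above, reproduced in Python as an added example (not code from the original post). The word list is a small constructed stand-in for /usr/share/dict/words, the function names are assumed, and words are drawn with the OS CSPRNG via the secrets module in place of shuf.

```python
import math
import secrets

# Constructed stand-in for /usr/share/dict/words (the real file on the post's
# system has 483,523 entries); only the filtering and selection logic matters here.
SAMPLE_WORDS = """
a an the able about barbs clonic Teryl rictus vestas pecite glub haleru diamin
Ellyn witted Rowan Aenius twang stul password remembering entropy random
shuffle zebra quick jumps lazy dogs fox gladiator monitor sticky note
""".split()

# OS-backed CSPRNG: a predictable generator here would defeat the whole exercise,
# since the unpredictability of the picks is the entire source of security.
_rng = secrets.SystemRandom()


def word_like(words, min_len=4, max_len=6):
    """Equivalent of egrep '^....$|^.....$|^......$': keep 4-, 5- and 6-char entries."""
    return [w for w in words if min_len <= len(w) <= max_len]


def bits_per_word(pool_size):
    """Entropy of one uniformly random pick from a pool: log2(pool size)."""
    return math.log2(pool_size)


def passphrase_bits(pool_size, n_words):
    """Approximate entropy of n_words picks; the exact figure for picks without
    replacement is marginally lower, negligible when pool_size >> n_words."""
    return n_words * bits_per_word(pool_size)


def generate_passphrase(pool, n_words=5):
    """Like 'shuf -n 5': n distinct words chosen uniformly from the pool."""
    return _rng.sample(pool, n_words)


def decorate(words, punct="!"):
    """The policy workaround from the post: capitalise each word and append a
    sequential digit plus one punctuation mark. Digits and mark are derived
    deterministically from the position, so they add essentially no entropy."""
    return " ".join(f"{w.capitalize()}{i}{punct}" for i, w in enumerate(words, start=1))


if __name__ == "__main__":
    pool = word_like(SAMPLE_WORDS)
    words = generate_passphrase(pool)
    print(" ".join(words))
    print(decorate(words))
    print(f"{passphrase_bits(80489, 5):.1f} bits for 5 words from the post's 80,489-word pool")
```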
Hmmm. That looks like some sort of cheer for the gladiators. Well, if that helped me to remember it, that would be great.
I doubt that I could remember this quasi-gibberish for one pass phrase, let alone multiple unique ones for multiple servers and web sites!
Check back here next week as I have a recommendation for a cross-platform solution that provides far stronger password strings and it does the remembering for you!