Your Passwords Suck

So do mine.  What can you say?  Maybe I should write that, p@5SW0rdz?  It doesn’t matter.  We all use passwords.  It’s the simplest and most popular method systems and sites have to authenticate us.  But let’s face it, passwords suck.  There are lots of problems with how we use passwords, and my aim today is to help sort some of those out.

The main thing you need to know about passwords is that they are typically not used well enough to secure much of anything, because humans have certain mental patterns that are difficult to break out of.  One is that we will tend to choose, as “secret words” that we know we need to remember, things that have a particular meaning to us.  A child’s name, a wedding anniversary, a favorite sports team.  The advantage is that these things don’t change, so we can reliably remember them.  But that is also a huge disadvantage, especially since we make it easy for anyone to learn these things about us, via social media.

A common way to attack a password is brute force: guess every possible password until one matches.  Once an attacker knows your kids’ names, your milestone dates and your favorite teams or bands, the range of things they have to guess gets a lot smaller, so a match comes a lot sooner.  Almost as easy for an attacker is a password that is not based on your life but is still a real word.  That calls for a refinement of brute-force guessing, the “dictionary attack”: try every word in a wordlist instead of every possible string.  On modern hardware this can cut the time to find a password from hours or days to seconds.  It works even if you take your favorite fruit, say “pineapple”, and cleverly change it to “p1N3Appl3”.  Cracking tools apply “mangling rules” to each dictionary word (swap letters for look-alike digits and symbols, toggle capitalization, append a year or a “!”), so all of those transformations are already in the candidate list, and they slow the attack down by only a few heartbeats.
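To make the point concrete, here is a toy rule-based dictionary attack.  It is an added example written for this page, not a real cracking tool: the wordlist, the leet table and the suffix list are constructed for the demo, and unsalted SHA-256 stands in for whatever hash a leaked database might hold.  It shows how few guesses it takes to reach “p1N3Appl3” once every per-letter substitution is enumerated, and that the random 18-character password is never reached at all.

```python
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed inputs for this example (not a real wordlist or rule file): a five-word
# "dictionary", a leet-speak look-alike table and a few common suffixes. Real cracking
# tools ship wordlists of millions of entries and rule files with thousands of mangling rules.
WORDLIST = ["summer", "dragon", "football", "pineapple", "monkey"]
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "l": "1"}
SUFFIXES = ["", "1", "12", "123", "!", "2017"]


def char_variants(c: str) -> str:
    """Every spelling of one letter the attacker will try: lower, UPPER and leet look-alikes."""
    variants = {c.lower(), c.upper()}
    variants.update(LEET.get(c.lower(), ""))
    return "".join(sorted(variants))


def mangle(word: str) -> Iterator[str]:
    """Enumerate all per-character case/leet substitutions of a word, each with every suffix.

    For "pineapple" that is only 6,912 spellings x 6 suffixes, and "p1N3Appl3" is one of them.
    """
    for chars in itertools.product(*(char_variants(c) for c in word)):
        base = "".join(chars)
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for whatever hash a leaked database stored.

    A slow hash such as bcrypt raises the cost of each guess but does not shrink the number of guesses.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Try every mangled form of every dictionary word against the hash.

    Returns (recovered_password, guesses_made), or (None, guesses_made) if the list is exhausted.
    """
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    pw, n = dictionary_attack(sha256_hex("p1N3Appl3"))
    print(f"recovered {pw!r} after {n} guesses")
    pw, n = dictionary_attack(sha256_hex("Kg52k$hm^YG@yuR%WD"))
    print(f"random password: {pw!r} after exhausting {n} guesses")
```

The whole five-word list, with every substitution and suffix, is under 70,000 candidates, which is a fraction of a second of hashing.  The lesson is that “cleverness” applied to a dictionary word adds a handful of bits, while a password drawn at random from the full character set is simply not in the search space.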


There’s another habit we have as humans that makes life easier for criminals: we reuse passwords.  Having more occasions to type a given password makes it likelier we’ll remember it, doesn’t it?  Well, all this means to a criminal is that once they figure it out for one site, they have it for everywhere we go (they call it “credential stuffing”: take a list of leaked logins and try it against every other site).  Now, even as hard as it is to remember a single good password, here’s that mean old Safer Computing blogger telling you to make up a new and different one for every site.  This is ridiculous!  You can’t do this!  Heck, Safer Computing can’t!  Nobody can….

Nor should they.  No, the human brain is not up to making or remembering good passwords.  Because p@5SW0rd is a pretty lousy one, and so is p1N3Appl3.  A good password is actually something like Kg52k$hm^YG@yuR%WD.  But I don’t want to type that, and I don’t want to have to remember it.  Lucky for me, I don’t have to.  There are a number of good password managers out there: programs that create, store and fill in good complex passwords for you, without giving you the headache of dealing with strings like Kg52k$hm^YG@yuR%WD.  The one I would recommend from my current tool kit is LastPass.  It integrates into your browser so you can let it automatically log into sites for you.  When you’re signing up for some new service, it (usually) detects that and offers to generate a gnarly unguessable password for you.  And if you load your current set of passwords into its database, it will offer to fix problems like weaker passwords and duplication.  All in all I have been happy enough with it to upgrade to the paid version for several years now.  But start with the free version, it’s got more than enough power for most folks.  If you want to try something else, take a look at 1Password, or for a stand-alone program instead of a web-based database, try KeePass2.  I have no affiliation to any of these products.

Finally, let’s talk about ways to make your passwords less important (they suck, remember?).  The best way to do this is to add a second factor to your authentication on anything important.  If the password is the only thing you need to get into a service, then having that password compromised is a disaster.  But if getting into, say, your GMail requires both a password and the current code for GMail in the Authenticator app on your phone, then losing only one of them is an annoyance rather than a disaster.  Any important website (email, social media, banking, stock trading, etc.) that offers two-factor authentication, you should absolutely accept that offer and set it up.  The second factor will often be tied to your phone, but that’s actually just about ideal.  You already carry it, and it’s something you have that a crook who just guessed a password does not have.  This makes everyone safer (crooks excepted).

If an important site you use does not offer two-factor authentication, ask them some questions: Why not?  When WILL they offer it?  and of course, How do I transfer my account to a competitor who DOES offer it?


Two are Better than One

Two?  Two what?  Heads?  Maybe it’s true that two heads are better than one.  It depends on how alike they are, and how different.  Too much alike, and they reinforce each other’s weaknesses as well as strengths; the same amount of work simply takes more effort without more benefit.  That’s all true, too, of the topic I am writing about today: authentication factors.

Authentication factors are the ways you prove to a computing system that you are the authorized user, and so gain access to its programs and files.  The factor you encounter most often in the digital world is your user ID and password.  That is the first of three types.  When security pros talk about authentication factors, they mean three broad categories:

  1. Something you know
  2. Something you have
  3. Something you are
Look familiar?

You can see how user ID and password fit the first category.  You have probably also noticed that many sites let you bypass creating yet another user ID and password combination by logging in through one of your social media accounts.  This is a great convenience when the developers of a web resource have gone to the trouble of integrating their login with one or more of the popular platforms (the site hands the authentication off to that platform, usually via OAuth or OpenID Connect).  You have one less password to remember.

Just don’t forget: every time you take advantage of this convenience, you raise the stakes on the logins to the underlying sites.  A compromise of your Facebook, Twitter, LinkedIn or Google+ login is now that much bigger a problem, because it opens every site that trusts it.  So it’s all the more worthwhile to consider a way to make the “cracking” of those high-stakes logins much more difficult.

It’s good practice to use two of the three factors for any high-value authentication.  For consumers, that means banking and investment accounts, credit and insurance sites, anything with a financial impact, plus social media sites, which can have reputational impact and can be leveraged against other sites you use with integrated logins.  Pretty much everywhere you go uses that first category, something you know.  Your user ID, and especially your password, are bits of knowledge you carry around in your head (OK), or on bits of paper in your wallet (not so OK), or on post-it notes stuck to your monitor (very bad), or stashed safely in an encrypted password vault (verry goood!).  Okay, we’ve got #1 covered.  Now we need #2 or #3.

“Biometrics” is the techie term for #3: something you are.  It’s growing in popularity.  Fingerprint unlocking is not optional anymore on some Apple and other products.  Facial recognition is the unlock mechanism they’re furiously pushing for the coming devices, including the iPhone 8.  Fingerprint locks are almost ubiquitous in data centers and other places that want to look very secure.

Look secure.  I’m not sold on the genuine superiority of consumer-level biometric sensors.  Every biometric sensor has a figure called the “crossover error rate” (also called the equal error rate).  Think about it like this: there are two ways a sensor can be wrong.  It can accept someone else’s fingerprint (or retina, or face, or whatever…) as yours.  Or it can see yours and not recognize it.  The first type of error is a “false positive” (a false accept), the second a “false negative” (a false reject).  The charming nature of biometric devices is that they will always produce both kinds of error.  You can tune the matching threshold to produce fewer of one kind, but that increases the rate of the other, and vice versa.  Plot both rates against the threshold and the two curves cross; the setting where the false-accept rate equals the false-reject rate is the crossover point, and the error rate there is the crossover error rate.  (That is not the same as the setting that minimizes the total number of errors; the crossover is used because it lets you compare sensors with a single number.)  And the difference between a $4 sensor part and a $40 sensor part?  The crossover error rate is a lot higher in the $4 part.
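Here is the crossover computed the way a sensor evaluation would do it.  This is an added example written for this page, not code from any sensor vendor: the genuine and impostor match scores are synthetic (two overlapping bell curves per sensor, an assumption standing in for thousands of real comparisons), and the “$4” and “$40” parts differ only in how far apart those curves sit.

```python
import random
from bisect import bisect_left
from typing import List, Tuple


def simulate_sensor(genuine_mean: float, impostor_mean: float, spread: float,
                    n: int = 2000, seed: int = 1) -> Tuple[List[float], List[float]]:
    """Constructed matching scores (assumption: higher score = more similar to the enrolled template).

    A cheap sensor's genuine and impostor scores overlap heavily; a better one separates them.
    Both lists are returned sorted so the rate lookups below are O(log n).
    """
    rng = random.Random(seed)
    genuine = sorted(rng.gauss(genuine_mean, spread) for _ in range(n))
    impostor = sorted(rng.gauss(impostor_mean, spread) for _ in range(n))
    return genuine, impostor


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """FAR: impostors accepted (score >= threshold). FRR: genuine users rejected (score < threshold)."""
    far = (len(impostor) - bisect_left(impostor, threshold)) / len(impostor)
    frr = bisect_left(genuine, threshold) / len(genuine)
    return far, frr


def crossover(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a threshold; the crossover is where FAR and FRR meet.

    Returns (threshold, equal_error_rate). Note this is not the threshold with the fewest total errors.
    """
    best_t, best_gap, eer = 0.0, float("inf"), 1.0
    for t in genuine + impostor:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap, eer = t, gap, (far + frr) / 2
    return best_t, eer


if __name__ == "__main__":
    cheap = simulate_sensor(60, 40, 15)   # "$4 part": curves overlap a lot
    good = simulate_sensor(70, 30, 8)     # "$40 part": curves well separated
    for name, (g, i) in (("$4 part", cheap), ("$40 part", good)):
        t, eer = crossover(g, i)
        print(f"{name}: crossover at score {t:.1f}, equal error rate {eer:.1%}")
        far, frr = error_rates(g, i, t + 10)
        print(f"   tighten threshold by 10 -> FAR {far:.1%}, FRR {frr:.1%}")
```

Running it shows the trade-off in the text: moving the threshold up from the crossover drives false accepts down and false rejects up, and the cheap sensor’s crossover sits an order of magnitude higher than the good one’s.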

With an unavoidably substantial number of errors of both kinds, I tend to shy away from recommending biometrics in small-budget situations.  The way I prefer to go for a second factor is not something you are, but something you have.  In the past, this has often been a dedicated token with a display that puts up a numeric code every minute or so.  The token is synchronized with the user’s identity record, so the code entered gives assurance that the user logging in is in possession of that unique key.

This is now possible at very low cost, because the job of the hardware key is now done by an app on a smartphone, such as Google Authenticator.  You install Authenticator on your phone.  When you enable a second factor on a website, you perform a one-time enrollment, usually by scanning a QR code, that shares a random secret between the web application and your copy of Authenticator.  That secret seeds a process in Authenticator that generates a six-digit code every 30 seconds (the TOTP algorithm of RFC 6238, which combines the secret with the current time).  The site computes the same code from its copy of the secret, so you type in the current code when logging in to that site thereafter.
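Both sides of that exchange, enrollment and login, fit in a few dozen lines.  This is an added example written for this page, not Google’s code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) as Authenticator uses them (HMAC-SHA1, 30-second step, six digits), plus the checks a site has to do on its side, a small clock-skew window and a refusal to accept a code that was already used.  The `enroll` and `verify` function names are this example’s own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step. Authenticator uses a 30-second step."""
    return hotp(secret, at // step, digits)


def enroll() -> Tuple[bytes, str]:
    """Site side of enrollment: a fresh random 160-bit secret, plus its base32 form for the QR code."""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode("ascii")


def verify(secret: bytes, submitted: str, at: int, last_used_counter: int = -1,
           window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Site side of login.

    Accepts the code for the current step or `window` steps either side (phone clocks drift),
    compares in constant time, and refuses any counter at or below the last one already
    accepted, so a code sniffed during its 30 seconds cannot be replayed.
    Returns the accepted counter (persist it as the new last_used_counter) or None.
    """
    current = at // step
    accepted = None
    for counter in range(current - window, current + window + 1):
        if counter > last_used_counter and hmac.compare_digest(hotp(secret, counter, digits), submitted):
            accepted = counter
    return accepted


if __name__ == "__main__":
    secret, b32 = enroll()
    print("enrollment secret for the QR code:", b32)
    now = int(time.time())
    code = totp(secret, now)                      # what the phone displays right now
    print("code:", code, "-> accepted counter:", verify(secret, code, now))
    print("same code again:", verify(secret, code, now, last_used_counter=now // 30))   # None: replay refused
```

The only thing the phone and the site ever share is the secret, once, at enrollment; after that each side derives the same six digits from the secret and the clock, which is why the code never travels through an SMS gateway or a mail server.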

Some sites send second-factor codes via SMS text or via email instead.  This is less desirable: an SMS passes through many intermediaries (and can be redirected to a crook by a “SIM swap” at the carrier), and an email account is often itself protected by nothing but a password, so it is hard to account for the authentication code through the entire process.

Even with the inferior methods of SMS or email, and certainly with a smartphone app like Authenticator, I always encourage two-factor authentication for every service that matters.

If the service provider does not offer two-factor authentication, I would recommend asking the provider why not, and whether that will change soon.  If the answer to that last question is No, then it might be well to switch to an alternative provider.

Horse Battery Staple is Correct After All

The password advice we all hate – upper and lower case, numerals and punctuation, change it frequently – is wrong.  We knew this in our guts, but now Bill Burr, the original author of the NIST guidance (Special Publication 800-63) that started it all in 2003, has recanted.

So now we’re back to the xkcd method, “correct horse battery staple”: a passphrase of several common words picked at random, which is long enough to resist guessing and easy enough to remember.

The Electronic Frontier Foundation publishes word lists you can use for this; five dice rolls pick one word from its 7,776-word long list.  They recommend physical dice so that your picks can’t be influenced by any compromise of the computer you are on.  If you’re a little less paranoid about it, you can use this Google sheet I have prepared from the SOWPODS Scrabble word list.
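For readers who would rather let software roll the dice, here is the procedure in code, with the arithmetic that says how many words you need.  This is an added example written for this page, not the EFF’s tooling or the Google sheet mentioned above; the twelve-word list is a constructed stand-in for a real diceware list, and the entropy numbers use the real list sizes.

```python
import math
import secrets
from typing import List

# Constructed stand-in for a diceware list (assumption). The EFF long list has 7,776 words,
# one for each of the 6**5 outcomes of five dice, so it is indexed by a key like "31455".
WORDS = ["correct", "horse", "battery", "staple", "pineapple", "anchovy",
         "kettle", "meadow", "saddle", "puzzle", "lantern", "orbit"]


def roll_dice(n: int = 5) -> str:
    """Roll n dice with the OS CSPRNG; the digits form the lookup key into a diceware list."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def passphrase(words: List[str], count: int = 6) -> str:
    """Pick `count` words uniformly at random. secrets.choice, not random.choice: the latter is not a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size: int, count: int) -> float:
    """A guesser must try up to list_size**count phrases; that is count * log2(list_size) bits."""
    return count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Fewest words from a list of this size that reach the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("dice roll:", roll_dice())
    print("passphrase:", passphrase(WORDS))
    print(f"6 words from the EFF long list: {entropy_bits(7776, 6):.1f} bits")
    print(f"18 random printable ASCII characters: {entropy_bits(94, 18):.1f} bits")
    print("words needed for 80 bits from the EFF long list:", words_needed(7776, 80))
```

The strength comes entirely from the random selection, not from the words being obscure: the attacker is assumed to have the same list, and six words from the long list still cost about 2^77 guesses.  Picking the words yourself defeats the whole point, which is why the EFF says to use dice.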

Finally… DON’T change the passphrase you make unless you have a positive reason to believe it’s been compromised.  Changing passwords on a regular schedule pushes people toward predictable ones (think Summer2017! becoming Fall2017!), and no good can come of that.  NIST’s revised guidance (SP 800-63B) now says the same: sites should not require periodic changes.

Employee RF ID

Employees at Three Square Market, a vending machine maker in Wisconsin, have been offered the chance to be chipped (like an AKC puppy!) with an RFID implant that serves as their employee ID, computer login, and payment token at the vending machines in the break rooms.

The company has “offered” their employees the “opportunity” to sign up for this, “voluntarily”.  They will be chipped at a “party” to be held August 1.  Was that enough “scare quotes” for you?  I trust my readers to “get it.”

via The Register