Continued from page 1
Network systems and services, and introduction of PC as a networked device as well as a stand-alone computer, together created idea that it must be possible to have infinite retries at getting password right. (In case of PC, concern was focused upon problem of having its owner get locked out with no way to recover situation. Therefore, some systems had physical password reset buttons to get round this problem.) The attacker was being given a massive advantage!
The Internet, built for resilience and information sharing, included idea of an ID/password, but did not provide encryption to protect password and allowed infinite retries to get it right. As a result, passwords are usually transmitted unprotected, and may be sent with every page that needs access to a password protected area as well as allowing attacker all time site is up to try and crack it.
Potential routes forwards
The biggest hurdle to overcome is ability of a user to hit more than six consecutive keys reliably, given that they cannot ‘see’ results of what they are doing. (Actually, this is not new. Anyone with a Remington typewriter No 3 and before would know that type basket on those models hit paper directly under roller, not on front of roller, and user had to lift roller to see what they had typed.)
Of course a user needs a bit of practice in order to get a longer password right. Constant change makes for bad typing. Using a much longer password, say 30 or so character positions, may not be guaranteed to generate what cryptologists call entropy, but it has a good chance. If it is combined with using hash algorithms that generate much larger spaces (say SHA-1 512) then attack space will still be large compared with current results.
A long password should also be harder to crack with short dictionary attacks and more resistant to brute force attacks, because time to create either password or hash becomes significant. This may have a lot to recommend itself. Long passwords are also resistant to being captured by others by mere observation (except when keystroke capturing methods are in use) because there is too much now for attacker to remember, no matter how often then observe. (Perhaps videos will become more popular in ‘public places’.
But how do you educate users into using passwords successfully?
The first thing to remember is that length must be proportionate to overall security requirement. If a ‘three strikes and you’re out’ system combined with a token of almost any kind is in use you can live with a 4-digit PIN. If there are multiple systems then a single long password could be used as a system enabler for all services.
Choosing long passwords is not daunting prospect that so destroys choosing short passwords. Natural language is now to be preferred since it must be memorable. But expression of natural language must be left to capricious nature of user.
By way of some examples of longer passwords, one could consider following:
“Table!house*”, “Knight(soil)” or “Dem0n**manager”. Other examples that could work include, “1066andallthat”, “Hangthe****donkey” or “Now is time forall men”. This last one is a quotation, but it’s still hard to guess or attack, especially if you don’t know where spaces are! These kinds of passwords are proof against any dictionary attack, and, provided they are not changed often, users are more likely to choose something difficult and unique. Another handy feature is that they are slightly harder to share with friends since there is so much more to remember.
Never forget real purpose
The password, as we use it today, is more often than not ‘secret’ that unlocks systems capabilities or grants authorizations (including access control). In future services it will be used to authorize cryptographic secrets, most likely held in software, and then later in hardware. These ‘keystores’ may hold various secrets, perhaps even including other passwords that are transparent to user. Where infinite retries are possible, use of short passwords will represent a significant, and avoidable weakness which designers may one day be called to account for.
Ultimately, real purpose of a security system is to try and make user’s life easy whilst making attacker’s life difficult. Systems that ignore user are going to fail with very community they are supposed to serve.
Whenever users cannot manage systems they are given an advantage is being given to attacker because they will exploit those aspects of system first. Similarly, a poorly designed system will fail and will compromise very users it is supposed to protect. Poor design is much harder to fix than bad coding or errors in implementation.
Steve Mathews, is one of the authors of ISO/IEC 17799 (formerly BS7799) and is well recognized in the security industry. He provides security advice to the European commission, the UK Government and an impressive range of globally based Fortune 100 companies. He regularly lectures on risk management, PKI, information security management and secure e-business implementation.