Tuesday, July 12, 2016

A layman's Introduction to Passwords

When the internet first experienced the pains of identification over the web, the simplest solution was the password system. At it's heart this system pairs two pieces of information together to identify people over the internet.

The first is your name/email/userid or any other thing which is generally publicly available. The other is your password. A piece of information which only you and the website knows. The entire security of this system rests on the premise that your password cannot be easily known unless you tell it to someone else.

Along came humans and broke this perfectly sane system. They choose bad passwords. Period. That paired with the fact that computers are amazingly fast, makes for a good run of old school brute force.

Here's the breakdown of how things are:

  • Access to your account is given to anyone who can present the correct name-password combination.
  • The password is kept secret only because it is assumed that there is no other way for an attacker to know it.
  • In essence, if your password is easily guessable, well it can be guessed so it's not really a secret anymore is it?
  • The only way to make passwords which result in a really secure system is to make them hard to guess.
To do those things, we need to understand how an attacker works.

  • Brute force
    • Let's say that the password field is limited to alphabets and numbers and can only be 20 characters long.
    • That means that there are (26+10=36) unique characters available which can be typed in. Also, any of the 20 places can take those characters. Thus there are 36 ^ 20 possible passwords.
    • That number is actually big. 13367494538843734067838845976576 to be exact.
    • You chosen password is bound to be contained within one of those combinations.
    • An attacker simply tries out one combination at a time and waits till he finds the one which matches your account.
  • Ordered brute force / dictionary
    • Instead of trying all of those passwords in a random order, the attacker makes assumptions on what password you are likely to chose.
    • For example a password `dog` is more likely than `odg` simply because it occurs in the English language.
    • You are also more likely to have passwords containing your name/ your children's name/ date of births and other special dates.
    • An attacker tries these out first.
The solution

We simply need to increase the magnitude of that number further and make sure that the attacker has a hard time guessing which ones you are more likely to type into your password.

There is only one way to do this properly and that is to use a password manager. I recommend KeepassX since I've been using it for years now and it has given me no problems.

The way they work is:

  • They generate passwords for you, making sure that they are hard to guess and pretty long. (I usually have 100 character passwords)
  • You can test your password's strength using this nifty service.
  • Once your passwords are generated, they store them in a database file which you can carry around / upload to Dropbox or Google Drive
  • All those passwords are encrypted using a single Master Password which needs to be pretty strong.
  • I usually choose the master based on a something which is transitory and in front of me. For example one of my past master passwords was "aredcarhonkinglikemadinfrontofmewhenthereisnobodyinfrontofhim".
  • This master password is all you need to remember.
  • Now whenever you want to log in to say, Facebook:
    • Open the Facebook login page
    • Type in your username
    • You open your password manager using your master password
    • Select the Facebook entry
    • Copy the password (Crtl + C for KeepassX)
    • paste it into the password field of Facebook's login page
    • Close the password manager.
That is all there is to it. This makes sure that all your passwords are nice and secure. Using password managers also comes with nice services like reminding you when you have not changed your password since a long time and so on.

Here are some nice tutorials for KeepassX: