Practical Password Strategies
My passwords. White background achieved with Iconasys' Shutter Stream

Recently, I have listened to a few radio programs and read a few articles about strategies for choosing passwords, the worst kinds of passwords, and tips on managing the ever-growing collection of passwords. In an attempt to beat the password issue to death, I offer my own engineering approach to password management and password-generating strategies. Employing good and secure password strategies can save significant amounts of time (from not having to go through password recovery, to securely sharing strong passwords among IT teams, as we do with our IT teams at DMMD and Iconasys), money (especially if the password protects your bank account) and frustration. Let’s develop our practical and efficient password-generating algorithm.

First, let’s look at what the responsibilities of our password-generating algorithm should be:

1.    A password should be difficult to guess – by an algorithm programmed by humans. Passwords are usually cracked by some kind of iterative program that tries candidate passwords over and over. These programs are written by other programmers and, for the sake of discussion, we can assume that those programmers have access to all your personal information, including social security numbers, date of birth, phone numbers, etc. The single most important factor in password security is the length of your password. Mixing upper and lower case, numbers and special characters comes second! Remember, length is the single most important security feature of your password.

Thus, the password “ILoveToThinkAboutPasswords” is stronger than “1L0v3707h1nk” (which is “ILoveToThink” with 1 for I, 0 for o and 7 for t). Replacing letters with look-alike numbers is a common and recommended strategy for mangling passwords, but it only helps against a human reader: to a program that tries to work out your password, a 1 or an I makes no difference once the program assumes you may have used either.

Unfortunately, many sites impose limits on maximum password length! You will often find a minimum length requirement of 8 characters, and I have seen reputable companies impose a maximum of 16 characters. To this day I do not understand why the maximum is set so low rather than significantly higher!

2.    A password should be unique to one company or application. We do not know how the services we use store our passwords. We would like all passwords to be encrypted, but it is best to design for the worst case, which is that our password is stored as plain text. Thus, if we do business with Company-A it is best to have a password that only works for Company-A and a different one for Company-B. For the worst case, we assume that an employee of Company-A, or a hacker who has broken into it, has access to your Company-A password.

3.    A password should be easy to remember. This is an obvious responsibility of the password-generating algorithm. If we have a unique password for every company (application) we work with, there will be many companies and therefore many passwords to remember or to re-generate on a whim. The passwords have to be easy to remember or to regenerate.

Second, now that we understand the responsibilities of our password-generating algorithm, how are we going to design a password-generating algorithm that will handle all three responsibilities? Darn it! The first two responsibilities make complete sense, but how do we get to the third, when sometimes I have trouble remembering my own name?

The solution I propose is to devise a secret, easy-to-remember algorithm that satisfies all three responsibilities. Let’s go through the requirements and see what kinds of algorithms we can come up with:

1.    Responsibility 1: A password should be difficult to guess – by an algorithm programmed by humans. Since “Password” is probably the most common password, let’s simply do a letter-to-number replacement (a to 4, o to 0 and s to 5) together with a dynamic component, such as the current year. The dynamic component will also remind us to change the password at least once a year. Thus, for the difficult component of the password, we can have: “P455w0rd19”

From our earlier discussion, this password on its own is not difficult to guess, since it is fairly short. However, remember that this is only one third of our final password; our eventual password will be longer. We can call this part the “encoding key” of our password.

2.    Responsibility 2: A password should be unique to one company or application. I will go with the most trivial option here. Since the password is unique to each company (or application), the second component of my password will simply be the company name. Thus, for Company-A the second part of my password algorithm will use “Company-A”, and for Company-B it will use “Company-B”.

3.    Responsibility 3: A password should be easy to remember. We are ready to bring it all into focus and suggest several algorithms for making our complex password easy to remember.

a.    Concatenate. Simply string together the two components above, joined by a special character such as ‘&’.

The disadvantage of this algorithm is that if the hacker at Company-A reads our password, they will be able to figure out our secret algorithm fairly easily and thus may make a pretty good guess at our password at Company-B.

b.    Concatenate + 1. Some password-checking rules do not allow the company name to appear in the password, deeming it less safe. A simple solution is to shift each letter of the company name by one position: a to b, b to c, …, z to a.

The advantage of “Concatenate + 1” (or + any number, for that matter) is that, even assuming an employee at Company-A does have access to the password, it is not nearly as clear that they will be able to figure out the simple rule used by our password-generating algorithm, and hence they will not be able to access our account at Company-B.

c.    Interweaving. In cryptography, messages are often encoded using convolutions, which are sums of shifted, per-character multiplications. Suggesting such an algorithm for password generation would complicate the logic too much for an average human, but something similar and simpler to implement is interweaving: we alternate characters from our difficult key with characters of the company name, keeping the special character &.

Of course, we could also have “Interweaving + 1”, where instead of Company-A we interweave “Company-A + 1”, and so on.
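The three combination schemes above, together with the length-versus-substitution comparison from Responsibility 1, as an added Python example that is not part of the original article. It uses the article’s own key “P455w0rd19” and company names; the exact character order for interweaving is not spelled out above, so the order used here (alternate key and name characters, then the &, then whatever is left over) is an assumption, as is the 8-minimum/16-maximum length check.

```python
import math
import string

# Added example, not the article's code: the encoding key, schemes (a)-(c),
# and a search-space estimate. The interweaving order is an assumption.
SEP = "&"


def encoding_key(year: int) -> str:
    """Responsibility 1: 'Password' with a->4, o->0, s->5 plus a two-digit year."""
    return "P455w0rd" + f"{year % 100:02d}"


def shift_name(name: str, n: int = 1) -> str:
    """Scheme (b) helper: rotate every letter n places (a->b, ..., z->a)."""
    out = []
    for ch in name:
        if ch.islower():
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif ch.isupper():
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)  # digits and '-' stay as they are
    return "".join(out)


def concatenate(name: str, key: str) -> str:
    """Scheme (a): key, separator, company name."""
    return key + SEP + name


def concatenate_plus(name: str, key: str, n: int = 1) -> str:
    """Scheme (b): key, separator, company name shifted by n."""
    return key + SEP + shift_name(name, n)


def interweave(name: str, key: str) -> str:
    """Scheme (c), assumed order: alternate key/name characters, then the
    separator, then whatever is left of the longer string."""
    n = min(len(key), len(name))
    woven = "".join(k + c for k, c in zip(key, name))
    return woven + SEP + key[n:] + name[n:]


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space, with the alphabet taken to be
    every character class (lower, upper, digit, punctuation) present in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return len(pw) * math.log2(alphabet)


def within_limits(pw: str, min_len: int = 8, max_len: int = 16) -> bool:
    """The 8-character minimum / 16-character maximum rule mentioned above."""
    return min_len <= len(pw) <= max_len
```

Running search_space_bits on the two earlier examples gives roughly 148 bits for the 26-letter phrase against roughly 71 bits for the 12-character substituted one. within_limits shows that the concatenated Company-A password, at 20 characters, already exceeds a 16-character maximum.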

In conclusion, good passwords are critical for our own information security and can have a direct impact on saving time, money and frustration. This article proposed using a “key password” combined with the name of the individual application or company. Three different methods for combining the key with the company name were proposed. The suggested password-generating algorithms are starting points for developing others. The key to practical and strong passwords is keeping them long and having a fixed, secret personal algorithm that, depending on the name of the company or application, can be used to re-generate the passwords, thus enforcing a unique and long password for each company or application.

Keywords: #Passwords, #PasswordTechniques

Brendan Usher

Director at Logical Line Marking

6 years

Great awareness around business here! Great perspective.


More articles by Darian Muresan