Q&A: Passwords

Dmitry Sklyarov is an IT security analyst at Elcomsoft. In this interview he discusses strong and insecure passwords, the compromise between usability and security as well as software you can use to make sure your credentials are safe.

What are the biggest mistakes users make when it comes to choosing passwords?
The biggest mistake is choosing a convenient password, a short and easy-to-remember one. Most everyone think the same way, and if someone has thought of a “convenient” password, it is possible that an adversary can think of and try the same password.

Can there ever be a compromise between ease-of-use and strong security when it comes to passwords?
Convenience and security will always oppose each other. Being an IT security specialist I am used to sacrifice convenience, as I see no other way to ensure security. Many people either do not understand why simple passwords are bad, or do not wish to spend too much time to complete security measurements thinking that it is more useful to spend this time on the main task.

You can find a compromise based on information value. You should try to estimate what damage can be incurred in case someone gets your password and compare it to expenses wasted on security measures (e.g. time for remembering and entering a password).

What makes a strong password?
In 1948 an American mathematician and engineer Claude Shannon entered information entropy term (measurement of uncertainty) in his work “A Mathematical Theory of Communication”. If we take, for example, English text, it takes 8 bit (one byte) to represent one symbol. Eight bit allow encoding 256 different symbols. However, there are only 26 characters in English alphabet and they can be easily represented by five bit (32 possible combinations). Consequently, uncertainty of one symbol of an English text makes not 8, but less than 5 bit.

In addition, some symbols and combinations are considerably more frequently used than others. A letter “E” is encountered hundred times more frequently than “Z”, and “U” always follows “Q”. Such peculiarities allow reducing uncertainty even more. According to mathematicians’ evaluation it makes around 1.5 bit per symbol for texts in English.

This means that if information is protected by encryption with 128-bit encryption key, and a password will be an English phrase (without space characters, punctuation marks, and in one register), a really strong password should be no shorter than 128/1.5 = 86 symbols.

Another way to create a strong password is using a random combination of characters from a maximal charset. You can enter 95 different symbols using a standard English keyboard (upper- and lowercase, space character, numbers, punctuation marks, and special symbols). Accordingly, entropy of each symbol will make approximately 6.5 bit, and to guarantee uncertainty of 128 bit a password should be as long as 128 / 6.5 = 20 symbols.

Here is an example of such a password:
5#C#Al2pmn96Q$Dy5j&

What advice would you give to those that have tens if not hundreds of accounts to keep track of? What kind of security practice should they be using?
Definitely, it is virtually impossible to remember many long and complex passwords. And the only practicable method to more or less securely use plenty of passwords is using a special program for keeping passwords. Such programs are usually called Password Vault or Password Safe.

The program is a small database, which stores resource descriptions and corresponding passwords. Database records are encrypted and to get access to them one needs authentication.

There are many different ways to authenticate (biometrics, smart-cards), but it is common that access to the base with passwords is protected by a master-password. It will be the only password a user should remember to be able to use all other passwords stored in the base.

The master password should be strong because in case an adversary learns it he/she will get access to all passwords kept in the base. You should never forget that a password can be intercepted while you enter it (e.g. by means of keyboard spy (keylogger) installed in a computer). That is why you should never enter a master password sitting at an unknown/untrusted computer.

I use free open-source program KeePass to store my passwords.

Based on what we have available at the moment, what is the most secure way to authenticate? What do you expect to emerge as a winning technology in the future?
Perhaps the most secure method is multi-factor authentication. Biometrics (namely something trickier than fingerprint) + smart card + password (PIN code). And all this under control of an armed security officer. However, in practice such serious measures are very seldom applied, because of expensiveness and unpracticality.

Speaking about the Internet in general – we won’t escape from passwords in the nearest future. They are habitual and their usage doesn’t require special equipment.

However, in business segment passwords will continue to get substituted by two-factor authentication (e.g. smart card/USB Token + password/PIN code). Though such means of authentication require financial expenditures, they should be repaid. They will guarantee a significantly higher security level than the one provided by using only passwords.

Don't miss