/ 12 October 2012

Enter the perplexing password

Experts dismiss the popular advice of combining letters and numbers.
Experts dismiss the popular advice of combining letters and numbers.

Let me hazard a wild guess: the system of passwords you use on the internet for accessing online banking, email, shopping sites, Twitter and Facebook accounts is a mess.

You know perfectly well what you ought to be doing: for each site you visit you should be choosing a different, complex sequence of letters, numbers and symbols and then memorising it. That is rule number one of the conventional wisdom on passwords: never, ever write them down.

But you do not do this because you were not blessed with a brain that is capable of such feats. So instead you use the same familiar words for every site – your dog's name, the name of your street – with occasional ingenious permutations, such as adding "123" at the end.

Or maybe you do try to follow the rules, in which case you are probably constantly getting locked out of your bank account or trying to remember the answers to various absurd security questions. "What was your favourite sport as a child?" I am now asked, although my real favourite sport was finding ways to dodge physical education. One question at the iTunes Store asks users to nominate their "least favourite car".

One reason not to feel too guilty about your bad password behaviour is that it seems to be almost universal. In September an analysis of leaked pin numbers revealed that about one in 10 of us uses "1234"; a recent security breach at Yahoo showed that thousands of users' passwords were either "password", "welcome", "123456" or "ninja". People choose terrible passwords, even when more is at stake than their savings. Among military security specialists, it is well known that at the height of the Cold War the "secret unlocking code" for the United States's nuclear missiles was 00000000. Five years ago, the BBC's Newsnight programme revealed that until 1997 some British nuclear missiles were armed by turning a key in what was essentially a bike lock. To choose whether the bomb should explode in the air or on the ground, you turned dials using an Allen key, Ikea-style. There were no pass codes at all. Speed of retaliation, in the event of an enemy attack, counted for everything.

The parlous state of our passwords is the result of a different arms race – between malicious hackers and "white hat" security testers. But when you talk to some of the people most deeply involved, it soon becomes clear that the conventional wisdom is flawed. For example, writing down your passwords may be an excellent plan. Employers who insist on their staff changing passwords every 90 days probably are not increasing security and may be making things worse. The same goes for some of the password rules that your bank insists you follow: no more than 12 characters, spaces not allowed, etcetera. At the bottom of all this is the truth that passwords, as a method for keeping our most private data secure on the internet, are fundamentally broken.

Password guesses
When I asked veteran security researcher Bill Cheswick if there was a way to solve the problem once and for all, he thought about it, then suggested: "Burn your computer and go to the beach." But although the system may be in chaos, there are things you can do to stay safe and sane. It is just that they are not necessarily the things you have been told.

Password-hacking takes many different forms, but one crucial thing to understand is that it is often not a matter of devilish cunning, but of bludgeoning with brute force. Take the example of a hacker who sneaks on to a company's servers and steals a file containing a few million passwords. These will (hopefully) have been encrypted, so he cannot just log into your account. If your password is "hello", which of course it should not be, it might be recorded in the file as something like "$1$r6T8SUB9$Qxe41FJyF/3gkPIuvKOQ90". Nor can he simply decode the gobbledegook, providing "one-way encryption" was used. What he can do, though, is feed millions of password guesses through the same encryption algorithm until one of them – bingo! – results in a matching string of gobbledegook. Then he knows he has found a password. An additional encryption technique, known as "salting", renders this kind of attack impractical, but it is unclear how many firms actually use it. This is where the length of your password makes an almost unbelievable difference. For a hacker with the computing power to make 1000 guesses a second, a five-letter, purely random, all-lower-case password, such as "fpqzy", would take three and three-quarter hours to crack. Increase the number of letters to 20, though, and the cracking time increases to six-and-a-half-thousand-trillion centuries.

Then there is the question of predictability. Nobody thinks up passwords by combining truly random sequences of letters and numbers; instead they follow rules, such as using real words and replacing the letter O with a zero, or using first names followed by a year. Hackers know this, so their software can incorporate these rules when generating guesses, vastly reducing the time it takes to hit on a correct one. And every time there is a new leak of millions of passwords – as happened to Gawker in 2010 and to LinkedIn and Yahoo this year – it adds to a massive body of knowledge about how people create passwords, which makes things even easier.

The least hackable password, then, would be a long string of completely random letters, numbers, spaces and symbols, but you would never remember it. However, because length matters so much, the surprising truth is that a longish string of random English words, all in lower case – say "awoken wheels angling ostrich" – is actually much more secure than a shorter password that follows your bank's annoying rules, such as "M@nch3st3r". And easier to remember: you have already formed a memorable image of some noisy wheels waking up an ostrich fishing by a riverbank, have you not?

It gets worse. Because passwords are too hard to remember, we have added account recovery processes involving security questions that are far too easy for hackers to answer. That is how Sarah Palin's personal email was hacked in 2008: the intruder correctly guessed information about her postal code and high school. A related weakness in account recovery was also to blame for a vicious hacking assault on Wired magazine writer Mat Honan in August. Hackers managed to commandeer his Google account, send racist messages under his name on Twitter and remotely wipe all the data on his laptop, phone and iPad. All this happened, one of the hackers later told Honan, because Amazon's customer services line was happy to give out the last four digits of his credit card number, which was what Apple's customer services needed to reset access to his Apple iCloud account.

Some websites will let you use a pass phrase, like the one about the angling ostrich. But many will not  and in those cases, several security experts agree, you should defy your bank and write the password down.

"I have 68 different passwords," a Microsoft security specialist named Jesper Johansson told a conference several years ago. "If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password for every one of them."

Security calculation
Cryptographer Bruce Schneier, another advocate of writing down passwords, points out that most of us are pretty good at maintaining the security of small scraps of paper. Whether you can trust your spouse or your housemates is the kind of security calculation you are qualified to make. Whether your bank account might be at risk from a Russian hacking collective really is not.

When I put this argument to Neil Aitken, a spokesman for the United Kingdom Payments Council, which oversees, among other things, interbank transfer systems, he did a remarkably good job of remaining calm. The problem, he explained, was that the laws on fraud imposed certain responsibilities on bank customers. If somebody swipes money from your account, you will have a harder time getting it back if you are deemed to have been "grossly negligent" in protecting your passwords. The council strongly advises British consumers never to write down or share their passwords.

Both sides have a point. That is the problem with security: it is always a matter of trade-offs. More convenience means less security; more protection from remote attacks means less protection from a sneaky housemate. Would you rather run a slightly higher (but hard to quantify) risk of losing your money, or condemn yourself to years of password-related hassle? It is a question almost as perplexing as "What's your least favourite car?"

Cheswick is far from alone in believing that we, as a society, are descending into password chaos. What makes him unusual is that he is willing to accept responsibility for being partly to blame. In 1994, as a member of AT&T's fabled research division Bell Labs, he co-wrote a book with the evocative title of Firewalls and Internet Security: Repelling the Wily Hacker. (He also coined the term "proxy server", one of several things that makes him, in internet circles, a minor deity.) The book laid the foundations for modern online security. But now, he said, when we met in a Manhattan coffee bar, passwords had become "a pain in the ass. Who can keep track of all these things?" Cheswick labels these "eye-of-newt" rules because they resemble recipes for magical potions, although sometimes, when getting carried away giving speeches, he has been known to call them "password fascism" too. "I have 25 different accounts, so now I have to remember 25 different eye-of-newt passwords? That's not gonna happen!"

Besides, he said, the focus on making passwords more complex was rapidly becoming irrelevant because the more serious threat is from key- loggers, software surreptitiously installed on your computer via the internet that monitors the keys you are pressing.

"I don't care how good your password is; if I'm watching you type I have got you," he said. You can reduce the risk by using a Mac, or by upgrading from the insecure Windows XP to Windows 7 and installing antivirus software. But the only real guarantee is never to visit the kinds of sites where such "malware" resides. And "if the grandkids come round and the teenage son types in one bad address? You're done." Hardly less sinister are "phishing" attacks, the topic of much media hype, in which an email or website that resembles something reputable, such as the log-in page of your bank, tricks you into parting with your password. The basic anti-phishing advice is to check your browser address bar, to hover over links with your mouse to make sure they are what they claim to be and never to provide your password in response to an email.

One day, we may not have to worry about any of this. There are innovations in development that might replace passwords entirely. But do not hold your breath.

In the meantime, he recommends doing what I did, after thoroughly scaring myself researching this article: install a piece of software known as a "password wallet", such as LastPass (lastpass.com) or 1Password (agilebits.com/onepassword). These generate fiendishly random passwords for each of the sites you visit, storing them all behind a single master password. I installed LastPass and chose a fairly long sequence of English words with digits. I am now in the disorienting position of not knowing and never having known the password to my email, for example, but it does not matter: LastPass provides it whenever it is needed.

It is not a perfect solution. LastPass is secure to an almost problematic degree. Because it conducts all its encryption and decryption on users' own computers, my master password is unknown to the company, which means no one will be able to help me should I forget it. There is no recovery process based on security questions either. And so – yes – I have written it down, in coded form, on a scrap of paper I have carefully hidden. There is no such thing as total security, let alone total security plus total convenience, but this feels like a workable compromise. I had just better not forget where I hid that piece of paper. – © Guardian News & Media 2012