Wednesday, April 20, 2011

Passwords v Passphrases v 2FA

Passwords suck.

Passphrases, on the other hand, suck less.

Two Factor Authentication (2FA) sucks the least.

Now, to give a bit more detail on this, passwords - a simple, usually less than 8-10 character word that someone uses to log into somewhere - are way, way too easily crackable and there are many "Top 100" or similar lists that have been published listing people's top password choices.  See this, this, and this to see just a few - possibly containg some of your passwords!  To see how the length and character set choice affect password "hackability", have a look at this page and also look at the calculator they offer - and 100,000 attempts/second isn't anything spectacular using modern computers.

So, if simple passwords suck, how do we address this properly?  Well, the best way is to forget you've ever heard the term "password" and automatically substitute "passphrase" where you read/see/hear this.  A passphrase is much more secure than a password because 1. It is longer, 2. It contains more character types than your average password (UPPER, lower, numbers, special characters (such as punctuation)), and 3. It is easier to remember (and often easier to type) than cryptic passwords that people think are secure.

A passphrase such as "On Thursday at 3:00 I put the cat out," or "After school finishes, I needa holiday!" are really easy to remember, will be typed faster than anything else you type after a short time, are very difficult to work out when shoulder surfing and have decryption times that make them unfeasible to crack before the information they protect becomes irrelevant.  They are even better for people who don't have cats or who aren't at school - yes, use a passphrase that's memorable, but not able to be directly associated with you.

Now, if you want even better security, combine the passphrase with some form of Two Factor Authentication.  This is where you need something to remember (the passphrase - the first factor) and something you have (a token, smartphone that receives a one-time code, or some software that talks back to a server and generates this one-time code - the second factor).  So, when you go to log in, you're prompted for your username and passphrase (as normal) and in addition to this, you're prompted for a one-time code that is generated, used, then discarded - the code is normally delivered on a key fob token or smartphone (app or SMS/text message).  This increases the security of your passphrase rather significantly - if someone manages to get your username and works out your passphrase, they also need to steal your key fob and/or smartphone to be able to log in.  That's what makes this a much more secure authentication method.

(Your "hole in the wall" card from your bank is a form of 2FA - you need your PIN (something you know) as well as the physical card to swipe (something you have) - one without the other isn't all that useful.

In the SMB world, functional 2FA basically means the RWW Guard and AuthAnvil products from http://www.scorpionsoft.com/ - and no this isn't a paid advert.  For that matter, Dana doesn't know I'm writing this blog entry and I don't think he even reads my blog.  I mention it here simply because it works and works well.

Also, as you should use a different passphrase for each different login, you may want to look at something like http://www.RoboForm.com/ to store these all in.  I've been using it for years now and find it a lot better than http://www.LastPass.com/, http://keepass.info/ or others, but whichever you choose, make sure it has a secure passphrase to protect it.

So, basically, forget passwords as they suck.  Use passphrases of decent length and complexity and you'll be orders of magnitude more secure.  If that's still not enough, combine this secure passphrase with some form of 2FA.  And remember - social engineering is still going to work in *way* too many cases.  Password crackers may have gotten a lot more sophisticated, but these massive password leaks prove that people's password choice sure hasn't!  :(


Regards,

The Outspoken Wookie

No comments: