The majority of cyber attacks against organisations and people start with general data about their targets, or with very specific data about one individual who can be used as an access portal to everyone and everything. Sadly, the majority of attacks appear to be founded on known and published, or simple/very weak, passwords that were easy to guess or crack with modest tools.
“I think we can safely assume ‘Joe Public’ has little knowledge of cyber-security and even less inclination to engage in good security practices. And so we have a ubiquitous security risk at every level of society, with no hope of curing the problem through education and training.”
This is compounded by vast libraries of professional papers, web sites and industry studies that proffer a somewhat confusing range of guidelines and advice, largely invisible to, and unhelpful for, the lay population. Probably the ultimate long-term solution, in the face of an enemy that is becoming more sophisticated, powerful and determined by the day, is full automation through built-in biometrics based on face, hand, finger, voice, typing patterns et al., plus a PIN and a simple password / ‘n’-factor authentication.
For sure we need an industry-based fix, probably in the form of ‘security as a service’. In the meantime, this presentation addresses what it takes to create ‘fit-for-purpose’ passwords at device level and on up through cloud working. The techniques and guidelines give an assured security spanning trivial documentation through to financial services and state secrets, applicable for 2019/20/21. For 2021/22/23 it would be prudent to reassess the advance in attack technologies and techniques, and the change in the success statistics of the Dark Side. It is quite likely that passwords will need strengthening by the addition of further characters in some cases.
Links to associated/related/earlier slide sets are also provided.
How to Design Passwords
1. How To Design pA55w0rDs:-)
petercochrane.com
ABC12345def
Prof Peter Cochrane OBE
Sentient Systems
2. THE NIGHTMARE!
Guidelines and lots of useful advice that is often impractical and/or impossible:-
*A different password for each account
*Change your passwords regularly
*Don’t keep a documented record
*Don’t embed them in a browser
*Don’t write them down
*Don’t tell anyone
*Don’t share
*Make them > 11 characters that include a mix of alphanumerics - upper & lower case plus punctuation marks and special characters…
3. Public Reality!
A fundamental incapability to deal &
cope with the complexities and many
challenges of IT…
Industry needs to produce, deliver and
maintain inherently secure products - to
get the users out of the Realm of Risk
management, including password hell!
4. OMG - Really !
YES, people are indeed silly
We need to do
much better
than this!
5. THE Threat
Omnipresent
Highly motivated
Growing by the day
Smart
Adaptive
Resourceful
Well organised
Global
24 x 7
People
Machines
Networks
AI, Apps, Clouds
+++
“Never underestimate the enemy - and never assume you are smarter than they are”
6. Passwords in ‘diaries’
Passwords in ‘eMails’
Passwords on ‘post its’
Passwords in ‘open docs’
Passwords on ‘white boards’
Passwords shared ‘between apps’
Passwords shared ‘between people’
Passwords shared ‘between web sites’
Passwords used on spoof web sites/services
+++++
The Gullibility Threat
Social engineering - persuasion - observation - bribes ++
Passwords extracted by ‘smart’ conversationalists, friends, family, associates, colleagues, co-workers ++++
7. Welcome to password & two factor hell!
We need to do much better than this!
What do you do when there is no mobile signal, or there’s a loooong delay or network fault?
You need at least a net-sync’d app embedded on your machine - but does that imply more risk?
8. Industry Advice
For a strong password you ‘at least’ need..
12 Characters, Minimum: There’s no minimum or standardised password length; but in general go for >12 to 14 characters
Mix Numbers, Letters, Symbols, Upper & Lower-Case: Many different types makes passwords harder to crack
Dictionary Words/Combinations: To be avoided as much as possible - any isolated word is bad, and word combinations are also high risk
Avoid Obvious Substitutions: Eg, replacing an ‘o’ with ‘0’ is obvious - a 3 for e or E, 2 for z or Z only slightly better - and DO use “, ; -} ] ) et al
Number Strings: at the end, beginning or in the middle are also ‘obvious’
9. Industry Advice (continued)
Machines are fast, intelligent and exhaustive, with extensive libraries.
One size does not fit all: people and machines present different risks.
People are slow, get exhausted, and use different methods.
10. Strong Advice
For a strong password you ‘at least’ need.. a password generator and management system
The snag is you are one click away from losing everything! And so another much bigger security fail pops up and kills you stone dead!
“The secret to good security is to design (in) ‘fail-safe’ and ‘fail-gracefully’ with ‘layered’ protection and multiple routes to recovery”
“All your ‘eggs’ in one basket is the dumbest and riskiest solution of all“
11. Password Managers
Delegating the nightmare to machines
Mostly software embedded in browser plugins/web services to automatically manage user credentials
They auto-paste (names/ID/email addresses) passwords into login forms, or simulate typing them, and generally support:
•Printable characters
•Passwords >64 characters
•Pasting username and password
12. Password Managers
Delegating the nightmare to machines
Don’t rely on one app alone - make sure you engage a degree of diversity
13. Password Managers
Delegating the complexity to machines
Also, choose embedded password generators with many user choices:-
Length
Upper Case
Lower Case
Numbers
Symbols
Special Characters
Similar Characters
Generate on Device
Generate on Server
Auto-Select
New Password
https://digital.com/blog/best-strong-password-generators/
14. Password Managers
Why you need/should always use one!
What could possibly go wrong?
•Your device/machine is stolen/broken/fails/dies
•A software upgrade scrambles everything
•Your backup/recovery process fails
•Malware freezes everything
•The App/Browser fails
………………..
15. REALITY CHECK
Diversity - essential to survival
Confounding the enemy by the reduction of habituality - and the introduction of the new, unexpected, surprises, and a reduction of discernible patterns…
At best you will prevent a break-in, and at worst you should slow and impede the Dark Side to cost them time and $$$$
Vary your methods and measures as much/frequently as is reasonably possible. Maximise the total Entropy of your defences
16. REALITY CHECK
Diversity - essential to survival
Beware of ‘Common Mode Failures’ due to an over-reliance on one technology choice/route, or by being blind-sided and/or overconfident in your choices, products, and engineering solutions.
“Fortresses tend to remain relatively static whilst methods of attack always evolve”
Get someone to attack and test your defences and solution(s)…never be so sure that you got it all right first time around…or indeed that it all exhibits longevity!
17. Strongest Advice
Use a password and/or document/file/folder encryption…
Password protect at every layer
For protected documents that may be accessed, the concatenation by layers can add exponential difficulty for any attacker
Obscuration by volume and location is also an effective mode of protection
18. Strongest Advice
Use every weapon of defence you have available
Do not rely on any one technique
Respond rapidly to surprises
Be prepared to be adaptive
Use all available options
Keep on top of new attack technologies - adapt and evolve on the fly…
19. Creating your own
Making life very difficult for The Dark Side
IcannaTellythee
Thi5i5th3b35tIcand0
Non-standard/Novel solutions can be hard/expensive to defeat
20. Degrees of Freedom
Exploiting as many as possible @ the same time
26 Letters - Lower Case
26 Letters - Upper Case
10 Digits
36 Other
} 98 options per password character (26 + 26 + 10 + 36; the standard printable ASCII set is 95 including space, so ~95 to 98 is the working figure)
21. Password Entropy
The more disorder the harder it is to crack
Password Entropy $H = \log_2(N^n) = n \log_2(N)$
Where N = number of character options (ie ~95 to 98 for a standard QWERTY keyboard) and n = number of characters in the password
Strictly, $n \log_2(N)$ is the entropy only when every character is chosen uniformly at random; anything built from words, verse or habits has less, however long it is.
Recognisable words and phrases + repeated characters + similar characters represent degrees of order that increase the likelihood that a password will be cracked.
The bigger the Entropy/Disorder the stronger the password!
22. Dominant Component
The entropy order/disorder breakpoint
Password Entropy $H = n \log_2(N)$
The ‘breakpoint’ is at $n = \log_2(N)$, ie where the password length ‘n’ overtakes the number of possible character states ‘N’ as the dominant factor
All ‘viable’ passwords lie in the range $n \gg \log_2(N)$
23. Viable length
For a given app/protection
In the proximity of the break point ($n = \log_2 N$), with the relative computing time to crack on the right:
N = 10: n > 3.3, so n = 4 gives 10^4 = 1.0 x 10^4 symbol states - <<< 1 s
N = 26: n > 4.7, so n = 5 gives 26^5 = 1.2 x 10^7 states - << 1 s
N = 52: n > 5.7, so n = 6 gives 52^6 = 2.0 x 10^10 states - < 1 s
N = 62: n > 5.95, so n = 6 gives 62^6 = 5.7 x 10^10 states - < 1 min
N = 98: n > 6.6, so n = 7 gives 98^7 = 8.7 x 10^13 states - < 10 min
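As an added worked example (not part of the original slide set), the following Python computes the quantities used on slides 21 to 24 and behind the checkers of slide 33: the entropy n·log2(N), the breakpoint length, the keyspace figures in the table above, the length needed for a given bit target, and an exhaustive-search time. The guess rate of 10^9 per second is an assumption for illustration only; real rates depend on the hash in use and on the attacker's hardware, and, as slide 24 says, they only go up.

```python
import math

# Alphabet sizes from slides 20 and 23 (26 + 26 + 10 + 36 = 98 for the full keyboard).
CHARSETS = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "full keyboard": 98,
}

# Assumed attacker speed, for illustration only (not a figure from the slides):
# ~1e9 guesses/s is the order of one modern GPU against a fast unsalted hash;
# a deliberately slow hash (PBKDF2, scrypt, Argon2) is orders of magnitude slower.
GUESSES_PER_SECOND = 1e9


def entropy_bits(n: int, N: int) -> float:
    """H = log2(N^n) = n * log2(N): entropy of n characters, each drawn
    uniformly and independently from an alphabet of N symbols (slide 21)."""
    return n * math.log2(N)


def breakpoint_length(N: int) -> int:
    """Smallest integer length n with n > log2(N): beyond it the length,
    not the alphabet size, dominates the entropy (slide 22)."""
    return math.floor(math.log2(N)) + 1


def keyspace(n: int, N: int) -> int:
    """Number of distinct passwords of length n over N symbols."""
    return N ** n


def expected_crack_seconds(n: int, N: int,
                           guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time for an exhaustive search that knows only the alphabet
    and length: on average half the keyspace has to be tried."""
    return keyspace(n, N) / 2 / guesses_per_second


def viable_length(N: int, target_bits: float) -> int:
    """Shortest length whose uniform-random entropy reaches target_bits
    (e.g. the ~100-bit threshold quoted on slide 25)."""
    return math.ceil(target_bits / math.log2(N))


def humanise(seconds: float) -> str:
    """Render a duration in the units used on slide 24 (minutes ... millennia)."""
    for unit, size in (("millennia", 3.15576e10), ("centuries", 3.15576e9),
                       ("years", 3.15576e7), ("days", 86400), ("hours", 3600),
                       ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    print(f"{'alphabet':<22}{'N':>4}{'log2 N':>8}{'n':>4}{'states':>12}{'time':>22}")
    for name, N in CHARSETS.items():
        n = breakpoint_length(N)
        print(f"{name:<22}{N:>4}{math.log2(N):>8.2f}{n:>4}{keyspace(n, N):>12.2e}"
              f"{humanise(expected_crack_seconds(n, N)):>22}")
    for N in (62, 98):
        print(f"N={N}: {viable_length(N, 100)} characters for the ~100-bit threshold")
```

Running the script reproduces the states column of the table above (and shows why a 16-character keyboard password is the first to clear ~100 bits); change GUESSES_PER_SECOND to see how quickly the time column collapses with faster hardware.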
24. Ball Park Guide
The entropy order/disorder breakpoint
Password Length/Strength experience to 2019:
4 = Very Weak - puts you at risk
5 = Weak - just about OK for device password
8 = Fairly Strong for secure network access passwords
10 = Strong for secure access to company websites and data
16 = Very Strong for securing commercial and financial data access
22+ = Hyper Secure for encryption
While a password with ~50 bits may be deemed ‘semi-safe’ in 2019, it is only
a matter of time until more powerful GPUs, will see password cracking
accelerate!
25. Entropy Guide
The entropy growth linearity…
Length: 15, 16, 17, 18, 19
Entropy: 92.6 bits, 100 bits, 106.7 bits, 113.9 bits, 121.9 bits
Strength: Strong (>16) - safeguards sensitive information like financial records
Empirical Security Threshold ~ 100 bits
26. THINK FUTURE
The ‘clicks/nulls’ are easy to find
Beware of the dummy clicks on some of the later models - they can throw you off the track to eventual success!
It is easy to teach a child to crack locks of this kind!
27. No Feel or Sound
Owners have the upper hand at this point
But the enemy only needs a weak or silly password to break in and assume full control…and then the fun really starts!
Most break-ins at this level are down to the owner/user naivety, laxity, and/or information gained from some external source…
28. Cracking Challenge
Access limited to the keyboard and screen only
Attacker’s options: Human typing speed - What can be guessed - Try all common passwords - Brute Force Trial and Error - Phishing/Spear-Phishing - Social Engineering - Prior Observation - WiFi Break-in - BlueTooth Break-in
Questions the attacker asks: Identical browser data? Same password for all? Similar format for all? Common key storage? All BlueTooth Linked? Public Data? Social Nets? Family Data? Publications? Hobbies? Likes?
Biometric spoofing: Finger / Face / Print spoof
One device hit/stolen: then all can be locked down when on line + location & pics of thief can be tracked/recorded
Additions include 3 strike freeze-outs for 5, 15, 60 min, followed by provider general security alert
29. Invisible to us!
Network, site, service and app attacks
Way beyond human scale and mental abilities, but we must start with a level of fundamental security based on a strong password protected core and connected devices
Concatenated complexity can be employed to confound the enemy…very hard for them and very easy for us!
30. Cracking TASK
A prime driver of Password design
[Table, most to least demanding application: Secure Comms, Encrypted Vault, Encrypted File, Private Key, Public Key, E-Commerce, Bank Account, Financial Apps, Network Apps, Websites, Documents, E-Mail, Personal Computer, Work Station, Mobile Device, Bicycle Lock]
Columns and their scales:
STRENGTH - Password: Very-Low / Low-Medium / Medium-High / Very-Strong / Extreme
Name/ID: Static / Mechanically Set / Dynamic Choice / Dynamic / Extremely Dynamic
Factors: Optional (lower tiers) / No Exceptions (upper tiers)
Discipline: Changed Occasionally / Regularly / Randomly
NEED: Risk / Exposure Driven
Time to Crack: Minutes / Years / Decades / Centuries / Millennia
31. Making it Safer
Concatenation of the simple
Customer Number, Password + invisible biometrics and ID/app checks +++
Three failed tries with any incorrect or suspicious entries/information and the user is frozen out for a period. The ‘freeze out’ period is then progressively extended on every repeated log-in attempt: the security department is alerted and customers are asked to start from a new log-on process
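An added example (not from the slides) of the three-strike, progressively extended freeze-out described above and on slide 28, written in Python with an injectable clock so the 5/15/60 minute schedule can be exercised without waiting. The credential store and alert hook are illustrative stand-ins; in production the state would live in a shared store so that attempts spread across servers are counted together.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Freeze-out schedule from slides 28 and 31: 5, 15 then 60 minutes, in seconds.
FREEZE_SCHEDULE = (5 * 60, 15 * 60, 60 * 60)
MAX_TRIES = 3
ITERATIONS = 100_000  # PBKDF2 work factor; assumed for the demo store


def enrol(password: str):
    """Salted PBKDF2 record for the constructed in-memory store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_verifier(records):
    """records: user -> (salt, digest). Constant-time comparison, and the same
    derivation work for unknown users so response time does not reveal valid IDs."""
    def verify(user: str, password: str) -> bool:
        rec = records.get(user)
        if rec is None:
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(cand, digest)
    return verify


@dataclass
class AccountState:
    failures: int = 0        # wrong tries since the last success or freeze-out
    freeze_outs: int = 0     # how many times this account has been frozen
    frozen_until: float = 0.0


class LoginGuard:
    def __init__(self, verify, now=time.monotonic, alert=print):
        self._verify, self._now, self._alert = verify, now, alert
        self._state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str):
        """Returns (outcome, detail): ('ok', 0), ('denied', tries_left)
        or ('frozen', seconds_remaining)."""
        st = self._state.setdefault(user, AccountState())
        now = self._now()
        if now < st.frozen_until:
            # A correct password during a freeze-out is still refused.
            return "frozen", int(st.frozen_until - now)
        if self._verify(user, password):
            st.failures = 0  # freeze_outs is deliberately kept: the ladder only resets via reset()
            return "ok", 0
        st.failures += 1
        if st.failures < MAX_TRIES:
            return "denied", MAX_TRIES - st.failures
        # Third strike: freeze for the next rung of the schedule, longest rung thereafter.
        period = FREEZE_SCHEDULE[min(st.freeze_outs, len(FREEZE_SCHEDULE) - 1)]
        st.failures = 0
        st.freeze_outs += 1
        st.frozen_until = now + period
        if st.freeze_outs >= len(FREEZE_SCHEDULE):
            self._alert(f"security alert: {st.freeze_outs} freeze-outs for {user!r}")
        return "frozen", period

    def reset(self, user: str) -> None:
        """Clear the ladder once the user has completed the 'new log-on process'
        (re-verification out of band); never from the login path itself."""
        self._state.pop(user, None)


if __name__ == "__main__":
    guard = LoginGuard(make_verifier({"alice": enrol("correct horse")}))
    for pw in ("wrong", "wrong", "wrong", "correct horse"):
        print(pw, "->", guard.attempt("alice", pw))
```

Note the two design choices worth copying: a correct password entered during a freeze-out is refused rather than short-circuiting the lock (otherwise an attacker could test guesses for free), and the escalation counter survives a successful login, so an attacker who happens to guess right does not reset the ladder for the next round.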
32. Password Libraries!
Extensive collections built from successful hacks
There are organisations collecting & marketing
Passwords, PINs, ID and Card info on a business
basis across the internet…and ‘The Dark Side’ is
a prime mover and key player…
Libraries are now a
key component of the
leading edge password
attack engines/machines
The Dark Side are not
the only ones using
such libraries !
Criminal Hackers
Rogue States
State Security Services
33. Always use a Checker
They give ‘Brute Force’ cracking time estimates
Beware that they are based on computing power today, and not the future!
NOTE: ‘Brute Force’ implies exhaustive searching with no a priori sophistication…. ie, the use of libraries is not the norm here!
Dozens available: and it is worth testing a range…
34. For Modest Security
Choose something easy to remember & modify
Verse, Prose, Dates, Places, Names ++++++
35. Favourite Prose/Poems - Wordsworth
I wandered lonely as a cloud
That floats o’er vales and hills,
When all at once I saw a crowd
IwlaacWaaoIsac (first letters)
Iw1aAcWa - 12 Days
Iw1aAcWaAo - 4 Years
Iw1aAcWaAoI5 - 4 C
Iw1aAcWaAoI5aC - 327 C
Iw1aAcWaAoI5aC£$ - 10K C+
(right-hand figures: estimated time to crack, C = centuries)
The trick is to destroy/disguise/obscure letter patterns that might help machines identify sentences and verses
Using only the first or last letter is a start, but using every other letter plus symbol obscuration is better!
36. DYLAN THOMAS
Do not go gentle into that good night
otoeotdt (last letters) - 12 Days
OToe0td7 - 4 Months
OToe07dt! - 4 Years
OToe07dt!69 - 33 Years
£OToe07dt!69 - 4 C
Password generation by an algorithm of your favourite verse and one memorable year
37. Smart machines
Aware of Wordsworth & Thomas et al
Most smart attack engines will eventually decode passwords based on prose and verse for all commonly read text…best choose something rare/obscure…special to you and your life remembrances…
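To make the warning on this slide concrete, here is an added Python example (not the presenter's code) that implements the verse recipe of slides 35 and 36 (first or last letters, partial substitution, a memorable year, a symbol) and then compares two entropy figures for the result: the n·log2(N) a checker reports, and the work facing an attacker who knows the recipe and owns a corpus of well-known verse. The corpus size, year range and symbol counts are assumptions for illustration.

```python
import math
import re

# Substitutions of the kind used on slides 35, 36 and 40 (s -> 5, e -> 3, o -> 0 ...).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
KEYBOARD_OPTIONS = 98  # options per character, slide 20


def initials(phrase: str, position: str = "first") -> str:
    """First (slide 35) or last (slide 36) letter of every word, case preserved."""
    words = re.findall(r"[A-Za-z']+", phrase)
    return "".join(w[0] if position == "first" else w[-1] for w in words)


def obscure(core: str, every: int = 2) -> str:
    """Swap every `every`-th substitutable letter, breaking the letter pattern
    without turning the whole string into predictable leet-speak."""
    out, seen = [], 0
    for ch in core:
        key = ch.lower()
        if key in LEET:
            seen += 1
            if seen % every == 0:
                out.append(LEET[key])
                continue
        out.append(ch)
    return "".join(out)


def derive(phrase: str, year: int, position: str = "first", symbol: str = "!") -> str:
    """The slides' recipe: initials, partial substitution, two-digit year, symbol."""
    return f"{obscure(initials(phrase, position))}{year % 100:02d}{symbol}"


def naive_bits(password: str, N: int = KEYBOARD_OPTIONS) -> float:
    """What a checker reports: n * log2(N), treating every character as random."""
    return len(password) * math.log2(N)


def scheme_aware_bits(phrase: str, position: str = "first",
                      corpus_lines: int = 1_000_000, year_choices: int = 150,
                      symbol_choices: int = 33, symbol_positions: int = 2) -> float:
    """Search space for an attacker who knows the recipe: which line of verse
    (assumed corpus of a million memorable lines), first or last letters,
    which substitutable letters were swapped, which year, which symbol and
    where. Every size here is an illustrative assumption."""
    core = initials(phrase, position)
    substitutable = sum(1 for ch in core if ch.lower() in LEET)
    patterns = 2 ** substitutable  # each substitutable letter swapped or not
    combos = corpus_lines * 2 * patterns * year_choices * symbol_choices * symbol_positions
    return math.log2(combos)


if __name__ == "__main__":
    line = "Do not go gentle into that good night"
    pw = derive(line, 1969, position="last")
    print(pw)
    print(f"checker view : {naive_bits(pw):5.1f} bits")
    print(f"recipe known : {scheme_aware_bits(line, 'last'):5.1f} bits")
```

The gap between the two figures is the point of slides 37 and 38: the length and symbol mix look like ~70 bits to a checker, but once the recipe is known the real secret is only the choice of line, year and substitutions, which is why a rare or personal source (slides 39 to 42) matters more than extra length.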
38. Enhancing Security
Start from a catalogue of things only you know
Layering algorithmic complexity to increase the Entropy
39. All about you
Known by you and you alone
WHO WE: Are; Know; Met; Loved; Married; +++
HOW WE: Learned to Drive; Were Educated; +++
WHY WE: Decided (Y); Purchased (Z); +++
WHAT WE: Do; Did; Like; Believe; Read; +++
WHERE WE: Lived; Visit; Proposed; Married; +++
40. Algorithmic login vectors
Constructing - not remembering - passwords
Something you: Do; Did; Saw; Are; Said; Were; Know; Admire; Possess; Possessed; Remember; Understand
Algorithmic construction by the concatenation of elements only known by you…
Example elements: Carpenter, Space Shuttle, Drill, Hillman Imp (first and last letters)
CrSeDlHnIp
Cr53D4Hn1p!! - 4C to Crack
41. Enhancing login vectors
Something you like to sing and/or listen to…
Perhaps a line from a song: “Its a kind of magic” - 15akd0fmc! - <4 Years to Crack - plenty strong enough for a laptop log-in or document password
Perhaps a line from a book: “It was the best of times” - 1tw573bt0fts - <4 C to Crack
Algorithmic construction by the concatenation of elements only known by you…
42. Enhancing login vectors
Something unique you said or promised within your family - something between lovers or parent and child:
“I will always be here for you no matter” - 1w1asb3hefryun0mr! - >10kC to Crack
“How I love thee more than life itself” - Hw1437em3tn4eif!! - >10kC to Crack
Algorithmic construction by the concatenation of elements only known by you…
43. Concatenating numerous very low cost biometrics is extremely powerful…
Error Probability @ cost per check:
- Eye 10^-3 @ < $5
- Face 10^-2 @ < $2
- Hand 10^-3 @ < $2
- Voice 10^-3 @ < $2
- Typing 10^-3 @ < $2
- Habits 10^-2 @ < $1
- Devices 10^-1 @ < $1
- Locations 10^-2 @ < $1
- ++++
Password ++
Combined Error Probability < 10^-8 @ < $6 (multiplying the individual rates assumes the checks fail independently - exactly the common-mode failures slide 16 warns against)
Obscuration by ’n' layers
The typing rhythm at an ATM is unique and very cheap to recognise… Morse Code experience was the pre-cursor to this solution…
44. Automate the process
Choose a (or >1) reputable password generator
Ensure that it is fit for purpose
and that you choose sensible
settings by application and by
need
45. Overview
A proportional view
Device > 6…defeats humans
Web Site >10…concatenate
Document >12 - 16
Encryption >14 - 32
Membership >14…concatenate
Social Networks >14…concatenate
Financial Services >16 - 32…concatenate
Concatenate = May Include: ID/PIN, Password/Questions/3 Try Limit/BioMetrics/Random CheckBack/2/3 Factor Authentication/++
46. Layered Security
Exponentially increasing the entropy challenge
6 Digit PIN > 8 Character Password + Name/ID > 10 Character Password + Name/ID > 14 Character Password + Name/ID + PIN > 16 Character Password + BackEnd BIOMetrics + Up Front BIOMetrics
47. There is always a threat
REMEMBER - It is smart: Sharing; Ruthless; Dynamic; Learning; Adapting; Constant; Motivated; Networked; +++ Beyond The Law
For More GOTO:
https://bit.ly/2F0y6in
https://bit.ly/2SuwVzL
https://bit.ly/2FcCtqR
https://bit.ly/2SxHsKv
https://bit.ly/2QsmBWb
https://bit.ly/2MBED7v
https://bit.ly/39mJNxB