logo

Practical Computing Advice and Tutorials

Tue: 23 Jul 2019


Site Content

Programming
&
Development


Technical Knowhow


Command Line Interface


Security

Passwords

Passwords should not be treated as an inconvenience and are (I.M.H.O) one of the best ways of stopping other people from getting at things that you'd rather they didn't get at. I treat them in the same way as I treat the keys to my house: I keep them safe and I don't give them to anyone else.

Many different systems have been and are still being developed to replace the good old Password. I don't subscribe to any of them (that said, Taylor Hornby and Steve Gibson both have projects that are well worth keeping an eye on. I have links to both sites on this page) and I don't use any of the latter-day cloud-based Password Manager apps.

Coming up with a strong/secure Password is not easy and should not be done in a casual manner. In this feature, you’ll find a couple of links related to very good Password Generators.


Password Strength

To fully understand what makes a strong password per se, you need to understand how a password can be cracked. Short of fooling you into revealing your password or stealing it from you, the only way that anyone else is going to be able to crack it, is by brute force, that is by trying every possible combination, or by a so-called dictionary or word list attack. As a test, type your password into a Word Processor that has a spell checker. If the spell checker doesn't flag it as a miss-spelled word, then it's a very poor password and you'll need to come up with something way stronger.

Any good word list will also contain well know default passwords for Wireless Access Points. As an example, here in the UK, a very popular ISP ships its WAP enabled Home Routers with default Wi-Fi passwords of 8 upper-case alpha characters. Any good word list will have all of the possible combinations from AAAAAAAA to ZZZZZZZZ in them and it would not take that long to search the list and find something like FTUUDBNG. In fact, a custom list containing just that combination could be used to target a Wi-Fi network that is known to be one of these Routers.

To brute force the password 1234AbCd...bank, assuming 1,000 guesses per second, would take 1.49 hundred thousand trillion centuries.
[Courtesy of Steve Gibson from this link https://www.grc.com/haystack.htm]
{Thank you, Steve.}

That same password, given a well engineered word list, would be cracked in seconds! This is because it's both relatively short as well as being fairly predictable.

A secure password has to be both long and entropic, and either of the above links will help you to achieve that goal. That said, Length does trump Entropy, when it comes to making a password strong, so, This-Is-My-#1-Wi-Fi-Passphrase! is easy to remember, but a virtual impossibility to brute force.

We need to be employing these kinds of passwords so that we can secure the systems we use every day. Don't forget that it's not just your on-line stuff. You also need to be employing this technology on your Wi-Fi enabled system, on which you should have WPA2-PSK enabled security with a 63 character entropic passphrase.


Remembering Passwords

It's all well and good to have a password that nobody else can crack, but how, I hear you ask, am I ever going to remember f%1^G,:.0J&!,..Hgt5$.2!qq]+P;lkjjU7?

In short, you're not going to and in many cases, you don't have to. In fact, if you can remember a password, then it's not a very strong one, so make sure that you use plenty of padding as with the above example Wi-Fi passphrase. But, there is no substitute for a long (20+) random character passphrase if you want something really strong.

Password Chart, for instance, is all about not having to remember the password, rather, you have to remember how it was generated. For that, you need to devise your own policy, also the page can be saved and used off-line.

If you must, you can save either the details for your system or the results, or both, in a text file. If you do, you need a secure way of storing them. Steve Gibson, again comes to the rescue with the TrueCrypt Repository


The Issue

Of course, the biggest problem with passwords for on-line accounts is that you're entrusting another party with a shared secret and if that other party is compromised, your password could be exposed and consequently any account with which that password has been used will be vulnerable. This is why one should NEVER use the same password with different accounts.

Back in 2013, Steve Gibson came up with a very interesting idea to get around the issue of a shared secret, the idea being that you would only need to have one very strong password with which to secure all of your on-line accounts, and even if a party with which you have an account login lost control of its password database, because of the way in which S.G designed his protocol, none of the accounts that use the protocol would be compromised: Nothing shared, nothing lost.

I can't really explain how it works, and if I tried I'd get it wrong, but the details have been fully disclosed and can be found at https://www.grc.com/sqrl/sqrl.htm It addresses many, if not all, shortcomings of the general username/password system that we're all using {I note that not all websites have this generalised system, but most do} and seems to be a very secure way of logging into an on-line account.

The SQRL protocol is not that easy to get your head around (well, not for me anyway) but the more one reads about it, the clearer it becomes. I've been following the posts of grc.sqrl news group which is an active community of developers and testers. Anyone interested should take a look.

Adoption of SQRL by the Internet in general is the obstacle that will need to be overcome, once the project is finished, if we're ever to see SQRL as an optional login mechanism when we visit a site with which an account is needed. In the mean time, create unique passwords for the sites you visit. Doug Martin's Password Chart is a simple tool that can be used, but it does require the user to come up with and remember the policy that generates the strong password that Password Chart gives you.


MD5 & SHA256

One good way to generate a 32 character (256-bit) password would be to use a MD5 hash, because encoding the same sting of characters using the MD5 algorithm, always results in the same 256-bit hash output, but the MD5 hash is only as secure as the text with which it was generated, so that text needs to be as unpredictable and as long possible. This is where you'll need to come up with your own system or policy.

As an example, let's say that you wanted to have a 32 character password for example.com and you like the phrase The Quick Brown Fox Jumps Over The Lazy Dog. If we do a MD5 hash of that sting (example.com The Quick Brown Fox Jumps Over The Lazy Dog) we get 41b1b08eb35fb55487c8230bad168864, which could then be used as the password for example.com. It's relatively easy for you to regenerate the hash, and thus the password you need to login to example.com, so long as you can remember what your system is. It's also relatively secure, as long as you don't tell anyone else what your system is.

Now, example.com will, possibly, also perform a MD5 hash on your password, before storing it in its database, so what will be stored is a MD5 hash of...
41b1b08eb35fb55487c8230bad168864
...which is...
40b7185a6a56b130e939eb2f87c26177
...so even if example.com looses control of that database, there's no way to get back to...
41b1b08eb35fb55487c8230bad168864
...from...
40b7185a6a56b130e939eb2f87c26177
..., because hashing is a one-way function, thus your password will still be safe.

There are a number of on-line MD5 hash generators as well as being built in to some apps, such as Notepad++ [https://notepad-plus-plus.org/download/v7.5.html] and PSPad [http://www.pspad.com/en/download.php].

If you're willing to roll up your sleeves and do a little coding, this Python code could be adapted into your own MD5 generator.

import hashlib
print(hashlib.md5("example.com The Quick Brown Fox Jumps Over The Lazy Dog".encode('utf-8')).hexdigest())

The above code, is not very user friendly and would need to be changed for every site/passphrase combination you need, because, as it stands, that information is hard-coded into the function, although, there seems to be no reason why a strong passphrase should not be hard-coded, leaving the site URL as a user input.

I'm new to Python code, but here's something that's usable.

import hashlib
url = input ("URL ? ")
passphrase = "you need to put your own random gibberish in this section"
outhash = url + passphrase
print(hashlib.md5(outhash.encode('utf-8')).hexdigest())

You should come up with something that is both long and random for the passphrase part of that script. If you don't feel that MD5 is strong enough, replace md5 with sha256, within the Python Code. It'll work just as well, but will output a 64 character password, of which you could choose to use all of it (web site permitting) or simply use a section of it.

Another good technique is to block-chain hashes. So, you could first perform a SHA256 hash and then hash that result with MD5, the result being a very strong 32 character password that only you know how to regenerate. Yet another way would be to re-hash the results with SHA256 in a loop of 5000 (or any number that only you know about), each loop input being the output of the preceding one, then do a MD5 hash of that, resulting in a bullet-proof 32 character (256-bit) password.


Password Safe

While I've been using the built-in Password Manager that Firefox comes with, for years and I've never had any problems, I feel it's time to be a little more cautious and migrate to an external Password Manager, sacrificing some convenience for better security. I'm not suggesting that the Firefox password manager is in anyway insecure, in fact I can find no proof that it is anything other than a very secure system (caveat: use a master password). Maybe I've been lucky, maybe I've been careful, maybe it's combination of the two, but right now I want to have a system that offers a little more flexibility and probably more security.

I'm very suspicious of cloud-based password manager apps and as such I don't use them. I recognise the need for a password manager, but until now, I've not found one with which I'm completely happy, but if there's one person in this world I'd trust, it's Bruce Schneier. Today, I'm far more aware of his work than I was a few years ago, having started to read Applied Cryptography which was written by Bruce Schneier.

Bruce Schneier (along with others) has given us Password Safe. Link:
https://www.schneier.com/academic/passsafe/

As of July 2017, Password Safe is an open source project and the latest MS Windows version is 3.43.0. A Linux version is currently in beta.

This is the first Password Manager app that I've used, so I don't have any comparisons to make, but I have to say I'm impressed by what Password Safe can do and how it works.

I'm not new to Password Safe, having been introduced to it some time ago, but it's one of the many things that I simply tried and then abandoned; I saw it as an inconvenience. But now I'm a little more savvy and I've more knowledge about the way in which systems can and are compromised, I'm less comfortable with the build-in manager that Firefox has. I'm also more clued in about Bruce Schneier and his work.

This is from the help file that comes with the Password Safe app...

About Password Safe
Password Safe and the Twofish encryption algorithm it uses were originally developed and released to the public by Bruce Schneier and Counterpane Labs.

Password Safe is now an open source project hosted at sourceforge.net. The latest program updates, documentation, and news can be located at http://pwsafe.org.

Password Safe is freely available and distributable under the restrictions set forth in the standard Open Source Initiative (OSI) Artistic License 2.0. A copy of this license is included with the Password Safe installation package in the file named LICENSE.

Twofish is a fast, free alternative to the AES, DES and IDEA encryption algorithms. Details on the Twofish algorithm, including speed comparisons and an extensive list of products that use Twofish, are available at http://www.schneier.com/twofish.html

Please read the Readme.txt, Changelog.txt, and ReleaseNotes.txt or ReleaseNotes.html files in the installation package for the latest changes, bug fixes, and documentation addenda.

All other brand or product names are trademarks of their respective companies. No support or endorsement by these companies exists or is implied.

This app will store the logon details (url, username, password) as well as any notes that you may need to keep about the logon, in a safe and off-line database. The fact that it's off-line is important to me.

Password Safe comes with a very detailed guide, which you need to read. I'll outline some of the details of the app, on this page, but you'll have to read the help file that's included with the app as I can't do any justice to this app in this short introduction.

The first thing you'll need is a strong master password that you can remember. This unlocks the database. If you forget your master password, there's nobody you can go crying to! It's not so difficult to create a strong master password that you can remember and that will be resistant to a brute force attack, so don't use anything that you can find in a dictionary.

Padding creates unbreakable passwords that are also easy to remember and use. E.g:

My.Password.4.PW.Safe<(*_*)>

Be creative and come up with something that's unique to you.

That done, you'll need to populate your secure database with the login details of your accounts. On moving over to this app, I've taken the opportunity to change all of my passwords. Password Safe has a very good password generator with which you can have different policies. This is in fact a better system for me as I now don't have to use any other system to generate my random character passwords; it's all there in the app. I can choose how many characters to use as well as the combination. I can also set an expiration date if required.

There are a few different ways that Password Safe interacts with the login form that you need to use to get access to said site or service, such as Drag and Drop, Cut and Paste, and AutoType, as well as a simple copy-to-clipboard by double-clicking.

The bottom line is either you want control or you don't. Trusting a second party with your on-line details is a risk in and of its self, but you don't have to trust a cloud-based password manager as well, so why do it? Take the control and responsibility yourself and stop farming this out to others. Do you know that these cloud-based password managers are not accessible to the vendors or government agencies? I don't. That's why I've been using the systems I've detailed. Now Password Safe is my choice as I have control over it; it's off-line and I trust the work of Bruce Schneier.


My thanks to...

Doug Martin for Password Chart to Steve Gibson for Perfect Paper Passwords as well as other excellent tools on his site, including Password Haystack and Perfect Passwords, described as a Ultra High Security Password Generator. You'll also find many useful tools and projects, including a High-Security Offline Password Generator on Taylor Hornby's site: https://defuse.ca