Welcome to MacTalk Australia

the largest Australian community for Apple discussions and topics

  1. #1

    Join Date
    Jul 2009
    Location
    A data centre in Canberra.
    Posts
    1,003

    A Password Security Theory

    <p style="text-align: center;"><img class="size-full wp-image-9233 aligncenter" src="http://www.mactalk.com.au/wp-content/uploads/2010/08/keychainlogo.png" alt="" width="128" height="128" /></p>
    A good password is difficult to come up with. You want it to be memorable, but not easy to guess; fast to type, but not so simple that someone watching can figure it out; short, but long enough that cracking it would take a long time. It's often a tradeoff between convenience and security - so how can we better manage this?

    We all have our own idea of what a good password is - but when it comes to choosing a password, you usually have to adapt to someone else's rules. Some common ones are:
    <ul>
    <li>Minimum number of characters (usually 6 or 8 characters)</li>
    <li>Use of characters - must have at least one of each uppercase, lowercase, numbers, symbols</li>
    <li>Can't be a dictionary word</li>
    <li>Can't contain your username</li>
    <li>Can't be a previously used password</li>
    <li>Must be changed every 90 days</li>
    </ul>
    You can't use the same password for everything; sooner or later complexity requirements will make your password invalid. You don't want to remember 50 different passwords, and you don't want to write them all down. Perhaps a tradeoff is the way to go.
    <h2>Password Security Zones</h2>
    You can probably divide your logins into a few distinct areas. We'll look at three example "password security zones" to see what they might be used for.

    If each zone has its own password, we can limit the number of passwords we need to remember, and maintain higher levels of security for important things, and lower levels of security for the less important things. It's a good compromise between having a separate password for each account, and the same password for everything.
    <h3>High Security Zone</h3>
    Your most important services live here. These will be services that could cause financial loss or major problems if they were compromised. You need to think "What is the worst case scenario if someone got into this account?". In this zone, you'll want a strong password (see below), and I wouldn't recommend saving the password in your browser. You also shouldn't write the password down anywhere - you need to memorise it. Depending on the account, this might be the one time it's worth having different passwords for each account - or at least variations.

    If the provider offers it, use a <a href="http://en.wikipedia.org/wiki/Security_token" target="_blank">Security Token</a>. These add a little complexity, but mean nobody can log into the account without physical access to the token, or without tricking you into handing over a code while it is still valid; so the advice below about only using trusted computers still applies.

    When accessing the account, make sure you're using a trusted computer. If you think the computer might have a virus or malware of any kind, don't log in. Malware can be used to harvest account details - so using an untrusted computer is like shouting your ATM PIN out loud as you enter it into the machine while a group of suspicious looking characters watch.

    Accounts in this zone might include:
    <ul>
    <li>Online banking</li>
    <li>Share trading</li>
    <li>PayPal</li>
    </ul>
    <h3>Medium Security Zone</h3>
    This is where your day to day accounts belong. Again, you have to consider the worst case scenario. These services probably have some personal data, but nothing you couldn't get out of a phone book or by doing some basic investigation. There probably won't be enough here to cause you any serious trouble if someone maliciously gets into the account, but it would still be a problem for you. You might log into these accounts from any old computer, but you'd want to log out of the site afterwards.

    Accounts in this zone might include:
    <ul>
    <li>Email</li>
    <li>Apple ID</li>
    <li>Shopping sites with saved shipping/contact details</li>
    <li>Facebook</li>
    <li>eBay</li>
    </ul>
    <h3>Low Security Zone</h3>
    Low security accounts are the ones that don't contain anything of any value. The consequence of losing the account is minimal. These are the accounts where you wouldn't even bother logging out, and would let your browser save the password. You'd use them on any computer without much concern, and probably wouldn't care if someone watched you type in the password.
    <ul>
    <li>Forum site accounts (except MacTalk, of course)</li>
    <li>Digg/Reddit/YouTube accounts</li>
    <li>Throwaway email accounts</li>
    <li>Miscellaneous sites that force registration</li>
    </ul>
    <h2>Creating Strong Passwords</h2>
    Things you'll want to avoid in a password:
    <ul>
    <li>Any dictionary word</li>
    <li>Any variation on a dictionary word (including substituting numbers for letters)</li>
    <li>Patterns of characters (for example, alphabetic patterns "a1b2c3d4e5" or key placement patterns like "qazwsxedc")</li>
    <li>Names, places, birthdays and ages</li>
    <li>Usernames or part of the username</li>
    <li>Repeating characters</li>
    </ul>
    <a href="http://www.mactalk.com.au/wp-content/uploads/2010/08/sitgsem.png"><img class="alignright size-full wp-image-9240" src="http://www.mactalk.com.au/wp-content/uploads/2010/08/sitgsem.png" alt="" width="208" height="153" /></a>

    That rules out most basic passwords - so what next? Phrases. The trick here is to come up with a meaningful phrase, then cut it down to a jumble of characters that can form a password. The logic behind this method is that a meaningful phrase is easier to remember than a random jumble of letters. Let's try some examples:

    Phrase: Seinfeld is the greatest show ever made
    Password: sitgsem

    The problem here is the password is all lower case letters, and is only 7 characters in length. It's a pretty lousy password, and the Mac's built in Password Assistant tool agrees (see right).

    <img class="alignright size-full wp-image-9242" src="http://www.mactalk.com.au/wp-content/uploads/2010/08/Sitgs3m..png" alt="" width="208" height="153" />

    Let's add some numbers and punctuation, and a capital letter. The more random the characters we add, the less predictable the password becomes.

    Password: Sitgs3m.

    On paper, this password is pretty meaningless. For the owner (and anyone that knows the phrase we based it on), it's meaningful. The Mac's Password Assistant tool tells us this is considerably better.

    <a href="http://www.mactalk.com.au/wp-content/uploads/2010/08/1atvmoamMG.png"><img class="alignright size-full wp-image-9245" src="http://www.mactalk.com.au/wp-content/uploads/2010/08/1atvmoamMG.png" alt="" width="208" height="153" /></a>Let's try something more secure still by simply making the original phrase longer. Longer passwords take more time to crack - since each additional character could be any one of

    Phrase: I am the very model of a modern major general
    Password: 1atvmoamMG!

    These passwords aren't perfect, but they're certainly a good compromise. They're at least 8 characters, mean something only to the person that created them, and contain a mix of uppercase, lowercase, numbers, and punctuation.
    <h3>Variations</h3>
    Even with a strong password, you'll sometimes find a site that doesn't allow you to use certain characters, or might insist on having two capital letters. This is where things start to get messy. Generally, an 8 character password like above will be fine for the majority of sites - but if you have to satisfy another password requirement, a variation on the existing password might help you out.

    Variations allow you to stick to the same password (which you remember) and add something extra just to satisfy the password complexity requirement.

    For example, a site that requires at least two capital letters, or a 10 character password:

    Password: SItgs3m.
    Password: Sitgs3m.01
    <h2>Checking Your Password</h2>
    Unsure how strong your password is? Mac OS X has a built-in tool for generating and checking password strength (as seen in the examples above). You can access it a number of ways, but the easiest is to open Keychain Access (found in /Applications/Utilities/) and select File -> New Password Item. Next to the Password field, click the key icon. The Password Assistant window will appear. Enter your current password to see an indication of its strength, or generate a random password using the popup menus and length slider.
    <h2>Storing Your Password</h2>
    With all these passwords and variations, you're probably tempted to start writing them down. Before you do this, consider <a href="http://www.mactalk.com.au/2010/07/23/discovering-disk-images/" target="_blank">creating an encrypted disk image</a> of text files instead.

    This might seem like a bad idea, but if you do things right, it should be reasonably safe. The disk image should have a High Security Zone password, and be kept on a trusted computer. Create a text file for each account, and add any account details. Don't store the password, but rather a reference to it and any modification you've made.

    For example, a text file with your eBay password might contain:

    eBay Username: billsmith
    Password: medium + EB

    As long as you remember your medium security zone password, you can figure out what this means. If you forget to unmount the disk image, or someone manages to get a copy of the file, it's fairly useless unless they know the password the hint was based on.

    Again, this is a compromise - but if it comes down to writing your account details on a series of Post-It notes, or having them in an organised secure disk image, I'd consider it a win for security.
    <h4>Further Reading</h4>
    <a href="http://en.wikipedia.org/wiki/Password" target="_blank">Wikipedia - Password</a>

    <a href="http://en.wikipedia.org/wiki/Password_cracking" target="_blank">Wikipedia - Password cracking</a>

    <a href="http://www.lockdown.co.uk/?pg=combi" target="_blank">LockDown - Password Recovery Speed</a>

  2. #2

    Join Date
    Oct 2005
    Location
    Gold Coast
    Posts
    1,027


    Brilliant article.

    Good advice with keeping online banking and email address passwords different to general purpose forum accounts, etc. That's what I do.

    I also like the idea of an acronym on steroids.

    Now... If only there were a way for the iPhone to NOT display the last character of my password for what seems like a million years before it transforms into a dot.

  3. #3


    Thanks for the great article David. Very helpful, especially to someone whose password is password.

  4. #4

    Join Date
    Aug 2004
    Posts
    1,339


    I haven't fully finished reading this, but something that stuck out to me straight away was putting your e-mail in a medium security zone. Fine, however if that e-mail account is linked to one of your high security zone accounts, then this by proxy reduces that security as e-mail can often be used to recover passwords for accounts.

  5. #5

    Join Date
    Jun 2004
    Location
    Geelong, Victoria
    Posts
    1,384


    Quote Originally Posted by dev_enter:
    I haven't fully finished reading this, but something that stuck out to me straight away was putting your e-mail in a medium security zone. Fine, however if that e-mail account is linked to one of your high security zone accounts, then this by proxy reduces that security as e-mail can often be used to recover passwords for accounts.
    Thus the "theory" part of the title :P

    But this is a valid point... I suppose the danger of having it high (and using the same password as other high sec. accounts) is that it's the sort of thing you'd use all over the place... work/home/net cafe/hotels, etc.
    In this case, the question is whether you risk the email address exposing your other accounts, or risk exposing your high security password by having to use it somewhere potentially insecure.

    Seems the solution would be to give the email account its own separate high security password.
    ...because the people who are crazy enough to think they can change the world, are the ones who do.

  6. #6

    Join Date
    May 2008
    Location
    Brisbane
    Posts
    1,232


    Nice work. This has inspired me to change my passwords to something a little more secure. And order a security token from my bank.

  7. #7

    Join Date
    Apr 2004
    Location
    Perth
    Posts
    3,102


    Quote Originally Posted by palais:
    Thanks for the great article David. Very helpful, especially to someone whose password is password.
    Not for MacTalk it's not.

    I mean.... surely.
    .
    Times are bad. Children no longer obey their parents, and everyone is writing a book.

    - Cicero (106BC-43BC)

  8. #8

    Join Date
    Apr 2008
    Location
    Melbourne
    Posts
    5,933


    Great article. You've basically described my own password regime. Sadly I still have too many passwords but as you suggest they are grouped into what you call "zones" though I may have more than three (eg I have what you'd call a "Work Zone").

  9. #9


    Quote Originally Posted by tintinaujapon:
    Not for MacTalk it's not.

    I mean.... surely.
    Whoops.. changing now.

  10. #10

    Join Date
    Jul 2008
    Location
    Adelaide
    Posts
    845


    This is basically how I used to run my passwords. It gets a bit complicated though when you start changing them regularly, which I think is also an important part of security. These days I just use 1password and have a totally secure and random password for all sites. The only websites I don't use 1password with are the ones using multifactor identification, which you touched on with security tokens. SMS is also another one which banks use regularly. Verisign also have an iPhone app you can use for tokens with sites such as eBay and Paypal.

    Overall any article that promotes better security is a good thing. Well done.
    Last edited by Jaste; 7th September 2010 at 06:58 AM. Reason: spelling
    Note: Any advertising image that may appear in my post is placed there automatically by this site and is not endorsed by me personally.

  11. #11

    Join Date
    Oct 2005
    Location
    Gold Coast
    Posts
    1,027


    1password sounds like a great idea, but what if you want to log on to a site away from home? Doesn't it rely on storing all your passwords on your mac?

  12. #12

    Join Date
    Jan 2004
    Location
    New Hampshire, US
    Posts
    1,492


    Quote Originally Posted by MTBlogBot2000:
    Don't store the password, but rather a reference to it and any modification you've made.

    For example, a text file with your eBay password might contain:

    eBay Username: billsmith
    Password: medium + EB
    Thanks for the article. A small comment on the technique, quoted above.

    Some remote sites and applications have a limit on the number of significant characters stored, or checked, in passwords. Thus el3fantEB, el3fantAM, and el3fantMT, may each appear to be the same password if a (fictitious) site limited its checking to (a woeful) 7 characters; if this was a shared/common password, the consequences could escalate.

    I like (and use) the technique, but I'd suggest using EBel3fant.
    Last edited by chrism238; 7th September 2010 at 01:02 PM.
    It's better to burn out than it is to rust.

  13. #13

    Join Date
    Sep 2009
    Location
    Outback Queensland
    Posts
    2,061


    Quote Originally Posted by Edd:
    1password sounds like a great idea, but what if you want to log on to a site away from home? Doesn't it rely on storing all your passwords on your mac?
    Depends.

    It can sync across multiple Macs and also onto any iOS device (iPhone, iPad, etc.).

    It also has the ability to be accessible from the web - I haven't looked at this yet as I've always got at least one iDevice with me when I'm away from my Mac.

  14. #14

    Join Date
    Jul 2008
    Location
    Adelaide
    Posts
    845


    Quote Originally Posted by Edd:
    1password sounds like a great idea, but what if you want to log on to a site away from home? Doesn't it rely on storing all your passwords on your mac?
    The 1password website says it better than I could:

    Quote Originally Posted by http://agilewebsolutions.com/products/1Password/user_guide

    Take Your Data With You

    There are several ways you can take your 1Password data with you so you always have access to your information:

    * If you have an iPhone, you can sync to 1Password for iPhone.
    * You can use 1PasswordAnywhere to decrypt and view your Agile Keychain if you can access it on Dropbox or store a copy on a USB flash drive
    * If you carry a Palm Treo or Centro, you can sync with the 1Password for Palm application
    * You can export your 1Password data as an encrypted web page (File > Export All) that can be opened with a password using Firefox on Windows or Linux
    * You can print all your data, or better yet, save the printed data as a password-protected PDF and take it with you on a USB flash drive
    Note: Any advertising image that may appear in my post is placed there automatically by this site and is not endorsed by me personally.

  15. #15


    Great article folks

    One small question on 1Password which I use, how do I get 1Password to appear and generate a password for applications other than those appearing within Firefox.

    I want to change passwords with apps like iTunes, but the only way would seem to be to copy and paste from 1Password to iTunes, and when you do this you don't get to see the password at the iTunes end to confirm what you pasted. Sort of scary when you paste a password and you can't see it, because once you say done then that's it and you can't actually get a "clue" to what the password is.

  16. #16


    WOW thanks for sharing the theory with us and if you want a simple way to solve your password question you may try this Password Manager
