Tag Archives: password

A story about Password – The Wrong Formula

In this article I will first talk about some misconceptions regarding what is considered a secure password and then about how you can leverage different technologies to help protect your different credentials.

In the past few years there has been a sharp increase in websites being hacked and their users’ passwords/hashes stolen, in parallel we are using online services for almost everything: to pay for your local pizzeria delivery or your electricity bill, access your bank account, connect to your work email, etc.

The common advice is to use different passwords for each site you register to, but most people don’t. It means that hackers can often reuse credentials they obtained on one website to access another.

One way to counter that risk would be to use some kind of formula so you remember a different password for each site you have registered to. This *could* be the best solution, as remembering a password formula means you do not have to write it down. However, the question is how secure your formula really is? How easily could it be reverse engineered? It may not be possible for an attacker to do it with knowing only one password, but what about 2? or 3? or more? would a pattern start to emerge?

Let’s take an example of a simple password formula, by taking the first letters of an easy to remember sentence tailored to a given site, www.google.com in this example:

I Love My dog And I Like Google since 1997

The password would be: ILMdAILGs1997

At first, this looks pretty good… especially if you start adding punctuations and special characters.

But if you use the same formula somewhere else, this time for www.yahoo.com, the password would just have one different letter: ILMdAILYs1997

Even if you were to make your password “expire” by changing the last number on a regular basis, I.e. each January, a pattern would still to be easily identifiable if an attacker gets hold of several of your passwords…

Of course, this means someone would need to get your credentials from different sources, Google and Yahoo in this example. But the point is that with the increasing number of websites we subscribe to, we are also increasing the chances that our credentials get stolen and patterns get discovered.

Passwords need to be unique to each system they are used on and they need to be as random as possible.

Not writing your password down but remembering it feels like the most secure solution. Until you look a bit deeper at how all your different passwords are constructed and realise they are not truly random and unique…

The best way to use unique, random and strong passwords is to save them into a password safe, a software that acts as a safe for sensitive information by storing it into an encrypted database. All your passwords are then protected by a master key/password.

Password safes are not new, in fact one of the most popular has been around since 2002.


But what is new is how you can achieve the following requirements, so you do not compromise on usability:

– Passwords need to be accessible from all your devices;

– Passwords need to be backed up securely;

– Passwords need to be easy to reset.

This is where Cloud storage can help you.

You can use PasswordSafe from Sourceforge to create an encrypted list of strong passwords and store that list onto a cloud storage service such as Dropbox. Then synchronize that Dropbox folder/file on all your different devices.

Because PasswordSafe and Dropbox can be used on most operating systems and platforms, including mobile devices, you will be able to access your passwords from anywhere. More importantly, you will also be able to synchronise any changes from anywhere, securely.

You do rely however on how secure the implementation of Password Safe is on the different medium you install it and if someone installs a key logger on your computer then you could lose access to all your passwords!

The only password you need to remember is the master password to your safe which should not be reused anywhere else.

Distributed Credential Protection

RSA recently announced their Distributed Credential Protection (DCP) technology which should help address the impact of passwords leakage/theft when the system where they are stored gets compromised. They accomplish that by splitting up stored credentials across different systems.

In its current implementation it uses 2 servers. 1 server (BLUE) stores the password XOR to a random number and another server  (RED) stores that random number.
When a user wants to authenticate it uses his password to XOR it with his own Random number. It then sends the transformed password to the BLUE server and the new random number to the RED server.
The BLUE and RED servers then compare the stored password with the one the user just provided. At this stage, I guess it must communicate to the RED server to get the corresponding random numbers.

This process is given an overview THERE

I think it is a great idea, and it leverage what is called Threshold Cryptography, which is “the art of chopping a secret into little bits”. A few things come to mind though:

– Why only using 2 servers, this could be expanded to use multiple servers. Each with different security settings/OS thus making it harder to compromise

– Why only applying this to passwords, what about documents/files?

– To verify the password is correct, the servers must be communicating at some point to get the XOR password and the Random number used. If that’s the case, then if the BLUE server gets compromised what stops the attacker to miss-use the communication/protocol and leverage the compromised BLUE server to gain information from the RED server, thus removing the need to compromise that server too? I could not get enough information at this time on how RSA verifies the passwords are valid, so I would hope they have thought about that in their design.

– Again, this will not stop the number one issue with password. Human weakness. (post-it, simple passwords, eavesdrop, man in the middle/coffee shop, etc)

It is definitely an interesting technology, which I hope to learn more about soon!

Windows 8 Picture Password, great but…

After looking at the new features listed for Windows 8, one in particular caught my attention: The Picture Password Login.
It is a very refreshing approach to authentication!

You are presented with a photo at log in and instead of entering a password, you have to touch the image according to the “allowed” touch sequence you registered your user with. In some respect it is similar to the existing gesture based authentication mechanisms you can find on some smartphones (anyone remember that feature on the Palm V?!), but I think it is taken to the next step.
Microsoft is maybe trying to do to passwords what Apple did to the Walkman.

By providing you with a photo of your choice (i.e.: your own family picture), and a restricted number of gestures (point, draw a line and circle) it is easier to remember a sequence, more natural and more personal. For exemple, you would circle the head of your best friend, touch the feet of your child and stroke your dog…
It is simple, yet secure because there is a very large  number of possible combinations. Or is there?

I can see the appeal but I wonder about the following:
a) Could someone who know about you guess what you are likely to touch on that photo first, second and third, etc
b) It would be visually very easy to remember, for you… and also for anyone looking over your shoulder!

I am therefore not 100% convinced, but it would make hardware keylogers more difficult to design (softwares one should just work as well as now by providing a screenshot with logged gestures). And it could actually improve security over a complex password on a post-it or a very simple “hello” password. However, how would this work in an open office environment where everyone can see your screen?

In any cases, well done Microsoft! as stated at the beginning of this article it is a very refreshing approach to authentication and a bold one!

More information can be found in that article and below is a demonstration video of this feature.

YouTube Direkt

I used to have one password…

I used to have one password. It was the password to my Unix student account and it was in the mid nineties!

Since then, I must have dozens of passwords for work/home computers, websites, files, etc. Having a truly different password each time is almost impossible unless you use some kind of password safe application. Or you could use some kind of clever formula, I do emphasise on the “clever” because if your formula is to generate the same password with a simple variant at the end of it, a hacker who has access to more than one of your password could find out what that formula is quite easily.

Another issue is the username. Most security warnings are related to users having the same password, although it is indeed true, there is also an issue with using the same username everywhere. I would argue it is more important to start with a known username than a known password.

The recent attack against Sony shows that credentials stolen from other companies/websites can be re-used to mount generic brute force attacks. This is echoed in another recent article about the increasing danger of consoles and their online credentials that can sometimes be the same as those used for corporate use, especially with Windows live ID. I would again argue that it isn’t just an issue with consoles as many people when registering to new websites re-use the username they use the most, their work or home username.

There is however the need for a tradeoff between the highest level security of having a random username and password for each of your login, and something you can use without having to think/consult for/every 5 minutes.

I would start with a different password for every login… and to change them from time to time.

GPU Password Cracking

Brute force password cracking has been around for a while but in the last few years a new way to use your brand new graphic card has emerged which brings high performance attacks against passwords much cheaper and easier.

This is because the “brain” of those graphical card, The Graphical Processing Unit or GPU, is designed to handle mathematical and repetitive tasks very efficiently.

There is a very good article about this topic on the ERRATA SECURITY blog with some interesting facts:

– Although GPU are now found in most electronic devices (i.e.: phones), dedicated PC cards are obviously better

– Radeon is better than GeForce

– Although you can use more than one GPU, the benefits are not exponential and most people only need 1 or 2 GPU.

– This is because past 8 Characters, a password become near impossible to brute force. It would take too long, regardless of the number of GPU you use!

– Some people actually slow the speed of the computer memory to reduce voltage and thus heat. All that matters is the GPU!

– What you would use a GPU against:

  • Bitcoin hashes match calculation (Bitcoin is a digital currency)
  • WPA Passwords, as you cannot really use Rainbow tables, brute force can be useful! in fact this is true for any “salted’ passwords.
  • Protected documents: ZIP, Office, etc

Some of the software you need if you want to experiment yourself can be found on the Golubev website.

Update 28/06:
It looks like you can even now have external powerful GPU cards for your notebook, and it is a Radeon!