Since the beginning of the IT security industry, security professionals have hated passwords, and for good reason: a 2019 Verizon study showed that most breaches had some component of password theft or misuse. For example, Verizon found that up to 90% of breaches in the education sector had password theft as a root cause (Page 39)!
Hackers don't always need technical prowess to steal passwords. LastPass found that up to 95% of people will share passwords with others, often with little to no prompting. We can do quite a bit to mitigate this. Multi-factor authentication and quality security awareness training do a lot to reduce the risk of password theft, and with the improvement of biometric authentication we are likely to see biometric log-ins for devices, secure facilities, systems, and networks that further secure an ever-growing connected world. However, not everyone can afford expensive hardware tokens or specialized consultants. So what can we do? Can we still generate secure, hard-to-guess passwords and make it a little harder for hackers to gain access to our systems? Absolutely! In the article below, we at Keyqo Security outline three easy ways to generate a secure password.
In IT security-speak, "Diceware" refers to password generation with the use of random numbers. Most commonly, it refers to rolling a certain number of dice and mapping the values you get to entries in a wordlist; each word found this way becomes part of the new password.
Let's illustrate this with an example, using the Electronic Frontier Foundation's diceware wordlist available here. We'll start by grabbing five dice and rolling them on a table. Let's say we get the following five values: 1, 5, 3, 6, 6. Written side by side, these give a single five-digit number, 15366. Looking this number up in the wordlist, we find the word next to it is "charcoal". Great, we now have the first part of our password! Repeat the process six more times, rolling five dice and looking up the word associated with each value rolled.
When done, we’ll have a string like “charcoal driven verbalize polo salsa fever driven”. That’s our new password!
You may feel it isn't secure since it's so memorable and easy to generate. However, we can show mathematically that this password meets all security requirements. At a high level, the number of bits in a given password determines its strength: the more bits, and the more random those bits, the stronger the password. Each bit has two values, 0 and 1, so each bit of randomness (known as "entropy") doubles the number of guesses needed to crack the password. With seven words, the password has roughly 90 bits of entropy, so our combined password strength equals 2^90: an attacker will need to make 2^90 (1.2 octillion) attempts to crack it. At 100 million password crack attempts per second, the attacker will need to wait 392 million years before cracking it. Talk about a waste of time!
We can add more words as needed; each additional word adds roughly 13 bits of entropy. Just make sure that you generate seven or more words per password, because a shorter passphrase gives an attacker a realistic chance of guessing it.
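As an added example (not the article's code), here is the Diceware procedure in Python: a five-dice roll drawn from the OS CSPRNG, the lookup key, the entropy arithmetic behind the 90-bit figure, and the word count needed for a target strength. The wordlist is a constructed stand-in: only 15366 → charcoal is from the article, the other keys are made up, and a real run loads the full EFF list.

```python
import math
import secrets

# Constructed stand-in for the EFF large wordlist, which has 7776 entries keyed
# 11111..66666. Only "15366" -> "charcoal" comes from the article; the other
# keys are made up for this example. Load the real list from its text file.
TOY_WORDLIST = {
    "15366": "charcoal", "24431": "driven", "63255": "verbalize",
    "46221": "polo", "52354": "salsa", "31616": "fever",
}
EFF_LIST_SIZE = 6 ** 5  # 7776 possible five-dice outcomes

def rolls_to_key(rolls):
    """Five dice values (1-6) -> lookup key, e.g. [1, 5, 3, 6, 6] -> "15366"."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five dice values in 1..6")
    return "".join(str(r) for r in rolls)

def roll_five_dice():
    """Roll five dice with the OS CSPRNG; never use random.random() for this."""
    return [secrets.randbelow(6) + 1 for _ in range(5)]

def entropy_bits(n_words, list_size=EFF_LIST_SIZE):
    """Entropy of n words drawn uniformly from a complete list of list_size words."""
    return n_words * math.log2(list_size)

def words_needed(target_bits, list_size=EFF_LIST_SIZE):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def diceware_passphrase(n_words, wordlist, roll=roll_five_dice):
    """Roll, look up, repeat n_words times. A real list has every key, so a
    KeyError here means the list is incomplete and the entropy estimate is off."""
    return " ".join(wordlist[rolls_to_key(roll())] for _ in range(n_words))

if __name__ == "__main__":
    # Scripted rolls reproduce the article's passphrase from the toy list.
    script = iter(["15366", "24431", "63255", "46221", "52354", "31616", "24431"])
    scripted = lambda: [int(c) for c in next(script)]
    print(diceware_passphrase(7, TOY_WORDLIST, roll=scripted))
    print(f"{entropy_bits(7):.1f} bits")  # about 90.5 bits for seven words
```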
The Schneier Scheme
Cryptography expert Bruce Schneier suggested the following trick for creating secure passwords. Rather than using common words or strings, think of a personally meaningful sentence and derive a new password from it. Some ways to do that include taking the first letter of each word (keeping numbers and punctuation), abbreviating the first half of the sentence, and swapping common letters for numbers or symbols.
Let’s run through an example or two:
Sentence: I graduated from the Scholl College of Podiatric Medicine in 2000, then moved to California.
Method: Use the first letter of each word without changing the case.
Sentence: I love to travel, including to places like New York City, Los Angeles, Paris, and London!
Method: "Leetspeak" the phrase, then randomly capitalize the first letter of each remaining word. If the "leetspeaked" word is fewer than three characters long, we can use it as-is.
Each password looks pretty unique. If an attacker doesn't know your source sentence, they'll have to guess the password at random, which, as before, takes a ridiculous amount of time.
For example, let's take the second password we generated, "Iluv2T,i2plNYC,La,P,aL!". This has 126 bits of entropy, which gives a security of 2^126. Assuming an attacker can guess 100 million passwords a second, that'll take over 421 quadrillion years to break! That'll keep your attackers busy for a while!
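An added Python implementation of the two derivation methods above (not the article's own code). The leet table, keeping numbers whole, and flipping a fair CSPRNG coin per word are this example's assumptions; the author's hand-made "Iluv2T,i2plNYC,La,P,aL!" shows the scheme is applied loosely in practice, and the article does not give a result for the first sentence, so the output below is this example's derivation only.

```python
import secrets
import string

# Leet substitutions are this example's own choice; the article names the
# technique without fixing a table, so adjust to taste.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})

def _split_token(token):
    """'City,' -> ('City', ','): the word and any trailing punctuation."""
    core = token.rstrip(string.punctuation)
    return core, token[len(core):]

def first_letters(sentence):
    """Method one: keep the first letter of each word, case unchanged. Numbers
    are kept whole and trailing punctuation is preserved (an assumption of this
    example), so 'in 2000, then' -> 'i2000,t'."""
    parts = []
    for token in sentence.split():
        core, punct = _split_token(token)
        parts.append((core if core.isdigit() else core[:1]) + punct)
    return "".join(parts)

def leetspeak(sentence, coin=lambda: secrets.randbits(1) == 1):
    """Method two: leetspeak every word, then capitalize its first letter on a
    fair coin flip from the OS CSPRNG. Words under three characters are used
    as-is, as the article says. Pass a scripted coin for a repeatable result."""
    parts = []
    for token in sentence.split():
        core, punct = _split_token(token)
        if len(core) < 3:
            parts.append(core + punct)
            continue
        word = core.translate(LEET)  # only lowercase letters are substituted
        if coin():
            word = word[:1].upper() + word[1:]
        parts.append(word + punct)
    return "".join(parts)

if __name__ == "__main__":
    # Sentences from the article. A source sentence that a stranger could
    # reconstruct from your public profile defeats the scheme, so pick a
    # private one.
    print(first_letters("I graduated from the Scholl College of Podiatric "
                        "Medicine in 2000, then moved to California."))
    print(leetspeak("I love to travel, including to places like New York "
                    "City, Los Angeles, Paris, and London!"))
```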
Finally, we can rely on a string generator to make passwords for us. Sites like GRC's Perfect Passwords generate random, cryptographically secure strings that you can then use in your applications. For example, the GRC site linked above uses several cryptographic techniques (detailed at the bottom of its page) to generate 64-character strings. Depending on your needs, you can use the hex, alphanumeric, or alphanumeric-plus-symbols strings. Each of them has a maximum strength of 2^512, which is effectively impossible to crack with any known or theorized hardware.
Hackers will always try to steal your passwords, but we can do a lot to make their job much more difficult. Anything that makes our passwords more random, and keeps them out of pre-cracked password databases, helps. The three methods outlined above will keep your passwords effectively uncrackable, even by the NSA.
If you want even more security, you can do the following. Use method three (random strings) to generate a password for each site. Store them in a free and safe password manager like Bitwarden or KeePassXC; that saves you the effort of remembering a bunch of tough passwords. Then set your password manager's master password to something generated via method one (Diceware), so you only need to memorize one list of seven words. Combine all that with other security measures, like multi-factor authentication, and you will have taken a massive step forward in securing your practice's valuable data.
Note: Don't use any of the example passwords we've generated here! Attackers have probably already harvested them and added them to pre-cracked password lists, completely invalidating our hard work.