Peter Cochrane: The road to password heaven or insecure hell?

Peter Cochrane looks at how to make stronger, better passwords that you can actually remember

I periodically conduct a general security review in the face of growing malware, phishing and other forms of online threat. This embraces passwords, multi-factor and biometric authentication, while also taking into account the reciprocal protection of companies using location, machine, and behaviour-pattern checks.

To say the least, the security measures I now have in place are in a different league to those I used just five or 10 years ago. But, I still worry about the fundamental access security of my devices, networks, apps and services.

My starting point is the standing ‘threat status' and the projected rate of change. The key question is, how strong are my passwords and other access methods today, and how strong will they be in another three years? So, beefing up any security systems entails striking a balance between any strength gains versus operational inconvenience.

A key security feature is the requirement for passwords that can be algorithmically constructed rather than having to be memorised and stored. In turn, we have to address the implications of the overall security risk:

Risk = (Threat x Attack surface x Consequences) / Defensive strength

Where: Defensive strength is proportional to a number of independent measures. So:

((Firewall x Malware protection) x Passwords x PINs x Biometrics) / Human fallibility

Here, ‘human fallibility' looms large! We are the last line of defence when it comes to phishing and browsing errors, not to mention keeping our operating system and apps up to date.

A useful way of addressing password creation is to consider factors embedded within this formal (or similar) setting:

What you do
What you own
What you fear
What you are
What you know
What you believe

Modern computer attacks demand at least eight-character passwords with combinations of upper and lower case, numbers and symbols. Singular nouns are easy to crack, along with the top 100 commonly used passwords, which include these dangerous examples: 123456, QWERTY, 123123, 111111, 000000, password, Iloveyou, 666666, James007 and so on.

Concatenated random nouns, slices of poetry and literature are rich sources of combinatorial complexity, while Old English, regional words and dialect expressions add a further level of defence. How come?

In a word: entropy. The higher the degree of disorder and unexpected change the better. Using a password strength meter, let's put this to the test:

You might remember the William Wordsworth poem that starts: "I wandered lonely as a cloud…" A very simple rule set/algorithm allows us to create really strong passwords that are easy to construct:

lonely as a cloud >> LonelyasaclouD >> Lone1yasac1ouD >> L0n31ya5ac10uD ... etc.
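As an added illustration (not the column's own code), the rule set above written out in Python: squash the line, capitalise the ends, swap in digits, then wrap in symbols, with a blind brute-force estimate for each stage. The guess rate of 10^10 per second and the character-class counting are assumptions of this example, not the meter's figures.

```python
import math
import string

# Constructed input: the Wordsworth fragment used in the column.
PHRASE = "lonely as a cloud"

# Letter-for-digit swaps matching the column's final stage (o->0, e->3, l->1, s->5).
LEET = str.maketrans({"o": "0", "e": "3", "l": "1", "s": "5"})


def squash(phrase: str) -> str:
    """Stage 1: drop the spaces and capitalise first and last letters."""
    s = phrase.replace(" ", "")
    return s[0].upper() + s[1:-1] + s[-1].upper()


def leetify(pw: str) -> str:
    """Stage 2: apply the digit substitutions."""
    return pw.translate(LEET)


def wrap(pw: str) -> str:
    """Stage 3: add bracketing symbols, as in the column's '< ... >' rows."""
    return f"<{pw}>"


def charset_size(pw: str) -> int:
    """Alphabet a blind attacker must cover, by character classes present."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation or c == " " for c in pw): size += 33
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force keyspace in bits, assuming no knowledge of the phrase."""
    return len(pw) * math.log2(charset_size(pw))


def crack_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password at an assumed guess rate (half the keyspace)."""
    return 2 ** entropy_bits(pw) / 2 / guesses_per_second


def build_stages(phrase: str = PHRASE) -> list:
    """Return the password at each stage of the rule set."""
    stages = [phrase.replace(" ", "")]
    stages.append(squash(phrase))
    stages.append(leetify(stages[-1]))
    stages.append(wrap(stages[-1]))
    return stages
```

The estimate only holds for an attacker with no a priori knowledge; one who guesses that a famous line plus these common substitutions was used need only enumerate phrases and rules, which is far fewer candidates than the keyspace figure suggests.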

Password            Characters   Time to crack
lonely              6            0.08 seconds
lonelyas            7            5.4 seconds
lonelyasa           9            27.5 seconds
lonelyasacloud      15           15 hours
LonelyasaCloud      15           Two days
L0nelyasaCl0ud      15           10 days
< L0nelyasaCl0ud>   17           245 years

But how about a favourite film?

Password            Characters   Time to crack
RobinHood           9            9.1 seconds
£R0b!nH00d£         11           Four days
< £R0b!nH00d£>      13           94 years

Or profession:

Password            Characters   Time to crack
< Math3142Prof>     13           813 years

The examples give relative comparisons, as they were generated by a password strength meter (and there are many different types); this one assumes a network of PCs attacking a site with no a priori knowledge about the user. A supercomputer would drastically reduce the stated times, of course.

Obviously, locking down a mobile device would probably require a simpler password as a human will be tapping the keys, but your cloud account needs something much stronger as (networked) machines are running the numbers. It almost goes without saying, of course, using one password/PIN for everything is not advisable.

Some password generators and secure storage are built into apps and machines, but the weak link is where we (ordinary folk) have to get in to the loop, design, decide and remember. My prognosis: password and access automation will enter the scene over the next decade. It is the only way we can get out of the continual password loop/nightmare.