Time to Reset Your Password? Get Out the Dice

In the past week, I have been prompted several times a day to change my network password. And I’ve been putting it off each time I see that annoying pop-up window.


Why? Because I’m sick and tired of coming up with a unique password! And who isn’t? But I’m getting close to my 90-day password use limit, and yes, I’ll have to do something about it soon.

There has to be a better way to select a good password. One that’s easy to remember but hard to crack.

You see, the rules for generating complex passwords are well known, and anything an attacker knows about how passwords are built can go into the cracking tool. Any programmer worth his or her salt can figure out how to crack passwords given such common rules as:

  • Always include a mix of upper and lower-case letters, numbers and symbols
  • Never reuse passwords
  • Avoid common words
  • Don’t write them down anywhere or you’ll be sorry!

Passwords are a drag…

Passwords are a pain to come up with and are depressingly easy to crack. But we still need them. For now, we can’t live with them, and can’t live without them.

The Ponemon Institute found 24 percent of data breaches in 2014 were due to compromised passwords.

Add in breaches related to “trusted insider (inadvertent)” and “trusted insider (malicious).” Those both involve compromised credentials, which always includes passwords. Now we are at 70 percent.

My colleague Lisa helped paint the picture. Compromised credentials are the most common vectors of attacks leading to data breaches.

I’ve been telling everyone to eschew passwords for more secure authentication methods wherever possible: tools that use industry standards like SAML and multi-factor authentication.

…But passwords are a necessary evil

I’m sure passwords will someday become an odd and sad relic of our time. But it’s still 2015, and most of us need to have at least one password (shorter), or better yet, a passphrase (longer). We need them for things like PGP, a password management system, or for authenticating into Active Directory at work.

How about we leave it up to chance?

It seems almost easier to take a random roll of the dice, just pick a few words, and hope for the best. It turns out that’s a pretty good method. It’s called Diceware, and was developed in 1995 by a man named Arnold Reinhold.

Rolling real dice in the real world can produce random sets of numbers, assuming we aren’t using loaded dice.


Combined with a list of unique words, each assigned to a 5-digit number made from five dice rolls, we can generate a cryptographically secure passphrase comprising six or seven random but ultimately memorable words. Compared to “strong passwords,” a strong Diceware passphrase, according to Reinhold, is:

  • Known only to you
  • Long enough to be secure
  • Hard to guess — even by someone who knows you well
  • Easy for you to remember
  • Easy for you to type accurately

It’s not that big of a deal to roll one die 30 times, or six dice five times, to generate six 5-digit numbers. But for fun, I decided to outsource it to an 11-year-old kid. This kid, Mira Modi, started her own business generating 6-word passphrases by hand. She promises to send back a letter via the US Postal Service. She’s gotten a lot of press lately, so I’m curious to see how long it will take.

Now, the likelihood of a computer cracking a 6-word passphrase is much lower than for an 8-character “strong” password. That’s because the Diceware method adds entropy. Entropy is the degree of disorder or randomness in a system, or a numerical measure of uncertainty. We add entropy to a passphrase by increasing its length and by using a truly random method to choose the words. You know, like a roll of the dice.

I’m still a bit leery of letting a kid choose a unique passphrase for me. What happens if I need to limit the number of characters, or the types of characters used?

Or what if my envelope never arrives? I’ll be two bucks poorer.

Or what if six random words, with an estimated 77.5 bits of entropy, are simply not enough?

I can always add in another random word, and get 90.4 bits of entropy, or choose a word from a diceware list in Japanese or French.
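To make the entropy figures above and the dice-to-word lookup concrete, here is an added example (not code from the post or from Reinhold’s Diceware project) that simulates the five rolls per word with a CSPRNG, maps each 5-digit key to a position in a 7776-entry list, and reports the bits of entropy for six or seven words. The three-line word list is a constructed stand-in for a real Diceware list; the `key<tab>word` layout and the function names are this example’s own assumptions.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD          # a full Diceware list has 7776 entries
BITS_PER_WORD = math.log2(LIST_SIZE)    # about 12.92 bits per randomly chosen word

# Constructed stand-in for a real list file (key, tab, word); only three entries.
SAMPLE_LIST = "11111\tabacus\n43625\tpaste\n66666\tzygote\n"


def roll_key() -> str:
    """Simulate five fair dice with the OS CSPRNG, e.g. '43625'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key: str) -> int:
    """Map a dice key to a 0-based list position: base 6, with digit 1 as zero."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a Diceware key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def parse_wordlist(text: str) -> dict:
    """Parse 'key<whitespace>word' lines into a key -> word table."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == DICE_PER_WORD and parts[0].isdigit():
            table[parts[0]] = parts[1]
    return table


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of n_words picked uniformly at random from a list of list_size entries."""
    return n_words * math.log2(list_size)


def passphrase_from_keys(table: dict, keys) -> str:
    """Look up already-rolled keys; a KeyError means the list is incomplete."""
    return " ".join(table[k] for k in keys)


def passphrase(table: dict, n_words: int = 6) -> str:
    """Roll for n_words entries against a complete 7776-entry table."""
    if len(table) != LIST_SIZE:
        raise ValueError(f"list has {len(table)} entries, need {LIST_SIZE}")
    return passphrase_from_keys(table, [roll_key() for _ in range(n_words)])
```

Pointing `parse_wordlist` at a full list gives `passphrase(table)` real output; with the stand-in only the deterministic lookup runs, which is enough to check the arithmetic behind 77.5 and about 90.4 bits.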

Meanwhile, I’m running out of time. I guess I’ll roll a few times, and generate a new passphrase on my own before I get locked out of my work account.