6 or More Ways of Ensuring Better Password Security
Preceding my work at Security Compass, the pursuit of my Masters of Computer Science led me to conduct research on user authentication, passwords and, more specifically, the study of human selection of long text-based passphrases. The research was done under the supervision of Dr. Julie Thorpe at the University of Ontario, Institute of Technology (UOIT).
Research into text-based passwords is a hot topic as this method of authentication is still the dominant form of end-user authentication on the Internet. Unlike a password, a passphrase is a string of words, like a phrase or sentence. Passwords created by users are plagued with numerous problems; however, the issues cannot be solely blamed on the users. The creation policies that websites deploy in order to enforce strong password conception tend to result in the reverse effect by making the passwords completely unusable or unmemorable, and therefore weak.
Primarily, my research focused on determining an ideal creation policy for passphrases that balance both usability and security. To test the passphrase policies, a 39-day user study was conducted involving over 30 users to study the human selection of passphrases. The memorability and security factors of the collected passphrases and user surveys were then analyzed.
When I began authoring this blog, my intentions were to compile and provide a concise summary for all steps of literature review, design, execution, and analysis of my user study. Following both peer and self-review, however, I realized that it’s not possible to condense a thesis to just a few pages. If you want to read the full thesis, you can do it here. Instead, I will give practical information taken from the research and will provide some methods to improve your own passphrase usage.
What the Research Tells Us
Let’s get to it. How can you improve your password or passphrase habits? Well, ideally you should be using a password manager. A password manager is a tool that creates and helps to organize your passwords. It isn’t feasible to create secure passwords for all of your online accounts and then assume that you will remember them. With a manager, you only need to remember one password or passphrase to lock the password database, allowing you to utilize only a handful of strong passwords.
I (shamelessly) recommend that you use a passphrase for your password manager. Below is the passphrase creation policy that I helped developed for the user study and it serves as a good guideline for creating a passphrase. The requirements outline what’s needed in order to achieve a significant level of security against brute-force enumeration attacks and the recommendations are there to encourage you to further improve security and usability.
- At least 7 words, separated by spaces
- At least one proper noun
- Exclude common 3, 4, or 5 word sequences (“all of it”, “there seems to be”)
- Use non-dictionary words, such as slang (“wazzup”, “selfie”)
It’s not as complex as it may seem. Take a look at some examples:
- isomorphically aged scarlet wheels rolled bravely across the SecurityCompass floor
- softly treaded dreams exist without sorrowful love or Bronfenbrenner’s remorse
- vestigial hamburgers slide gracefully from McCoy
- Panasonic microwaves create micro waves to superheat soup
The key points for making a strong passphrase are:
- Ensure sentences conform to the rules of grammar
- Use at least 6–7 words
- Use unique or distinctive word choices
- Have fun with it; you are more likely to remember the passphrase if you can laugh about it
Common Mistakes When Creating a Passphrase
In addition to the creation policies and recommendations above, you should avoid the two following common mistakes when creating your passphrase in order to maximize the security and usability of your passphrase. These mistakes were observed from the passphrases that were collected during the study.
- Using common words that can easily be reworded
Using common word choices such as dog instead of poodle, or soda instead of Coca-Cola, can cause issues when using the passphrase during login, as users can forget or reword their passphrase. Common word choices can also be easily enumerated in a brute-force passphrase attack.
- Using words that do not form a sentence and have no syntactic structure
Passphrases that are a string of related words with no sentence structure prove to be much more difficult for participants to recall than passphrases that have sentence structure. An example is “hotdog food ketchup relish mustard mayo”. This passphrase — while being fairly secure against a brute-force guessing attack — makes it difficult to remember the correct word order since it has no syntactic structure to it.
Examples of Proper Password Management
Like the ones seen earlier, I recommend that you create a passphrase for your password manager. By focusing on one passphrase for your password manager, you can create a strong, memorable passphrase that you do not reuse. Placing all of your passwords in one location, however, potentially makes it a single point of failure for all passwords. You should have a simple system in place to ensure that you have backups of the password database in addition to a method for recovering the password database, in case you accidently deleted the database or forgot the master passphrase.
For example, I use three passphrases that I can easily remember. All other passwords are created and organized in a password manager. I have one passphrase for my password manager, one for Dropbox service, and one for my primary email. If I lose my passphrase for my email or Dropbox, I have two factor authentication set up with my mobile phone that can be used to recover the passphrase. The password database is backed up on Dropbox, and Dropbox can be accessed from a computer or a smart phone. I have a USB key that I keep at my house and it has a master key file for my password manager as a backup in case I forget my passphrase for the password manager.
It’s not a perfect system, but it’s a simple one that is better than creating and remembering passwords for all of my online services.
The Final Word
The main thing to take away is that you really, really, shouldn’t be remembering all of your passwords. Passwords were never designed for the wide scale adoption that has occurred as a result of the Internet. If you are someone who keeps passwords in memory, it’s probable that you reuse the same passwords or use easily-guessed passwords and patterns that put you at risk for being compromised via stolen login credentials. Focus on a few, very strong and memorable passphrases. Let a password manager handle the creation and organization for the remainder of your passwords.