1 May 2015

Strong Passphrases to withstand brute force attacks

Single case alphanumeric passphrases consist only of small letters and numbers, and are particularly useful when you need to make, copy and write down a strong passphrase.

Here is an example:

6j1i kfmp 6k8v lwz5
    • Copy the passphrase. Keep the passphrase safely on a piece of paper and/or on your computer. DO NOT STORE ONLINE.
    • The characters are written down in groups of four for convenience. IGNORE THE SPACES WHEN TYPING IN. You type in this: 6j1ikfmp6k8vlwz5
    • The passphrase consists of 16 random characters. All the letters (a-z) are lowercase. The numbers (0-9) are in bold to help distinguish them from the letters. IGNORE THE BOLD WHEN TYPING IN.
    • The passphrase has more than 82 bits of entropy. (A cracking programme working at 350 billion guesses a second would take 400 000 years to work through the permutations)

How to make a strong single case alphanumeric passphrase

Here's what to do to make a passphrase which will be strong enough to protect you from a brute force attack - i.e. from a hacker trying millions of possibilities a second to crack your passphrase.

1. Take two dice. Throw the dice together onto a flat surface. The dice which lands further to the left is deemed dice 1 while the dice lying further to the right is dice 2.

2. The number shown on dice 1 determines the choice of the horizontal row (numbers in bold), while the number shown on the right-hand dice determines the column (numbers also in bold). From each throw of two dice the selected row and column intersect at a character, which is either a lowercase letter or a number. The character should be recorded on a piece of paper.


3. Throw the pair of dice 16 times and generate 16 alphanumeric characters. Write them down in groups of four to facilitate copying.

Example: 6j1i kfmp 6k8v lwz5
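The dice procedure above, as an added example that is not part of the original post. The 6x6 lookup table is a constructed assumption (the post's own table is not reproduced here); it holds every lowercase letter and digit exactly once, so each throw of two dice selects one of 36 equally likely characters. Real dice are the intended source of randomness; `secrets.randbelow` stands in only so the script runs offline.

```python
import math
import secrets

# Constructed table (assumption): row chosen by dice 1, column by dice 2.
# 26 letters + 10 digits = 36 cells, one per character, none repeated.
DICE_TABLE = [
    "abcdef",
    "ghijkl",
    "mnopqr",
    "stuvwx",
    "yz0123",
    "456789",
]

def char_from_throw(die1, die2):
    """Map one throw (each die showing 1-6) to the character at row die1, column die2."""
    if not (1 <= die1 <= 6 and 1 <= die2 <= 6):
        raise ValueError("each die must show 1-6")
    return DICE_TABLE[die1 - 1][die2 - 1]

def passphrase_from_throws(throws):
    """Turn 16 (die1, die2) throws into the 16-character passphrase."""
    if len(throws) != 16:
        raise ValueError("the procedure calls for exactly 16 throws")
    return "".join(char_from_throw(d1, d2) for d1, d2 in throws)

def group_for_writing(passphrase, size=4):
    """Write the characters down in groups of four, as the post recommends."""
    return " ".join(passphrase[i:i + size] for i in range(0, len(passphrase), size))

def normalise_typed(written):
    """What is actually typed in: the written form with the spaces removed."""
    return written.replace(" ", "")

def entropy_bits(passphrase):
    """Each independent throw picks 1 of 36 characters: log2(36) bits per character."""
    return len(passphrase) * math.log2(36)

def simulated_throws(n=16):
    """Stand-in for physical dice so the example runs offline (constructed)."""
    return [(secrets.randbelow(6) + 1, secrets.randbelow(6) + 1) for _ in range(n)]

if __name__ == "__main__":
    p = passphrase_from_throws(simulated_throws())
    print(group_for_writing(p), f"({entropy_bits(p):.1f} bits)")
```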

Writing down your passphrase

Writing down your passphrase onto paper means that it cannot be hacked, so you should do this. As Bruce Schneier, the security and cryptography expert, points out:

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

I wouldn’t go so far as keeping passwords in my wallet, but the point is well made. But when writing down, please pay attention to the following:

Avoiding mistakes when writing down the passphrase: This is all too easy to do. It helps that it is already divided into 4-character chunks for copying. Write the numbers much larger than the letters so they are distinguishable. Put a small upward sloping line on your 1, cross your 7, and place a diagonal line through your 0. For the letters, put a big dot over your i, loop your l, write your o very small, round the bottom of your u, point the bottom of your v, and write your z small.

Losing Your passphrase: Loss can best be prevented by possessing a duplicate. Have a memorable place, not necessarily easily accessible, where you keep a backup copy; e.g. written onto the back of an old receipt in a box in the garden shed. Always ensure that there are two copies; it is unlikely that both will be destroyed or mislaid at once.

Others finding your passphrase: Avoid desk drawers, or anywhere near your computer. If you have thousands of books, writing it onto page 138 of one of them would probably be safe, unless a whole team of police are searching your house for it. The passphrase is also of no use to a finder if it is not known what it is the passphrase for.

Additional security: if you are worried about family, friends or colleagues stumbling across it, then you can have a secret, non-written affix to your passphrase. If your passphrase would be 6j1i kfmp 6k8v lwz5, you can add, for example, a memorable word so it becomes catfish 6j1i kfmp 6k8v lwz5. You write down and store the passphrase without “catfish,” and remember what you have done. Non-specialists could never use your passphrase, even if they found it. And doing this also adds massively to the strength of the passphrase.

Typing your passphrase

You may choose to store your password electronically, so when you wish to use it you can copy and paste. Theoretically, it could be hacked, but if you keep it in a passworded file (e.g. Word, Excel) on your computer - or on a memory stick, then it is pretty safe from hacking, unless the hacker is specifically targeting your passphrase on your devices. But remember that computers can break, get lost, be stolen or be confiscated, and once out of your possession the passphrase is accessible to someone else and no longer to you unless you have backup copies. Storing your password anywhere online is a big mistake, unless of course it is encrypted. When typing your passphrase into a file for safekeeping, it is a good idea to write the numbers in bold, so they are clearly distinguished from the letters.

What makes a passphrase strong?

The strength of a passphrase depends on how many combinations or permutations there are in which to hide the key. Let us take the example of a combination padlock with three dials, with each cylinder containing 10 digits (0-9). There are exactly one thousand permutations. If the lock had four dials there would be 10 000 permutations.

To make a passphrase stronger on a computer we can do three things:

1. Increase the number of characters of the passphrase (i.e. passphrase length).

2. Increase the range of characters we are using. Using only numbers alone (0-9) we have ten permutations per character. If we add in small letters (a-z) we have 36 permutations per character, and if we also use capital letters we have 62 permutations per character - and so on.

3. Make absolutely sure that the characters are random. That means that the choice of any character is not determined by any other. If there is a pattern (e.g. 2, 4, 6, 8) the passphrase is weak and can be cracked more easily. The human brain does not produce good randomness; it has to be achieved by throwing dice or using well shuffled cards.

How to measure the strength of a passphrase

The strength of a passphrase is measured in units called bits of entropy. If the passphrase is one of two permutations the passphrase strength is one bit of entropy; if it is one of four equally possible permutations, then it is two bits of entropy strength. If there are eight permutations, then the entropy is three bits. A billion (1 000 000 000) different possibilities to choose from is 29.9 bits of entropy.

How many bits are necessary for a safe passphrase?

At the present time, it is the opinion of experts that a passphrase of 80 bits is sufficient for all practical purposes. It would take several linked computers running for decades to crack such a passphrase, not something that a hacker or even the state would undertake.

How many random characters do you need for an 80 bit passphrase?

The answer depends on the range of characters you use: if you use just numbers (0-9), then you need 25; if you use numbers and a single case, e.g. small letters (0-9, a-z), then you need 16; if you use both cases with numbers (0-9, a-z, A-Z), you need 14; and if you use all the characters on the keyboard (e.g. =, +, ?, etc.), then only 13.
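The arithmetic behind the bits-of-entropy figures above and the character counts for an 80-bit passphrase, as an added example rather than the post's own calculation. Entropy is log2 of the number of equally likely possibilities, and independent characters add their bits together; the size of "all the characters on the keyboard" is taken as 95 printable ASCII characters, which is an assumption.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character ranges discussed in the post, as counts of distinct characters.
RANGES = {
    "numbers only": 10,
    "numbers + lowercase": 36,
    "numbers + both cases": 62,
    "all keyboard characters": 95,  # assumption: printable ASCII
}

def bits_for_choices(n):
    """Entropy of one uniformly random choice among n possibilities."""
    return math.log2(n)

def passphrase_bits(length, range_size):
    """Independent random characters: log2(range_size) bits each, added up."""
    return length * math.log2(range_size)

def chars_needed(target_bits, range_size):
    """Smallest length whose entropy reaches target_bits for this range."""
    return math.ceil(target_bits / math.log2(range_size))

def years_to_search(bits, guesses_per_second):
    """Years to try every permutation at the given rate; on average an
    attacker succeeds after searching about half the space."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

def table_for(target_bits=80):
    """Characters needed for each range, in the order the post lists them."""
    return {name: chars_needed(target_bits, size) for name, size in RANGES.items()}

if __name__ == "__main__":
    for name, n in table_for().items():
        print(f"{name}: {n} characters for 80 bits")
    bits16 = passphrase_bits(16, 36)
    print(f"16 lowercase alphanumerics: {bits16:.1f} bits, "
          f"{years_to_search(bits16, 350e9):,.0f} years to search at 350 billion/s")
```

At 350 billion guesses a second the full 16-character space takes roughly 720 000 years, so the post's 400 000 years is the average-case figure (about half the space).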

What is most convenient for you is a matter of choice, but I believe that using a single case alphanumeric passphrase is the most effective because a 16 character passphrase is manageable, and it is not worth making it shorter by two or three characters if the cost is having to use the shift key repeatedly and having to search the keyboard for special characters.

Is it certain that an 80 bit password is sufficient?

Well, it is, unless two things happen. First, computers become a lot more powerful than they are at present. And second, your adversary is willing to spend a great deal of computer power and time (that is, months and years) on cracking your passphrase. So what can you do to make your passphrase stronger still?

First you can make the single case alphanumeric password longer by throwing more dice. Twenty-five characters takes you over the 128 bits, which is claimed to be an ideal. Second, adding an unusual word affix to the start of your passphrase adds around 10 bits of entropy. And/or you can add a few special characters in the password. Don’t add letters because you might make dictionary words which will lessen the entropy.

But when you enter the territory of 80 bits plus, your weakest link is not likely to be your passphrase any more.
