
Security Think Tank: Use pass phrases and 2FA to beef up access control

In light of the fact complex passwords are not as strong as most people think, and that most password strategies inevitably lead to people following them blindly, what actually makes a good password – and when is a password alone not enough?

In 2015 the National Cyber Security Centre (NCSC, then National Technical Authority for Information Assurance – CESG) issued password guidance that recommended moving away from complex passwords.

It was based on the research of users’ actual password strategies and the problems caused by complex passwords. However, three years later, the mandating of complex passwords is still common practice, with the risks of this approach seemingly unrecognised, or even ignored.

Any password strategy needs to ensure that there is a degree of entropy in the “code” (i.e. numerous combinations), making it difficult to guess or to brute-force by trying every possible combination.

The premise is that an eight-character password will be randomly created from a set of 26 lowercase characters, 26 uppercase characters, 10 numbers and around 32 special characters. This gives a total of 94 character possibilities, making over six quadrillion (6x10^15) combinations. Unfortunately, the reality is people don’t create random passwords.

When talking to users, I find that when asked to create an eight-character complex password that they can remember, the vast majority will start with a dictionary word, while some will even use the name of someone in their family.

They will then probably capitalise the first letter, because this is the natural thing to do, with a special character and a number added to the end. Typically, people use something that makes sense to them – 1%, or @2. When asked to regularly change a password, users often simply increment the number! While this is anecdotal, so not scientifically tested, the approach is frighteningly common.

Attackers are aware of this and will prioritise their search algorithms to focus efforts on these techniques. If we say a dictionary word is used, we can assume that this gives no more than 20,000 combinations as that is the number of words typically available to a native English speaker.


The capitalisation of the first letter adds nothing, because it is predictable. The special character and number at the end are drawn from a limited set of 32 characters and 10 numbers, or vice-versa. This reduces the options to 640 combinations. As a result, there are only about 12.8 million possible passwords, not the six quadrillion expected. This calculation confirms complex passwords are often half a billion times easier to crack than previously assumed.

It must also be remembered that attackers will exploit any popular strategy by adjusting their approach. When cracking passwords, they will first search for the most common passwords (handily these are regularly published on the web). Simple dictionary words, names and other common strategies, such as substituting numbers and special characters for letters in a word e.g. P@55w0rd, are then targeted. The result is that most passwords, based on the combinations discussed, will be cracked in fractions of a second.

If you must rely on passwords, the key principle is that they should be created at random from a large number of possible combinations without the predictability described above. However, people are not good with randomness, so increasing entropy by using more characters is usually a better option than trying to create short random character strings, which are unlikely to be remembered and so may be written down.

One approach is to use three unconnected words. This, in theory, can give eight trillion combinations, but only if one cannot be guessed from another. Another is to use a passphrase. This gives a much longer password, so increasing the number of possibilities. Don’t assume common short words add much except making it easier to remember, but including uncommon place names and foreign words should help, as this increases the attacker’s search space.

An example (which, now that it is published, should never be used) is “There is a farmers market in Abergavenny on Tuesdays”. I would only count the four main words here and while there is some connection between “farmers”, “market”, “Abergavenny” and “Tuesdays”, this still gives a strong password. However, because there are language dependencies between the words (i.e. it makes sense), it is difficult to calculate the entropy of a pass phrase, but there are probably at least a trillion pass phrases based on a minimum of four main words.

Calculating password strength

Calculating the entropy or strength of a password is not easy, because of the human element, but generally longer is safer. Also, while there are many “password strength testers” available on the net, they give varied and often inaccurate results dependent on the algorithm used.

As an illustration, while one identifies P@55w0rd as being crackable in less than 0.01 seconds, another says it would take a week while a third scored it as “very strong”. The only thing the three agreed on is that pass phrases were strong.
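The arithmetic earlier in this article, and the reason strength testers disagree, can be seen by running a character-set estimator and a pattern-aware estimator over the same passwords. This is an added example, not part of the original article; the sample wordlist, the substitution map and the function names are constructed for illustration.

```python
import math
import string

# Figures from the article
CHARSET = 26 + 26 + 10 + 32        # 94 possible characters
DICTIONARY_SIZE = 20_000           # words known to a native English speaker
SUFFIXES = 32 * 10 * 2             # special+digit or digit+special = 640

# Constructed stand-in for a real dictionary (assumption)
SAMPLE_WORDS = {"password", "monkey", "dragon", "summer", "london"}
# Constructed, non-exhaustive map of substitutions like those in P@55w0rd
LEET = str.maketrans({"@": "a", "5": "s", "0": "o", "1": "l", "3": "e", "$": "s"})


def naive_space(pw):
    """Combinations if every character were random: 94 ** length."""
    return CHARSET ** len(pw)


def pattern_space(pw):
    """Combinations under the article's model, or None if no pattern fits."""
    # Dictionary word with predictable substitutions and capitalisation,
    # both counted as adding nothing (simplifying assumption).
    if pw.lower().translate(LEET) in SAMPLE_WORDS:
        return DICTIONARY_SIZE
    # Dictionary word followed by special+digit or digit+special.
    stem, tail = pw[:-2], pw[-2:]
    if stem.lower() in SAMPLE_WORDS:
        a, b = tail
        if (a in string.punctuation and b.isdigit()) or (
            a.isdigit() and b in string.punctuation
        ):
            return DICTIONARY_SIZE * SUFFIXES
    return None


def effective_bits(pw):
    """Entropy in bits, using the pattern estimate whenever one applies."""
    return round(math.log2(pattern_space(pw) or naive_space(pw)), 1)


def passphrase_space(n_words, vocab=DICTIONARY_SIZE):
    """Combinations for n independently chosen words."""
    return vocab ** n_words


if __name__ == "__main__":
    for pw in ("Summer@2", "P@55w0rd", "x7#Qp!2z"):
        print(pw, naive_space(pw), pattern_space(pw), effective_bits(pw))
    print("three unconnected words:", passphrase_space(3))
```

A tester that only implements `naive_space` rates all three sample passwords identically, which is how a password that follows a known pattern can be scored as strong.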

Whatever strategy is used, there will always be occasions when poor passwords will be chosen, passwords will be written down, or typing overseen. When robust protection is required, it’s foolhardy to rely solely on a human generated password.

This applies to admin access to any domain server, file server holding sensitive data, or any other business-critical system. Similarly, where users, suppliers, or partners have remote access into systems, passwords alone are not enough, as remote access VPNs typically bypass the internet firewall and other monitoring, giving users access to the system as though they are directly connected to the internal network.

In all these situations, two-factor authentication should be employed, so that a physical token as well as the password is required to access the system.
