Friday, July 21, 2017

Remembering Your Password Can Put You at Risk – How to do One Time Passwords for the Non-Geeky

A long time ago an engineer invented a technology for computers called PCMCIA. To the best of my knowledge PCMCIA stands for People Can’t Memorize Computer Industry Acronyms. Yeah, people also can’t remember 15 good passwords for 15 different sites under the rules they have to follow today. You have to use upper and lower case letters, numbers, and special characters, when all you really need to be safe is a few randomly chosen words (a passphrase).

Here is an example of a passphrase: boat plane dog cat fish. That passphrase can be memorized in a short amount of time, although a real sentence such as “I would sure like a ham sandwich!” is easier still. Both are better passwords than the “1Xrv24%/&4Zb” most people end up with, and they are far easier to remember. The reason is arithmetic. Strength is the number of possibilities an attacker has to try, and every added word or character multiplies that number. Past a certain length a string of plain words has a bigger search space than a short string of mixed symbols, and the words are the ones you will still remember next month. The one rule is that the words have to be picked at random, or be a sentence nobody else would write; a line from a song or a rhyme is in every cracking wordlist.

So why won’t your system administrator let you stop using numbers and special characters? Tradition. Back when passwords were limited to 8 or 12 characters, mixing in digits and symbols made a huge difference, because the length was capped and the size of the alphabet was the only thing you could grow. It still matters at sites that still cap you at a short password. The rules have a cost, though: forced to add a digit and a symbol, most people produce Password1! and its cousins, which are the first things a cracker tries.

I have some good news. There is a growing shift in perspective on the subject. NIST’s 2017 digital identity guidelines (SP 800-63B) drop the composition rules and the forced periodic changes, tell sites to allow long passphrases, and instead have them check a new password against lists of passwords that have already turned up in breaches. Under those rules you don’t have to change your password very often, if at all, and passphrases are encouraged.

I still have a problem with passphrases, though: remembering which of my 15 passphrases goes with which site. You still need a different password or passphrase at every site you visit. I could use something like “dog cat rabbit squirrel facebook” and know that one is for Facebook, but if someone gets that password they have also got “dog cat rabbit squirrel gmail” and “dog cat rabbit squirrel linkedin.” A site name tacked onto a shared stem is the same password everywhere.

Your bank has a great solution for bad passwords that rarely or never change: one-time passwords (OTPs). You probably call them verification codes. You get a text or an email with a few digits, type them in and forget them. 123321 can be a perfectly good password if it is accepted exactly once and only for the next couple of minutes, and if the attacker still has to get past your regular password as well; the bank’s code is a second factor on top of the password, not a replacement for it. The bank has the systems and the staff to make that work, and you don’t. What do you do? Simple: you make your own one-time passwords, because for you it is free and easy.

Before I proceed I need to make a brief safety announcement.


Now that we have that out of the way, let’s do it. Go to a website and create an account, or reset the password on an account you already have. Open Notepad and bang away on the keyboard like a chimpanzee. I am serious. Hit keys completely at random for 2 or 3 seconds until you have something like f43wejao;argnhol;vh;oweiuowfgrfikonarhgjo3245garfgnfr42. Don’t think about which keys you hit, just hit a bunch of them. Forty characters is more than enough; 30 is fine too. You are going to use this password once, by copying and pasting it, so you never have to type it again. If you need to log in to that site later, well, that’s what password resets are for. Two housekeeping notes. The chimpanzee method can produce tabs and Enter presses; a few sites accept a tab, but a newline won’t work anywhere, so delete both. And once you have pasted the password into the form, close Notepad without saving and copy something harmless, so the password isn’t left sitting in a file or on the clipboard.
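If you would rather let the computer do the mashing, here is an added example (mine, not from the original post) that does what the paragraph above describes: it generates a throwaway password of 30 or more characters from the operating system’s random number generator, and it strips the tabs and newlines out of a string you mashed into Notepad yourself. The 30-character floor and the character set are assumptions taken from the advice above; some sites reject certain punctuation, in which case drop the symbols and add a few more characters instead, since the length is what carries the strength.

```python
import secrets
import string

# Characters a pasted password can safely contain: letters, digits and
# punctuation.  Whitespace is left out on purpose, because a tab or newline
# from keyboard mashing breaks most login forms.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption: the floor recommended in the post above.
MINIMUM_LENGTH = 30


def throwaway_password(length=40):
    """Return a random single-use password of the given length.

    secrets.choice draws from the OS cryptographic random source, so every
    position is uniformly random.  Keyboard mashing is not: hands drift to
    the home row and alternate sides, so mashed text carries fewer bits per
    character than its length suggests.  At 30 to 40 characters either is
    far beyond any cracking effort; this version simply has no such bias.
    """
    if length < MINIMUM_LENGTH:
        raise ValueError(f"use at least {MINIMUM_LENGTH} characters, not {length}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def clean_mashed(text):
    """Drop tabs, newlines and anything else outside ALPHABET.

    Run this over a string pasted from Notepad if you prefer to mash keys
    rather than call throwaway_password().
    """
    return "".join(ch for ch in text if ch in ALPHABET)


def is_usable(password, minimum=MINIMUM_LENGTH):
    """True if the password is long enough and contains no whitespace."""
    return len(password) >= minimum and all(ch in ALPHABET for ch in password)


if __name__ == "__main__":
    pw = throwaway_password()
    print(pw)                     # paste this into the signup or reset form once
    # Constructed sample of what mashing produces, tab and newline included.
    mashed = "f43wejao;argn\tholvh;oweiu\nowfgrfikonarhgjo3245"
    cleaned = clean_mashed(mashed)
    print(cleaned, is_usable(cleaned))
```

Nothing here is saved anywhere: the password exists in the process and on your clipboard for as long as it takes to paste it, which is all the lifetime it needs.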

This is my reset password philosophy:
 “Reset password” is not there to help you if you forget your password, it is there to encourage you not to remember your password in the first place!
Let me repeat that.
Goto This is my reset password philosophy
Sorry, the goto thing is geek humor.

Before we get to the “I don’t want to reset my password every time I log in” objection, give me a few sentences.

Unlike the bank’s verification code, these OTPs stay valid until you or the site replaces them, and that is still safe. The site keeps the password you set (a hash of it, if they do it right), and a 30- or 40-character random string is so far beyond what a cracking rig can search that one of three things will happen before anyone guesses it.

1) The website is gone. The company changed it or went out of business. Whatever.
2) You log in again. The reset gives the site a fresh random password and restarts the clock.
3) You die. You will not care about that password, forever. It’s not your problem.
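The arithmetic behind the passphrase comparison earlier and behind the three outcomes above, as an added example rather than anything from the original post. The word-list size (7,776 words, the size of the Diceware list), the 95 printable ASCII characters, and a guess rate of a trillion per second are assumptions chosen to be generous to the attacker; a trillion per second is the territory of a serious offline attack on a fast hash. The results are worth seeing: five random words land a little below twelve truly random characters, six words roughly match them, seven pull ahead, and a 40-character random string is out of reach by dozens of orders of magnitude. What the numbers leave out is that nobody picks twelve uniformly random characters by hand and remembers them, while five random words are something you can memorize.

```python
import math

# Assumptions for illustration (see the lead-in above).
WORDLIST_SIZE = 7776          # Diceware-sized list of words
PRINTABLE_ASCII = 95          # letters, digits and punctuation
GUESSES_PER_SECOND = 1e12     # fast offline attack against a weak hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits(symbols, alphabet_size):
    """Entropy in bits of `symbols` independent uniform choices from `alphabet_size`."""
    return symbols * math.log2(alphabet_size)


def years_to_crack(entropy_bits, rate=GUESSES_PER_SECOND):
    """Expected years to hit the password: on average half the space is searched."""
    return (2.0 ** entropy_bits) / 2 / rate / SECONDS_PER_YEAR


def compare(candidates):
    """Map each (label, symbols, alphabet_size) to (bits, years_to_crack)."""
    results = {}
    for label, symbols, alphabet_size in candidates:
        b = bits(symbols, alphabet_size)
        results[label] = (b, years_to_crack(b))
    return results


if __name__ == "__main__":
    table = compare([
        ("5 random words (boat plane dog cat fish)", 5, WORDLIST_SIZE),
        ("6 random words", 6, WORDLIST_SIZE),
        ("7 random words", 7, WORDLIST_SIZE),
        ("12 random characters (1Xrv24%/&4Zb)", 12, PRINTABLE_ASCII),
        ("40 random characters (throwaway)", 40, PRINTABLE_ASCII),
        ("75 random characters", 75, PRINTABLE_ASCII),
    ])
    for label, (b, years) in table.items():
        print(f"{label:45s} {b:6.1f} bits   ~{years:.3g} years")
```

The guess rate is the knob that matters: against a site that hashes with bcrypt or Argon2 the attacker manages thousands of guesses a second, not a trillion, and every row in the table gets about nine orders of magnitude safer. Pick your password as if the site used the fast hash, because you have no way of knowing.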

Now to the complaint that it is a hassle to reset the password every time you log into a site. You are right. I use this method for sites I rarely visit; it isn’t worth remembering another password when an occasional reset really isn’t a big deal. I don’t do it for my email account, even though it would be super secure, and you shouldn’t either: every one of those reset links lands in your inbox, so your email account is the one that has to be protected the old-fashioned way, with a long password kept in a password manager and a second factor turned on.

For sites I use a lot, I use a password manager. Why would I use the chimpanzee password reset method if I have a password manager? I do not want to clutter up my password manager. If I sign up for a mailing list and then only log in once a year, I don’t need yet another entry in my password manager. If you use fewer than a dozen sites, clutter isn’t a problem for you. I sign up for webinars and all kinds of things that I wish I didn’t need a password for. My password manager has too much stuff in it now because I didn’t think of what I just taught you until after it was cluttered. I’m getting rid of many passwords now; I’ll just reset them if I ever need them again.

For the sites I do visit more frequently I use a password manager because it allows me to use very long, complex and unique passwords for each site, and they last a lifetime if the site doesn’t make me change them. I’ll get to data breaches momentarily.

Companies spend a lot of money to set up OTP systems because they can add a lot of security. You can do the same thing for free.

An important instruction for safe password manager use and then a note about data breaches.

The most critical part about using a password manager is having an extremely great, fantastic, stupendously wonderful password. The password manager holds a lot of eggs in one basket. I would recommend a passphrase that is very long. Let me show you.

My dog ate all of my books and bit my teacher.

This is an awesome password. A person I knew at Microsoft reputedly used a 75 character password. That is well beyond insanely long. It can be very easy to remember, but it’s a lot to type for me.

I can remember “Mary had a little lamb, little lamb, little lamb. Mary had a little lamb, its fleece was white as snow.” I’m just not going to type it in. The commas and the period add a little strength, but not enough to rescue a rhyme that every cracking wordlist already contains, which brings me to the next point.

It really is best to make up your own sentence rather than a well-known one.

Now for the data breaches. Sometimes a company does something wrong, really wrong, and your password is compromised. Whether you have to change it depends on the account. If it is an email account, a social networking account, or anything else you care about, change it right away, and if you ever used that same password anywhere else, change it there too. There are a few cases where it doesn’t matter at all (a mailing-list login you would have reset anyway), but pretend I didn’t say that… just change it.

Randy Abrams
Independent Security Analyst

1 comment:

  1. I too use this technique! A built-in OTP, and I think it can also protect from interrogation -- whether the government or terrorists (criminals), plausible deniability, you don't even know your password!