The Password Trap: When People become the Risk Factor

The question today is no longer if, but when, a cyber attack will take place. Today, companies have to deal with the question of how to identify threats at an early stage and counter attacks with resilience. Along with technical measures and process adjustments, employees are the key factor in the defence strategy.

If they are not at all, or not sufficiently, prepared in this area, they become the first and easiest gateway for targeted and highly specialised attacks on the company. Intensive education and training of employees is therefore an essential part of a comprehensive security strategy.

An effective measure that employees can take to strengthen the information security in the company is the simple one of using sophisticated passwords. This is because the greatest human-induced vulnerability – apart from phishing mails and social engineering – is caused by the repeated use of passwords.

Although many experts have talked for years about the abolition of passwords, they are still very popular among developers and users: understandable to everyone, comparatively easy to implement, portable and changeable at any time. So let us assume that passwords will not be replaced all that quickly.

This article presents a way to remember an unlimited number of passwords in one's head, passwords that are both unique and complex. Click here for the video series:

Part I: Authentication
Part II: The essence of a good password
Part III: Step-by-step to a secure password

One at a time: Why should passwords never be reused under any circumstances?

If one and the same password is used on different platforms or in different systems, an attacker who steals passwords will have an "open door" to all sorts of services such as banking and finance, mail accounts or social media. But does that really happen? Yes! There are already billions of passwords in circulation today. Over 550 million passwords are stored in just one single public directory.

The actual number of stolen passwords is probably many times higher. Getting a password without permission is easy and financially, it's very attractive: by recording the data traffic in a network, by malicious software, by reading passwords from slips of paper and insecure notes (e.g. during TV recordings), by manual guessing of insecure passwords, by systematic trial and error (brute force), by reading while it is being typed (known as shoulder surfing), by insecure storage and various forms of social engineering.

Password managers are of limited help.

The often preached credo that everyone should make a point of not reusing their passwords can be conveniently implemented in practice by using password managers. But watch out! That kind of password management software puts all your eggs in one basket, and that can end badly: if the application does not secure the passwords sufficiently, all passwords are suddenly exposed to a high risk.

In addition, password managers do not help against the use of short or easy to guess passwords. And finally, passwords have to be accessible from all your own devices (laptop, tablet, smartphone) in order to really provide meaningful added value. In this case, the passwords usually end up in the cloud – ideally encrypted, but much more exposed.

So what are you to do if you don't want to trust a password manager? What if synchronised password managers are not allowed on the corporate network? This article presents a way to remember an unlimited number of passwords in one's head, passwords that are both unique and complex.

But first let's take a step back: simple and short combinations increase the risk

Although it should be clear to most people today that easy-to-crack passwords ought no longer to be used, the 2018 study conducted by SplashData shows that the combinations "123456" and "password" still rank first and second in the list of the most frequently used passwords. Even simple key combinations such as "qwerty" or "admin" are at the top of the users' list – a real treat for hackers. The often-seen advice to generate passwords derived from the first letters of a mnemonic such as "My grandma likes to eat cake on Sunday" offers a way to increase the difficulty of password combinations, but it solves only part of the problem: namely that of complexity, but not the issues of reuse and the danger of dictionary attacks.

In addition, there is nothing to beat the length of a password. Why?

The search space for hackers must be kept as large as possible. Suppose our passwords consist of upper and lower case letters (26 + 26 characters), special characters (33 characters) and numbers (10 characters). There are then 95 possible symbols for each position. With a password length of 8, the result is 95^8 = 6.7 x 10^15 different possibilities. The search space for systematically testing all passwords therefore consists of a number with 16 digits.

On modern systems, a password with 8 positions can be systematically cracked in just over a minute. If you use 9 positions instead, it takes 95 times longer, or about two hours. With 10 positions it is one week, with 11 it is almost 2 years. And with 12 positions, the number rises to almost two centuries. Passwords with 12 positions are therefore very well protected against brute force attacks – as long as the search space is not artificially limited by first names, cities or other terms that are in dictionaries, and it is not reused on different platforms.

The essence of a good password

To sum up: to keep the level of protection against data theft as high as possible, three basic principles must be observed when dealing with passwords: The password should contain at least 12 characters, be difficult to guess, i.e. should not allow any personal or general conclusions to be drawn (see list of the worst passwords), and be individual for each platform. So how can many different, and at the same time secure, passwords be generated without having to write them down? Here is a step-by-step guide:

1) Choose a strong and impersonal master password

The first step should be to generate a secure master password that has no direct and obvious relationship to the user (such as name, place of residence, date of birth, etc.). For this purpose, the character-string method mentioned at the beginning is suitable. The character-string is derived from a mnemonic, a quotation, a passage from a favourite book, a song text, etc. This makes the master password arbitrary, impersonal and memorable. To make sure that the final password has 12 characters, the master password should be derived from a long sentence.

Instead of abbreviating a sentence, you could also use the full sentence itself as the master password. In this case the sentence should be a short one, so that you can still enter it in a reasonable time on mobile devices. The following example is based on a quirky German sentence meaning roughly "The safest time to use a hair dryer in the bathroom is during a power failure". Taking the initial letters of the words in that sentence gives the master password shown below. For your password, you should choose a sentence that you will never forget, but will be difficult for a hacker to guess. You could perhaps capitalise all the nouns in your sentence to produce a mixture of upper and lower case letters.

BSidGgmdFzb

To increase the strength of the password, you should add at least one special character, e.g. an exclamation mark:

BSidGg!mdFzb

2) Create variations of the master password

The second step is to modify the master password for the individual services and platforms. The concept here is very simple: In the master password, arbitrary but fixed positions are supplemented with different letters and numbers, which vary depending on the platform.

Step 1: For example, we could always add a number after the 2nd position, creating a new 3rd position, the number being derived from the length of the name of the respective service. For LinkedIn this would be an 8, because "LinkedIn" consists of eight characters; for Google and Zühlke it would be a 6. The modifications can be varied depending on the level of difficulty required. For example, the number can additionally be multiplied by any fixed factor, or have any fixed number added to it. Assuming we add the number 3, the following intermediate passwords result:

LinkedIn: BS11idGg!mdFzb
Google: BS9idGg!mdFzb
Zühlke: BS9idGg!mdFzb

Step 2: The character at the x-th position of the intermediate password is replaced by a freely selectable but fixed symbol. For example, "x" for the position is the number of consonants in the name of the platform for which the password is being generated, multiplied by 2. So for LinkedIn, x would be 10 because "LinkedIn" contains five consonants, for Google it would be 6, and for Zühlke it would be 8. The replacing symbol could be an "@", for example. So you would get:

LinkedIn: BS11idGg!@dFzb
Google: BS9id@g!mdFzb
Zühlke: BS9idGg@mdFzb

Here too, there are numerous possibilities for variation, for example the position could be shifted a few characters to the left or right. Other characters or even character sequences are also possible.

Step 3: The number of vowels in the name of the service is added to the last position of the password. The number 1 could be subtracted for greater security. For LinkedIn, the number 3-1=2 would be appended, because the word "LinkedIn" contains three vowels.

LinkedIn: BS11idGg!@dFzb2
Google: BS9id@g!mdFzb2
Zühlke: BS9idGg@mdFzb1

Depending on personal security needs, further steps of this kind can and should be added. It is important that the steps in the derivation process depend solely on the name of the service for which a password is to be generated. The more complex the rules and the more variation they introduce, the more secure the resulting passwords will be. The addition, multiplication or subtraction of numerical values can be omitted if we look not for the number of consonants or vowels, but for other creative characteristics such as the number of "round" letters (o, p, b, g, e) or for letters that come after a certain letter in the alphabet (after the letter "r", for example, come s, t, u, v, ...).

There are numerous possibilities here, which increase the individuality and therefore the security of the system. The derivation rules may be written down and kept in a safe place – but never together with the master password.

Conclusion

This method offers an elegant and streamlined way to create a wealth of unique passwords from which no inference can be drawn regarding either the master password or the platform. Even if the passwords look similar at first glance, they are not exactly the same. In contrast to identical passwords, similar passwords do not usually represent a problem in automated attacks. Even if an attacker sees two passwords derived by this method, he cannot deduce a valid password for a third service.

In addition, both the master password and the variations – should they ever be forgotten – can always be derived from the original sentence and the key, without the final passwords themselves having to be written down somewhere. Even though the procedure may seem complex at first glance, if it is used regularly the password derivation takes only a few seconds in the mind and is therefore just as fast as a password manager – only more secure.

As simple as the use of sophisticated passwords may seem in the context of the company's own information security, it lays the foundation for an effective cyber defence, in which employees play a central role. If the people in an organisation are sufficiently trained and prepared, they are no longer a risk factor, nor the weakest link in the chain of defence, but rather the best possible shield against cyber attacks.