How to create and remember strong passwords

Wednesday, April 3, 2024

In one of our previous Anti-virus Times issues, we talked about password managers — special utilities designed to make working with passwords simple and, most important, secure. The article also mentioned the disadvantages of these programs—the main one being the risk of a master password getting compromised and potential vulnerabilities being present in a particular product. And yet, password managers are a working solution, especially for those who use multiple systems and services that require authorization.

Even now, in the era of biometrics, two-factor authentication, tokens and other modern technologies, passwords remain one of the basic means of protecting information from unauthorized access. Likewise, the problems associated with weak, non-unique or unreliably stored passwords are not going away. Often, users either use the same password to access many different systems or write down or store secret words in plain text; or they use extremely simple combinations that are easy to figure out or guess. In a worst-case scenario, both can happen. And that's because strong passwords are very inconvenient to remember. For many users, the desire to save time and mental energy is more important than being vigilant, and attackers around the world exploit this for their benefit. In our article about password managers, we also specified the requirements for a strong password. We recommend that you read it to get a better understanding of the problem.

In today's article, we will talk about the ways you can improve how you work with passwords without relying on third-party programs. Code words will most likely be protecting our data in the digital space for a long time — which means that it will be very useful to know how to use them correctly. After all, a good password should increase one’s security and not become a weak link.

Start with an analysis

When developing your own password policy, you should be prepared for the fact that passwords for the most important systems you need to access will have to be unique and sufficiently reliable, and you will need to keep them memorized. But, you should start by analyzing the services you use when working at your computer and on the Internet, and group them according to the level of importance. To do this, it is enough to ask yourself the question: which accounts would harm me the most if they were to be compromised?

So, the most important systems include banking and financial services, email, cloud storage, and systems that store a large amount of your personal data. In addition, it is worth mentioning systems that implement a single sign-on technology—i.e., when one password is used to access all of that space’s services. Access to all these resources must be protected not only with a password but also, at the very least, with two-factor authentication. And the passwords themselves should meet the security requirements that we have already mentioned. Finally, we do not recommend saving the passwords used to access these systems in your browsers.

In second place, you can put services that are tentatively of an average level of importance. These can be systems that contain a portion of your personal data or certain information that allows you to identify yourself. Or anything else that also seems significant to you. Everything is very individual and depends on your need to maintain your privacy. If any of these systems allows you to enable two-factor authentication, it is better to do that. It is also advisable to use strong and unique passwords. But, even if you use, for example, different variations of the same password, they should not overlap with the passwords used for your important services. The fact is that any password can be compromised on a website. And from there, it is likely to get into all sorts of databases of "leaked" code words and put the rest of your accounts that have a similar password at risk.

Finally, the systems that are least important to you can be relegated to the third group. These can be, for example, forums that you do not plan to use constantly, thematic sites or entertainment resources. In this case, the number of passwords that you will need to remember may exceed a comfortable limit. Therefore, for convenience, you can save such passwords in your browsers or come up with a set of easy-to-remember code words, but with the proviso that they are not also associated with the passwords used for your more important systems.

Generating strong passwords. Passphrases

Now that we have determined the criticality of the protected data and assessed the risks, we can go directly to the problem of remembering complex passwords. The main characteristics that determine a password’s resistance to cracking or guessing are its length and its alphabet — the set of characters that a combination can consist of. That is why authorization systems often ask you to come up with passwords that are not only long but also mix upper and lower case and contain special characters. Also, a password consisting of random characters is considered to be stronger due to its unpredictability and its absence from the dictionaries that attackers use for cracking passwords.

What is a passphrase? It is a password consisting of an arbitrary sequence of words. For example, iliketodrinkteabutiprefercoffee. Passphrases are more predictable than random strings, but this disadvantage can be compensated for by length. Our example consists only of lowercase characters, and it is quite strong since it consists of 31 characters. But the most important advantage is that it is easy to remember. In real life, many verification systems will not accept such a password, but if you add uppercase letters, a number and special characters, you will get a working version and keep things convenient for yourself. Again, this is just an example, and you should not use it in practice.

Passphrases are easy to remember, but they must be long enough, as well as atypical — that is, you should come up with them yourself. Proverbs, sayings and famous proverbial phrases in variations of all kinds are probably in hacking dictionaries and in attacker databases.

Another important point: individual words from the passphrase should not be directly related to the user or their personality so as to avoid having a password cracked during a targeted attack. You can use meaningless combinations; the main thing is that you can easily remember them. Finally, avoid the temptation to use the same passphrase as the password for all your accounts, even if it is long and strong enough.
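The trade-off between alphabet, length and predictability described in this section can be put into numbers. The following is an added example, not part of the original article: it scores the article's sample passphrase under a per-character model and a per-word model. The word-list size of 7776 and all function names are assumptions made for illustration.

```python
import math
import string

# Character classes a typical sign-up form distinguishes (printable ASCII only).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    if not password:
        raise ValueError("empty password")
    unknown = [c for c in password if not any(c in cls for cls in CLASSES)]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def charset_bits(password):
    """log2(alphabet ** length): holds only if every character is random."""
    return len(password) * math.log2(alphabet_size(password))

def wordlist_bits(word_count, wordlist_size):
    """log2(wordlist_size ** word_count): words drawn at random from a list."""
    return word_count * math.log2(wordlist_size)

def conservative_bits(password, word_count, wordlist_size):
    """Use the lower estimate: a guesser works at whichever level is cheaper."""
    return min(charset_bits(password), wordlist_bits(word_count, wordlist_size))

# The article's example passphrase, split into words for the word-level model.
PAGE_WORDS = "i like to drink tea but i prefer coffee".split()
PAGE_PASSPHRASE = "".join(PAGE_WORDS)
ASSUMED_WORDLIST = 7776  # assumption: size of a five-dice word list (6 ** 5)

if __name__ == "__main__":
    print(len(PAGE_PASSPHRASE), "characters,", len(PAGE_WORDS), "words")
    print(f"character model: {charset_bits(PAGE_PASSPHRASE):.1f} bits")
    print(f"word model:      {wordlist_bits(len(PAGE_WORDS), ASSUMED_WORDLIST):.1f} bits")
    # A sentence the user composes is more predictable than random words,
    # so even the word model is an upper bound for this particular phrase.
    print(f"conservative:    "
          f"{conservative_bits(PAGE_PASSPHRASE, len(PAGE_WORDS), ASSUMED_WORDLIST):.1f} bits")
```

The gap between the two figures is the "predictability" cost of a passphrase; extra words close it faster than extra character classes do.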

Generating strong passwords. Mnemonic passwords

You can learn how to generate and remember strong passwords consisting of random characters using mnemonic techniques, i.e., associations. The idea is to remember not the password itself as an abstract set of symbols, but an association or image for subsequently recovering it in your memory. There are many different ways to do this: for example, you can generate a password using the first letters of a phrase and then replace certain letters with symbols. Ultimately, when sufficiently transformed, the resulting password looks like a random set of characters, is quite strong, and, at the same time, is relatively easy to remember.

We're going to talk about a generation method in which, to recover a password, you need to remember one word and an algorithm, that is, the rules for constructing a code word from it. The rules must be unique and set by the user. Let's start with an example of a password generated this way: "4Am2CDadd!!c@sh#".

The rules for generating this password are based on a knowledge of musical chords coupled with associations. The word you need to remember is the name of a song or the name of a singer. The user, knowing their own personal algorithm, picks a song they know very well to be the association that goes with the password. Next, the user goes through the following procedure to recover the password from memory:

  1. 4 – the number of letters in the song’s title.
  2. Am – the first chord of the song.
  3. 2 – the duration of the first chord in fractions of a beat.
  4. C – the second chord.
  5. Dadd!! – the third chord, whose name contains numbers that have been replaced with the corresponding special characters.
  6. c@sh – the singer’s last name, in which one letter is replaced with the corresponding special character.
  7. # – the closing symbol, used instead of the number 3, which indicates the number of chords in the verse of the song.

The formula seems difficult to reproduce, but for the user who came up with it, it is clear, and the procedure for reconstructing the password is quite fast.

However, this method also has disadvantages. The first is the fact that a certain algorithm is present, and it can potentially become known to an attacker. However, to identify it, an attacker has to compromise multiple passwords to reveal the connection between them, and also know the search word. The probability of getting both factors simultaneously is in reality very small. The second disadvantage is that well-known words and simple rules are being used. Therefore, the best choice is to develop an algorithm that includes some special knowledge and atypical associations.
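The seven rules listed above, written out as code so that the derivation can be checked against the article's sample password. This is an added example, not part of the original article; the function names, the Shift+digit symbol mapping, the chord spelling "Dadd11" and the placeholder title "Tune" are assumptions.

```python
import string

# Assumption: "corresponding special characters" means the US-keyboard
# Shift+digit symbols (1 -> !, 3 -> #); the article does not spell this out.
SHIFTED = dict(zip("1234567890", "!@#$%^&*()"))

def shift_digits(text):
    """Replace every digit with the symbol that shares its key."""
    return "".join(SHIFTED.get(ch, ch) for ch in text)

def derive_password(title, chords, first_chord_beats, surname, swap=("a", "@")):
    """Apply the article's seven rules to the facts remembered about one song."""
    if len(chords) < 3:
        raise ValueError("the rules use the first three chords")
    old, new = swap
    surname = surname.lower()
    if old not in surname:
        raise ValueError(f"surname has no {old!r} to replace")
    return "".join([
        str(sum(ch.isalpha() for ch in title)),  # 1. letters in the title
        chords[0],                               # 2. first chord
        str(first_chord_beats),                  # 3. duration of the first chord
        chords[1],                               # 4. second chord
        shift_digits(chords[2]),                 # 5. third chord, digits -> symbols
        surname.replace(old, new, 1),            # 6. surname, one letter swapped
        shift_digits(str(len(chords))),          # 7. chord count as a symbol
    ])

def classes_used(password):
    """Name the character classes present, as a sign-up form would check them."""
    classes = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
               "digit": string.digits, "symbol": string.punctuation}
    return {name for name, chars in classes.items()
            if any(ch in chars for ch in password)}

# Constructed inputs: the article names neither the song nor the exact chord,
# so "Tune" stands in for any four-letter title and "Dadd11" is assumed.
EXAMPLE = derive_password("Tune", ["Am", "C", "Dadd11"], 2, "Cash")

if __name__ == "__main__":
    print(EXAMPLE, sorted(classes_used(EXAMPLE)))
    # The rules are deterministic: once they are known, the song is the only secret.
    print(derive_password("Ballad", ["G", "Em", "Csus2"], 4, "Marley"))
```

Because the output depends only on the rules and the song, the first disadvantage named above applies directly: the strength of the scheme rests on keeping both private.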

We’ve already mentioned the fact that passwords for important services should be unique. In this case, it may be tempting to use the name of the service itself or the corresponding association as the search word. We recommend that you never do that since binding such things together greatly increases the risk of a password getting cracked. But how then can users match the word and the resource for which a password is created? Using a fairly complex generation algorithm, users can store the "service-word" pair in plain text or, for example, in secure notes on their phone. For example, the combinations: "cash-bank" and "pepper-email" are uninformative for outsiders, but at the same time, they will give clear information to the user.

The Anti-virus Times recommends

  1. Always be aware of the problem of weak passwords and, if possible, evaluate your current password policy. If you are familiar with the situations described above, we recommend that you start using password managers or one of the methods for remembering strong combinations.
  2. Do not neglect the rules of information hygiene and use two-factor authentication to protect your accounts.
  3. Beware of intruders’ tricks, including very common, but still effective, phishing scams. Often, users themselves disclose their passwords and codes to attackers.
  4. Practice generating passwords before using them daily. This will reduce the risk of forgetting the password you created at the most inopportune moment.
  5. Use a reliable, comprehensive anti-virus that not only protects against malware and spyware, but also protects against phishing and fraudulent sites.
