blog | Cyber and Physical Security

Why You Should Always Roll the Dice

Today, our physical lives are so entwined with our online presence, a lack of digital security is a threat to everything important to us. That means our social lives, financial health, even our homes can be compromised due to careless passwords. Because a breach of our online security can be so devastating, utilizing a trusted strategy for your passwords is essential
Passwords are often our most direct connection to online security. The immense amount of work done by experts in the background, as well as the impact from a failure in those systems, often hangs on the strength of the end-user’s password.

Passwords are the near-universal means of preventing unauthorized access to services online and even sometimes offline. With connected homes and social media, online activity has an increasing impact on physical safety and security. The lasting effects of systems put in place to protect humans are the reason behind BranchPattern’s vision of improving life through a better built environment.

Although humans are widely diverse and unique, we think in linear, consistent patterns. Password creation is no exception to this predictable consistency. Because of this, the keys to our entire online life are predictable and guessable just because humans think in consistent ways.

The problem grows quickly if one password is used for many or all services. Though it is extremely difficult to hack Facebook, less-secure websites or even a lost wallet can reveal a password which allows access to your Facebook, email or even bank accounts.

Exposed passwords may not be your fault. Federal Agencies have exposed sensitive information through leaks and data breaches by no fault of the users. To mitigate this loss, it is critical to use a different password for every account.

The keys to our entire online life are predictable and guessable just because humans think in consistent ways.

Where do I start?

It is impractical to use unique passwords for sometimes dozens of online accounts but password managers, such as Encryptr or Bitwarden, offer a reliable solution. With a strong password manager, you only need to remember a handful of passwords for certain accounts, including the manager itself, and you can safely forget the others. This is especially convenient because it is good practice to change passwords on a regular basis in view of the eventuality of data leaks and breaches.

The term “strong password” usually comes up when we create a new account or change a password. But what exactly does that mean? The consistency of humans and development of technology has resulted in several popular methods for attacking passwords. The strength of a password reflects its resistance to these most common methods of attack.

“Dictionary” and “Hybrid” attacks are designed to attack common and predictable passwords and patterns. Passwords like “letmein”, “password1”, and “p@ssw0rd” are broken by these attacks in seconds. Less obvious passwords and the methods we use to add special characters usually follow our pattern of predictability and only slows these attacks to minutes or hours rather than seconds.

How do websites keep my password secure?

To know if we’ve entered the correct password when we sign in, websites and online services store an encrypted version of our password called a “hash”. A hash is the result of applying a complex algorithm to our password which is effectively impossible to reverse. When we sign in, the service applies the same algorithm to the password we entered and if the hash matches the hash on record it grants access.

These records of sometimes millions of usernames and passwords are valuable targets for hackers because they know many of those passwords will also work on other services. These captured files are what allow hackers to try so many passwords so quickly without manually typing or getting locked out.

These records of sometimes millions of usernames and passwords are valuable targets for hackers because they know many of those passwords will also work on other services.

How exactly are passwords compromised?

 

An attack method called a “Rainbow Table” was designed to discover hashed passwords. Rainbow Tables are created by running every word in Dictionary and Hybrid word lists through the same algorithms used by online services and storing the resulting hashes. A hacker only needs to search their Rainbow Table for a hash which matches a hash from their data breach and they have access to the account.

If these methods fail, the final attempt is often the “Brute Force” attack which tries every combination of numbers, upper and lower-case letters, and special characters until it finds a match. This method can crack any password but the time it takes to try every combination grows exponentially with the length of the password which is why long passwords are so important.

How do I make a strong password?

The solution to our human predictability is a password selection method called “Diceware” which relies on statistics, instead of human predictability, to create strong passwords. In addition to their strength against hackers, passwords created utilizing the “Diceware” method are easy to remember.

To generate a password, search online for a “Diceware word list” like this one. Then, find a six-sided die like you might use with a board game and roll the die five times. These five numbers correlate with the word list to give you the first word of your password. Roll five more times to arrive at the second word of your password. Each time you add a word to your password in this way, the strength increases exponentially.

The words provided by the list are common words that would be easily guessed by all four of the attack methods mentioned earlier so it is critical to select multiple words. If four words are selected, you have an easy to remember password, but a hacker has a 1 in 3,656,158,440,062,976 chance of guessing it even if they know it is four words and they have the exact list you used. Hybrid attacks are no more helpful, Rainbow Tables are unlikely to include hashes computed from your combination, and brute force attacks will grind away for thousands or even millions of years before they try every possible combination.

The key to this strength is randomness and the best way to arrive at random numbers for this purpose is a six-sided die. Do not use online generators or Excel because they use what are called pseudo-random number generators and are themselves mathematically predictable. For especially important accounts like the password manager, use a password at least five words in length. A password seven words long will be hard to crack even if you are directly targeted by large governments. This means your password will be secure for a long time to come, even as computers advance. Password managers are good for generating strong passwords that we don’t need to remember but it is wise to use the Diceware method for the password manager itself, your phone, and services like email.

You are the solution!

With Diceware, an appropriate, open-source password manager, and a deeper understanding of the online environment, you have made yourself a very difficult online target. Share with others you rely on or care about that passwords no longer need to be stressful or weak and help them browse online with educated confidence.

Remember, regardless of how serious you get with your password security, an often used and reused password risks you, your company and your community. Don’t be an easy target! Protect yourself.