AlertBoot Endpoint Security
Password Security: Are Passphrases More Secure Than Passwords?

The BYOD / Consumerization of IT trend means changes for the mobile workspace. But some things will stay the same for a while, like the need for mobile security tools such as AlertBoot, or the use of passwords. Could the latter be improved upon, for example by using a passphrase?

The usual rules for creating a strong password are:

  • Use a mix of characters (upper and lower case letters, numbers, and special characters)
  • Make it as long as possible
  • Make it as random as possible -- no words found in dictionaries, for example

The use of a passphrase means that you can easily use a mix of characters (at least upper and lower case when separating words, as in ThisIsMyPassphrase) and easily make it long.  A password like iiSNsin3@3NS9SniSnglen (22 characters) is hard to memorize; a phrase such as ItWasTheBestOfTimesItWasTheWorstOfTimes (39 characters) is not.

Dickens, Tolstoy, London, Baum

The problem with passphrases is that people tend to pick something that's popular ("How Charles Dickens Helped Crack Your LinkedIn Password") and easy to remember as a passphrase:

Young wrote a program that draws passphrase strings from books such as Tale of Two Cities, War and Peace, The Call of the Wild and The Land of Oz. The program takes words from those books and creates phrases and concatenations such as "lionsandtigersandbears" and "ihavebeenchangedforgood." Both generated hits in the LinkedIn hashes.

For the passage "Tip was made to carry wood from the forest" -- from The Land of Oz -- Young's program will try the hash for "Tip," then "Tipwas," then "Tipwasmade" and "Tipwasmadeto" and on. The program could also be configured to add numbers, symbols in further attempts to match a hash.

The use of popular phrases is, from a password-cracking point of view, no different from using dictionary words: both are readily available in electronic form. The protection afforded is nominal. Well, truth be told, it's more than nominal. But as computers get more powerful, simple, straightforward passphrases will lose their advantage over passwords.
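As an added example (not from the original post or from AlertBoot), here is the defender's counterpart to the program described above: a Python screen that builds the same running word concatenations from a corpus and rejects a proposed passphrase that matches one. The corpus text is a constructed sample and the function names are my own.

```python
import re
from itertools import islice

# Constructed sample corpus: the Land of Oz sentence quoted above plus the
# opening words of A Tale of Two Cities. A real deployment would load the
# full texts of popular books and well-known quotations instead.
SAMPLE_CORPUS = (
    "Tip was made to carry wood from the forest. "
    "It was the best of times, it was the worst of times."
)

def normalize(candidate: str) -> str:
    """Lower-case and strip everything but letters and digits, so that
    'ItWasTheBestOfTimes' and 'it-was-the-best-of-times' compare equal.
    Symbols are dropped wherever they sit, because the article notes the
    cracking program can be configured to add numbers and symbols too."""
    return re.sub(r"[^a-z0-9]", "", candidate.lower())

def prefix_concatenations(corpus: str, max_words: int = 12):
    """Yield the running concatenations the article describes: from each
    starting word, 'tip', 'tipwas', 'tipwasmade', ... up to max_words words."""
    words = [w.lower() for w in re.findall(r"[A-Za-z0-9]+", corpus)]
    for start in range(len(words)):
        acc = ""
        for w in islice(words, start, start + max_words):
            acc += w
            yield acc

def build_blocklist(corpus: str, max_words: int = 12, min_len: int = 8) -> set:
    """Collect every concatenation of at least min_len characters; shorter
    ones fail ordinary length rules anyway."""
    return {p for p in prefix_concatenations(corpus, max_words) if len(p) >= min_len}

def is_corpus_derived(candidate: str, blocklist: set) -> bool:
    """True if the candidate, once normalized, is a known book-derived phrase."""
    return normalize(candidate) in blocklist

if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_CORPUS)
    for pw in ("ItWasTheBestOfTimesItWasTheWorstOfTimes",
               "Tip-was-made-to!",
               "IchBinEinBerliner2IAmABerlinerAKAJellyDonut"):
        verdict = "reject" if is_corpus_derived(pw, blocklist) else "accept"
        print(f"{pw}: {verdict}")
```

The 39-character Dickens passphrase from the first section is rejected even though it passes every length rule, while the German-English hybrid is accepted because it appears in no corpus text.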

It Helps If You're Bilingual and Touch-Type

I realize that this is not a solution for everyone, but I know of some people who take advantage of their fluency in two languages to create something of a "perfect" password.

For example, first, they think of a phrase in Korean.  The Korean language has a unique script / writing system, and computer keyboards reflect this.  Then, they touch-type the phrase using a "normal" English / Western keyboard.  So, "my name is Sang" ends up as wpdlfmadmstkddlqslek, an easily reproducible password.
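As an added example that is not from the original post, this Python reproduces the keyboard trick: each Hangul syllable is decomposed into its jamo and mapped to the QWERTY keys of the standard Korean 2-set (Dubeolsik) layout, which makes plain that the password is a fixed function of the phrase and no stronger than the phrase is unguessable. The Korean phrase "제 이름은 상입니다" for "my name is Sang" is my assumption; it reproduces the string in the post.

```python
# Standard Korean 2-set (Dubeolsik) layout: the QWERTY key that types each
# jamo, listed in Unicode decomposition order for Hangul syllables (U+AC00..).
LEAD_KEYS = "r R s e E f a q Q t T d w W c z x v g".split()             # 19 initials
VOWEL_KEYS = "k o i O j p u P h hk ho hl y n nj np nl b m ml l".split()  # 21 medials
TAIL_KEYS = ["", "r", "R", "rt", "s", "sw", "sg", "e", "f", "fr", "fa", "fq",
             "ft", "fx", "fv", "fg", "a", "q", "qt", "t", "T", "d", "w", "c",
             "z", "x", "v", "g"]                                          # 28 finals

HANGUL_FIRST, HANGUL_LAST = 0xAC00, 0xD7A3

def syllable_to_keys(ch: str) -> str:
    """Split one precomposed Hangul syllable into initial, medial and final
    jamo by Unicode arithmetic and return the keys a touch-typist presses."""
    code = ord(ch) - HANGUL_FIRST
    lead, rest = divmod(code, 21 * 28)
    vowel, tail = divmod(rest, 28)
    return LEAD_KEYS[lead] + VOWEL_KEYS[vowel] + TAIL_KEYS[tail]

def korean_phrase_to_qwerty(phrase: str, keep_spaces: bool = False) -> str:
    """Type a Korean phrase on a Western keyboard with the Korean IME off.
    Spaces are dropped by default (as in the post's example); digits,
    punctuation and Latin letters pass through unchanged."""
    keys = []
    for ch in phrase:
        if HANGUL_FIRST <= ord(ch) <= HANGUL_LAST:
            keys.append(syllable_to_keys(ch))
        elif ch == " " and not keep_spaces:
            continue
        else:
            keys.append(ch)
    return "".join(keys)

if __name__ == "__main__":
    phrase = "제 이름은 상입니다"  # assumed Korean for "my name is Sang"
    print(korean_phrase_to_qwerty(phrase))              # wpdlfmadmstkddlqslek
    print(korean_phrase_to_qwerty("제 이름은 상#입니다"))  # symbol lands mid-word
```

A symbol typed in the middle of a word passes through unchanged, which is the placement the caveat later in this post recommends.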

Granted, this doesn't quite work if, say, you're bilingual in German and English: the keyboard layouts are virtually identical. But you could still use your linguistic fluency to create a pretty secure passphrase. For example:

  • IchBinEinBerliner2IAmABerlinerAKAJellyDonut
  • IchBinEinJellyDonutSaidJFKNotReallyItsAnUrbanLegend

Of course, now that the above have been published online, you should not use them as passphrases: they have probably ended up in a rainbow table somewhere.

A caveat on these passwords: what I pointed out about weak security when using passphrases "as is" still applies to the bilinguo-passphrases above. Always take the effort to sprinkle some special characters in odd places (that means somewhere other than where you would enter a space).

I've tried the above method, and it seems to work pretty well when creating a password for my laptop encryption.  The only problem presents itself when trying to use such a password on a device that gives you a virtual keyboard that you can't quite touch-type.


Related Articles and Sites:
http://www.computerworld.com/s/article/9227894/How_Charles_Dickens_helped_crack_your_LinkedIn_password


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.