spm-BMP_PRODUCT_BIGMay we suggest a New Year’s Resolution for 2014: I’ll start using a password management program so that I am not always using the same password just because it’s the only one I can remember.

Hardly anywhere else is there such a disconnect between knowledge and behavior as with the topic of passwords. Every internet user has them, and everyone knows that secure passwords are
important — yet hardly anyone really takes proper precautions with them.

For most internet users, a password is only an obstacle to the actual goal. Passwords protect e-mails, payment data for online shopping, access to Facebook and much more.

Despite this, many people choose very simple passwords like 123, or they use the same password multiple times. In the best case, two or three different passwords are used.
Even users who lock their doors or take advice from police about how to protect themselves from break-ins abandon their healthy sense of secuity consciousness as soon as they sit down at a
computer.  Why is this?

One reason for this poor “password hygiene” is that the dangers of insecure passwords are not sufficiently known; “I have nothing to hide” is the prevailing attitude.

Laudably, online banking is perhaps the one exception where appropriate security measures are taken. But: it is the banks that set security standards so high, by sending TAN lists without which transactions cannot be completed. Additionally, one increasingly sees “two factor authentification”, which means nothing more than that a second level of protection has been added.

For example, upon entering the password at login, one receives a numeric code sent to one’s mobile. These are measures taken by the providers, because passwords alone are not enough protection — largely because so many people use the same passwords multiple times.

The Risk of Password Recycling

So, why is it so dangerous to “recycle” passwords? Let’s suppose you use the same password for PayPal and Adobe Cloud. We are using this example because Adobe Cloud fell victim to data theft in 2013, as a result of which e-mail addresses and user passwords went missing. As you can see, even well-respected providers are not immune to hacker attacks. The data bank in which your password and mail address are saved together (a combinations also known as “credentials”) can be downloaded on the relevant pages with minimal effort. Meaning: your password is floating freely through the internet. The next step is simple: a hacker only needs to keep trying out your credentials with the major web services; if you use your password in multiple places, it will be found somewhere.

Mentally go through the list of sites and services in which you register. Think about Dropbox, Facebook, Google Mail, your insurance policies, Amazon, iCloud, train services, perhaps your own blog, travel agencies, PayPal, dating sites, your Microsoft ID, Spotify, Skype, LinkedIn — the list goes on and on. In the case of PayPal, a hacker — with your credentials — can now order things in any online shop that accepts this method of payment.

Of course vendors try to detect and prevent such fraudulent practices before damage is done. For example, the Facebook Login Alarm goes off when a user who has just logged in from tge USA tries a few seconds later to log in from Germany with the same access data. Using the IP address that is transmitted as the sender of every data exchange, Facebook can detect from approximately where a data package has come. Since nobody can change countries so quickly, Facebook flags such login attempts as potentially fraudulent and requires the entry of more data to authorize the login.

For this reason, it is important not to use the same password again and again. Even if one considers a particular service to be benign in relation to the data obtainable, we cannot recommend using a password multiple times. Something that one considers unimportant now can become critical later, and suddenly one has entrusted sensitive information to a seemingly harmless vendor. Just think of the ubiquitous synchronization of services with address books. Modern routers often function as simple telephone systems or as base stations for cordless phones. These routers can cull the Google address book in order to display telephone numbers. One does not want to imagine what could happen if the router at home is not protected with a good password. Many providers also „talk“ with each other nowadays over program interfaces — so called APIs. Through these APIs, Facebook or Twitter are often used as authorization services. Simply put: it is virtually impossible to know which ways your data travel. For this reason, varied and good passwords are a must.

The Myth of the „Safe“ Password

What is a good password? The decades-long enduring requirement is that it should look something like A3jNk$1d — in other words, it should not be a word out of the dictionary and should contain numbers, symbols and upper- and lower-case letters. But this is only partially right. In order to determine what a good password is, one needs to know how many variations of passwords are even possible by the respective providers. For example, a provider that only allows passwords containing numbers makes it easier for hackers—not more difficult, as presumed. In this case, they can eliminate anything without numbers when running through passwords.

For simplicity, we will consider in this blog passwords for authorization (such as with Facebook) and passwords that are used as keys for encryption (such as with Steganos Safe) together.

The cartoonist Randall Munoe, known for his math cartoons on xkcd, demonstrates that passwords created from simple English words are better to remember and are more secure than complicated chains of characters like A3jNk$1d. However, his calculation has a flaw that makes the chain of characters harder to see than they need to be. What is the flaw?

The more variation the password creation process allows, the better it is. This is called entropy, and the higher it is, the more variations possible. Thus, a word out of the standard German vocabulary that includes around 75,000 words has an entropy of 17 bits. In other words, one needs a maximum of 75,000 attempts to „guess“–the 17 bits are just a more concise representation of otherwise very large numbers. If one chooses a single word from the entire German vocabulary, he will come to a selection of a half a million different terms, which corresponds to an entropy of 19 bits. There may not seem to be a large difference between 17 and 19 bits, but that is deceptive.

Supposing one wanted to crack a password with 17 bits through random attempts and has a program that runs through 1,000 different passwords per second (which is not unrealistic), he would be finished in just over two minutes ( 217 / 1.000 = 131 seconds). With an entropy of 19 bits, one would need almost 9 minutes, with 20 bits over 17 hours.

9 Minutes or 714 Centuries

Critics now argue that a password that consists only of a German word has a very low entropy and that one would be better off choosing a meaningless string of characters with letters, symbols and numbers, such as the abovementioned A3jNk$1d. But is this really the case? A password that consists of three real words from German vocabulary strung together (for example carbooksausage) has an entropy of around 51 bits, whereas a password like A3jNk$1d has an entropy of only 49 bits. Surprisingly, the easier-to-remember password in this case is also the better one. In both cases, however, we are dealing with dimensions in which the data to be protected are likely to have lost their sensitivity; 49 bits corresponds to 178 centuries of attempts, 51 bits to 714 centuries.

Now, one must of course put these enormous numbers into perspective. It cannot be ruled out that under certain circumstances not only can 1,000 different passwords be tried per second but maybe also 10,000 or even 100,000 (when, for example, it’s not a slower web service to be cracked but rather a locally present piece of encrypted data). Even with 100,000 attacks per second, we are still talking about a search time of 714 years. For very important data, one could connect several computers in a row and let them search in parallel. We don’t know exactly what resources the NSA has at its disposal, but if one such intelligence agency left 1,000 computers to crack our 51-bit password, then it could bring down the time to under one year; with 10,000 computers, one would already be in workable dimensions.

This is also the reason why 51 bits is simply not enough for really sensitive data. In Steganos Safe, a 384-bit long key has been used ever since the revelation of the Snowden leaks. With this, the number of variations exceeds the unfathomable 3,940 novemdecillions; this is the name for a 115-digit number.

Let’s go back to the xkcd. Munroe tries to demonstrate that the complicated string of characters Tr0ub4dor&3 is a worse password than the easier-to-remember correct horse battery staple. Tr0ub4dor&3 is a variation of the already unusual and misspelled english word “troubador”. Then he replaces an “o” with a “0” and an “a” with a “4” and adds two additional characters. The result is a seemingly random word, but only seemingly. Because his password is based on an already-existent English word, his entropy is only 28 bits. No wonder that the much longer password with the horse ranked better, with an entropy of 44 bits. If one were to really randomly select a password with upper- and lower-case letters, numbers and symbols, one would create an 11-digit password with an entropy of a significantly higher 68 bits.

Reliable Password Manager as Solution

Because it is almost impossible to remember such numbers of passwords, the use of a password manager is recommended. These programs encrypt and save your passwords; you need only remember a single password—namely the one for your password list (sometimes also referred to as the “keychain”). The password manager enters your passwords automatically when a website requires them. This is not only convenient but also increases your security since the password manager creates good, long and complex passwords that you needn’t remember because they are entered automatically.

The Steganos Password Manager allows the automatic creation of really secure passwords, and displays their entropy so one has an idea how safe they really are. The selection of a password manager should be done carefully, as you are after all entrusting the key to your sensitive data to this program. Respectable vendors encrypt and save your passwords on your computer and only transfer this data to a cloud server if you have expressed the wish to do so.

Even then, data should only be saved to the cloud if it has been encrypted and is thus not visible to the cloud provider. This is the case with Steganos Password Manager.

Tips for Secure Passwords

    • Long passwords are better than short ones because they have a longer entropy, even if they are created from real words
    • It is only worth using numbers and symbols to increase entropy when the password is short
    • Passwords should never be used over and over, even with seemingly harmless services
    • Ideally, one should use a password manager which encrypts and saves the passwords locally on your computer
    • The password manager should generate passwords itself — that way, one does not have to wrack one’s brain and gets significantly better passwords
    • Passwords for your e-mail provider and payment services like PayPal should be changed at least every three months; this also applies to cloud providers like Dropbox or iCloud

Even if we have by far not covered every aspect of password protection, we hope to have given you some insight into and understanding of this complex topic. Please post any questions in the comments section, and have a great and secure start to the year 2014!