The deal about passwords

In August 2017, the National Institute of Standards and Technology (NIST) issued new recommendations on passwords that received significant play in the popular press.

The core of the reportage focused on two points:
• Scheduled change of a password should not be enforced.
• Passwords do not need to be complex if they are long.

That means you can use a password like “Now is the time for all good folk to come to the aid of their party.” instead of “Kk*Uw#eAsk ”. And you don’t have to change it ever.

But removing strict requirements does not mean you have to stop using them. The good practices you’ve already been following are still good.

Is a memorable phrase still memorable when you have a dozen of them for a dozen different sites? And is it really easier to enter 60 letters and spaces perfectly with your thumbs four or five times a day than 8-12 random characters?

Background

We must remember that NIST writes standards for government agencies. If organizations outside the government find their standards useful (such as the amount of coffee in a pound), they are free to adopt them. But NIST password recommendations apply primarily to large organizations whose users log into a small number of services with unique identities.

In reality, most consumers of this news need passwords primarily in the course of business, research, commerce, or social networking on the internet. In a family there may be some sites (such as mail accounts) where every member has their own identity and others (such as a magazine subscription) where they all share a logon. For an active family, the number of identities could add up to hundreds.

Still the best recommendations

The old security rules still apply:
1.    Identify whether a site needs high security or low security.
2.    Identify whether a site’s password needs to be memorable or can be looked up in a secured list as needed. There may be other special needs depending on the use.
3.    Use a unique password for every site that deserves any security.
4.    Every high security password needs high entropy.
5.    Humans are very poor at creating good randomization.
6.    The best practice is to use a well rated password manager.

The “Technology Interpreted”

The popular press, for the most part, are getting it right … as far as they go.

• Requiring ordinary users to change their password every 180 or 90 – or even 60! – days has always been a boneheaded policy. These may be often-used passwords that the users must remember. In that case, the new password is frequently a derivative of past passwords easily deduced from social engineering.

• Choosing a memorable sentence instead of complexity is merely trading the method to achieve the same level of entropy.

There’s that word again: “entropy.” In the context of stealing a password, the assumption is that the only way to crack a logon is by brute force. This is the measure that is given in the discussion of password haystacks (https://www.grc.com/haystack.htm). That is, try every possible combination of passwords from “a ”, “b ”, to “z ”, and then “aa ”, etc.

In fact, a brute force password crack starts with “123456 ”, “password ”, “12345678 ”, etc. It continues through a dictionary of words, sorted by their frequency of use from previous cracks. As the new guidelines and examples come into use, you can be sure the dictionaries will add combinations of words and common phrases to the list. Soon, “now is the time for all good men to come to the aid of their country ” will be in the test right after “monkey ”.

What we really need in passwords

Effective use of a password depends on who’s using it and the effort to enter it. A skilled typist on a full keyboard could enter a 15-word passphrase in 10 seconds. On a phone that same phrase could take excruciating minutes with every character and capitalization another opportunity for error. Worse, in most cases, characters are blacked out so there’s no way to discover and edit errors.

Some logons require a memorable password while others only need to be available for a look up. You want the code to abort the bomb on the tip of your thoughts. But you can trust your video device to remember your streaming account and only reenter the password when the power blinks.

It is critical that every high-value site have a unique, strong password. Ideally, low-value sites should also be unique. The reason not to share passwords is because sites have been known to be sloppy about protecting your password. If a blogging site loses its database and hackers see that John.Doe@doe.com has the password 1qaz2wsx (the #15 most common password for 2015 – where’d that come from?); they might also try those credentials at banks and stores.

Two-factor authentication is a system where you enter a second, one-time credential in addition to or in lieu of a password. The most common form of second factor is for a website to send a code to a previously verified text, email, or voice account. You then enter the code to proceed. If you choose to use two-factor regularly, the least secure method is to receive an SMS message on your phone. The best method is with a time-based system such as Google Authenticator.

Final recommendations

• Short or long, choose a password that is appropriate to what you’re protecting.
• Never reuse a password you’re actively using elsewhere.
• If you hear that a site has been hacked or otherwise think a password has been compromised – change it now.
• Use a well-rated password manager and take advantage of all its features.

There are more notes on this topic. Download the document at:
https://zaitech.com/downloads/TheDealAboutPasswords_notes.pdf

---------

. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at https://zaitech.com/satellite/contacts.htm.
(cc) 2017- Bill Barnes - Disclaimer - Home Page -

"Your connection is not secure"

A user asks …

« From time to time I update my notebook, Windows 10, with the usual Windows random updates and some others like Firefox and now I seem to be locked out of accessing most of my favorite sites by Firefox. I can get to them through Internet Explorer and Edge, but I don’t know how to move my favorites file over to either of those two browsers. Anyway, I want to correct my Firefox if I can. I have attached a print screen file to show you what I am getting. »

--- Techy alert – How we know a connection is secure ---

First, some background. More and more websites are available with https secure connections. This is good. At its most basic level it prevents anyone (such as your ISP or the government) between you and the website from seeing what you send out (a search on a touchy topic) or getting back (the newest unreleased tune or TV episode). This is desirable because it protects the privacy of good people as well as bad. It’s even better because when you’re communicating with financial, shopping, medical, legal, and other sites; the enhanced version of https verifies not only that no one can eavesdrop on your conversation, but that the owner of the website is who they claim to be.

Some browsers have announced that they will soon flag any non-https website as potentially risky. They also will scare you if some component, such as a picture, of a truly secure site is not delivered by https. This is a nuisance for many websites, such as my blog, that are not dealing in money matters or confidential information. Fortunately most servers are now able to install basic https with no cost and minimal skill.

When you connect to an https site, you receive a certificate from the site that is validated by a Certificate Authority. If the CA is not built in to your browser from when the browser was installed, you will get a message that the certificate is not recognized. The certificate also has to match specifics to the web page and have appropriate valid dates. For example, if the certificate is issued to website.com and you browsed to www.website.com, it may not be accepted. Similarly, if it expired yesterday, it may be appropriate but not valid.

Certificates also could be counterfeited, giving you confidence in your session while it’s being managed by a Man In The Middle. The MITM would typically involve malicious action starting at the first connection between you and the internet. For example, an ISP, a business, or a bogus “free WiFi” connection could be reading your session while the lock on your screen is for their own certificate. Protect against this potential privacy leakage by checking the certificate fingerprint you get against a known unspoofable fingerprint from GRC at https://www.grc.com/fingerprints.htm.

--- end Techy Alert – Back to your question ---

Funny thing about that. Welcome to nanny computing. Software from Windows to Notepad to my new car all want to tell you what to do and protect you from skinning your knees. Of course, the first thing they’re going to do is put squirrel guards up so you can’t climb any trees.

I had no problems getting into the website with Firefox 54.0.1 (32-bit) by typing the exact address you had. I also got to their secure (https) homepage by typing website.com in the address bar and hitting Enter. Try starting from that point and working your way to the signin screen. You may need to re-save your bookmark to the screen before signin because for many sites that is not a real web destination, but created on-the-fly for your environment.

By the way, if you click Advanced on the blocked page, you may be able to see why Firefox thinks this site is not good and decide to override their restriction. You want to override only if it shows a trivial error. I consider “trivial” to be something like a recently expired certificate if you trusted it previously or a slightly different domain name such as connecting to www.website.com and the cert is for website.com. Do not trust it if you’re looking for website.com and the cert is for a different extension like website.cn!

You can also double-check the cert fingerprint to protect from a Man In The Middle. Go to https://www.grc.com/fingerprints.htm and enter the exact address between “https://” and the next “/”. Read the details on the page to learn how to find the fingerprint from your session. Sadly Edge does not have an interface to show details of the certificate. Microsoft’s “solution” is to view the cert with Internet Explorer on the same computer. (Opera and Google Chrome use the same certificate store as Edge/IE so, if they say it’s OK, it’s OK in Edge.)

1a) All browsers have some means to export and import bookmarks (favorites), and possibly history and cookies, to and from a file. When you first install them, most browsers will also grab bookmarks directly from another browser in the same session without your needing to export them. Check your browser’s Help pages or your favorite search engine for instructions (always start at the publisher’s site before you go to third-party advisors).

However, most browser settings are user specific. If you’re moving to another computer or a different user on the same computer, you will have to go through the export to file process. Some browsers will sync their settings to other devices – if you’re willing to give a lot of personal information to the publisher.

1b)    While you’re playing with your browsers’ settings, go on and look through the privacy settings. In particular, enable Do Not Track (many browsers leave it off by default) and disable 3rd party cookies and allowing your browser to save passwords. Tracking and 3rd party cookies are just cowardly ways for browsers and websites to make money off you. Browsers have historically poor control over protecting stored passwords. Instead, opt to use a recommended password manager such as LastPass or PasswordSafe.

Open links:
Fingerprint    https://www.grc.com/fingerprints.htm
Me    https://technologyinterpreter.info
Last Pass    https://s.zaitech.com/SignupForLastPass
PasswordSafe    https://pwsafe.org/

---------

. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at https://zaitech.com/satellite/contacts.htm.
(cc) 2017- Bill Barnes - Disclaimer - Home Page - Blogs Home