Information Security

Password Security – Primer

Passwords have always been one of the weakest links in information security. Good passwords are hard to generate and remember. Added to that it’s not good practice to use the same password for multiple sites. So one has to use completely random, reasonably long, password that contains upper and lowercase letters, numbers and special characters (phew). As if all this is not enough, several sites – like those of financial institutions – require you to change your password regularly.

All this can make it very difficult to generate, remember and maintain passwords and store passwords in a secure fashion. In this article, let’s tackle the problems with passwords one after the other.

Hopefully, I’ll cover everything that needs to be covered. If I’ve left off something, kindly point it out and I’ll edit the article to fix it as quickly as possible

Generating Passwords

Passwords need to be reasonably long and complex. By this, I mean it should be infeasible to brute force a password by trying out all possible combinations of alphabets, numbers and special symbols in any reasonable time span. Also, passwords need to be sufficiently random to be resilient against dictionary attacks. It goes without saying that you shouldn’t use phrases that are related to you like your birth-year or the name of your pet.

XKCD #936
Password Strength by XKCD #936

To generate random pronounceable passwords on my Linux machine, I use a program called apg like so:

$ apg

Please enter some random data (only first 16 are significant)
(eg. your old password):>
ivDeufVeyt2 (iv-Deuf-Veyt-TWO)
EkKocIn4 (Ek-Koc-In-FOUR)
priWawEj2 (pri-Waw-Ej-TWO)
FoytjiUd1Ot (Foyt-ji-Ud-ONE-Ot)
CevTelUdtem2 (Cev-Tel-Ud-tem-TWO)
IlmASloth6 (Ilm-A-Sloth-SIX)

apg is really good at generating pronounceable passwords. You can use the -M switch to choose what characters must be present in your password. Here’s how I generate passwords that contain symbols, capital letters and numbers that are at a minimum 24 characters long:

$ apg -m 24 -s -M CNSL

Please enter some random data (only first 16 are significant)
(eg. your old password):>
arcUnnar2ovoshUchisUkOd)
Dyfrejfi,blioslodPajBev7
wawnUloiskomnurj*Teehyt1
PridWas3otagCidtachdyif@
WedchewhegIgEtyig2Frilk@
TynRifunVeltevReoj~wruj3

Pick one of these for your system passwords. Don’t whine about typing these in during SSH sessions because you really shouldn’t be using password-based logins via SSH. Use SSH keys instead.

Another neat way of generating passwords is diceware that lets you generate long, easy to remember pass-phrases: http://world.std.com/~reinhold/diceware.html

Remembering passwords (and securing)

Our brains are not designed for remembering arbitrary, long, complex strings. We only remember what is absolutely necessary and our brain actively erases memories that it thinks are to be purged (http://www.iflscience.com/brain/scientists-discover-process-regulates-forgetting). So we need to use a tool that can securely store our passwords and we secure the tool itself with one giant master password.

Simple, use a password manager.
Simple, use a password manager.

I have two tools to discuss in this regard, one is KeePassX and the other is ccrypt. KeePassX is a multi-platform graphical tool that lets us store and organize passwords in an encrypted database. You can install it using your systems package manager from the repositories or use the official installer files at https://www.keepassx.org/.

Using KeePassX – (OpSec)

Step 0: If you haven’t already, install KeePassX (duh)
Step 1: Select a file to be used as a key. This could be a photo or any random file. One way is to create a file containing a hash of a passphrase. Something like this:

$ echo "Darth Vader was a good guy" | sha256sum > grumpy.kitteh
$ cat grumpy.kitteh
c1338b1f64c634afbea0ffda3c7d01410e60b5930e3514fff487de64c6def439  -

or

$ echo "Darth Vader was a good guy" | sha256sum | hexdump > grumpy.kitteh
$ cat grumpy.kitteh
0000000 3163 3333 6238 6631 3436 3663 3433 6661
0000010 6562 3061 6666 6164 6333 6437 3130 3134
0000020 6530 3036 3562 3339 6530 3533 3431 6666
0000030 3466 3738 6564 3436 3663 6564 3466 3933
0000040 2020 0a2d                              
0000044

There are other, more secure ways of creating a key like dd (highly recommended) since they don’t rely on phrases containing “Darth Vader” or meaningful shit like that.

$ dd if=/dev/urandom of=./grumpy.kitteh bs=512 count=10

Pick filenames that are completely boring. A file named KEEPASS.KEY or SECRET.KEY would only speak badly about your sense of security. grumpy.kitteh is bad too, btw.

Now that you have a file, let’s move on.

Step 3: Open KeePassX and hit Ctrl+N for a new database. Under Password, type a secure password like this (or better, use diceware): OgVuzHyeHod3knetmajErrocIcAcKud]. Do not forget this.

Select Key File and give the path to the key file you generated. Then hit OK.

Setting a pass-phrase and key
Setting a pass-phrase and key

Step 4: Select File –> Database Settings and select an algorithm of preference from the drop-down for encrypting your database with. Both Rijndael and Twofish are very secure, time-tested algorithms with no demonstrated attacks. I personally prefer Twofish (successor to Bruce Schneier’s Blowfish) since it makes brute-forcing very expensive and slow. But that’s me.

Step 5: We need to increase the count for the number of rounds (the number of times the algorithm scrambles the original string) for the algorithm so that it takes around one second to decrypt the database. Simply click on the clock symbol to the right of Encryption Rounds and the number of rounds for the algorithm to take one second to decrypt the DB will automatically be calculated for your system.

AES ROUNDS TWOFISH ROUNDSThis makes cracking the encryption by brute force infeasible.

Note: As the database grows, decryption gets slower and slower. Sometimes as slow as three seconds or even more. You can live with it.

Step 6: Save the database by hitting Ctrl+S. Again, give a nondescript, non-interesting name for the database. Like feeblesound.kdb. The kdb part kinda gives it away that it’s a KeePassX database. So you can leave that out if you choose to.

Step 7: Go to Extras –> Settings. Then choose Security on the left selection pane.

Set clipboard expiry
Set clipboard expiry

Choose a conveniently small number of seconds for the clipboard to be wiped. So once you copy a password, you have to paste it within 15 seconds of copying in the above example. The database will be locked after 30 seconds of inactivity and you will have to supply the master password again to unlock it. This is good operational security when using KeePassX. Save the database again (CTRL+S)

You can use Extras –> Password generator to generate secure long passwords.

Generating Secure Passwords
Generating Secure Passwords

Using KeePassX – (General)

Let us now create a password for Facebook and use it.

Step 1: Under Groups, select a group. Then press CTRL+Y or Entries –> Add New Entry
Step 2: Give an identifier title and supply the user-name
Step 3: Click on Gen button to generate a password. In the password generator window, adjust the length (32 characters minimum recommended) and the character groups allowed, then click Generate button. Then click OK.

The little eye button displays your password in plain-text if you want to verify it.

Step 4: Click OK then save the DB.

Let us now use the credentials on Facebook.

Step 1: Open Facebook login page while KeePassX is open.
Step 2: Click on the correct password entry. Click CTRL+B to copy the user-name or CTRL+C to copy the password
Step 3: Paste the copied entity into the appropriate input box and login.

More advanced usage like browser auto-fill are also available. Refer the documentation. Also refer: https://ssd.eff.org/en/module/how-use-keepassx

But, but I use a headless server…?

So you might be using a headless server with no GUI or X running. How do you manage your passwords there? You keep encrypt them with symmetric key algorithms, of course!

Encrypt all the things!
Encrypt all the things!

We are going to use AES 256 bit encryption to encrypt passwords in a text file using the ccrypt utility for headless nodes.

Using ccrypt to encrypt a password text file:

Step 1: Put all your passwords in a text file on an air-gapped machine.

$ cat gooby.txt

Facebook | robertdjr | wyabbacvipabKakk)QuaidIpsIjVivab9
Google   | robejr334 | ReenMatyincutbetjewujbyg-Gryawg7
Mail     | robbiej88 | dasOwapGhoGropwityinIjyayk1oksh@

Step 2: Install ccrypt apt-get install ccrypt or similar
Step 3: Encrypt your password database text file using ccrypt. Use a strong encryption key (duh).

$ ccencrypt gooby.txt
Enter encryption key: 
Enter encryption key: (repeat)

You will be left with a file that has cpt extension. This is your encrypted data file.

$ file gooby.txt.cpt
gooby.txt.cpt: data

Step 4: To decrypt use, ccdecrypt command which will leave you with the text file again.

$ ccdecrypt gooby.txt.cpt
Enter decryption key:

But you don’t have to decrypt the whole file and encrypt it each time. You can use the ccat command to just show the decrypted contents of the DB without decrypting the file for good. You can even grep through this to find what you want.

$ ccat gooby.txt.cpt | grep Google
Enter decryption key: 
Google   | robejr334 | ReenMatyincutbetjewujbyg-Gryawg7

You can choose whatever text format is suitable for your scripting needs if you want to automatically copy passwords to the clipboard without using a mouse.

Note: Beware of the special symbols in the password that might be messing up with your script like pipe, ampersand and parantheses.

So, there you have it. Basic password management. Let us know your questions, comments and feedback in the comment section. Ciao!

Advertisements

3 thoughts on “Password Security – Primer

    1. That would not be a very wise idea. Since there are dictionaries available for most languages with a written form. An adversary with enough resources will find it relatively easy to crack passwords using dictionaries of languages that you might know for example. It’s easy to find out peoples heritage and ancestry on the Internet these days. =)

      1. That is indeed true. Once upon a time my Twitter account was hacked although the password contained a phrase in Old Turkish: “QizilQara”.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s