
Friday, January 2, 2026

A New Year's Resolution About Passwords? Make Them A Lot Tougher




Since the advent of the Internet, security has been an afterthought. Passwords have been one of the most visible problems. Early on you could get away with 6- or 8-letter words that were easy to remember. As time passed, upper and lower case letters, numbers, special symbols, and punctuation marks were all added. Then mandatory password reset intervals were added. As a result, passwords became much more difficult to remember and use. If you had to log in at work, there might be a temporary delay as you were forced to come up with yet another new secure password and write it down somewhere.

Despite all these precautions, there are still people logging in with password, password123, Password123?, and so on. Secure passwords for many accounts are still seen as a nuisance. If you routinely check whether some of your logins are on the Dark Web, you will see that every time a business is hacked your account information is bought and sold there. In many cases those accounts are linked to email addresses that are no longer active. The businesses that were hacked are often no longer in business, or at least you no longer do business with them. If those accounts were used only to track your activity and have no associated financial information, there is probably less to be concerned about. That is, of course, unless you use the same password across multiple accounts.

Internet crime in the US is big business for sociopaths. In 2024 there were $16 billion in losses, and the rate of this crime was increasing at 33% per year. According to the Federal Trade Commission, the 65+ crowd may be defrauded of up to $80B per year, most of it unreported. There is an endless variety of ways that criminals can defraud people, including hacking your accounts by stealing your passwords, creating phony technical assistance web sites, imitating relatives and people you do business with, and creating false investment offers to get access to your account information. They can also place malware on your computer or phone that allows them to see all your account and login information. This essay will briefly focus on passwords.

The most basic consideration with passwords is how they are obtained. Can somebody trick you into using your password on a fake site imitating your financial institution or favorite internet site? The most common phishing emails I get are from people imitating security, financial, and antivirus companies, suggesting that my data has been compromised or that I owe them money and encouraging me to log in through a link they provide. According to a warning from Social Security, there are also fake sites asking for your SSA account information. If hackers know where you conduct business and they know your login, they can go to that site and attempt to find the password. The human factor is the weakest link in Internet security. Even though hacking tools have been automated so that criminals with less computer knowledge can use them, most of them would prefer that you just hand the information over.

In the case where password cracking is necessary, a common type of attack is a brute force attack, where hackers try every combination they can, often starting from stolen data. They can also use dictionary attacks or hashing attacks that try every possible combination of words or hashes. Hashes are basically one-way codes for passwords stored on the server that is being attacked; the attacker's guesses are matched against the stored code rather than against the exact password. Limited login attempts, Captchas, and external authentication can help prevent these attacks, but the best up-front protection is a good password.

How are passwords measured in terms of security? The current measure is Shannon entropy, although password guidance doesn't seem to use that term. Claude Shannon applied the Second Law of Thermodynamics to information theory back in 1948 and revolutionized the field (1). This innovation demonstrated that all forms of communication could be coded and statistically analyzed, and from there bandwidth, channel capacity, and efficient coding could be determined. I first read this paper in 1974 when I was studying thermodynamics in physical chemistry.


During the evolution of required passwords, complexity (upper case/lower case/numbers/special characters) was initially emphasized, but those passwords are easily cracked by brute force attacks using current technology. Password length is currently the most critical factor. Every additional bit of entropy doubles the amount of time it would take to crack a password, and each added character contributes several bits. The problem with length is that passwords rapidly get to the range where they are not only impossible to memorize but impossible to keep straight while entering them. What follows are a few examples of the arithmetic of password length and a way to simplify the process.

The basic calculation for password entropy involves two equations.

Based on character set and length:

E = L × log2(R)

where L = length of the password in characters and R = pool size of the character set used.

Based on dictionary size and passphrase length:

E = log2(W) × N

where W = number of words in your dictionary (usually 7,776) and N = number of words in your phrase.

Note: the 7,776 words here is the number of possible outcomes of rolling a six-sided die 5 times (6^5 = 7,776).


Doing a couple of examples:

Using a standard 95-character keyboard, let's say a site wants you to use a minimum of 8 characters with the standard upper and lower case, number, and special character requirement:

E = L × log2(95) = 8 × 6.56 = 52.48 bits

Extending the password length to 10 characters:

E = 10 × 6.56 = 65.6 bits

Using a 7,776-word dictionary and a 4-word passphrase:

E = log2(7,776) × 4 = 12.92 × 4 = 51.68 bits

Extending the phrase length to 8 words:

E = 12.92 × 8 = 103.36 bits

The general trends from these calculations are obvious. Larger character sets and/or longer passwords lead to greater Shannon entropy and password security. What may be less obvious is how adding even one more character to your password can greatly increase the time it takes to crack it. When the exponent is already large, each doubling of the time required can add decades or more to the time needed to crack it.

An example from the graphic occurs at the 133-bit calculation. 2^133 = 1.09 × 10^40 combinations. Assuming a computer that can make a quadrillion (10^15) guesses per second, dividing the number of guesses required by that rate and then converting seconds to years yields a total of about 172.5 quadrillion years.
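The two entropy formulas and the crack-time estimate above, worked through in code. This is an added example, not part of the original post; the page's 52.48 and 51.68-bit figures use log2(95) and log2(7,776) rounded to 6.56 and 12.92, so the exact values here come out a fraction of a bit higher, and the 172.5 quadrillion-year figure corresponds to an attacker who, on average, finds the password halfway through the 2^133 space. The dice-roll helper mirrors the five-dice lookup that a 7,776-word list uses.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year; matches the page's figure


def charset_entropy_bits(length: int, pool_size: int) -> float:
    """E = L x log2(R): bits of entropy for `length` characters drawn
    uniformly at random from a pool of `pool_size` symbols."""
    return length * math.log2(pool_size)


def passphrase_entropy_bits(words: int, dictionary_size: int = 7776) -> float:
    """E = log2(W) x N: bits for N words drawn uniformly from a W-word list.
    7,776 = 6**5, one list entry per outcome of five six-sided dice."""
    return words * math.log2(dictionary_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e15,
                   average: bool = True) -> float:
    """Years to search a 2**bits space at the given guess rate.
    average=True assumes success halfway through on average (2**(bits-1)
    guesses, the assumption behind the page's 172.5 quadrillion years);
    average=False is the exhaustive worst case, twice as long."""
    guesses = 2.0 ** (bits - 1 if average else bits)
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def roll_diceware_index(dice: int = 5, sides: int = 6) -> str:
    """Roll `dice` fair dice with the OS CSPRNG and return the roll as a
    string such as '31456', the lookup key into a dice-generated word list.
    Each roll selects one of 6**5 = 7,776 words, i.e. ~12.9 bits."""
    return "".join(str(secrets.randbelow(sides) + 1) for _ in range(dice))


if __name__ == "__main__":
    print(f"8 chars, 95-symbol pool:   {charset_entropy_bits(8, 95):6.2f} bits")
    print(f"10 chars, 95-symbol pool:  {charset_entropy_bits(10, 95):6.2f} bits")
    print(f"4 words, 7,776-word list:  {passphrase_entropy_bits(4):6.2f} bits")
    print(f"8 words, 7,776-word list:  {passphrase_entropy_bits(8):6.2f} bits")
    avg = years_to_crack(133) / 1e15
    worst = years_to_crack(133, average=False) / 1e15
    print(f"133 bits at 1e15 guesses/s: {avg:.1f} quadrillion years on average,"
          f" {worst:.1f} exhaustive")
    print("Example five-dice roll for a word lookup:", roll_diceware_index())
```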

That is an impressive amount of security, but it also highlights some of the unspoken aspects of security recommendations. It all comes down to available technology. In the above example, there are very few machines capable of making that number of guesses per second. Over time, as the technology improves and gets less expensive, more powerful processors will be able to crack passwords with more combinations. Many federal agencies suggest that 133-bit encryption is all that is needed in the foreseeable future, but when quantum computing comes online that recommendation may be a thing of the past. To protect yourself, you need to use the ideal passwords, eliminate human mistakes, and be aware of what the technology is doing.

I decided to present this basic information on encryption primarily because I see the destabilization of financial systems as a significant future risk. Banks and financial institutions are likely to tell you “we have the top experts on it.”  If you carefully read the boilerplate you must sign off on every year – it is not clear that you are protected in every case. If you are like me and make suggestions like blocking all wire transfers or requesting that withdrawals are made only in person with ID and biometrics you might be disappointed.  

For those reasons and the fact that I am not an Internet security expert by any means – I am encouraging everyone who reads this to do their own research and become their own expert. When any company requires that you open an account with a username and password, think about the information you are trying to protect and make that password as secure as possible. There are many web sites out there that take you through what you can do step-by-step. I have included an example of how to use dice-generated passphrases to produce high security passwords from the Electronic Frontier Foundation word list (3). They provide detailed information on how to produce 133- and 256-bit encryption passphrases. There are also web sites that do the same with different character sets. Apart from the passwords or passphrases, there are additional techniques to make them even more robust.

At this point many people have been on the Internet for 25 years or more.  Do not let that lull you into complacency.  Technology is always advancing and security is always lagging.  Make sure you can protect what is necessary.      


George Dawson, MD


References:      

1:  Shannon, C. and Weaver, W. (1948) The Mathematical Theory of Communication. Bell System Technical Journal, 27, 379-423, 623-656. http://dx.doi.org/10.1002/j.1538-7305.1948.tb00917.x

2:  Vopson MM, Lepadatu S.  Second law of information dynamics.  AIP Advances 12, 075310 (2022); doi: 10.1063/5.0100358

3:  Electronic Frontier Foundation.  EFF Dice Generated Passphrases:  https://www.eff.org/dice

