Tuesday, September 30, 2014

How strong and safe is your password?

Image Reference: SC Magazine
Do you or someone you know do any of the following?
· Write down your non-temporary passwords on a sheet of paper, a sticky note, or in a carry-on notebook
· Save your passwords in a plaintext file, or in an Excel spreadsheet protected only by a password
· Store your password file in a manila folder with the rest of your confidential folders on top of your desk, under your keyboard, taped to the back of your monitor, in an unlocked cabinet drawer, or in a similar convenient place
· Use the same username and password for every personal and professional login account
· Have a hard time remembering passwords for different accounts and dread changing them
· Use a password that follows only the minimum requirement of 8 characters, at least 1 number, and an upper case letter

If you answered “Yes” to any of these statements, it’s OK because you are not alone. Username and password is still the most prevalent form of user authentication to services and resources to this day, whether we are at home or at work. This article will touch on two important password-related challenges: 1) password strength and 2) password management.
1) Password Strength:
The ITS department has a standard policy requiring that passwords used for University services are at least eight characters long and contain at least one upper case letter and one number. Passfault is a free password strength analyzer designed by OWASP, an organization of private and public sector information security professionals dedicated to improving information and web application security; it makes us aware of a password’s guessability and complexity. Before you jump to try your own password against the Passfault service, keep in mind that it is recommended to use a variation of your password pattern, not your actual password. We can never be sure who may see or store what we type into the password strength analyzer fields on a web page, despite any disclaimers and privacy policies.
The Passfault service is located at this URL: https://passfault.appspot.com/. To give you an idea about the password strength of a typical Windows NTLM password, refer to the table below:
Password composition | Guessability Method | Guessability Time | Total Possible Combinations
-------------------- | ------------------- | ----------------- | ---------------------------
Alphanumeric (upper, lower, number); total 8 characters | Everyday computer | < 1 day | 1 billion
Alphanumeric (upper, lower, number) and special characters; total 14 characters | Everyday computer | 1 decade, 6 years | 3 quintillion
Alphanumeric (upper, lower, number) and special characters; total 18 characters | Everyday computer | 347105 centuries | 22 septillion

The takeaway from the table above is that the more unique characters a password uses and the longer it is, the better the chance that its strength increases and its guessability decreases. Some systems may have different password length and character usage requirements, so pay attention to signs, warnings, and information snippets regarding password length requirements. Banner, for example, has very specific password requirements and may not allow certain characters; consult with your tech support person. A password phrase like “Love the Life you Live”, combined with letters and special characters, can be a better choice than a single dictionary word.
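To make the takeaway concrete, here is an added example (constructed for this article, not part of the original post or of Passfault) that sizes a password’s alphabet and keyspace, converts the keyspace into a worst-case exhaustive-search time at an assumed guess rate, and checks the ITS minimum quoted above. It uses a naive “every character from the alphabet is equally likely” model, so its numbers are upper bounds and will not match Passfault’s pattern-based figures in the table; a password built from a dictionary word with a digit on the end falls far short of its keyspace in practice, which is exactly the weakness a pattern analyzer is designed to expose. The guess rate of one billion per second is an assumption made for the example.

```python
import math
import string

# Character classes used to size a password's alphabet. Space is counted with
# the specials so that passphrases such as the article's example are handled.
# (Constructed for this example; Passfault uses pattern analysis, not this
# raw-alphabet model, so its figures are lower than these upper bounds.)
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "special": set(string.punctuation + " "),  # 33
}


def charset_size(password):
    """Size of the combined alphabet the password draws on (0 for an empty string)."""
    chars = set(password)
    return sum(len(alphabet) for alphabet in CLASSES.values() if chars & alphabet)


def keyspace(password):
    """Number of strings an exhaustive search would have to try in the worst case."""
    if not password:
        return 0
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """log2 of the keyspace: an upper bound on brute-force difficulty, not a real entropy."""
    ks = keyspace(password)
    return math.log2(ks) if ks > 0 else 0.0


def meets_its_minimum(password):
    """The ITS minimum quoted in the article: 8+ characters, one upper case, one number."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every string in the keyspace at a fixed guess rate."""
    return keyspace(password) / guesses_per_second


def human_duration(seconds):
    """Render seconds in the largest sensible unit, the way the article's table does."""
    units = [("centuries", 100 * 365 * 86400), ("years", 365 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    GUESS_RATE = 1_000_000_000  # assumed 1e9 guesses/s for an "everyday computer" (constructed figure)
    for pw in ["Password1", "Summer2014!", "Love the Life you Live!"]:
        print(f"{pw!r}: policy={meets_its_minimum(pw)} charset={charset_size(pw)} "
              f"bits={entropy_bits(pw):.1f} "
              f"exhaust={human_duration(seconds_to_exhaust(pw, GUESS_RATE))}")
```

Running it shows why “meets the minimum” and “strong” are different things: “Password1” passes the policy check with roughly 54 bits of raw keyspace, while the passphrase passes with well over 140 bits, and the raw figure for “Password1” still overstates it because the dictionary word inside it is what a guesser will try first.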
2) Password Management:
What can we do to make passwords easier to manage and a bit more secure to store? The ITS services team has made significant infrastructure changes to streamline network services account management. In addition to these changes, what we can do to help ourselves at home and at work is to use a password manager. A password manager is a centralized place, or safe, for your login information in digital format. There are many commercial and free open source software solutions. One option is to use a product called KeePass, as it:
· Is free open source software with continuing development efforts
· Offers a zero-install, self-contained (portable) version, which can be saved to and executed from a USB device without the need to install
· Allows full end-user control of where the password database is stored and assures confidentiality, as opposed to having it stored on the web, like LastPass, where we don’t know who can access, see, and use our saved information
· Is cross-platform software, as it has versions for Windows, Linux, OSX, etc.
o Windows KeePassX 1.27 -
o OSX KeePassX - https://www.keepassx.org/
· Checks and warns about password strength
· Has drag-and-drop functionality and allows copying and pasting usernames and passwords from the local database into any web form
· Offers a random password generator based
· Allows importing and exporting passwords in different formats
· Uses AES, adopted as a standard by the U.S. government, to encrypt the contents of its database, and the SHA-256 cryptographic hash function for the user-defined password hashes
· Allows two-factor authentication, requiring authorized users to provide both a password phrase and a specific key file, generated during the initial setup of KeePass, before the password database file is unlocked
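The last two points describe the idea of a composite key: the master password and the key file are each hashed with SHA-256, combined, and stretched into the key that encrypts the database, so neither factor alone is enough to unlock it. The following is an added, illustrative model of that scheme written for this article; it is not KeePass’s own code, and the key-file format (a plain 32-byte random file), the stretching function (PBKDF2-HMAC-SHA256 standing in for KeePass’s AES-based key transform), the round count and the constructed salt are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Illustrative model of a "password + key file" composite key, in the spirit of
# KeePass's two-factor database unlock. Constructed example code, not KeePass's
# implementation: key-file format, stretching function and round count are
# assumptions chosen for the example.


def password_factor(master_password):
    """First factor: SHA-256 of the UTF-8 encoded master password."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def key_file_factor(key_file_bytes):
    """Second factor: SHA-256 of the raw key file contents (assumed plain binary file)."""
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(master_password, key_file_bytes=None):
    """Combine whichever factors are present; leaving the key file out yields a different key."""
    material = password_factor(master_password)
    if key_file_bytes is not None:
        material += key_file_factor(key_file_bytes)
    return hashlib.sha256(material).digest()


def derive_database_key(master_password, key_file_bytes, salt, rounds=100_000):
    """Stretch the composite key into the 256-bit key that would encrypt the database.

    The salt and round count would be stored unencrypted in the database header, as
    they are not secret; the stretching only slows down each guess of the password.
    PBKDF2-HMAC-SHA256 is a stand-in for KeePass's own AES key transform (assumption).
    """
    return hashlib.pbkdf2_hmac("sha256",
                               composite_key(master_password, key_file_bytes),
                               salt, rounds, dklen=32)


def new_key_file():
    """Generate a fresh 32-byte random key file, as done once at initial setup."""
    return secrets.token_bytes(32)


def unlock(expected_key, master_password, key_file_bytes, salt, rounds=100_000):
    """Model of the unlock check: both factors must reproduce the key the database was created with.

    A real manager verifies by decrypting the database rather than comparing keys; the
    constant-time comparison is used here so the example does not leak timing differences.
    """
    candidate = derive_database_key(master_password, key_file_bytes, salt, rounds)
    return hmac.compare_digest(candidate, expected_key)


if __name__ == "__main__":
    salt = b"constructed-header-salt"          # constructed value for the demo
    key_file = new_key_file()
    db_key = derive_database_key("Love the Life you Live!", key_file, salt)
    print("password + key file  :", unlock(db_key, "Love the Life you Live!", key_file, salt))
    print("password only        :", unlock(db_key, "Love the Life you Live!", None, salt))
    print("key file, wrong pass :", unlock(db_key, "Password1", key_file, salt))
```

The point of the model is the last two lines of the demo: knowing the master password without the key file, or holding the key file without the password, produces a different key and the unlock fails. That is also the cost of the scheme the article warns about next: lose the key file and the correct password no longer opens the database, so the key file needs its own backup, kept separately from the database.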
The challenge with password safes is putting all of our eggs in the same basket. It’s not a solution for user negligence, and it is not a solution to all of our password challenges. However, it can be a better alternative to writing our password information on a sticky note or typing it in a plaintext file saved on the desktop or USB drive.
Additional References:

https://passfault.appspot.com - here you can use a variation of your password to check its guessability and complexity strength

http://keepass.info/help/base/firststeps.html - here is how to set up KeePass step by step

http://keepass.info/help/v2/setup.html - here you can find information about the installation and portable setup of the KeePass password manager

http://keepass.info/help/base/keys.html - here you can find information on how to set up two-factor authentication with a password and a key file

http://downloads.sourceforge.net/project/keepass/KeePass%202.x/2.27/KeePass-2.27.zip - here you can download the latest Windows version of KeePass Professional Edition

https://www.keepassx.org/ - here you can find more information about the KeePassX version for OSX and Linux

https://www.keepassx.org/releases/KeePassX-0.4.3.dmg - here you can download the Apple OSX 10.4-10.9 alternative version of KeePass called KeePassX, which is much easier to set up and run than the KeePass 2.x version available from http://keepass.info

Written by
Velislav Pavlov,
Technology Services Coordinator,