
For extra security, try the pass phrase approach

There may actually be a useful purpose for those annoying song lyrics that get stuck in your head. Easy-to-remember phrases could be the basis of a much more secure method of protecting computer information and accounts. They can be used as pass phrases. Research conducted by two information systems professors at the W. P. Carey School of Business demonstrates that, while there is no foolproof method of password security to ward off hackers, a long pass phrase is the best defense. Each additional character in a security code, be it password or pass phrase, means that it takes exponentially longer for a hacker's algorithmic program to find the correct combination of characters and unlock the password.
Song lyrics get stuck in your head and you can't get them out. You and your friends repeat lines from movies — or perhaps you read poetry, remembering your favorite couplets. Those easy-to-remember phrases are the basis of a much more secure method of protecting computer information and accounts. They can be used as pass phrases. Pass phrases are simply very long passwords, and it is their length that makes them inherently more secure — a catchy solution to the problem of computer security.

Easy to type, but also easy to crack

Hackers and system administrators are locked in a seemingly endless struggle over access to data, and passwords are the key. "(Passwords are) a critical vulnerability in our computer systems, but it's the only universal authentication mechanism," says Josh Wright, deputy director of training for SANS Institute, which does computer security research, training and certification. "Even though we know weak passwords are a problem, we have to rely on them. They are universally applicable and cost-effective."

Hackers are tirelessly creative, using any of several techniques to figure out a security code. The most basic is simply to discover it lying on someone's desk. This vulnerability is a side effect of the continuous effort to create the most secure password possible — those that contain a random combination of numbers, letters in both upper and lower case and keyboard symbols. But these combinations are difficult to remember, so users often write them down. Choosing a password that is easier to remember, however, also makes it easier to guess. People tend to use birthdays, pet names or the same password for many different accounts. This means that once a hacker or identity thief gains some information about an individual, he can systematically test the common password choices — often succeeding. When following obvious clues fails, hackers employ password cracking methods.
Hackers use specialized dictionaries that translate wordlists into encrypted code. Programs then compare the code marks — called hashes — in the word list to the hashes in the password file being cracked. If the hashes match, the dictionary reveals the word. These dictionaries even include the exotic, such as the fictitious Star Trek language of Klingon. Adding a number to the end of the word does not help much, since cracking programs can append specified numbers of characters to dictionary words.

The last resort is what's called brute-force guessing, which is pretty much what it sounds like. A computer program runs through all the potential passwords until it comes up with the correct combination. The U.S. government standard recommends a 95-character set from which to make up a password. But even a password of such gargantuan proportions is fairly easy to break.

"This is still a fixed number," says Paul Steinbart, a professor of information systems at the W. P. Carey School of Business. "If a password is eight characters long, the number of possible passwords is 95 to the eighth power. A relatively fast computer running Windows XP can run through about 3 million character combinations a second."

One solution — at least for now — may be to make it infeasible or exorbitantly expensive to crack a security code. "You want to force the bad guys to use the exhaustive approach, although eventually they will get the password," Steinbart explains. That's done by replacing simple passwords with much longer ones. "Mathematically, the programs will find the correct password after trying half the possibilities," Steinbart explains. "Increasing the length of a password or phrase dramatically increases the number of combinations the program would have to try before finding the right one."
Each additional character in a security code, be it password or pass phrase, means that it takes exponentially longer for an algorithmic program to find the correct combination of characters and unlock the password. In fact, increasing the length of a password is more important than increasing the size of the character set that can be used, as the following example shows.

A little over 218 trillion (218,340,105,584,896) different eight-character-long passwords can be created using a 62-character set consisting of only numbers and letters (case-sensitive). Increasing the size of the character set by approximately 50 percent to 95 characters results in a 30-fold increase in the number of possible passwords, to over 6 quadrillion (6,634,204,312,890,620) different combinations. In contrast, increasing the length of the password by 50 percent to 12 characters, while still using only a 62-character set, increases the number of possible passwords to more than 3 sextillion (3,226,266,762,397,900,000,000), which represents a 10-million-fold increase in the number of possible combinations.

The benefits of the longer pass phrases are obvious. Experts are recommending that users adopt phrases rather than words. That's because phrases — like those song lyrics — are easy to remember, yet they are not vulnerable in the same way as single words. "I encourage song lyrics," says the SANS Institute's Wright. "They won't be in the dictionary, and slightly modifying it makes it even harder to crack." Another suggestion is movie titles and the year of release. Deciding whether to use upper case letters and spaces between words adds another dimension. But even that isn't foolproof if the user does not keep his password to himself. "The caveat is: Don't tell your friends what your pass phrase selection method is," Steinbart says.
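To make the arithmetic in the comparison above and the "half the possibilities" rule Steinbart quotes concrete, here is an added Python example. It is not code from the article or from the W. P. Carey researchers; it assumes codes of a fixed length drawn uniformly from the character set and a single machine guessing at a constant rate, and it uses the 3-million-guesses-per-second figure quoted above as its default. It also goes beyond the article's three cases by adding two longer pass-phrase lengths (20 and 30 characters) to show how the expected cracking time grows.

```python
from math import log2

# Keyspace arithmetic for the password-vs-pass-phrase comparison.
# Assumptions (not from the article): fixed-length codes chosen uniformly from
# the character set, and a single machine guessing at a constant rate.

ARTICLE_RATE = 3_000_000  # guesses per second quoted for a fast Windows XP machine


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct codes of exactly `length` symbols from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Equivalent strength in bits: length * log2(charset size)."""
    return length * log2(charset_size)


def expected_guesses(charset_size: int, length: int) -> int:
    """Exhaustive search hits the right code after trying half the space on average."""
    return keyspace(charset_size, length) // 2


def expected_seconds(charset_size: int, length: int, rate: int = ARTICLE_RATE) -> float:
    """Average time to find the code at `rate` guesses per second."""
    return expected_guesses(charset_size, length) / rate


def fold_increase(base: tuple[int, int], other: tuple[int, int]) -> float:
    """How many times larger the keyspace of `other` = (charset, length) is than `base`."""
    return keyspace(*other) / keyspace(*base)


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit for a table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def comparison_table(rate: int = ARTICLE_RATE) -> list[dict]:
    """The article's three cases plus two longer pass-phrase lengths (added here)."""
    cases = [("8 chars, 62-set", 62, 8), ("8 chars, 95-set", 95, 8),
             ("12 chars, 62-set", 62, 12), ("20 chars, 62-set", 62, 20),
             ("30 chars, 62-set", 62, 30)]
    rows = []
    for label, cs, n in cases:
        rows.append({"case": label,
                     "keyspace": keyspace(cs, n),
                     "bits": round(entropy_bits(cs, n), 1),
                     "expected_time": human_duration(expected_seconds(cs, n, rate))})
    return rows


if __name__ == "__main__":
    for row in comparison_table():
        print(f"{row['case']:<18} {row['keyspace']:>40,} {row['bits']:>6} bits  "
              f"{row['expected_time']}")
    print(f"95-set vs 62-set at 8 chars: {fold_increase((62, 8), (95, 8)):.1f}x")
    print(f"12 vs 8 chars at 62-set:     {fold_increase((62, 8), (62, 12)):,.0f}x")
```

The table reproduces the article's figures (62^8, 95^8 and 62^12) and shows why length wins: widening the set from 62 to 95 symbols multiplies the space by about 30, while adding four characters multiplies it by 62^4, roughly 14.8 million. The guess rate is the one knob a defender does not control, so treat the time column as a relative comparison rather than a prediction.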
Convenience versus safety

Despite the obvious benefits of pass phrases, most computer accounts are still secured by randomly generated, difficult-to-remember strings of eight characters or pet names. Why? Steinbart and Information Systems colleague Benjamin Shao teamed with doctoral student Mark Keith to design a research project that sheds some light on that question.

Students in an undergraduate class at the W. P. Carey School of Business who needed to log on to an account to retrieve class assignments were divided into three groups. The first used a password of their own choosing, the second were required to follow stringent guidelines for password creation and the third were asked to use pass phrases. The experiment, Steinbart said, was designed to discern the ease of use of each security scheme. For several months researchers monitored the behavior of students as they logged in to determine how often they made typos or forgot their passwords and had to ask a network administrator to let them back into the system. At the end of the experiment, they surveyed the students about their perceptions of ease of use.

"The study shows that long pass phrases are no harder to remember than any of the passwords, however, their use increases the chances that you're going to make a typo," Steinbart reports. About 20 percent of the time that pass phrase users tried to log on, they failed because of a typo. Password users were plagued by typos only 4-5 percent of the time. However, a week-by-week analysis of the data showed that by the fifth week the rate of typing errors between the three groups was similar. "People thought it a lot harder to use, so they were less excited about using it in the future," Steinbart says. He concludes that "until people get used to it, they aren't going to run out and be overjoyed if security people tell them to use these longer passwords; they'll have to be sold on them."
Benefits of pass phrases persuade users

The study did not take into account how the students would have felt had they been educated about why the pass phrases were so important, Steinbart points out. The results suggest that managers would encounter less grumbling if employees were informed of the reasons for the longer sign-in. "People respond well to impact examples," the SANS Institute's Wright explains. "There's no shortage in the media of identity theft stories. Those examples go a long way toward convincing people to be more secure."

Another advantage of pass phrases is that they don't have to be changed as often. Many companies mandate changing passwords at regular intervals. "If you have to change your password every 45 days, it will cause confusion for a week or two with people mistyping, forgetting, etc., but after that it becomes easier," Wright adds. "With pass phrases, typing memorization may be a little longer, but it's no longer necessary to rotate your password every 45 days."

Steinbart says the human component of high-tech security adds a little-studied dimension to the problem. "People are the most important part of security. Most academic research has been on the technology side, but in the past few years managers are recognizing that we need to look at how people use security tools," he says. While pass phrases may be a better security method, there are still many questions about their use left unanswered. "There's a lot of research left to do," Steinbart adds.
