Is there such a thing as a perfectly secure password?

An interview to mark World Password Day 2017

Just to get this straight from the outset: There is no such thing as total security, and picking a strong password is not the end of the story in today’s interconnected world. However, there is a lot more that people can do to ensure the best possible security for their mail communication and data.

We spoke to our cryptography and information security expert Karsten Ness about how to choose a good password and what other measures users can take to improve security around their account.

Hi Karsten, thanks for taking the time to talk to us. Can you tell me what the requirements are for choosing a password at mailbox.org, and what you think makes a good password?

If somebody creates a new account at mailbox.org or changes their password, there are already a number of minimum requirements that will be enforced through the web interface. The system will accept a password only if it is at least six characters long, does not appear in a dictionary, and uses a mix of lower- and upper-case letters, as well as numbers. But these are just the basics that anyone should pay attention to when choosing a password. In my opinion, a good password is made up of at least 12 characters, and in addition to the mix of letters and numbers mentioned above, I would also recommend adding some special characters, such as the asterisk or dollar sign, for example. Doing this makes it a lot harder for any potential attacker to find out the password by chance.

I should also mention that there are critical voices about mechanisms that enforce a reasonably complex password to be chosen. There are some studies out there that claim imposing strict requirements actually results in bad passwords being picked by the users, and suggest a more liberal approach may be better. However, such claims are not really consistent with our practical experience. We are convinced that for the vast majority of ordinary users, the requirements set by mailbox.org do actually increase password security overall.
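As an added illustration of the rules Karsten describes (minimum: at least six characters, not a dictionary word, mixed case plus digits; recommended: twelve or more characters and some special characters), here is a small policy checker in Python. It is example code written for this article, not mailbox.org's own validation logic, and the word list it consults is a constructed stand-in for a real dictionary. The second function estimates how much larger the search space becomes when length and character classes grow, which is the "harder to find out by chance" point in the answer above.

```python
"""Password policy checker (added example, not mailbox.org's code)."""
import math
import string

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "sunshine"}


def check_password(pw: str, wordlist=COMMON_WORDS) -> dict:
    """Return which minimum rules fail and which recommendations are unmet.

    'failures' correspond to the rules the web interface enforces;
    'warnings' correspond to the stronger recommendations from the interview.
    """
    failures = []
    if len(pw) < 6:
        failures.append("shorter than 6 characters")
    if pw.lower() in wordlist:
        failures.append("appears in the dictionary")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")

    warnings = []
    if len(pw) < 12:
        warnings.append("shorter than the recommended 12 characters")
    if not any(c in string.punctuation for c in pw):
        warnings.append("no special character")

    return {"accepted": not failures, "failures": failures, "warnings": warnings}


def keyspace_bits(pw: str) -> float:
    """log2 of the number of passwords with the same length drawn from the
    character classes this password actually uses. This is an upper bound on
    the work a guessing attack needs, not a measure of how predictable the
    specific password is."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ["password", "Abc123", "Tp1etr.[MAIL]"]:
        result = check_password(candidate)
        print(f"{candidate!r}: accepted={result['accepted']} "
              f"failures={result['failures']} warnings={result['warnings']} "
              f"keyspace≈{keyspace_bits(candidate):.1f} bits")
```

Running the script shows that a six-character password of letters and digits that just passes the minimum rules sits around 36 bits of search space, while the thirteen-character example with brackets and a dot from later in the interview is around 85 bits. The checker only tells you whether a password meets the stated rules; a password that is long and complex but reused across services is still a bad password, as the next answer explains.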

If the various sources on the Web can be believed, the average user has to handle up to nine different passwords at the same time. How can a single person remember so much information, especially if these are all “good” passwords?

All security experts agree that using the same password for different accounts is a very bad idea. There are different opinions about how to sensibly manage a large number of complex passwords, though. Here are two suggestions:

Using a password pattern

Some security experts recommend using a shared pattern for different passwords, where the pattern itself is easy to remember. Such a password would consist of a fixed, invariant part that is the same for all accounts, and a variable part that can be easily derived from the kind of service or product that the account is for.

Just to give you a simple example:

Let’s say the fixed part of your pattern is “Tp1etr.” (“This-password-1s-easy-to-remember.”)

For the variable part, just add four capital letters referencing the type of web service, placed within square brackets. So, for example, we might end up with the following passwords, which are all easy to remember once we have memorised the fixed pattern:

  • Tp1etr.[MAIL]  (for use with mailbox.org)
  • Tp1etr.[FACE]  (for use with Facebook)
  • Tp1etr.[TWIT]  (for use with Twitter)

This way of managing passwords has the advantage that there is no need to write them down or to use special software.

Using a password management software

Another way of handling many complex passwords is to use a password manager, in other words, a piece of software. The advantage is that a user only needs to remember a single master password, which is then used to encrypt the other passwords and pins stored by the software.

Modern browsers such as Mozilla Firefox or Google Chrome, and e-mail clients like Thunderbird have built-in password management modules that can keep passwords for different services in one place. By default, the information will be stored as plain text on the local machine. Only once a master password has been set will the information be encrypted.

If you use password managers like these I think it is really important to enable the master password, because we have seen an increasing number of cases in the past five years where viruses specifically targeted the password databases of browser software.

Are all password managers equally safe to use?

Unfortunately not. Although there are various programs that offer a password management function, not all of them feature a master password option to encrypt the information – as is the case with the instant messenger client Pidgin, for example. I cannot recommend using any password management software that does not encrypt the passwords it stores.

What more can people do to protect their personal information?

User behavior is actually a significant risk factor when it comes to password security. It is one thing to pick a strong passphrase, but when you then go and log on to services using a non-secure computer – like in an internet café, for example – then your security may still be compromised. Who knows if the software used on that machine is up to date, vulnerable to attack, or even infected already by viruses, etc.?

Phishing attacks have also become more and more notorious. The fake e-mails that are used to obtain login credentials from unsuspecting users are getting more and more sophisticated and will often look like the real thing nowadays. This makes it very hard for users to tell apart what is legit and what is not – a healthy level of suspicion is absolutely required here in order not to get conned!

Do you have any practical tips for our readers?

I can recommend a number of things – if adhered to regularly and consistently, these measures can really help to improve everyone’s personal data protection:

  • Never use your username and password combination on computers that are potentially unsafe to use.
    Tip: Sometimes, this cannot be avoided (e.g., when travelling). Having a two-factor authentication method in place will be really handy to stay on the safe side.
  • Do not save any of your passwords electronically without encryption and never write any password down on pieces of paper.
    Tip: Use a password management software that stores your passwords with encryption, or use a personal pattern to memorise your passwords without the need for additional software.
  • Do not click on links or buttons in any e-mails that ask you to log on to a service. The people who sent these e-mails are likely trying to “phish” for your login credentials.
    Tip: Always access the login pages for any services you may use via browser bookmarks, or type the URLs manually into the browser’s address line.
  • Make sure that any web pages you have accounts with use SSL encryption.
    Tip: When visiting a web page, look at the browser’s address line to double-check: Does the page use the “https://” protocol? Also, there should be a green padlock symbol displayed in front of the URL.
  • Pay attention to the password reset procedure employed by the services you use, and how these are configured. It is all very well and good to have picked a strong password if the weak spot is the password recovery mechanism. For instance, often the only barrier for resetting an account is a security question, possibly asking for some piece of information that may be easy to guess or retrievable from the Web.
    Tip: Configure password reset mechanisms to use an alternative e-mail address, a phone number, or a postal address, rather than personal information that could be possibly found on the Web.

You mentioned “Two-factor authentication” earlier. Can you explain what that is?

With two-factor authentication, or 2FA, a simple password is not sufficient for getting access to a system. Instead, there are two independent “factors” required for authentication. Most people already have experience with this mechanism from the way ordinary ATM / cash machines work. There, you need a 4-digit PIN (“something you know”) in combination with a specific token, in this case the bank card (“something you have”) in order to authenticate against a specific bank account and withdraw money from that account.

We at mailbox.org offer 2FA for logins to the web interface in the browser, using so-called one-time passwords (OTP). These passwords are made up of letters, numbers, and special characters and can only be used a single time, after which they expire immediately. Similar to the bank card mechanism described above, you need “something you know”, in other words a PIN, and also “something you have”: a small device that can be used to generate one-time passwords on demand. These two factors together replace the password as the authentication credentials required to log in to your account.


Does this mean two-factor authentication is perfectly secure?

Well, it’s pretty good. Even if an attacker manages to intercept the combination of PIN + OTP entered during login, they will be unable to use that for obtaining access to the account. A possible scenario where this might happen is when someone uses a random PC in an Internet café where the computer has a key-logging program installed.

When using 2FA, the captured information is useless to the attacker because they lack “something you have” – the token required to generate another one-time password for the next login.
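To make the two answers above concrete (a PIN plus a device-generated one-time password, and why a captured PIN + OTP pair is useless afterwards), here is an added example of the counter-based HOTP scheme from RFC 4226, with a token side that generates codes and a server side that accepts each code at most once. This is illustration code written for this article; the interview does not say which OTP algorithm mailbox.org uses, so this is not their implementation. The shared secret is the RFC 4226 test-vector key, not a real one, and `SoftToken`, `Verifier` and `replay_demo` are names chosen here.

```python
"""HOTP (RFC 4226) token and verifier with replay rejection (added example)."""
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (ASCII "12345678901234567890"); constructed, not a real key.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SoftToken:
    """'Something you have': the device holding the secret and a moving counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1  # each counter value is used exactly once
        return code


class Verifier:
    """Server side: checks the PIN ('something you know') and the OTP, and
    never accepts a counter value that has already been consumed."""

    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret = secret
        self.pin = pin
        self.window = window  # how far ahead the server looks if codes were skipped
        self.counter = 0      # lowest counter value not yet consumed

    def login(self, pin: str, code: str) -> bool:
        if not hmac.compare_digest(pin, self.pin):
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume this code and any skipped ones
                return True
        return False  # unknown code, or a replay of an already-used one


def replay_demo() -> tuple:
    """Keylogger scenario: the attacker captures PIN + OTP from a real login
    and tries to reuse it. Returns (first login, replayed login, next login)."""
    token = SoftToken(SHARED_SECRET)
    server = Verifier(SHARED_SECRET, pin="4711")  # constructed PIN

    captured_pin, captured_otp = "4711", token.next_code()
    first = server.login(captured_pin, captured_otp)      # genuine user: accepted
    replay = server.login(captured_pin, captured_otp)     # attacker replays: rejected
    later = server.login("4711", token.next_code())       # genuine user again: accepted
    return first, replay, later


if __name__ == "__main__":
    print("RFC 4226 vector, counter 0:", hotp(SHARED_SECRET, 0))
    print("first / replay / next login:", replay_demo())
```

The verifier looks ahead a small window so that a code generated but never submitted (a mistyped login, for instance) does not lock the user out, but it never looks backwards, which is exactly what defeats the keylogger: the captured code's counter has already been consumed. The same property holds for time-based codes (TOTP, RFC 6238), where the counter is derived from the clock and the server remembers the last accepted time step.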

What does a token look like?

There are different types, shapes and sizes but it may look like a USB pen drive, for example. This contains the security key, which is then used by an algorithm on the device to create a unique password. Because additional security is provided by the need for an actual piece of hardware – such as a USB token – we also call the device a “hardware token” and the method “hard OTP”.

Where can people get a USB token and can you recommend any that work well?

There are various vendors offering USB tokens. For mailbox.org, we recommend using YubiKeys or Nitrokeys.

By the way: Our knowledge base contains a comprehensive article about how to set up and use two-factor authentication with mailbox.org.


What if someone does not like the idea of having to carry with them a separate hardware device all the time?

In that case, there would be an alternative in using a software token, in other words a software program or mobile application that can generate one-time passwords on a computer or smartphone. Even though this is a “soft” method of implementing two-factor authentication, it’s still better than not using 2FA at all!

Note that certain techniques may not be available for software tokens: For example, we are currently working towards offering the option of a better, more modern 2FA mechanism at mailbox.org, which is called FIDO U2F (Universal second factor authentication). The users will be able to use that just like the current system but for now, it is only available in hardware, and not as a smartphone app.

What about using biometric data as a factor, like fingerprints for example?

Actually, security experts no longer really recommend the use of biometric methods for authentication, such as fingerprint matching, iris scans, or voice recognition. The main reason is that these characteristics cannot be changed once they have been compromised by an attack.

When biometrics were introduced as a factor, people assumed that this kind of data cannot be imitated as it presents a physical attribute of the actual person (“something you are”). However, we now know that all of the above can be faked, in fact.


I see. Now finally, can you give us a few concrete examples of cases where insufficient password security had serious consequences?

Certainly, there are quite a few I can remember on the spot:

2008 – “Sarah Palin Hack”

Sarah Palin was a candidate for the US vice-presidency at the time. Her personal Yahoo! e-mail account was hacked because the information required for a password-reset (e.g., DOB) could be simply retrieved from search engines or web pages such as Wikipedia.

2011 – “HBGary Hack”

Computers of the US security firm HBGary and its spin-off HBGary Federal were taken over by hackers because most of the employees were using the same password for different accounts. Flaws in the company’s web page led to some of the passwords becoming public, after which the hackers were able to compromise a number of e-mail accounts. The contents of about 600,000 company e-mails were subsequently published on Wikileaks.

2015 – “TV5Monde Hack”

An employee of the French TV station TV5 Monde wrote the password for accessing the company’s servers on a piece of paper and stuck that onto a computer monitor. Unfortunately, that piece of paper was visible inside the frame during a broadcast – the attackers just had to watch the show to get the login information.

2016 – “John Podesta Leak”

John Podesta was the campaign manager of the Democratic Party in the 2016 US presidential election. He made the mistake of clicking on a link in a phishing e-mail. This led to his Gmail account being compromised and the contents of his e-mails being published on Wikileaks. Experts say this incident may have had significant impact on the outcome of that election.

As you can see, data protection is so important, as even small mistakes can have far-reaching consequences. Everyone should take the time to carefully choose a good password and make sure it is kept safe. It’s really worth it.


Thank you very much for your advice, Karsten!

PS: Would you like to find out if your password or any of your personal information was hacked at some time in the past?
Just visit the “Leak-Checker” website of the Hasso-Plattner-Institute in Germany. This site maintains a database of compromised information:
https://sec.hpi.uni-potsdam.de/leak-checker/search?lang=de