Hackers are into lockpicking. Every year at DEFCON there are lock picking contests and demonstrations, and you can buy the various tools (picks, bump keys, etc.) at Black Hat and DEFCON and many other such events. Now, Timo Hirvonen tells me that this is a legitimate extension of learning Penetration testing, and I believe that that he is absolutely correct. I actually took up lockpicking in the summer of 1965, long before I ever dealt with a computer, but that’s a story for another day.
This is actually relevant, so you might want to stay with me, here.
Take a look at the typical key pictured above. This is a key to a pin tumbler lock, and is currently the most common kind. Notice that each of the little notches in the key is at a different depth. The key would insert into the keyhole, which is in the part of the lock called a cylinder.
When all the notches on the key line up properly, the pins line up so that the cylinder can turn. They have to be very accurate. Our example here is a five pin lock, so this key would only need notches cut in five places. The pins each have a number of discrete settings, and just to make it easy, let’s imagine that there are five different settings for each pin.
So how many possible combinations is that? Five times five is 25, but that’s not it. Neither is five times five times five, or 125, correct. This would be a very simple lock, but it would carry a grand total of 3,125 combinations (five to the power of five). If each pin had six possible positions, you could raise that to 15,625 different combinations.
With a pin tumbler lock, like the one shown here, there is also a restriction that the key has to be the right keyway (that’s what they call all the channels and grooves that let the key fit into the lock). Each brand of lock uses a unique keyway which is why the key shop has hundreds of different key blanks hanging on a big rotating display.
This is a very close model of an internet password. The number of pins is equivalent to the number of characters, and the number of possible positions is equal to the number of possible characters. This is why people keep telling you that a password is either strong or weak. Let’s look at it.
Imagine a very short password of only two characters. If you use only numbers, then there are only ten possibilities for each character position. (0-9) so with that limitation, a two digit password using only numerals in base ten would give you only 100 possible combinations. If you had to type that in by hand it might be too much trouble, but a computer could feed those hundred combinations in less than a single second.
The same two character password, if it used alphabetical characters, instead of numbers, would give you 676 possible combinations, instead of a hundred. Going to more places, or more pins, would give you an even greater combination, such as noted below.
|(numeric)||(alpha)||(alpha + numeric)|
So, as you can see, it becomes much more difficult to crack a longer password, or a password with more available characters. That is not the end of the story. If you use a password made up of words that can be found in any dictionary, then a hacker could attack your password with a dictionary. Really. It’s actually called a dictionary attack. So the best password would be gibberish. How would you ever remember such a thing?
Well, you don’t have to. You can get a program known as a password manager. The one we make here at F-secure is called KEYS. We will take a look at that in just a little bit. First we want to make a couple of things clear.
1. Passwords are extremely valuable, they are the online version of your keys, and eventually your car will start and your door will open to a password, rather than to a physical key. (I am very tempted to run off on a tangent, here) You need to pay some attention to your passwords, because they are getting stolen left and right and because they open the door to your email, to your reputation and to your bank account.
RUNNING OFF ON A TANGENT
Car keys have gotten much more complicated over the last decade. First we added electronic door locks to the car, and the key acts as a remote control. Other functions come with that, including trunk release, and some kind of an alarm system. On top of all that, there is a secondary locking mechanism included with your key, where the car will only open for a key with both the proper physical keyway and tumbler pattern (( as described above)) AND the proper electronic signature. So, in my car, for example, a new key needs to be cut and then programmed, and a new key costs almost $300! Now they tell you that’s because it takes extra programming, but it’s really because you NEED a car key, and based on the brand of car you drive, and I drive a Lexus, they hit you up for the highest price the traffic will bear. The circuitry isn’t worth nearly that much, and neither is the ‘programming’. This is indicative of the state of the world. Drive a 1961 Buick, and you can buy a key for a buck, drive a 2001 Lexus, and the key is $300—the newest models skip the physical key entirely, and cost even more. They only charge what the traffic will bear.
2. It is very important that you not use the same password for everything. If you do, when somebody cracks one of your passwords they can find all of them. Some people use simple, same passwords for things they don’t really care about (your Cookie Bakery discount code coupon, for example) but use stronger, unique passwords for more important things, like missile launch codes.
3. Do not use passwords that can be derived from the names of your pets, or the name of your spouse, or your boat, or anything that could ever be found out about you from a thorough analysis of your Facebook page.
4. Back up your data! I use two different backups on everything, and a third backup on the most important data. I back up to a NAS (network attached storage) device, and to the cloud, and the third method is secret. Never put yourself in a situation where somebody could hack into your account and steal or delete anything you are going to need.
Having said that, I want to say that too many things are authenticated these days (that’s what a password is all about, authentication–it’s when you prove that you are you) If you are doing a lot online you might actually be known via hundreds of passwords and who can possibly keep up with that? Nobody, that’s who. It’s just another example of FUTURE SHOCK, brilliantly predicted in 1971 by Doctor Alvin Toffler.
My point? Maybe we are authenticating too much. Does your nephew’s Bar Mitzvah really need me to get a password to reply to the evite? Do I really need a strong password to protect my registration to a trade show? The universal and always increasing demand for new passwords kind of cheapen the image they have to the public. If you need to keep track of a hundred passwords, then you might not put so much effort into managing them.
Huntington Beach, California 10/29/2014