The password debate never ends. Instead, it seems to be increasing in intensity. The problem is the use of passwords isn’t going away anytime soon. The cost of replacing passwords with a more secure access control method is typically too high, making it impossible to sell related projects to management. Even the use of strong passwords is often regarded as either less secure—because users inevitably write them down—or a hindrance to productivity. However, there may be a middle ground which can help bridge the timeline between password use and multi-factor authentication.
Background
Before jumping into the how-to part of this article, I want to look at how security professionals view password risk and related management. A recent post in the SANS Internet Storm Center Diary, along with reader posts, sums this up pretty well.
There are four basic ways for a bad guy to get your password:
(a) Ask for it. So-called “Phishing” and “Social Engineering” attacks still work, and always will
(b) Try dictionary words at the login prompt in the hope to get lucky (“Brute Force”)
(c) Obtain the encryped/hashed [sic] password somehow, and crack it
(d) Leech the password off your computer with keylogger malware
None of these four scenarios becomes less likely if you change your password every 90 days. If the bad guy can’t break the password hash (c) within a couple days, he’ll likely just look for an easier target. Attack (b) is also out for quick wins – either it works within the first couple dozen passwords tried, or the bad guy moves on to easier prey. If (b) or (c) are successful, or the attacker already has the password through (a) or (d), 45 days on average is more than enough to empty out your bank account or use your email address for a big spam run.
Source: Password rules: Change them every 25 years, Daniel Wesemann, 2 November 2009
For me, the two takeaways from this article are:
- There is more than one way to compromise and use a password access control, all of them tested and in widespread use
- The common account policy of requiring a password change every 45, 60 or 90 days is not a good security control
No, this doesn’t mean you should throw up your hands, assign the same simple password to all your accounts, and hope for the best. If a second authentication factor is an option, and you or your organization can afford it for work or personal use, implement it. If not, I may have an alternate safeguard.
Two Factor Passphrases
First, this is not an original idea of mine. I heard Steve Gibson discuss the concept on a Security Now podcast. However, I’m taking it a bit further by extrapolating the concept into a complete solution.
I am not a proponent of strong passwords. Users write them down or forget them, causing either security audit or productivity issues. I also agree with Wesemann and his readers that changing a password frequently isn’t a good way of protecting personal or organizational assets. So I combined the use of random passwords with a memorable passphrase to develop a process I believe solves most—not all—problems with passwords.
- Obtain a 13 character random password. I used Steve Gibson’s random password generator for my example, and selected GSD6BtvzM4A0j.
- Write down a phrase with 7 or more words. I used, “Every Day I Look Better and Better.” (I hope my wife doesn’t read this…)
- Use the first character of each word in the phrase to arrive at an initial series of characters. In my example, this works out to EDILBAB.
- Change one or more of these characters to make the string a little harder to guess. 3D1LB+B.
- Enter the 13 character random password into a text file and memorize the 7 character string from Step 4.
We now have two factors for authentication—something we have (GSD6BtvzM4A0j) and something we know (3D1LB+B). Combining these two character strings into a number of different passwords is easy.
- Go to one of your password protected sites. I used my bank.
- Change your password to a new two factor passphrase:
  - Copy the 13 character string from your text file and paste it into the new password field.
  - Insert your memorized 7 characters into the 13 character string. I decided to insert it in the second character position, coming up with G3D1LB+BSD6BtvzM4A0j as my 20 character, sort-of random, password for this site.
- Record the site and the character position in your password text file. I list three password insertion points in Figure 1.
Note the Bank location is 3, not 1. I inserted another layer in the process by adding 2 to the actual insertion points. This probably isn’t necessary, but I’m more paranoid than most.
Each time I step through the new/change password process, I try to select a different insertion location. Yes, I will quickly run out of insertion points. However, I will still have 14 strong passwords instead of one.
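The construction above, worked through in code. This is an added example written for this page, not code from the original article or from Steve Gibson’s tools; the only values taken from the article are the sample fragment GSD6BtvzM4A0j, the phrase, the substitutions E→3, I→1 and A→+, and the +2 offset on recorded positions. The function names, the constructed record dictionary, and the 62-character alphabet assumed for the random fragment are my own.

```python
"""Two-factor passphrase construction: memorized token + stored random fragment.

Added example, not from the original article. Sample values (fragment,
phrase, substitutions, +2 offset) come from the article; everything else
is an assumption of this example.
"""
import math
from typing import Dict, List

# The text file records (real insertion point + RECORD_OFFSET), so that the
# recorded number alone does not reveal where the memorized token sits.
RECORD_OFFSET = 2

# Assumed alphabet size of the random generator (upper, lower, digits).
ASSUMED_ALPHABET_SIZE = 62


def initial_string(phrase: str) -> str:
    """Step 3: first character of each word, upper-cased."""
    return "".join(word[0] for word in phrase.split()).upper()


def harden(initial: str, substitutions: Dict[str, str]) -> str:
    """Step 4: swap selected characters so the token is harder to guess."""
    return "".join(substitutions.get(ch, ch) for ch in initial)


def compose(fragment: str, memorized: str, position: int) -> str:
    """Insert the memorized token after `position` characters of the fragment.

    position 0 puts the token in front, position len(fragment) at the end,
    so a 13-character fragment offers 14 distinct passwords.
    """
    if not 0 <= position <= len(fragment):
        raise ValueError("insertion point must lie within the fragment")
    return fragment[:position] + memorized + fragment[position:]


def position_from_record(recorded: int) -> int:
    """Undo the +2 layer applied before writing the position to the file."""
    return recorded - RECORD_OFFSET


def password_for(site: str, fragment: str, memorized: str,
                 records: Dict[str, int]) -> str:
    """Rebuild the password for one site from the stored file and the token."""
    return compose(fragment, memorized, position_from_record(records[site]))


def all_variants(fragment: str, memorized: str) -> List[str]:
    """Every password obtainable from one fragment/token pair."""
    return [compose(fragment, memorized, p) for p in range(len(fragment) + 1)]


def random_fragment_bits(length: int, alphabet: int = ASSUMED_ALPHABET_SIZE) -> float:
    """Entropy (bits) of the pasted random part alone, assuming a uniform alphabet."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    fragment = "GSD6BtvzM4A0j"                       # article's sample, kept in the file
    token = harden(initial_string("Every Day I Look Better and Better"),
                   {"E": "3", "I": "1", "A": "+"})   # memorized: 3D1LB+B
    records = {"Bank": 3}                            # constructed record: position 1 + 2
    print(password_for("Bank", fragment, token, records))   # G3D1LB+BSD6BtvzM4A0j
    print(len(all_variants(fragment, token)), "distinct passwords per fragment")
    print(f"{random_fragment_bits(len(fragment)):.1f} bits in the pasted part alone")
```

Note that `random_fragment_bits` counts only the pasted 13 characters, which is the part a keylogger never sees typed; the 7 memorized characters and the unknown insertion point add to the work factor on top of that.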
If every time I log in I copy and paste the 13 character string into the password field, most of the password is unreadable by typical keyloggers. The only portion of the password a keylogger would see is the 7 memorized characters as I enter them. Even against sites or networks that set no maximum number of incorrect attempts, brute force attacks are very difficult with passwords of this size. In fact, the work factor required to crack my sample password should be high enough to deter anyone from getting to any data my computer or sites might have to offer. This also solves the problem of strong passwords, since we are actually recording the hard-to-remember part of the password.
The final step is safely storing the text file with your password fragment and insertion points. The easiest way I found of both protecting the file and having access to login information wherever I go is to use a TrueCrypt protected USB memory stick. I use a long passphrase which I never use for anything but accessing mobile TrueCrypt data stores. An attacker would have to gain physical access to the device to crack the password. Between the loss of my USB device and any cracking of the encryption (if ever), there would be plenty of time to change my passwords.
The Final Word
No, this isn’t for everyone. The complexity of this process would bring a normal user to tears. However, this approach or your version of it can help protect:
- Network administrator accounts
- Accounts used to access highly sensitive information
- Your own accounts