Page 57 - Cyber Defense eMagazine - October 2017

•  Uses specific patterns of letters, numbers, and symbols.
•  Limits password checks by length and character constraints advertised on the web site.

All of these techniques significantly shrink the key space that needs to be checked. A note to app developers – if you are publishing password length and character requirements on your web site, you are providing a recipe for more effectively attacking your passwords.
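The key space shrinkage described above can be quantified. The following is an added example, not code from the magazine article: a small Python calculator that counts the candidate passwords a brute-force check would have to cover under three assumptions about what the checker knows, (a) nothing beyond a length range, (b) the published composition policy, and (c) a fixed template such as "capital letter, five lowercase letters, two digits". The character class sizes (standard printable ASCII), the sample policy and the sample template are constructed assumptions used for illustration.

```python
from itertools import combinations
from math import log2

# Printable ASCII split into character classes; sizes sum to 95 (assumption used
# for the illustration; adjust if a site allows a different symbol set).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def unconstrained_keyspace(min_len, max_len, alphabet=ALPHABET):
    """Number of strings of length min_len..max_len over the full alphabet.

    This is what a checker must cover when it knows only the length range.
    """
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def policy_keyspace(min_len, max_len, required, alphabet=ALPHABET):
    """Number of strings that contain at least one character from every class
    named in `required` (a published "must contain an uppercase letter, a digit
    and a symbol" policy).

    Counted by inclusion-exclusion: start from all strings, subtract those
    missing any one required class, add back those missing two, and so on.
    """
    total = 0
    for n in range(min_len, max_len + 1):
        for k in range(len(required) + 1):
            for excluded in combinations(required, k):
                remaining = alphabet - sum(CLASSES[c] for c in excluded)
                total += (-1) ** k * remaining ** n
    return total


def pattern_keyspace(pattern):
    """Number of strings matching a fixed template of class slots, e.g.
    ['upper', 'lower', 'lower', 'lower', 'lower', 'lower', 'digit', 'digit'].

    Every slot is independent, so the count is the product of the class sizes.
    """
    size = 1
    for slot in pattern:
        size *= CLASSES[slot]
    return size


def bits(count):
    """Key space expressed as an equivalent number of bits."""
    return log2(count)


def compare(min_len, max_len, required, pattern):
    """Return the three key-space sizes side by side for a given policy."""
    return {
        "length_only": unconstrained_keyspace(min_len, max_len),
        "published_policy": policy_keyspace(min_len, max_len, required),
        "fixed_template": pattern_keyspace(pattern),
    }


if __name__ == "__main__":
    # Constructed sample: site advertises "8 characters, with an uppercase
    # letter, a digit and a symbol"; many users satisfy it with a template
    # like "Word" + two digits + one symbol.
    sample = compare(
        8, 8,
        required=["upper", "digit", "symbol"],
        pattern=["upper"] + ["lower"] * 4 + ["digit"] * 2 + ["symbol"],
    )
    for label, count in sample.items():
        print(f"{label:>17}: {count:>20,d}  (~{bits(count):.1f} bits)")
```

Running the sample shows the policy alone already removes a noticeable share of the 95^8 space, while the template collapses it by several orders of magnitude, which is the effect the article describes. The same functions can be pointed at any published policy to estimate how much of the nominal key space it actually leaves standing.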

The key space reduction principle was demonstrated gloriously in the 2014 movie “The Imitation Game”, about Alan Turing’s role in the cracking of the German World War II Enigma code. The critical scene of the movie takes place at a British pub where a military radio operator remarks that the beginning and ending of all German transmissions had common characteristics. Upon hearing this Turing suddenly realizes that these common patterns may be the key to cracking Enigma, and he exclaims that it “…just lost Germany the whole bloody war!”

Turing was right. What was true then is just as true now – reducing the key space can transform a pragmatically undecipherable code into something that can be readily cracked. Any mnemonic, personal detail, pattern, name, object, phrase, etc. used in a password can be used to reduce the key space, and can be the weakness which allows a password to be cracked.


Why passwords fail
If the approach to password education by security professionals is any indication, security professionals need to reorient their thinking: not using strong passwords isn’t the cause of the problem – it is a symptom. What password a user chooses may be more a function of pragmatic use than a problem with understanding or willingness to cooperate. Knowledge of a strong password recommendation probably isn’t going to be the primary determining factor in password choice, but here are the factors that will determine it:


•  Passwords have to be remembered.
•  Passwords have to be repeatedly entered into data entry fields.
•  Users have to manage many accounts.
•  Passwords usually have to be changed with some frequency.

If a user has a lot of account passwords that they need to remember, type, and change frequently, it quite obviously encourages the creation of short, simple passwords, and password reuse wherever possible. If password education goes no further than “use strong passwords”, then it might as well be restated as “complicate your life.” Password education must provide a better answer than this, or user behavior will remain the same.


Copyright © Cyber Defense Magazine, All rights reserved worldwide.