Friday, August 18, 2017

Password Family!!! A simple solution for password management.

Passwords are the weakest and most popular authentication factor for accessing websites and systems. Nowadays all systems demand specific criteria for setting a password, for example password complexity: it should include capital letters, small letters, special characters, and numbers. It should also expire after a specific period of time, for example 60 or 90 days. Moreover, password history is used to prevent reuse of a password that was already used. And there are more criteria that make the user's life difficult with passwords.

These rules and restrictions make users abuse passwords. For example, by using the same password for all accounts that belong to them, or by writing the password down somewhere so they can come back to it when they need it. In that way, they make the attacker's job of hacking their accounts much easier, and by hacking one password the attacker gets access to all their accounts.

How is a password hacked? Different techniques are available. The most effective technique currently used is social engineering, which tries to hack the user himself by sending a phishing email or by shoulder surfing the user to see the password while they type it. Another technique is brute force, which tries all possible passwords until the correct password matches. For example, if the password used for your wifi router at home is 11223344, it takes only a couple of minutes to break it, and the password is then available to the attacker, who can enjoy using your internet access for free!!!

One of the best solutions to this issue is to use a long password or passphrase. But this raises a problem for the user, because it is hard to remember all of these passwords (password management).

So, how do you make a long password for all the systems you have access to without writing it down somewhere and making it vulnerable to hacking??? By using the Password Family technique, which I will explain in this article. I hope this concept will solve a big problem facing a wide range of users.

As we explained previously, passwords should include capital letters, small letters, numbers, and special characters. So we work with one password that contains two parts: a fixed part, which is a long and complex passphrase, and attached to it a variable part that helps you differentiate between the passwords of each account you have.

In the password family technique the fixed part can be at the beginning of the password, in the middle, or at the end, and the same applies to the variable part.

We will explain the concept through an example.

The first step is to work on a fixed part for your password family. Here we chose this phrase as the fixed part of the password family: HeLL0#AhM3d_@4_. As you notice, it is a long phrase containing 15 characters and it includes all complexity requirements. Checking the strength of this password, it is 100% strong; refer to The Password Meter site to check the strength. It would need 16 billion years to crack it; refer to the How Strong Is My Password? site to check it.

You need to memorize the fixed part and never forget it, because it is the basis of your password family. DON'T share it with anybody or write it anywhere. It should be in your mind only. If it is compromised you have to reinitiate your password family and change all the passwords used within this password family.

The second step is to decide where to use the fixed part: at the beginning of the password, in the middle, or at the end. In this example, we chose the beginning.

Now suppose you need to create an account in Gmail and you need to enter a password. Use the fixed part of your password and add to it the variable part, which you decide at the time of creating the account; try to choose a phrase related to that account. In this example it is Gmail, therefore the variable part can be gMail (note that I chose the second character to be a capital letter just to add more strength to the password; it can be all small letters). Consequently, your Gmail account password will be:

gMailHeLL0#AhM3d_@4_

The final password needs 43 QUINTILLION YEARS to crack, which is what we need...

In this way you can create all your passwords, and you only need to memorize the fixed part of your password.

We will create another password to clarify the concept further. Say you want to create an account on Netflix and need a new password. Your fixed part is ready and you have already memorized it, so we only need to work on the variable part, which in this case can be: neTflix.

Your password for the Netflix account is:

neTflixHeLL0#AhM3d_@4_

This password needs 252 SEXTILLION YEARS to crack.

To overcome the problem of password expiry, add an extension to the password, like _1.

And so on; you can build your password family and create strong passwords without the need to write them down and expose them to hackers.
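As an added example (not code from the original article), the following Python builds a family member from the fixed part and the account-specific variable part, placed at the beginning, middle or end, with the optional `_1` expiry extension, and estimates brute-force time from the character classes present. The rate of 10^10 guesses per second and the 32-character symbol alphabet are assumptions, so the figures are order-of-magnitude estimates rather than the exact numbers a given online meter reports.

```python
import string

# Character-class sizes used by typical strength meters. Assumption: "symbol"
# means the 32 printable ASCII punctuation characters.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "symbol": len(string.punctuation)}


def classes_used(password):
    """Return the set of character classes that appear in the password."""
    tests = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit,
             "symbol": lambda ch: ch in string.punctuation}
    return {name for name, test in tests.items() if any(test(ch) for ch in password)}


def family_password(fixed, variable, variable_position="beginning", counter=None):
    """Build one member of the family: the memorised fixed part plus an
    account-specific variable part placed at the 'beginning', 'middle' or 'end'.
    counter is the optional expiry extension, appended as '_1', '_2', ...
    """
    if variable_position == "beginning":
        pw = variable + fixed
    elif variable_position == "end":
        pw = fixed + variable
    elif variable_position == "middle":
        half = len(fixed) // 2
        pw = fixed[:half] + variable + fixed[half:]
    else:
        raise ValueError("variable_position must be beginning, middle or end")
    if counter is not None:
        pw += f"_{counter}"
    return pw


def brute_force_years(password, guesses_per_second=1e10):
    """Years to exhaust alphabet**length guesses at the given rate.
    The alphabet is the total size of the classes actually present and the
    guess rate is an assumption, so this is an order-of-magnitude estimate.
    """
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    seconds = alphabet ** len(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    fixed = "HeLL0#AhM3d_@4_"  # the article's fixed part
    for account in ("gMail", "neTflix"):
        pw = family_password(fixed, account)
        print(f"{account:8s} {pw:24s} ~{brute_force_years(pw):.1e} years")
```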

By Abdulla Abusaif, CISSP, PMP, CEH

6 comments:

  1. I think it's a good subject and a good article... this mode of password would be most appropriate for admins to use rather than normal users, because I think it's still somewhat complex for the latter... keep up the good work 👍

  2. Adding to the article: the example we mention in the article uses a very complex password. It may be hard for a normal user to use it, so we will mention an easier example.

    The fixed part of the password family can be: Abdulla_Fast_Happy_Mall_

    A passphrase which is easy for the user to remember and hard to break by brute force. This passphrase needs 53 SEPTILLION YEARS to crack.

    The idea behind this way of choosing the fixed part is that you choose different words from the dictionary that are hard to fit into a meaningful sentence, which helps to create a strong password.

    If you want to create an account in Yahoo, for example, and you need a password, you can make the password:

    Abdulla_Fast_Happy_Mall_Yahoo

    In that way you make it easier and simpler for the user and harder to crack.

  3. Thanks Abdulla for the great article.
    The start of the process will be the difficult part, especially since we have lots of accounts with different expiry dates. However, I will try to start changing the passwords using the password family technique.
    The only thing that concerns me is when the passwords of some of the accounts expire... I will use your option above by adding _1, but the issue is that I will reach a stage of not remembering which account expired and which one didn't :-)

    Replies
    1. Thank you Bu Abdulla for your time to read the article and for your comments.

      A valid concern of yours: by adding an _X number you may forget which count you have reached. I will think about another solution and post it.
