COMSEC is a type of INFOSEC. Your information needs to be secure from disclosure, and I have been doing quite a bit of research on that over the past few days.

A few days ago, I posted about INFOSEC and using a password wallet. Some interesting ideas were shared, good questions asked, and so I thought I would share some thoughts on the concept of passwords and password managers.

The basic theory behind passwords is simple: a password is a way for two parties to ensure that one of them is the person authorized to access the files or other electronic resources that the second is the custodian of. The process is called authentication, and the use of a username/password combination is the first, simplest, and most common method of user authentication. It’s also one of the least secure, for reasons we will explore.

The things that make username/password authentication insecure are rooted in a couple of things, one of them being the users themselves. All of them. A user can be phished, hacked, or otherwise compromised. There are ways to mitigate most of the risks. What are the risks?

The simple brute force attack is the most basic of all brute force attacks. The bad actor tries to guess the user’s password without the employment of software tools. The attacker relies on trying out commonly used, weak passwords such as 123456, qwerty, password, and password123. Unfortunately, the simple brute force attack can be pretty effective, because many people continue to use weak and otherwise poor passwords to secure their online accounts.

Computer programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second. If your password is random, it will take an average of 8,000 years to guess a 12 character password with even the fastest computers. One type of computerized brute force attack relies on words found in the dictionary. This sort of brute force attack is called a dictionary attack and uses a vast number of common words and their variations. To do that, hackers use software that can make thousands of guesses every second using dictionary databases.

Then there is a hybrid attack. A hybrid attack combines a dictionary attack with a simple brute force attack for a better chance of success. Often a hybrid attack is used once the attacker already knows the username of the victim. You see this one when a data breach has released a company’s user names and email addresses.

  • Choose a complex password. It should be made of upper and lower case letters, numbers, and symbols. Doing that means you start with a base of 52 letters, 10 numbers, and up to 33 symbols, for a total base of 95.
  • Choose a password of at least 12 characters. Doing it this way means you are raising the base (95) to the power of the number of characters. So a 12 character password means that there are 540,360,090,000,000,000,000,000 possible combinations of passwords. That’s 540 sextillion possible combinations (5.4×10^23).
  • You should avoid the use of common words and common passwords. This will mitigate the risk of dictionary, hybrid, and simple brute force attacks.

The suggestion was made of using a 6 word password generated using diceware. The thing that I laughed at from the diceware website was “Do not use a computer program or electronic dice generator. There is no easy way to be sure they are random enough.” That one statement was enough to tell me that the website’s author doesn’t know what they are talking about. They are worried that a random number generator isn’t random enough, while at the same time ignoring the fact that their word list is public and uses words from the dictionary. This means it will not be as secure as using random characters: no matter how random your word selection is, the use of dictionary words compromises the randomness of the password. If they know you made your password from this word list, you are screwed. If they don’t, then the randomness with which you picked the words from the list doesn’t matter.
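The arithmetic behind the password advice above, as an added example that is not part of the original post: it generates a 12-character password from the operating system's CSPRNG, counts how much keyspace is left when all four character families are forced to appear, and converts each keyspace into bits and average search time at the two guess rates quoted earlier. The 7,776-word list size for the six-word passphrase is the standard Diceware list size and is not stated on the page; all function names are illustrative.

```python
import math
import secrets
import string
from itertools import combinations

# Families from the list above: 26 upper + 26 lower + 10 digits + 33 symbols = 95.
FAMILIES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",  # 32 punctuation marks plus space
}
ALPHABET = "".join(FAMILIES.values())

def generate_password(length=12):
    """Draw from the OS CSPRNG and redraw until every family is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in fam for c in pw) for fam in FAMILIES.values()):
            return pw

def keyspace_all_families(length=12):
    """Count strings with at least one character per family (inclusion-exclusion)."""
    sizes = [len(f) for f in FAMILIES.values()]
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            total += (-1) ** k * (len(ALPHABET) - sum(excluded)) ** length
    return total

def average_years(keyspace, guesses_per_second):
    """An exhaustive search succeeds after half the keyspace on average."""
    return keyspace / 2 / guesses_per_second / (365.25 * 24 * 3600)

def report():
    """Return (label, bits, years at 10,000/s, years at 1 billion/s) per scheme."""
    spaces = {
        "12 random chars, base 95": 95 ** 12,
        "12 chars, all 4 families forced": keyspace_all_families(12),
        "6 words, 7,776-word list (assumed size)": 7776 ** 6,
    }
    return [(label, round(math.log2(n), 1), average_years(n, 10_000),
             average_years(n, 1_000_000_000)) for label, n in spaces.items()]

if __name__ == "__main__":
    print(generate_password())
    for label, bits, slow, fast in report():
        print(f"{label:40s} {bits:5.1f} bits {slow:.2e} y @1e4/s {fast:.2e} y @1e9/s")
```

The passphrase figure assumes the attacker knows both the word list and the number of words.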

The last type of attack is called a rainbow table attack. Websites or apps don’t store passwords in plaintext. What they do is encrypt user passwords with hashes. Once the password is used for logging in, it is immediately converted to a hash. The next time the user logs in using their password, the server checks whether the password matches the previously created hash. If the two hashes match, the user is then authenticated. The tables used to store password hashes are known as rainbow tables.

In most instances, the hacker launching a rainbow table attack would need to have the rainbow table at their disposal. Often these can be bought on the dark web or stolen in a data breach. During the attack, bad actors use the table to decrypt the password hashes and so gain access to a plaintext password. The big risk here is not only the access to that account, but the other accounts of those who reuse passwords from one site to another are now at risk.
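A defender's view of the table lookup described above, as an added example that is not part of the original post: it stores the same weak password for two constructed accounts, once as a bare SHA-256 hash and once with a per-user random salt and PBKDF2, then checks which stored values a table computed ahead of time can reverse. The account names, the iteration count and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

COMMON = ["123456", "qwerty", "password", "password123"]  # weak passwords named in the post
ITERATIONS = 600_000  # PBKDF2 work factor; an assumed setting, tune for your hardware

def unsalted_hash(password):
    """Weak scheme: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password):
    """Hardened scheme: per-user random salt plus a slow key-derivation function."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

# Computed once, ahead of time, and reusable against any unsalted SHA-256 store.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON}

def exposed_by_table(stored):
    """Map user -> recovered password for every stored hex value found in the table."""
    return {user: PRECOMPUTED[h] for user, h in stored.items() if h in PRECOMPUTED}

def demo():
    # Constructed sample accounts: two users who picked the same weak password.
    weak = {u: unsalted_hash("qwerty") for u in ("alice", "bob")}
    strong = {u: salted_record("qwerty") for u in ("alice", "bob")}
    strong_hex = {u: r["hash"].hex() for u, r in strong.items()}
    return {
        "unsalted_identical": weak["alice"] == weak["bob"],
        "unsalted_exposed": exposed_by_table(weak),
        "salted_identical": strong_hex["alice"] == strong_hex["bob"],
        "salted_exposed": exposed_by_table(strong_hex),
        "login_ok": verify("qwerty", strong["alice"]),
        "login_bad": verify("qwerty1", strong["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The salt removes the precomputation shortcut only; a password as weak as the ones in `COMMON` can still be guessed directly, which is why the slow derivation function and the password-choice advice both matter.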

The security of the password is restricted to the security of the custodian of the information that the password is securing. If you have an account with Home Depot, and they get hacked because they have shitty security, the bad guys now have your credentials. Having a secure password means nothing if the company you are doing business with doesn’t take security seriously.

Choosing a good password is just the first step in securing your online data. Now you have to store that password in a format that makes it easy to retrieve your password, while simultaneously making it secure from disclosure to unauthorized parties. That will be a future post.


3 Comments

Anonymous · January 3, 2023 at 9:56 am

“If they know you made your password from this word list, you are screwed.”

No, the increased password length is very valuable; that the length is made from dictionary words is relatively unimportant. The complaint with a password coming from the dictionary is that a hash for that word could be pre-computed. But if that dictionary word is in the middle of a password, you can’t pre-compute. For instance the dictionary word “aisle” in the middle of the password “unify-stole-cbs-hunt-aisle-india”. You can’t pre-compute a hash for just the “aisle” portion, because the hash is computed across the whole password.

Elrod · January 3, 2023 at 10:17 am

RE: Diceware….a friend uses letter tiles similar to Scrabble tiles, some painted to indicate lower case, all 10 numbers, and some with all the special characters Sharpied-on, shakes the bag and pulls out a dozen.

He admits, though, that sometimes, he has to perform a re-do because the blind grab didn’t produce at least one character from each of the 4 families (upper case, lower case, number, special characters).

And, I’m still surprised at how many people do not realize using the same password in more than one place is lethal to security.

Exile1981 · January 3, 2023 at 2:12 pm

Back in the 80’s we used the random function in BASIC on the 8086 (or 8087, I forget) processor. Interestingly, if you ran the same random program on two computers you would get the same sequences of numbers in the same order on both computers. I suspected it had to do with the system clock time being used as part of the random generator but never did prove it for sure.

Now that was a long time ago but I still look at random generators with suspicion.

Exile1981
