Better passwords the key to safer cybersecurity

Once the preserve of spies and their masters, cryptology – the science of keeping secrets – now affects us all.

Despite countless warnings, surveys suggest that about 80 per cent of the passwords we use are virtually hopeless.
Powered by automated translation

Once the preserve of spies and their masters, cryptology – the science of keeping secrets – now affects us all.

Hardly a week goes by without news that one government has been spying on another, or that hackers have broken into a website and made off with client data.

Earlier this month the crowdfunding site Kickstarter became the latest high-profile victim of hacking. Customer information including usernames, email and postal addresses were stolen.

The company insists no credit card data was accessed, and that the security breach has been rectified. Even so, it has advised its five million-plus users to change their passwords “as a precaution”.

All of which prompts the question: why can’t these supposedly tech-savvy companies keep our secrets secret?

Bluntly, the fault largely lies not with them, but with us. Despite countless warnings, surveys suggest that about 80 per cent of the passwords we use are virtually hopeless.

Last month, online security company SplashData announced that “123456” now topped its annual Worst Password list – having beaten that long-standing champ “password” into second place.

It’s hardly a secret why such pathetic passwords are so common: most of us just can’t be bothered to devise and memorise individual, secure passwords for all the sites we access.

This highlights one of the enduring challenges of real-life cryptology: the compromise between security and convenience. And it’s one that a UAE-based cryptologist is trying to tackle. Dr Ziyad Al Salloum, of ZSS Research, Ras Al Khaimah, thinks the answer lies in pictures rather than words.

We all know we’re supposed to pick passwords made from long, complex character strings, such as 45Gh6%7hUklR9#3. With more permutations than there are particles in the universe, such a password is all but impossible to break.

But such passwords are also incredibly hard for humans to remember, and even cryptologists accept that for that reason they are never going to be widely used.

That’s led them to turn to a neat mathematical trick to make even “123456” a bit harder to break.

In school maths, we learn how to “undo” the operation of multiplication by using the reverse process of division. In the mid-1970s, cryptologists began investigating a means of keeping passwords secret using operations that are very hard to reverse.

They focused on so-called “hash functions” – ways of scrambling long strings of characters that can’t easily be reversed.

The idea was that companies would then store not the client passwords themselves, but only the scrambled versions.

Every time a user typed in a password, it would be scrambled according to the mathematical recipe and the outcome checked against the list of scrambled versions held by the company, which would have no idea what the original password actually is.

That solves the problem of both company insiders or outside hackers getting access to the original passwords – as the hashing process is very hard to undo.

Or at least, that was the theory. Like most clever ideas in cryptology, however, it quickly fell victim to the ingenuity of code-breakers. They found a neat trick for undermining the hashing process, called a dictionary attack.

This involves compiling a “dictionary” of the hashed version of likely passwords, and looking for these in the stolen records. As the same characters always produce the same hashed versions, the dictionary would then reveal the original password.

The cryptologists hit back by adding a long random number to every password before it gets hashed. Known as “salting”, this hides the connection between the password and the hashed version, preventing dictionary attacks.

This is the basic method used by many commercial companies – including Kickstarter – to keep client passwords safe.

Even with this extra security, clients using weak passwords are still much more vulnerable than others. That’s because hackers start with simple passwords, and then focus on removing the random number “salt” to see if they’re right.

So what can be done to get everyone to use better passwords? Making complex ones more memorable would be a start.

And that’s the approach being taken by Dr Al Salloum. He is developing a source of unguessable passwords based on the fact that we remember places far better than random character strings.

The idea is very simple: instead of picking passwords, we pick a place in the world that means something to us from an online atlas similar to Google Maps. Divided up into a grid of hundreds of billions of squares, this “password atlas” allows the location of our special place to be turned into a very long number-string. This can then be added to a long random number “salt”, and the combination converted via a hash function into a very secure password string. All we have to remember is the location – a building, say, or road junction – that we chose.

Describing his method in the current issue of the International Journal of Signal and Imaging Systems Engineering, Dr Al Salloum says it’s far more resistant to standard hacking techniques used to turn hash strings back into passwords.

Perhaps so, but it’s unclear whether it will stop people swapping their guessable passwords like “123456” for images of guessable locations like the Eiffel Tower or the Burj Khalifa.

And even if it does, you can be sure the hackers will find a way around it eventually. Cryptologists know they’re locked in a Darwinian war for supremacy that’s not going to stop any time soon.

In the meantime, there’s a trick anyone can use to create better passwords: use pass-phrases instead.

Think of a simple phrase – such as “Brad Pitt was born in Oklahoma in 1963” – and take the initials of each word, plus the number: “BPwbiOi1963”.

The result is not utterly unbreakable, but it’s easy to remember – and it’ll keep hackers out of your account for longer than it takes to type “123456”.

Robert Matthews is visiting reader in science at Aston University, Birmingham