Saturday, April 7, 2012

Of PINs and Passwords


When it comes to securing things that are important to us, sometimes we are asked to provide a Password and sometimes a PIN. The latter are clearly to be preferred, as they are only 4 digits long and easy to remember. Most of us re-use the one PIN for everything. I don’t know about you, but I have two different ones I use in different contexts.

Passwords are a curse. On the Internet we seem to need more and more of them, and not only that, there is now an insistence that a password should have a minimum length of 8 characters and that some of the characters should be capitals and some should be numerals. Again I have no idea what others do, but I have three passwords I recycle in various forms. If one of them was previously “mongoose” I now would use “Mong00se” to get past the security fascists. But of course such passwords are much harder to remember.

A common solution is to download a free “Safe” onto your computer and store all of your passwords in that, with the Safe itself protected by a single hyper-secure password. For example, see


But of course this is literally putting all of your eggs in one basket. Another nice idea is OpenID. See http://openid.net/. Here one set of credentials (for example your Gmail or Facebook login) gets you into a multitude of sites.

But why does a PIN work in one context, but a password is required in another? It depends on the kind of problem you are trying to set an attacker who is out to get you.

Now a PIN or a password has a certain amount of “entropy”, or unguessability. A PIN has exactly 4 decimal digits worth of unguessability. In the worst case it would take an attacker 10,000 guesses to find your PIN. A password, on the other hand, would be expected to have at least 16 decimal digits worth of unguessability, so it should take an attacker up to 10,000,000,000,000,000 guesses to crack it. These attacks are sometimes called brute force, or dictionary attacks. The attacker simply works through a list of all possible PINs or all possible passwords. The counter-measure is to make the dictionary simply too big to be attacked in this way. For a PIN it is, roughly speaking, sufficient that a dictionary attack should be hard for a human. For a password, a dictionary attack should be impossible even for a fast computer.

Which you need, PIN or password, depends on the context in which it is used, and how much it costs to make a guess. In short, a PIN is used in a context where it is only exposed to “on-line” attacks, and a password is needed if it could be exposed to an “off-line” attack. A PIN can typically be used in a context where an attacker is forced to go on-line to some entity outside of his/her control in order to test a guess. That entity can make it costly to make a guess, and can punish a wrong guess. The classic example would be if an attacker were to steal your ATM card. If they don’t know the PIN, the only way to test a guess is by trying the card in an ATM. After a few wrong guesses the attacker will be rumbled, and no further guesses allowed. So in practice it would be difficult to make even 100 guesses, never mind 10,000.

But if you are storing data in the cloud, it needs to be encrypted. And encrypted data is only really safe if it is protected by a key created from a suitably “high entropy” password. An attacker who gains access to the encrypted data (which must be assumed to be possible, otherwise why is it encrypted?) can, at their leisure, program a computer to try a multitude of guesses for the key at computer speeds and leave that program running overnight. Now a computer can attempt one hell of a lot of guesses in 24 hours! Hence the need to hide our needle in a haystack of at least 10,000,000,000,000,000 needles.

The problem here is that computers are getting faster and faster, and can search bigger and bigger dictionaries. And search algorithms can be perfectly parallelized, so 100 computers can complete the search 100 times faster. This explains the recent insistence on more and more elaborate, and hence less and less easily memorisable, passwords. And the elephant in the room is the fact that 10,000,000,000,000,000 is actually not nearly enough; it really should be 10,000,000,000,000,000,000,000,000, which is reckoned to be the bare minimum for reasonable levels of security against a sophisticated and powerful attacker with massive parallel computing resources at his/her disposal. And to make matters worse, the patterns that appear in memorisable text can be exploited to reduce this search space still further. So unless you are using a password like iUy78t^&aB1@ you really can’t be feeling 100% secure.
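The arithmetic of the last few paragraphs, worked through as an added example (not the author's code): the search space and “decimal digits of unguessability” for the PIN and password figures above, how a slow key derivation function and the defender's on-line lockout change the attacker's budget, and why a key derived from a 4-digit PIN falls instantly once it is exposed to an off-line search. The guess rates, the salt and the PIN are constructed values for illustration.

```python
import hashlib
import itertools
import math
from typing import Tuple

# Figures from the post: a 4-digit PIN, a "16 decimal digits" password,
# and the 10^27 figure given as the bare minimum against a well-resourced attacker.
PIN_SPACE = 10 ** 4
PASSWORD_SPACE = 10 ** 16
STRONG_SPACE = 10 ** 27


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive (dictionary / brute-force) search must cover."""
    return alphabet_size ** length


def decimal_digits_of_entropy(space: int) -> float:
    """Express a search space as 'decimal digits worth of unguessability' (log10)."""
    return math.log10(space)


def seconds_to_exhaust(space: int, guesses_per_second: float, kdf_iterations: int = 1) -> float:
    """Worst-case time for an OFF-LINE search. A deliberately slow key derivation
    (kdf_iterations hash calls per guess) divides the attacker's effective guess rate."""
    return space * kdf_iterations / guesses_per_second


def online_guesses_allowed(lockout_after: int) -> int:
    """In the ON-LINE setting the verifier, not the attacker, fixes the budget:
    after lockout_after wrong guesses no further guesses are accepted, so the
    search space size is irrelevant once it exceeds this number."""
    return lockout_after


def derive_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """Key derived from a PIN or password with PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


def offline_pin_search(target_key: bytes, salt: bytes, iterations: int) -> Tuple[str, int]:
    """Exhaust every 4-digit PIN against a captured key; returns (pin, guesses needed).
    Shows why a PIN-derived key must never be left exposed to an off-line attack."""
    for guesses, digits in enumerate(itertools.product("0123456789", repeat=4), start=1):
        candidate = "".join(digits)
        if derive_key(candidate, salt, iterations) == target_key:
            return candidate, guesses
    raise ValueError("target key was not derived from a 4-digit PIN")


if __name__ == "__main__":
    rate = 1e9 * 100  # constructed: 100 machines at a billion guesses per second each
    for name, space in (("PIN", PIN_SPACE), ("password", PASSWORD_SPACE), ("strong", STRONG_SPACE)):
        print(f"{name}: 10^{decimal_digits_of_entropy(space):.0f}, "
              f"{seconds_to_exhaust(space, rate) / 86400:.3g} days off-line, "
              f"{online_guesses_allowed(3)} guesses on-line")
```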

Conclusion: Wherever possible a PIN is obviously preferred to a password. Systems should clearly be designed so that an attacker must always be forced to go on-line to test a guess.

On a serious note, I would suggest that the whole Internet/Cloud Computing project is at risk until and unless this problem can be solved!
