El Quijote or a password manager to create complex passwords that we can remember

JORDI SERRA RUIZ Professor of Cybersecurity, UOC - Open University of Catalonia

The first documented use of a computer password dates from 1961. That year, scientists at MIT had to devise a way for several users to share a single machine, and they needed to tell apart who was using it and when. That is how usernames and passwords came about.

Their use spread with the applications developed over the following years. The scheme allowed, and still allows, an application to know which person it is dealing with and to keep personalised data for each of them.

At the start of this century banks moved much of their business onto the Internet, and more serious problems with passwords began to surface. Over time, cybercriminals realised that these secrets were easy to guess.

From 123456 to security questions

People tend to choose passwords that are easy to remember: the classic 123456, people's names and years of birth, pets' names, well-known places they have visited or where they live, and football teams. All of these are easy to remember and to type, but cybercriminals can discover them very quickly with a little research into the person.

In addition, because passwords were also forgotten, a set of fixed security questions was introduced early on, which the user had to answer with the same information given at registration. The most typical: the name of the pet.

Recall the attack Paris Hilton suffered years ago. The attackers were able to get at the files stored on her mobile simply by answering the question about the name of her pet (a chihuahua she was never without). With the right answer they were able to recover Hilton's password.

The first tips for creating passwords

In 2003, Bill Burr, a manager at the National Institute of Standards and Technology (NIST) of the United States, wrote a document compiling a set of rules for creating more secure passwords.

Burr introduced the guideline of mixing letters, digits, upper and lower case and special characters, with a minimum length, to produce passwords more complex than the ones most people used at the time. He thought he had done people a favour, but the effect was the opposite.

Burr later apologised for that document and its rules. He had devised a scheme that forced users to remember very complex passwords that are impossible to retain. We might manage to memorise one, or perhaps two, but with the number of services we use on the Internet today the scheme defeats its own purpose: passwords that mean nothing to people are quickly forgotten.

Programs that find passwords

Starting from a known word (usually a common one) and changing a few digits and signs is not a good solution either. Besides being harder to remember, it gives us a feeling of protection, of using a completely secure password, when the truth is quite the opposite.

There are programs that generate password candidates from dictionary word lists. They swap letters for digits, add numbers before or after the word, or append special characters.

These tools can thus produce either completely random combinations of letters, digits and symbols, or permutations built from a few known words that are more or less related to the person being attacked. For a person who is a big fan of a certain football team, for example, the attacker can generate combinations of names related to that team: players, years of titles, and so on.

In seconds these programs produce lists of millions of candidates, which are then tried against a site's login form, or far faster against a leaked copy of the site's password hashes, until the right one turns up.
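As an added example that is not part of the article, the following script shows what such a "mangler" does and why a word-plus-year-plus-symbol password falls to it. The base words, the rule set, the hypothetical leaked hash and the function names are all constructed for this illustration; real cracking tools apply far larger rule sets.

```python
"""Added example (not the article's code): a small dictionary "mangler" of
the kind the text describes, plus an offline check of its output against a
leaked password hash. Base words, rules and the "leaked" hashes are all
constructed for this illustration."""
import hashlib
from typing import Iterable, Iterator, Optional

# Letter-for-digit/sign swaps ("leet"), one of the rules the text mentions.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def case_variants(word: str) -> list[str]:
    """barcelona -> barcelona, Barcelona, BARCELONA."""
    return [word.lower(), word.capitalize(), word.upper()]


def leet_variants(word: str) -> list[str]:
    """The word as typed and, if it changes anything, with every
    substitutable letter swapped (messi -> m3$$1)."""
    swapped = "".join(LEET.get(c, c) for c in word)
    return [word] if swapped == word else [word, swapped]


def mangle(base_words: Iterable[str], years: Iterable[str],
           symbols: Iterable[str]) -> Iterator[str]:
    """Yield candidates: each word in its case and leet variants, alone,
    with a symbol, with a year before or after it, and year+symbol combos."""
    years = list(years)
    symbols = list(symbols)
    for word in base_words:
        for cased in case_variants(word):
            for cand in leet_variants(cased):
                yield cand
                for sym in symbols:
                    yield cand + sym
                for year in years:
                    yield cand + year
                    yield year + cand
                    for sym in symbols:
                        yield cand + year + sym
                        yield cand + sym + year


def sha256_hex(password: str) -> str:
    # Constructed scenario: the leaked database stored unsalted SHA-256.
    # Real sites should use a slow, salted hash (bcrypt, scrypt, Argon2),
    # which makes every guess much more expensive.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose hash equals the leaked hash, else None."""
    for cand in candidates:
        if sha256_hex(cand) == target_hex:
            return cand
    return None


# Words a quick look at a football fan's profile might suggest (constructed).
BASE_WORDS = ["barcelona", "messi", "campnou", "blaugrana"]
YEARS = [str(y) for y in range(1990, 2024)]
SYMBOLS = ["!", "?", ".", "#"]

if __name__ == "__main__":
    # A password its owner thought was strong: word + year + symbol.
    leaked = sha256_hex("Barcelona2019!")
    print(crack(leaked, mangle(BASE_WORDS, YEARS, SYMBOLS)))   # Barcelona2019!
    # A key not built from a dictionary word is not found by these rules.
    print(crack(sha256_hex("E1ldl+FuerT+M,dc2nqa"),
                mangle(BASE_WORDS, YEARS, SYMBOLS)))              # None
```

Four base words and a handful of rules already yield several thousand candidates; a few seconds of hashing is all it takes to find the "complex" password, while the phrase-derived key from later in the article does not appear in the list at all.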

Secure passwords that we can remember?

For now we cannot stop using passwords; almost every system still identifies us this way. So we need a way of using complex passwords that is easy to manage. We have seen that they cannot be plain dictionary words, nor meaningless strings of letters and digits that we will not remember.

We can use two strategies that will allow us to have good passwords that are easily remembered.

The first is to remember a phrase from a book or a proverb and customise it for each service where we need a password. For example, take El ingenioso hidalgo don Quijote de la Mancha by Miguel de Cervantes, which opens with: "En un lugar de la Mancha, de cuyo nombre no quiero acordarme, no ha mucho tiempo que vivía un hidalgo..." ("In a place of La Mancha, whose name I do not wish to recall, not long ago there lived a gentleman..."). Taking only the first letter of each word and the comma, with un written as 1 and the two consecutive n initials (nombre, no) collapsed to 2n, we get a fairly long key that means nothing on its own: E1ldlM,dc2nqa.

But we can also vary this key for each website. For the bank (banco, five letters in Spanish) we insert, after the fifth character, a concept related to banking, such as a safe (caja fuerte, hence FuerT), between separator signs such as +, -, ¿ or :. The result is E1ldl+FuerT+M,dc2nqa. To reconstruct it we only have to recall the phrase, take the initials and add the token for the site in question. That is surely easier to remember than a random string of 20 characters.
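To make the rules of this scheme explicit, here is the derivation written as code. This is an added example, not the article's own code: the phrase is the opening of Don Quijote, while the word-to-digit map, the run compression and the function names are my reading of how the article arrives at E1ldlM,dc2nqa, not rules the article states.

```python
"""Added example (not the article's code): the "first letter of each word"
scheme as a deterministic function. The phrase is Cervantes' opening line;
WORD_TO_DIGIT and the run compression are assumptions that reproduce the
article's key E1ldlM,dc2nqa."""
import re

# Words written as the digit they denote ("un" -> 1), as the article's key does.
WORD_TO_DIGIT = {"un": "1", "una": "1", "dos": "2", "tres": "3"}

# A word followed by any trailing punctuation, e.g. "Mancha," -> ("Mancha", ",")
TOKEN = re.compile(r"^(\w+)(\W*)$")


def initials(phrase: str) -> str:
    """Initial of each word (digit words become digits), punctuation kept,
    and runs of the same initial compressed to count+letter (n,n -> 2n)."""
    parts = []
    for token in phrase.split():
        m = TOKEN.match(token)
        if not m:
            continue
        word, punct = m.group(1), m.group(2)
        parts.append(WORD_TO_DIGIT.get(word.lower(), word[0]))
        parts.append(punct)
    raw = "".join(parts)

    out = []
    i = 0
    while i < len(raw):
        j = i
        while j < len(raw) and raw[j] == raw[i]:
            j += 1
        run = j - i
        # Only letter runs are counted; digits and punctuation are kept as-is.
        out.append(f"{run}{raw[i]}" if run > 1 and raw[i].isalpha() else raw[i] * run)
        i = j
    return "".join(out)


def site_password(base: str, site_token: str, position: int, sep: str = "+") -> str:
    """Insert a per-service token, wrapped in a separator, after `position`
    characters of the base key."""
    return base[:position] + sep + site_token + sep + base[position:]


QUIJOTE = "En un lugar de la Mancha, de cuyo nombre no quiero acordarme"

if __name__ == "__main__":
    base = initials(QUIJOTE)                # E1ldlM,dc2nqa
    bank = site_password(base, "FuerT", 5)  # E1ldl+FuerT+M,dc2nqa
    print(base, bank, len(bank))
```

One caveat worth keeping in mind: the secret in this scheme is the base key, not the per-site token. If one of the derived passwords is leaked, the structure "fixed key with a site-related word in the middle" is visible to whoever reads the leak, so the variants for other sites become far easier to guess than a fresh random password would be.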

The other option is a password manager, an application installed on the phone or in the browser in which we store the different passwords we create. That way we only have to remember the one password that unlocks the application, and inside it we look up the password we need.

The drawback of these tools is that we always need the device holding the manager to look up the password to use in each case, and we have to remember to record every new password and every change to it there (most managers synchronise between devices, which eases the first problem).

You also have to be very careful when installing an application of this kind, because cybercriminals know how attractive it is and publish look-alike apps that send them every password we store, bank and e-mail passwords included. Before installing, check who the developer is, read the reviews and look at when the app was created, and even then keep a healthy suspicion. These tools are useful, but in the end we are trusting an application written by third parties we do not know, rather than our own ability to retain a sentence.

The ideal: two-step authentication

There are three kinds of factor for authenticating a person to a service, online or in person: something we know, something we are and something we have. Something we know is the password, held in memory. Something we are is biometrics in general: a fingerprint or the iris. Something we have is a device to which a one-time code is sent, the phone for example.

It has long been known that relying on a single authentication factor is a serious security problem, which is why banks and other services already use two. Besides the password, they send us a one-time code to confirm the actions we perform. The latest phones also use biometrics to control access to the credentials we have saved on them.

Used together with these other factors, passwords are going to stay with us for many years yet. It is highly recommended to enable the second factor on every system that offers it, above all on shopping sites, on any site that has a stored credit card, on e-mail, and so on.

Even if cybercriminals obtain the password, they will not have the same device or the same fingerprint. These newer methods have security problems of their own (a code sent by SMS can be phished, for example), but they are not as easy to defeat, so we end up rather better protected than by the name of our pet or our favourite football team alone.

This article has been published in 'The Conversation'.
