Pafwert: Now Open Source

More than 15 years ago I started working on a unique password generator that eventually evolved into a small program I now call Pafwert.

Pafwert is a unique tool to help you to select strong passwords that are easy to remember. Using strong entropy, tens of thousands of seed words, more than a hundred patterns with endless variations, and following password best practices, Pafwert can help you to select very strong passwords that are surprisingly easy to memorize. We have all seen random password generators, but Pafwert is very different.

Of course, while I still recommend using a password manager and generating completely random passwords, there are plenty of passwords we need to remember that we just aren’t able to save in a password manager. That is where Pafwert comes in.

Pafwert uses familiar patterns and a variety of memorization techniques to help you create strong passwords that are also easy to remember. Keep in mind that you don’t have to use the passwords exactly as it spits them out, you can use it simply as a tool to spark your own imagination when creating your passwords.

Pafwert is actually much more complex than it appears on the surface and generates passwords based on patterns and wordlists that you can customize. It then runs these passwords through a number of filters to obscure them just enough to make them unique. Yes, I probably wasted many thousands of hours overthinking this thing. Nevertheless, over the years it has gotten buried on my web site and largely forgotten (although I still use it myself every day).

I thought it was about time to update this tool and open source it (under the Apache license) to share it with the community. I would like to see it updated with new features and maybe even ported to PHP, but for now the code is there for anyone to play with. Note that I began work on this version of the code in 1999 so it is written in Visual Basic 6. That means that few of you will have the tools to do anything with the program itself (although I do have a complete dev environment in a VM if someone is serious enough about working on it).

If you would simply like to download the latest compiled version to install yourself, you can always grab it at http://xato.net/pafwert or you can check out the source code at GitHub.

If you want to get a taste for the complexity of this tool, you may want to spend a few minutes and read the Pattern Guide.

Hopefully someone can find this useful, if you do, let me know!


Pafwert – Smart Password Generator
https://github.com/m8urnett/pafwert


 

Email: The Security Industry’s Single Biggest Failure

I still remember so clearly the frustration I felt back in the 90's when starting in the security industry and trying to sell my services. It was so difficult trying to emphasize just how much at risk potential clients were and then get them to pay me to fix their stuff. Too often I came off like the paranoid conspiracy theorist–their sky wasn’t falling and they saw no wolf.

I remember one particular conference call at the peak of my frustration where a network administrator confidently bragged to me and the managers on the call just how secure their network really was. What the managers didn’t know at the time was that as we were all talking, the network administrator was scrambling to lock things down as I was furiously trying to break in. Being that I was pretty good at that stuff at the time, I was able to quickly drop a little program called cdtray.exe onto a number of computers, including the admin’s own PC, and used the at command to schedule all of their CD trays to open in one minute. I started asking the admin some questions and could hardly contain my amusement sixty seconds later as he suddenly seemed distracted. Then I went in for the kill: “are you convinced now you need more security?” I asked.

I didn’t get that job.

Nor did I get any work from Bank of America when I notified them of a glaring security flaw that exposed their global.asa file which contained their database username and password. That was over a decade ago but I still remember the password: superchicken.

Now eBay Wants in on Password Patents

I wrote a couple months ago about the many attempts to patent various methods of checking passwords. Now eBay wants in on the game with United States Patent Application 20120284783. Here’s their summary:

A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user’s previous password, to determine similarity between the two passwords.

Reading through the claims, this is by no means novel or innovative and there certainly is plenty of prior art for this. Want to help prevent yet another abuse of the patent system? You can post any evidence of prior art on this Ask Patents post.

 

About The US Government’s Absurd Filing in a Megaupload-Related Case

You’d think the US Government has been embarrassed enough with their abuse of power and disregard for procedure in the Megaupload case that they would just let it all quietly die. No, as evidenced by a recent filing in the Kyle Goodwin case, they are going to fight this one until the end.

Because this case potentially affects everything we do in the cloud, I have followed it closely. But I have to say I am a bit amazed by the arrogant, contradictory, hypocritical, almost desperate brief the government filed a few days ago. I recommend taking a few minutes to read the whole thing, but it basically comes down to the government arguing that instead of having one hearing to see if the guy can get his data back they should break it down into several different hearings, one to argue each point. Their logic is that if they don’t get past the first point, they don’t need to hold any more hearings.

The government would like the hearing broken down like this:

1. A hearing requiring Kyle Goodwin to prove he owns the files he says he owns.
2. A hearing to determine if Federal Rule of Criminal Procedure 41(g) allows Goodwin any relief.
3. Another hearing that would consider exactly what relief might be appropriate.

They also imply other hearings, such as an evidential hearing or another to ensure the court even has jurisdiction over the complaint.

Of course, this is all absurd and an obvious attempt to delay the proceedings and put a greater burden on Goodwin and anyone else who might want to get their files back. It is a common tactic and is one of the reasons why many law firms refuse to accept cases suing the government: even if the government is wrong, they have enough resources to completely swamp a law firm with paperwork and procedural obstacles potentially costing the firm millions of dollars just to get the case heard.

The government’s argument is that by breaking the hearings up, they can put less of a burden on the court. They state that by having just one hearing that “the Court may unintentionally authorize a large amount of irrelevant discovery that impinge on the criminal proceedings.” Plus, they argue, if you dispute some facts, that would likely result in having to dispute other facts and that might require “the testimony of numerous witnesses, including potential expert witnesses.” Finally, they argue, that because they won’t know the scope of the hearings, they don’t know how much information they will need to gather.

Much of the government’s filing is a clear attempt to kill the case by saying that Goodwin can’t even prove he owns his files. It all comes down to Federal Rule of Criminal Procedure 41(g):

(g) Motion to Return Property. A person aggrieved by an unlawful search and seizure of property or by the deprivation of property may move for the property’s return. The motion must be filed in the district where the property was seized. The court must receive evidence on any factual issue necessary to decide the motion. If it grants the motion, the court must return the property to the movant, but may impose reasonable conditions to protect access to the property and its use in later proceedings.

To argue that Goodwin has no ownership rights, the government says that he only used a service provided by Megaupload and they only leased servers from Carpathia, therefore Goodwin has no ownership rights to the servers they imaged. The contracts of these services, they argue, probably say that he doesn’t own those servers. But the argument here was never that he owned the servers, only that the government took the only copy of his data.

So what about the data? The government argues that owning a copyright “is not sufficient to establish that he has an ownership interest in… the copies of his data.” They say that there should be a hearing to determine whether Goodwin has a prima facie case before proceeding and that his contract with Megaupload limits his ownership rights. I find it hilarious that this very fact is why everyone is angry about the Megaupload case in the first place: the government had no hearing to prove that the entertainment industry had ownership rights of their data and the fact that Megaupload’s contract and federal laws indemnify them of any liability for sharing copyrighted files.

Their argument also has a major flaw: this is not a contract dispute between Goodwin and Megaupload or Carpathia, it is a lawsuit against the US Government. The government is not a party to any of these contracts and therefore they are completely irrelevant.

Then it gets even stranger. Although the government says they do not have Goodwin’s data on the servers they imaged, and that they are not in possession of the other servers, and that finding any particular users’ data may be technically infeasible, they go and claim that his Megaupload account contains files that might be pirated music. So do they have access to his files or not? Further, having pirated files in his account does not negate the fact that he owns his video files. It’s nothing more than a scare tactic and veiled threat that Goodwin should not continue this case because he does not have “clean hands.”

After the whole argument about Goodwin having to provide evidence of ownership, the government goes on to say that in a hearing to decide a Rule 41(g) motion, “the Court may use affidavits and documentary evidence, without the need for live witnesses.” Basically what they want is to be able to use sworn affidavits instead of putting up live witnesses. This means that they get to introduce a statement from their witness with no opportunity for the plaintiff to cross-examine the witness. Their argument is that Goodwin must bear the burden of proof, not the government. Nice trick, but our legal system doesn’t work that way. The only way to reconcile disagreements of prima facie evidence is through a full trial and that includes witnesses.

What the government is trying to do here is abuse the process to prevent the question coming up asking if their raid was legal in the first place. Part of Goodwin’s case relies on proving that his data was unlawfully seized, which might include proving whether Megaupload’s servers themselves were unlawfully seized and searched. This is an extremely important question that needs to be asked because it will set the precedent for all future government seizures. It affects every company on the Internet that hosts the data of others. And it affects any of us that completely rely on the cloud for running our own lives and livelihoods.

The government must be held to the same standards as anyone else and cannot be allowed to abuse the law to take out any company in any country that threatens the US entertainment industry. If we can stop the little abuses, we help prevent the big abuses.

 

 

Is Mozilla’s Persona the Authentication System That We’ve All Been Waiting For? Probably Not.

Last week, Mozilla announced the first beta release of Persona. Persona, formerly called BrowserID, is a personal authentication system that aims to eliminate passwords to log in to web sites. Of course, you still need one master password to log in to Persona, but it takes care of every site login after that. Persona is definitely interesting, but it likely won’t be signing any death warrants on passwords just yet.

How Persona Works

One thing that Persona has going for it is that on the surface it is relatively simple. When it comes to authentication, simple is good. Here is a simplified explanation of how it works:

  1. You visit a site and that site asks for your identity.
  2. Your browser goes to persona.org (or whatever identity provider you use but for this example I will use persona.org) and asks you to enter your email address and password.
  3. Once authenticated, persona.org signs your public key, basically giving you a seal of authenticity that’s good for 24 hours.
  4. Your browser creates a document called an identity assertion, signs it with your private key, then sends that and your signed public key to the site you want to log in to.
  5. The site looks at the document, verifies that it was signed by you, verifies that your signature was signed by persona.org, and then verifies that persona.org’s signature was signed by a trusted authority such as Verisign or Thawte.

Note that the identity assertion is valid only for that one site, only from your current web browser, and only for the next 24 hours. At any time, however, you can logout and invalidate all currently stored sessions.

What Makes Persona Great

One thing that makes Persona unique is that the site you visit doesn’t need to communicate with persona.org directly, meaning that persona.org never knows what sites you are logging in to. Another big advantage is that it is solely based on your email address, which is much easier to remember than an OpenID URL, and which means that you can easily remain as anonymous as your email address allows. Even better, Persona is distributed so if you own your domain you can be your own identity provider.

Persona is built on a concept that inherently protects your privacy and puts you in control of your identity.

But There Are Problems

Like any authentication system, Persona does need some serious real-world testing to prove itself and work out the bugs. The problem with Persona, however, is that the stuff that makes it so cool is also what exposes it most to attack.

For example, there is the signing key at the identity provider. Normally you want the strictest safeguards to protect any signing key. Some signing keys are so important that they are not even stored on network-accessible computers. The problem here is that in order to sign user certificates, you would need to allow the web server to access the private signing key. That usually means storing it on the web server itself.

We have all seen the news reports of user passwords stolen from a server and dumped on the Internet. But what happens if someone grabs a signing key? Basically it means they can sign any request and therefore log in as any user to any site that uses Persona. Yes, that is a pretty big issue. If I ran an identity provider, I would be terrified of taking my eyes off the monitoring consoles.

Another big vulnerability is the web browser itself. Of course, if someone’s browser is infected with malware, they already have some serious issues. But what makes Persona especially vulnerable is that such malware could do more than intercept passwords–it could authenticate to any web site you use with Persona without any intervention on your part as long as you are logged in to Persona.

Yet another significant issue is that there is way too much room for error in implementing Persona. We have learned by now that if people can get it wrong, they certainly will get it wrong. Persona relies way too much on the implementation which means we will no doubt see plenty of vulnerabilities with identity providers, browsers, and relying parties.

A good example of this we can see on persona.org itself. When you login, it first asks for your email address to see if you are a valid user, then if you are it prompts you for your password. The problem with this two-step approach is that it makes it vulnerable to account harvesting. You always have to ask for email and password together and if one is invalid you never say which one it is.

Despite its potential flaws I do still like Persona. I don’t think it is the technology that will save us from having to remember passwords, but it is an important step in the evolution of secure authentication. What we learn from it is that emails are better than URLs as identifiers. We learn that it’s good to do stuff on the client side to ensure user privacy. We learn that we can easily leverage long-established and well-tested technologies without having to invent something new on the crypto side of things. Unfortunately, we also learn how incredibly difficult it still is to do authentication right.

 

Want to Block Common Passwords? Sorry, That is Patented

I always enjoy browsing through password-related patents to see all the flawed, silly, or outright dumb ideas that people come up with in an attempt to improve how we authenticate ourselves in the digital realm. What amazes me though is how many patents I encounter that have been granted for some of the most obvious, well-known and ordinary techniques we use in the authentication process. In fact, every imaginable aspect of password selection, authentication, storage, and recovery seems to be covered by one or more patents.

6 New Password Rules

Considering the increasing attention passwords have been getting lately, I thought it was about time we sit down and establish some new rules to define exactly what is a password. After all, so much of our personal lives, finances, and identities rely on these obscure jumblings of letters, numbers, and punctuation.

1. Password, 1234, letmein, and anything else that you see on this common passwords cloud are not passwords.

Recently I took my son over to a friend’s house and when we got there we found he lived in a gated community that required a PIN to enter. My son was about to call his friend when I told him, “I got this.” I reached over and entered 1234 and the gate promptly swung open. Yeah my son was very impressed at my hacker skills, but the fact is that 1234, 12345, or even 12345678 are not strong enough to be considered passwords.

 

2. If you google your password and get more than 10,000 results, it is not a password.

It’s really simple: if your password shows up that many times in Google, your password is not a password; it is a dictionary or common wordlist word.

3. If your password is 8 characters or less, it is not a password.

An 8-character password just isn’t strong enough these days to be considered a password. Most 8-character passwords consist of a dictionary word or name with a couple numbers added to the end. These are incredibly easy to crack and will not stand up to a brute force attack no matter what type of encryption is used. If your password is 8 characters long, you might have a PIN, but it certainly is not a password, which is probably why banks seem to love limiting password length to 8 characters. I recently explained just how much of a difference there is between an 8-character password and a 10-character password, but maybe this would illustrate it better:

[Image: the equivalent of an 8-character password]

[Image: the equivalent of a 6-character password]

4. If you use it on multiple sites, it is no longer a password.

Considering the huge number of passwords hacked and dumped on the internet every single day, I would hope that most of us have learned that you simply cannot reuse the same passwords on multiple sites. You are better off never even considering using the same passwords everywhere because it is easy to fall into that habit.

Just to illustrate why this is such a big deal, there are people such as me who collect passwords. Here is a list of all the passwords I have for the username bonehead. Now if I know that there is a user named bonehead on a web site, I can try all of these passwords and chances are surprisingly good that one of these passwords is correct. Why is this such an effective technique? Because everyone reuses their passwords on multiple sites.

5. If a password is older than 3 years, it has expired and is no longer a password

I know some of you get really attached to your passwords, but it is time to start using a password manager and changing those very old Hotmail and PayPal passwords. You wouldn’t eat 3-year-old food, so don’t use a 3-year-old password.

6. If you tell someone your password, it is no longer a password

Certainly sometimes it is necessary to share an account, but there is no excuse for telling someone your personal passwords, and this includes writing them down and sticking them on your monitor. If you have trouble doing this, one trick is to set your password as some phrase that reveals some highly personal or embarrassing fact you would never tell anyone–problem solved!

So come on people, we really can make passwords that really are passwords. Passwords don’t need to be totally random and they don’t always have to have numbers, capitals, and punctuation, but they do need to be long, unique, and secret!

 

 

 

 

My Advice: Just use a Password Manager

For years I have advocated using long, memorable passwords using a variety of different memorization techniques. Humor, repetition, common suffixes, memorable phrases, and other methods are great for creating long passwords that are easy to remember.

But now my philosophy has changed: now I say just go ahead and use a password manager and generate long, random passwords for each online account.

While I still use my own easy-to-remember passwords for sites where I often need to enter passwords manually, the bulk of the passwords I create now are long, random passwords that LastPass generates for me. Even five years ago it was possible to manage and memorize ten or twenty unique passwords, but the world has changed and it is not uncommon for a typical web user to have dozens if not hundreds of online accounts.

With so many large web sites becoming victims of public account dumps, it is now more important than ever that you never reuse the same password anywhere. Tools such as LastPass or KeePass make the process of creating, managing, and entering passwords so simple, there is hardly any reason not to use one of these tools.

Yes, you can come up with fancy patterns or methods of creating unique passwords for each site, but it just is not worth the effort and pattern-based passwords tend to be shorter than they should be. Passwords are more vulnerable to attack than ever; you should never create a password less than 10 characters but use 20 or more if the system lets you. Managing this many strong, unique passwords is almost impossible to do now without the help of a password manager.

Yeah, I kind of miss making new clever passwords, that was always the fun part of creating new accounts. On the other hand, it is still kind of fun seeing how long a password each web site lets me create. My record so far: 128 characters, and it was a dumb recipes site.

 

 

Analyzing the XKCD Passphrase Comic

I rarely see any discussion of password strength without seeing the XKCD comic below brought up to illustrate that a long pass phrase is better than a shorter random jumble of characters. Since this is something I have been arguing for fifteen years, this is something I do agree with, although adding a little more randomness and complexity is still necessary.

(XKCD: Password Strength - Creative Commons Attribution-NonCommercial 2.5 License.)

In 2006 I wrote Pafwert, a random but smart password generator, to illustrate this concept. Pass phrases are easier to remember, easier to type (we type in whole words), and are generally much stronger passwords. My philosophy has always been that length is more important than any other factor for password strength.

But not everyone agrees. Most often the argument against the pass phrase technique is that since the password is made up of 4 whole words, basically this isn’t that much different than a 4-character password, you just need to adjust the brute-force tools to work with whole words instead. While this is somewhat true, it doesn’t take much to turn this technique into something extremely effective.

How Strong are Pass Phrases?

To determine password strength, we generally determine how many passwords have similar characteristics. In other words, if finding a password is like finding a needle in a haystack, the critical question is how big is that haystack?

To do the math on this, we need to determine how large a set of words the average English-speaking user would likely choose from. Some English language dictionaries include well over 150,000 words but most linguists agree that the average-intelligence English speaker has a vocabulary of somewhere between 7,000 and 15,000 words.

What is misleading about these numbers is that dictionary words are only a small part of our vocabulary. Consider these other non-dictionary words:

  1. Proper nouns such as McDonalds, Lady Gaga, Instagram, JQuery, and possibly hundreds of thousands of other words that are part of our daily vocabulary.
  2. Domain names like facebook.com, flickr.com, and thousands of others.
  3. Popular slang and social jargon (see your average Facebook post).
  4. Alternate spellings, leetspeak, etc.
  5. Acronyms such as WWW, CISPA, SSN, WWII, and SMS.
  6. Words from other languages
  7. Programming language elements and function names
  8. And don’t forget written-out numbers, you will never find “1,276,209” in a dictionary and there are millions of those.

Forget dictionary words, our vocabularies are HUGE.

So how many actual words do we know? It is impossible to say but a very conservative estimate would be a minimum of about 25,000 words. Realistically this number is much higher than this but we will use 25,000 here just for illustration.

Now if we are picking 4 random words from a set of 25,000 words the number of possible combinations is 25,000^4 or 390,625,000,000,000,000 (noted as #1 on the table below) which is about the strength of a 9-10 character alphanumeric password (see this chart). But passwords are case-sensitive and we often capitalize one of the words so realistically we are talking about 50,000 words or 50,000^4 or 6,250,000,000,000,000,000 possible combinations (noted by #2 on the table below) which is about as strong as a 10-11 character alphanumeric password.

What’s interesting to note is that even a 3-word phrase results in 125,000,000,000,000 possibilities so even that would be roughly equivalent to a 7-8 character alphanumeric password which is the most commonly-seen password.

 

Making Them Even Stronger

Now most people have already developed techniques to make passwords stronger by adding some numbers or otherwise mutating that word so that it would not appear in a dictionary. That is why we often see passwords like dr@gon or freddy2000. Now these are very weak passwords by themselves but if you use this same technique in a pass phrase you can make them much stronger.

Remember, we are dealing with numbers that grow exponentially so a technique that is mediocre with a short password is incredibly effective with a long password.

Now consider the following pass phrase:  Picking at 200 p1ckles

Or this one:  I’m alway sthe first

Or this one:  How bout the 0xFC?

It’s a simple technique and a minor change but by doing this we have greatly expanded our 50,000 words. Many password cracking tools are very good at generating word permutations and can very quickly create and try hundreds of variants of a single dictionary word. But when you multiply that times 4 words, the numbers grow very fast.

Say, for example that for each of our original 25,000 words there are approximately 100 different mutations. That means we now potentially have a vocabulary of 2,500,000 words. And 2,500,000^4 equals 39,062,500,000,000,000,000,000,000 possible combinations of 4-word phrases (shown as #3 on the table above) which is stronger than a 14-character alphanumeric password.

So yeah, the XKCD recommendation is valid. And all you have to do is add a few simple mutations to make that method incredibly stronger.

Despite the Hyperbole, Flame is Kind of Lame

We have all been hearing quite a bit of hyperbole concerning the sophistication of the Flame malware. It’s hard to find any headline about the malware that doesn’t involve the adjectives massive, sophisticated, elaborate, impressive, or scary. But is Flame as revolutionary as everyone claims? To me it looks amateurish.

Part of the curiosity that surrounds Flame is that it doesn’t fit the profile that antivirus companies are used to analyzing–which is part of the reason it has gone undetected for so long. Instead of a tiny piece of code that stealthily accomplishes a single task, Flame is a bloated and unencrypted general purpose spying toolkit. Yes the authors apparently had access to an exclusive and possibly large knowledge base, but overall there’s really nothing new about turning on a microphone, exploiting old vulnerabilities, and subverting Windows features such as Autorun.

It’s just not that impressive as far as features go. In fact, 10 years ago it really wouldn’t have been that impressive.

What sticks out to me is that despite its breadth and apparent sophistication, one thing it doesn’t look like is something written by an experienced hacker. This thing makes hardly any attempt to conceal itself or prevent reverse engineering of its code. This means that once discovered the whole thing is completely useless. Even worse, it also means that any hacker or enemy can likely reverse engineer it enough to use it right back at the authors.

And then there’s stuff like a hard-coded password, an easily-discoverable network of command & control servers, and the use of CRC’s to ensure data integrity. Then there’s the query string it sends back to the command & control servers:

UNIQUE_NUMBER=xxxxxxxxxx&PASSWORD=LifeStyle2&ACTION=x&FILE_NAME=x&FILE_SIZE=xxxxx&CRC=xxxxxxxxx

Seriously, does that look like something a hacker would write? No, that is something written by a 40-something US programmer who lives in the suburbs (who also happens to use some variant of the password LifeStyle2 on every account he owns).

One thing is clear, Flame wasn’t built for destruction or financial theft. This is a spying toolkit plain and simple. The list of targets and the fact that it seems to be interested in AutoCad documents quickly points back to one likely suspect country.

One thing is also clear, this wasn’t written by a hacker. I would guess that some well-funded US agency paid some private consulting firm (which employs a bunch of 40-something suburbanites) millions of dollars to write up the ultimate hacker’s toolkit and Flame is what they got instead.

Nonetheless, the fact that it probably wasn’t written by an experienced hacker is what allowed it to go so long being undetected. Ironically its lack of evasion techniques let it evade detection.