
Cybersecurity Basics #3 - Passwords

What is a password? Why do we use them? Why are they so frustrating? ...some answers


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How's it going today? I know I'm at a bit of a random time for this episode. Again, we are going to chalk that up uh to uh business travel. I am currently in Anaheim for the AWS Summit here.

Um, and as those of you on the vlog can tell, yet another glamorous uh generic hotel uh behind me. Don't get me wrong, getting great service at the property, but still, for a background, you know. So originally when I thought about this topic for the basics, and we're going to talk about passwords and pass phrases today, what I thought the video was gonna be was essentially me screaming into the camera uh into the mic for a good 25 minutes.

Um, passwords are probably the example of everything that is wrong with security uh in the digital domain. Um, and let me just apologize for the last 40 years of professional practice around this. Um, so let's, let's fix up some mistakes here.

Let's give you a clear understanding of what passwords are, what a good password is, um, and why we use them, right? Ok. So, uh, you know what a password is: it's some sort of secret that, you know, uh, combines with a username.

Um, and you get to log into systems. The goal of a password is to make sure that you're you, right? Authentication is a big thing in security and we'll cover authentication versus authorization in another topic. But authentication, making sure you're you, is really important because if you log into Facebook, you should only see your stuff, not my stuff.

Right? So the understanding of, ok, we need some way of making sure that you're you is pretty clear for most folks. The challenge is that passwords are a horrible solution. They're a crap solution, but they're the least crappiest of all the crappy solutions.

Ok? Um, it's really hard to figure out who's who at scale, and that's what we're talking about here, is really at scale. Um, you get this in the physical security world where you walk up and they ask you for government issued ID, right?

And we try to make sure that that ID is really difficult to forge. Um, that's essentially like a password. Um, but obviously people have been forging it for years. We've all watched cool crime or spy movies.

Um, you know, even from the sixties, where people were forging these documents to move through. There's a long history of forging credentials in the real world and we wanted to avoid that in the digital world. So we thought, hey, passwords.

That's great. The problem is the guidance, you know, that we have sort of internalized, um, sort of the, the mythology around what makes a good password, is all flat out wrong. And I don't say that just as my opinion. Mathematically, it is wrong. Psychologically, it is wrong.

Um, everything that we've internalized about, like, eight characters or more, um, needs to have a lowercase, an uppercase, at least one number and a symbol, actually leads to worse passwords, security-wise, right? The security of those passwords is far worse than what the current guidance is.

So, there is a group in the States called the National Institute of Standards and Technology, NIST. Now, they are sort of the gold standard for these kinds of standards. And they finally, last year, updated their guidance to align with the reality of probability and psychology.

So the goal of a good password is to make sure that it's really hard for anybody but you to guess, ok. Um, the goal is to make it hard for a computer to brute force it. Now, brute force means that the computer just tries again and again and again and again and again, really, really fast, in the order of tens of thousands, hundreds of thousands, if not millions of times per second, to guess your password.

Now, there are a bunch of defenses put in place on websites and in applications to stop those guesses from being so fast, because obviously a human could never do that. But you've seen these breaches where somebody has gotten in and stolen a database of passwords.

Now, those passwords should be encrypted. Now, encrypted means, actually, these ones should be salted and hashed, but we'll deal with that later. Basically, what it means is they shouldn't be stored as passwords. They should be stored as a code, a mathematically one-way code, of those passwords.

So that the only way you can get back to that code is if you type it in, and we'll cover the security around encryption and hashing and things in the next episode. But the important thing is to know that your password should never be stored as you type it.

So, the idea here was to make sure that humans made good passwords that were hard for computers to guess, but it turns out that hard for computers to guess also means hard for humans to remember. And this led to password one, password two, password three.

Um, also this rotating passwords every 30 days, um, or every 90 days, actually leads to worse passwords. It, uh, people get frustrated with them, people get really annoyed. Um, and it leads to worse security outcomes.

So, so far, we've got a bad thing that we treat poorly, that we have bad operational security around, that leads to bad outcomes. Big win so far. Um, well, the NIST guidance lines up with reality, and what it says is that you shouldn't put a limit on how long a password should be.

You shouldn't make it any specific pattern. You should strongly encourage minimum size passwords. So we're talking, you know, 16, 24 characters or more. The idea here is to make it hard to guess. But of course, you can't guess a random, you can't remember a random string of characters that is 24 characters long.

What you need is a pass phrase. Now, a pass phrase is just a sentence that you remember, or two or three, that you can figure out. Um, so the goal here is to have, um, something that is long and, um, unique to you.

It could be a series of words or it can be just a sentence that makes sense to you using some random words, and that will make a long password. Now, the reason why long is good is because of something called entropy, and entropy is essentially the challenges around designing or breaking these passwords down, because what we're talking about from a math side, and that's a really horrible example of entropy.

I'll recover that online somewhere. But really the goal of a long password is to make it within a problem space. So the longer the password, the bigger the possible space of passwords. So if you have a one letter password, we know that that has got to be within a certain set of characters.

So within the bounds of all the possible characters you could type in, which is, you know, somewhere upwards of like 15,000. So it's one in 15,000 characters. If you go to two, now it's one in 30,000 characters.

If you go to three, now it's one in 45,000. You see how that starts to work. Um, it starts to get really, really, um, actually even that math is off, it's higher than that. Um, I'm really not with it this morning.

Um, but the point is the longer the password is, the harder it is to guess. And that's the goal of having a pass phrase. Now, the goal with a pass phrase, um, is to keep it for as long as possible.

So the new recommendation is that you change it once a year or if something happens. So if somebody broke into, or you think somebody broke into, a site where you're using that password, or if you think somebody saw it over your shoulder, then you should be changing it.

So the goal of these pass phrases is to keep it really, really long, and then you should be using something called a password manager. Now, this is a piece of software, you can pay for them or you can find them open source, and it stores a bunch of passwords for you.

So you have one big pass phrase that unlocks your password manager, and then the pass phrase, the phrase, unlocks that vault. And then in that vault are a bunch of automatically generated gobbledygook passwords that are really long and complicated, but you don't have to worry about because you only ever copy and paste them into your websites, into your apps, and that kind of thing.

And that's how you get good, strong password security. Now, the goal here of having different passwords per site is that if one site gets breached, all of your sites are not at risk. So if, let's say, you know, your corporate website gets hacked and you lose that password, it doesn't give them access to your Gmail and to your Facebook and to your Twitter and to your Instagram and all this kind of stuff.

So it's reducing that risk. But of course, you can't remember hundreds and hundreds of passwords, which is why we have the password manager. Now, the other thing I want to talk about with passwords real quick, because I know this one's going long, is pasting, copying and pasting them and entering them.

So, you know, when you have those little stars or dots or balls obscuring your password as you type it. And that can be sometimes frustrating because you're not sure if you typed it right. So the reason behind those is to make sure that if there's somebody behind your shoulder and they're physically looking, or if they're able to record the screen somehow, that they don't get access to your password.

So you see on some sites, notably amazon.com, you can actually check a, check a "show my password" box to see what's going on. Now, the reason for that is that they're saying it's less likely that somebody is surfing over your shoulder.

So if you're checking that box to show you your password, make sure you just take a quick glance or if it's on your phone, keep it close to you so that only you can see it and nobody can see it from over your shoulder.

Now, the thing about not being able to paste passwords, that's just a security misunderstanding, and that's just people not doing the proper research. You should always be able to paste into a security box but not copy from it, for obvious reasons.

You don't want to be able to copy somebody's password, but you should always be able to paste into it. Now, fortunately, we're seeing less and less people implement that as a design pattern, and that's good. But remember, if you come across that, that's the developer's error, not yours.

So it's a bit of both passwords. What do you think? Um, do we need to recover this? I think we might need another episode on it. Let's see, hit me up online at marknca for those of you on the vlog or on the streaming channels, in the comments down below.

Um, as always for pod uh podcast listeners. Um, and uh, for everybody else, you can hit me up by email at me@markn.ca. Remember, you should have a pass phrase, not a password.

You should only change it when something happens. Um, or once a year. It shouldn't be regularly rotated. It's gonna take a while for the rest of the systems to get into place. Um, but that's the way where we should go because it leads to far better security outcomes.

I hope you're set up for a fantastic day. I will see you on Monday. Um, I'm traveling on the, uh, tomorrow, so, uh, we will skip a day, um, and we'll be back at it after the weekend.

Take care.
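The episode makes three technical points: the search space of a password grows with every added character (the speaker notes his on-the-fly figures understate how fast), a memorable pass phrase of several words can reach the same space as a random string, and the newer NIST-style guidance replaces composition rules and forced rotation with a minimum length plus a blocklist of known-bad passwords. The Python below works those points through as an added example; it is not code from the episode or from the speaker. The word list, the small common-password set, the 7776-word dictionary size used for the pass phrase rows, and the one-million-guesses-per-second rate are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample of reused passwords in the "password one, password two"
# pattern the episode describes. A real check would consult a large
# breached-password list; this small set is for illustration only.
COMMON_PASSWORDS = {"password", "password1", "password2", "password3",
                    "qwerty123", "letmein", "welcome1"}

# Constructed word list for pass phrase generation. Entropy per word is
# log2(len(list)), so a real generator needs a dictionary of thousands of words.
SAMPLE_WORDS = ["anaheim", "summit", "hotel", "vault", "entropy", "phrase",
                "manager", "breach", "shoulder", "paste", "salt", "hash",
                "monday", "weekend", "travel", "basics"]

# Assumed offline guess rate against a stolen hash database; the episode cites
# "tens of thousands ... if not millions" of guesses per second.
GUESSES_PER_SECOND = 1_000_000


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet_size).

    Each added character multiplies the number of candidates by alphabet_size
    (not adds to it), which is why length matters more than composition rules.
    """
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Expected time to find a uniformly random secret: on average the guesser
    must try half of the 2**bits candidates."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def check_password(candidate: str, min_length: int = 16, max_length: int = 256) -> tuple[bool, str]:
    """Length-and-blocklist policy in the spirit of the NIST guidance the episode
    describes: no composition rules, no short maximum, reject known-bad values."""
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "appears in the common-password blocklist"
    if len(candidate) < min_length:
        return False, f"too short: at least {min_length} characters are required"
    if len(candidate) > max_length:
        return False, f"too long: the limit is {max_length} characters"
    return True, "ok"


def generate_passphrase(words: list[str], count: int = 6) -> str:
    """Random pass phrase of `count` words drawn with the CSPRNG in `secrets`.
    Its entropy is count * log2(len(words)), regardless of how the words look."""
    return " ".join(secrets.choice(words) for _ in range(count))


def comparison_table() -> list[tuple[str, float, float]]:
    """Search-space bits and expected crack time for a few password shapes.
    Alphabet sizes: 26 lowercase letters, 95 printable ASCII characters,
    7776 = an assumed dictionary size for word-based pass phrases."""
    rows = [
        ("8 chars, lowercase only", search_space_bits(26, 8)),
        ("8 chars, full printable ASCII", search_space_bits(95, 8)),
        ("24 chars, lowercase only", search_space_bits(26, 24)),
        ("4 words from a 7776-word list", search_space_bits(7776, 4)),
        ("6 words from a 7776-word list", search_space_bits(7776, 6)),
    ]
    return [(name, bits, expected_crack_seconds(bits)) for name, bits in rows]


if __name__ == "__main__":
    for name, bits, seconds in comparison_table():
        years = seconds / (365 * 86400)
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at {GUESSES_PER_SECOND:,} guesses/s")
    # "Anaheim1!" is a constructed example of a short, rule-compliant password.
    for candidate in ("password1", "Anaheim1!", generate_passphrase(SAMPLE_WORDS)):
        ok, reason = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

Running it prints the table and three policy decisions. The 8-character printable-ASCII row and the 4-word pass phrase row land at roughly the same number of bits, which is the trade the episode describes: the pass phrase is the one a person can remember, and adding words keeps multiplying the space. The policy function rejects a short password that satisfies every classic composition rule while accepting a long pass phrase made of plain lowercase words.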
