Don't dice with security buying passwords online
Here at IT Security Thing we are on a mission to inform, educate and engage. That’s why we exist, that’s why we supported the Security Serious week and made a free A-Z of data protection tips available for download, and that’s why we cannot get fully behind 11-year-old Mira Modi, who is selling secure passwords from her bedroom in New York City.
Now you might think that Mira is the very epitome of secure thinking, what with her using the diceware technique to literally roll out cryptographically secure passwords based upon random words. She certainly fulfils two out of the three principles by which IT Security Thing operates; namely to inform and engage.
The sheer amount of media attention that has been generated by her story, whereby she charges $2 to generate and post out a ‘secure’ password to customers via her Diceware Passwords website, has guaranteed that people who might otherwise not realise the importance of a longer and more secure password have at least been exposed to the concept.
There is also no doubting that Mira has ticked the ‘engage’ box, what with the majority of the published reports also covering the diceware technique and so explaining how a more secure password can be constructed without being a crypto-nerd.
The trouble is, neither of these meet our definition of ‘educate’ in this particular instance, simply because the system being used does not make good security sense. We admit, hands up, that having to pull Mira up on this doesn’t make us feel good but, on the other hand, we do feel duty bound to skip past the media hype and cut to the point of the story, which is making things secure. Not just more secure than they were before, but truly secure; which is a different thing to the ‘super secure’ nature of the passwords she has spoken about. This is, sadly, where Mira has failed to deliver.
In fact, let’s start with the delivery process. Mira sends her passwords out not via email as you might expect, but rather through snail mail. Using US Postal Mail means that the envelope cannot, officially at least, be opened by the government without a search warrant. Therefore it gives the feeling of being more secure than sending via text message or email, for example.
However, as a number of security savvy folk have already pointed out (and pretty much been shot down in flames for so doing), Mira doesn’t appear to be using tamper-evident envelopes, which would show if anyone had actually interfered with the password container in transit. Nor, for that matter, is there any mention of a mailing strategy which involves using multiple random mailboxes well away from her home address. These two points mean that, remembering we are talking about security here, an element of risk has already been introduced that weakens the super secure argument.
Then there’s the real insecurity element, and it’s so obvious that it should be staring everyone who reads this firmly in the fizzog: the passwords are handwritten by Mira, who obviously knows them because she has created them. The only human being that should know your passwords, if you want to be as secure as possible, is yourself.
Indeed, there is an argument to suggest that even then it is one too many people and it’s more secure if you only know one master password and the rest are machine generated and locked away in an encrypted password vault which it opens. However, that’s a debate for another day; the fact remains that letting someone else create your passwords, write them down for you, and then stick them in the post is not going to pass any half decent opsec requirement.
Mira herself even admits as much when she says: “Once you get your passwords you need to make some changes such as capitalizing some letters and/or adding symbols such as exclamations. This way it’s not the exact same one that I gave you.”
Indeed, which makes you wonder why the recipient wasn’t going the whole hog and creating the entire password themselves to start with. We have no reason to doubt Mira when she says that she doesn’t record the passwords anywhere after writing them down, or that she is using diceware to randomise their creation. The trouble, from an operational security perspective, is that we have no proof to guarantee that she doesn’t and that she is.
There are other points that could be thrown into the debate about buying passwords from a third party in this way. For example, many sites and services impose maximum password lengths, which would render long passwords unusable no matter how much more secure they are. If you generate your own passwords instead, using any of a number of resources (most password vaults, for example, come complete with a secure password generator that lets you tweak the overall length and the character types used), you get to tailor each password to its particular usage.
As it happens, we don’t dislike the diceware system either. Developed 20 years ago by Arnold Reinhold, it uses rolls of the dice to determine a five-digit number that corresponds to a word in the diceware dictionary. Roll the dice in sets of five to generate these relatively random words and end up with four, five or six of them to create a pretty random passphrase that is also relatively easy to remember, as we are talking dictionary words instead of gobbledygook. Because it’s long and random, it’s also difficult to crack; so it ticks a lot of boxes. We still prefer the use of special characters and symbols, though, to harden the passphrase further.
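As an added illustration of the procedure just described (not code from the article or from the Diceware project), the script below turns a sequence of written-down dice rolls into lookup keys, maps them to words, and reports how much entropy the resulting passphrase carries; it also checks the phrase against the kind of maximum-length limit mentioned earlier. The handful of wordlist entries are constructed samples; a real Diceware list covers all 7776 five-digit keys.

```python
import math
import secrets

DICE_PER_WORD = 5                    # one word is selected by five d6 rolls
FULL_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a complete Diceware list

# Constructed sample of a Diceware-style list: key -> word. A real list maps
# every five-digit key (digits 1-6) to a word; this sample only covers the
# keys used in the demo below.
SAMPLE_WORDLIST = {
    "11111": "abacus", "23456": "cliff", "31624": "garden",
    "45213": "lantern", "52466": "pebble", "66666": "zipper",
}

def roll_dice(count):
    """Simulate fair d6 rolls with the OS CSPRNG (stand-in for physical dice)."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]

def rolls_to_keys(rolls):
    """Group dice results five at a time into lookup keys such as '31624'."""
    if len(rolls) % DICE_PER_WORD:
        raise ValueError("need a multiple of five dice rolls")
    for d in rolls:
        if not 1 <= d <= 6:
            raise ValueError(f"invalid die face {d}")
    return ["".join(str(d) for d in rolls[i:i + DICE_PER_WORD])
            for i in range(0, len(rolls), DICE_PER_WORD)]

def passphrase_from_rolls(rolls, wordlist, sep=" "):
    """Look each key up in the list; a missing key means an incomplete list."""
    return sep.join(wordlist[k] for k in rolls_to_keys(rolls))

def entropy_bits(num_words, list_size=FULL_LIST_SIZE):
    """Each uniformly chosen word contributes log2(list_size) bits."""
    return num_words * math.log2(list_size)

def fits_length_limit(passphrase, max_len):
    """Many sites cap password length; a long phrase may not be accepted."""
    return len(passphrase) <= max_len

if __name__ == "__main__":
    # Constructed sequence standing in for 20 dice rolls written down by hand.
    demo_rolls = [3, 1, 6, 2, 4, 4, 5, 2, 1, 3, 5, 2, 4, 6, 6, 2, 3, 4, 5, 6]
    phrase = passphrase_from_rolls(demo_rolls, SAMPLE_WORDLIST)
    print(phrase, f"~{entropy_bits(4):.1f} bits, fits 20 chars:",
          fits_length_limit(phrase, 20))
    print("fresh rolls:", roll_dice(DICE_PER_WORD))
```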
So, what are we saying? Well, we are most definitely giving kudos to Mira for her initiative and for bringing the use of diceware to a much wider audience. We are also saying that if you are serious about your security, and serious about generating secure passwords, then sadly buying them off of someone in this manner really isn’t the best way to be going about it.