In George Orwell’s 1984, Winston Smith finally comes undone and betrays the person about whom he cares most when he is confronted with the thing of which he is most afraid. No matter how otherwise secure an encryption algorithm is, it is always vulnerable to what is often known as “rubber hose decryption”: the possibility that the person who wants a password can simply beat it out of the person who holds it. In an age where waterboarding and rendition are practiced and condoned by the United States government, people can draw their own conclusions.
Of course, one need not resort to force when guile is sufficient. Governments and corporations have a wide range of technological means of putting people under surveillance and intercepting their passwords. One example is keylogging programs, which, once installed on a person’s computer, record every keystroke, including but not limited to passwords. Keylogging programs in some instances can even be installed on a person’s computer remotely.
Trickery, or phishing, is another way that passwords can be compromised. How many times have we heard “Never give your password to anybody”? And yet, how tempting it is to disclose it in the face of the “official” email from your ISP asking you to upgrade your software!
Finally, of course, passwords are compromised through simple carelessness, often something as simple as writing them down on Post It notes by one’s desk. The safest place for your password is your memory. Second best is an encrypted file secured with a strong password kept only in your memory. Nobody should have to settle for third best.
In practical terms, the only sensible response to being taken into custody and questioned by the police is “I have nothing to say, and I want my lawyer.” Obviously, in any situation involving law enforcement and criminal law, the only prudent course is to retain a lawyer and rely on the lawyer’s advice specific to the situation.
However, it is worth noting that there may be some grounds in the law for refusing to disclose a password without fear of legal compulsion or contempt. In particular, the Supreme Court in a tax case, Fisher v. United States, 425 U. S. 391, 410-413 (1976), laid out three situations when the “act of production” of documents could have self-incriminating, testimonial value that is protected by the Fifth Amendment. See Aaron M. Clemons, No Computer Exception to the Constitution: The Fifth Amendment Protects Against Compelled Production of an Encrypted Document or Private Key, 8 UCLA J of L & T 1 (2004). The three concerns articulated by the Supreme Court when the government compels production of a document are that it may “(1) concede the existence of a document; (2) concede possession, location, or control of a document; [or] (3) assist in authentication of a document.” Id. at 12. Any one of these may apply when the government seeks to force someone to cough up a password that allows access to encrypted documents. However, the government may still be able to force disclosure if it offers “use and derivative use” immunity from prosecution to the possessor of the documents. Id. at 1.
The imperative to control crime, including terrorism, drug trafficking, organized crime, and child pornography, has created a great deal of pressure to grant greater powers to law enforcement to compel production of passwords. See id. at 5; Andrew J. Ungberg, Protecting Privacy Through a Responsible Decryption Policy, 22 Harv. J of L & T 537 (2009). A prudent person would not invest too much assurance in the protection of the Fifth Amendment, bearing particularly in mind that it only protects one from being forced to confess to a crime. It is not a generalized right of privacy.
Apart from the government, however, there are fairly strong restrictions against unauthorized acquisition and use of passwords by private parties to gain control of a computer. See Clemons, 8 UCLA J of L & T at 1 n.7.
In light of the fact that the best place for your password is in your memory, a good password has two competing characteristics. First, it must be sufficiently complex that it cannot be easily guessed or deciphered. Second, you must be able to remember it – easily.
The complexity of a password is calculable based on the number of possible random combinations of characters in the password. Thus a longer password is better than a shorter one, a password based on more characters better than one based on fewer characters, and in any case the combinations should be random.
For example, a password that is 6 letters long (r) and drawn only from the 26 letters of the alphabet (n) allows for 308,915,776 possible password combinations (n to the power of r), a number that a modern computer can work through by making repeated tries in a reasonable period of time (a “brute force attack”).
In contrast, if you draw from every available symbol on the keyboard (94), including both capital and lowercase letters (assuming your system distinguishes between them), and create an eight-character password, then the number of possible passwords rises to approximately 6 quadrillion. At this point, you begin to approach the level at which it would be very difficult to crack your password by brute force (“computer guessing”). See Permutations and Combinations.
Apart from the question of complexity, however, is the question of memorization, particularly since one wants to avoid the temptation to succumb to the Post It note on the monitor.
One method I favor for important passwords where length is no limitation is known as Diceware, which basically requires five dice and a long random list of short words. In brief, one rolls the dice to create a random number, uses the number to select a word from the list, and then repeats the process for the next six words. The resulting password is both long and random, but because it contains words it is easier to remember than a string of random symbols (although enlarging the symbol pool with a few random nonalphabetic symbols can increase the strength of the password, as noted above).
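As an added illustration (not part of the original article), the Python sketch below carries out the n-to-the-power-of-r arithmetic above as bits of entropy and runs the Diceware procedure with five simulated dice. The word list is a constructed stand-in of 7,776 placeholder entries, the `KEY WORD` line format is an assumption, and all function names are hypothetical.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                      # five dice give 6**5 = 7776 outcomes
OUTCOMES = 6 ** DICE_PER_WORD

def keyspace_bits(symbols, length):
    """Entropy in bits of `length` independent random picks from `symbols` (n**r)."""
    return length * math.log2(symbols)

def roll_key(rng=secrets.randbelow):
    """Five simulated dice from the OS CSPRNG, e.g. '41536'. Not random.random()."""
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))

def load_wordlist(lines):
    """Parse 'KEY WORD' lines (assumed format); reject gaps, duplicates, bad keys."""
    table = {}
    for line in lines:
        key, word = line.split()
        if len(key) != DICE_PER_WORD or set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        if key in table:
            raise ValueError(f"duplicate dice key: {key!r}")
        table[key] = word
    if len(table) != OUTCOMES:
        raise ValueError("list must cover every one of the 7776 dice outcomes")
    return table

def passphrase(table, n_words, rng=secrets.randbelow):
    """Roll once per word; words are chosen independently, repeats allowed."""
    return " ".join(table[roll_key(rng)] for _ in range(n_words))

# Constructed stand-in list (word0000..word7775); a real list has short real words.
SAMPLE_LINES = [f"{''.join(k)} word{i:04d}"
                for i, k in enumerate(itertools.product("123456", repeat=DICE_PER_WORD))]

if __name__ == "__main__":
    table = load_wordlist(SAMPLE_LINES)
    print(passphrase(table, 7))        # one word plus "the next six", as in the text
    for label, bits in [("6 letters, 26 symbols", keyspace_bits(26, 6)),
                        ("8 characters, 94 symbols", keyspace_bits(94, 8)),
                        ("7 Diceware words", keyspace_bits(OUTCOMES, 7))]:
        print(f"{label}: {bits:.1f} bits")
```

The entropy figures hold only when every character or word is picked at random; a phrase chosen by hand from the list does not have this strength.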
As a practical matter, it is not really possible to remember the multiplicity of passwords required for today’s digital lifestyle, particularly if one aims to have passwords that are sufficiently random not to be easily cracked. For obvious reasons, it does not make sense to use one password for every application or account, since cracking that one password would leave every account vulnerable. Passwords should ideally be long, random, and unique. In light of these criteria, one possible approach is to use some kind of password manager, in which one password is used to secure all other passwords in an encrypted file or database.
I keep some passwords in a simple PGP encrypted text file. The advantage of this approach is that it is free, simple, portable, and not tied to any specialized brand of proprietary software. It has the disadvantage that it is not as convenient as programs that fill forms automatically in web browsers or that automatically allow access across the Internet.
One popular password manager that integrates with a number of web browsers and fills forms in the browser is Roboform. Roboform keeps your data encrypted on your computer until it is unlocked by your master password, at which point all your passwords become available. Roboform now includes an online synchronization service.
LastPass is another widely used password manager. It keeps your passwords encrypted on an Internet server (“in the cloud”) until you need them, at which point they are decrypted locally on your computer. At one point, a hacker’s attack on LastPass computers generated some fears that passwords would be compromised, but in general LastPass has a good reputation, and I still use them myself. The chief advantage is that my passwords are easily synced to all my computers and my iPhone.
Every once in a while, one sees an article proclaiming the obsolescence of the password. At present, given the ubiquity of passwords and the paucity of, say, biometric technology, this proclamation seems premature at best. However, there are a number of other current technologies that replace passwords in whole or part with more secure alternatives.
Linux and possibly Macintosh users are likely to be familiar with creating secure connections on the command line using secure shell (SSH) technology. Windows users can access the technology using the program PuTTY, but need to have a computer with an SSH server with which to connect. (People familiar with such protocols as telnet should be aware that they are NOT secure and that data, including passwords, transmitted by telnet can be intercepted.)
Part of the genius of SSH, however, is that it can be configured to recognize a computer’s unique, encrypted certificate rather than requiring a password. Unless someone obtains physical possession of the certificate, this connection is very hard to crack.
SSH is also very useful because it can be used to create an encrypted tunnel for other insecure protocols such as http.
Windows CardSpace is an initiative by Microsoft to replace passwords with encrypted “identity cards” that live on your computer. An intriguing idea whose time has not come and may have passed.
OpenID offers greater convenience if not necessarily greater security. By designating one provider to identify you, you are able to use one password at every OpenID-enabled site.
As the name states, multifactor authentication requires more than one “factor” to be present to unlock an application. LastPass, for example, can be configured to require both an encrypted key on a USB drive and a password. Unless you have the physical USB drive in your possession, you are denied access to your passwords.
Google is also offering two-step verification in order to access your Google account. Basically, with two-step verification, Google requires you not only to enter your password but also to enter a code generated by or transmitted to your mobile phone.
- Disclaimer: Except where noted, these are the observations of a computer user, not a computer expert, based on personal use and experience; you are encouraged to do your own research and, if in doubt, to seek the advice of a professional. The foregoing information is provided “as is” with NO WARRANTY of any kind, including but not limited to merchantability or fitness for a particular purpose. While this information is intended to be helpful, I disclaim any liability, express or implied; if your computer is hacked, cracked, or spontaneously combusts, it is your sole responsibility.