How Secure is my Sh*t?
I've been using KeepassXC for several years now on Linux and Mac computers. On iPhone and iPad, Strongbox can read from and manipulate the same database. Recently, I wanted to know just how secure my stuff is. What does it really mean to an attacker that my password has n bits of entropy? I assume you already know what entropy means for a password, but here's a simple primer:
Suppose your password consists of upper and lowercase characters, numbers and spaces. That gives you an alphabet of 2*26+10+1, or 63, possible characters to choose from. That's just a tad less than 2^6, so we'll fudge and say that each character gives you 6 bits of entropy. If you generate a password with 12 random characters from this alphabet, it will have 12 * 6, or 72 bits of entropy.
How good is that?
That was the question that kept bugging me. Just how strong is any number of bits of entropy How long would a brute force attack take that guesses every possible hash of 12 characters chosen as I describe. Even better, what would it cost an attacker?
Although I haven't tried it, I learned of a tool called "Hashcat" for guessing password hashes. I found this article that describes running Hashcat on AWS with it's most powerful virtual machine, the
p3.16xlarge instance, costing a bit under $25/hr. According to the benchmark used in the article, the instance was able to generate about 60,000,000 SHA-256 hashes per second, the same hashing algorithm that Keepass uses.
Now the math:
One instance can generate 3600 * 60*10^6 SHA-256 hashes in an hour. That's approximately 2^37.65. So it would take a half hour on average to guess a password that has 37.65 bits of entropy.
Let's say your password has 72 bits of entropy. That means it would take 2^(72 - 37.65), or over 2^33 times that long at $25/hr. (Or you could pay for 2^34 instances and have the answer in no more than an hour.)
Either way, that's about $215 trillion, on average for the world's fastest commercially available computing platform to guess a password with 72 bits of entropy, with a worst case scenario of $430 trillion. For comparison, world GDP was estimated at $80 trillion for 2017.
The article also states that you might be able to get a "spot request" for 50%-80% less. OK, so now we're talking a worst case scenario of only $86 trillion.
This Hashcat article describes only how expensive your password would be for attacker with today's fastest commercially available computing platform. We might assume that the intelligence services of an advanced country like the US or China might have considerably more computing resources at its disposal. That might be something a rival global power or terrorist organization might need to consider.
Suppose your password consists of upper and lowercase characters, numbers and spaces. That gives you an alphabet of 2*26+10+1, or 63, possible characters to choose from. That's just a tad less than 2^6, so we'll fudge and say that each character gives you 6 bits of entropy. If you generate a password with 12 random characters from this alphabet, it will have 12 * 6, or 72 bits of entropy.
How good is that?
That was the question that kept bugging me. Just how strong is any number of bits of entropy How long would a brute force attack take that guesses every possible hash of 12 characters chosen as I describe. Even better, what would it cost an attacker?
Although I haven't tried it, I learned of a tool called "Hashcat" for guessing password hashes. I found this article that describes running Hashcat on AWS with it's most powerful virtual machine, the
p3.16xlarge instance, costing a bit under $25/hr. According to the benchmark used in the article, the instance was able to generate about 60,000,000 SHA-256 hashes per second, the same hashing algorithm that Keepass uses.
Now the math:
One instance can generate 3600 * 60*10^6 SHA-256 hashes in an hour. That's approximately 2^37.65. So it would take a half hour on average to guess a password that has 37.65 bits of entropy.
Let's say your password has 72 bits of entropy. That means it would take 2^(72 - 37.65), or over 2^33 times that long at $25/hr. (Or you could pay for 2^34 instances and have the answer in no more than an hour.)
Either way, that's about $215 trillion, on average for the world's fastest commercially available computing platform to guess a password with 72 bits of entropy, with a worst case scenario of $430 trillion. For comparison, world GDP was estimated at $80 trillion for 2017.
The article also states that you might be able to get a "spot request" for 50%-80% less. OK, so now we're talking a worst case scenario of only $86 trillion.
This Hashcat article describes only how expensive your password would be for attacker with today's fastest commercially available computing platform. We might assume that the intelligence services of an advanced country like the US or China might have considerably more computing resources at its disposal. That might be something a rival global power or terrorist organization might need to consider.
Edward Snowden was quoted as saying that "serious" encryption requires at least 100 bits of entropy for the foreseeable future. He might have been thinking of governments, banks, military organizations. For ordinary private citizens who need to keep a few savings accounts and personal documents safe from criminals if their laptops got lost or stolen, 72 bits should be sufficient if my analysis holds. If you are unsure, you can always make your password longer. Remember, each additional character adds just a little under 6 bits of entropy, increasing the cost to an attacker by a factor of just under 64. (Curiously, Apple, and some financial websites put limits on your password length and character choices, hobbling your ability to secure your personal data.)
Some pundits cite "Moore's Law" as a factor that will weaken passwords over time. Moore's Law postulates that the number of transistors that can fit into a chip of a given size doubles every two years (some say this occurs every 18 months). Moore's Law is not really a law at all but an historic observation that has nevertheless remained remarkably consistent over the past half century. Doubling the number of transistors does not necessarily double processing speed. There are other factors such as heat dissipation and quantum tunneling that put a limit on processor and memory speeds despite the density of transistors long before transistor density might reach the ultimate theoretical boundary set by the Planck length.
Even if processing speed and memory size continues to double, current encryption technology can keep up simply by adding one or two bits of entropy every two years. We'll just have to put up with longer passwords. The Electronic Frontier Foundation (EFF) and other organizations publish long lists of curated words that can be randomly selected by rolling casino dice. Five rolls of a single die can select from a list of 6^5, or 7776 words. Thus each word has an entropy of roughly 13 bits. Six such random words have an entropy of 6 x 13 or 78 bits. Remember that $430 trillion cost? Now multiply that by 64.
A sequence of six words, such as "jeeringly kick unhappily numerate hash datebook", are considerably easier for most people to remember than a random string of mixed-case characters and numbers such as "r646STqmChaa". This page makes it easy for you to select random words of different lengths and give you a choice of lists to choose from with different features. You can read about it. To trust it, you need only verify that it generates each sequence locally in your browser and does not store or transmit each result it generates.
Some pundits cite "Moore's Law" as a factor that will weaken passwords over time. Moore's Law postulates that the number of transistors that can fit into a chip of a given size doubles every two years (some say this occurs every 18 months). Moore's Law is not really a law at all but an historic observation that has nevertheless remained remarkably consistent over the past half century. Doubling the number of transistors does not necessarily double processing speed. There are other factors such as heat dissipation and quantum tunneling that put a limit on processor and memory speeds despite the density of transistors long before transistor density might reach the ultimate theoretical boundary set by the Planck length.
Even if processing speed and memory size continues to double, current encryption technology can keep up simply by adding one or two bits of entropy every two years. We'll just have to put up with longer passwords. The Electronic Frontier Foundation (EFF) and other organizations publish long lists of curated words that can be randomly selected by rolling casino dice. Five rolls of a single die can select from a list of 6^5, or 7776 words. Thus each word has an entropy of roughly 13 bits. Six such random words have an entropy of 6 x 13 or 78 bits. Remember that $430 trillion cost? Now multiply that by 64.
A sequence of six words, such as "jeeringly kick unhappily numerate hash datebook", are considerably easier for most people to remember than a random string of mixed-case characters and numbers such as "r646STqmChaa". This page makes it easy for you to select random words of different lengths and give you a choice of lists to choose from with different features. You can read about it. To trust it, you need only verify that it generates each sequence locally in your browser and does not store or transmit each result it generates.
(You also have to trust the pseudo-random number generator your browser uses to make each selection. Pseudo-random number generators are beyond the scope of this discussion, but suffice it to say that to be effective, it doesn't have to be truly random; it just has to be unbiased enough to make it exceedingly hard for an attacker to predict and exploit. Needless to say, the seed, or starting value, of the random sequence must not be predictable.)
You will probably need to write down each passphrase you use and keep it in a safe place until you have memorized it. Writing anything down means it becomes available to anyone who can find it and knows how to use it, but without that you run the risk of permanently locking yourself out of all your protected passwords should you ever forget it. Yet another trade-off between security and convenience.
How secure is your sh*t really? Well, that still depends...
Some journalists have cited quantum computing as a game-changer in encryption technology. Quantum computing has not yet gone beyond proof-of-concept stage in lab settings that can cool a circuit down to near absolute zero. It remains speculative if and when it will ever become practical and affordable on a mass-scale. If it does, it will pose a threat to privacy only during the period when it becomes feasible but too costly for all but governments and wealthy entities. When and if it does become affordable and ubiquitous like cell-phones, we must assume that it will be used to encrypt communication, removing the advantage to crackers with quantum technology.
Note that the above only deals with a brute-force attack on your encrypted data. There are other ways for criminals to get at your data that do not require GDP sized computing budgets. The simplest and most effective way being to point a gun at your head or your loved one's head and demand your password. Less violent ways might involve phishing and keystroke logging. There have been news reports of victims being induced to give criminals access to their bank accounts while they are under the influence of the drug scopolamine. Encryption cannot protect you from a threat or physical attack on your person.
Note that the above only deals with a brute-force attack on your encrypted data. There are other ways for criminals to get at your data that do not require GDP sized computing budgets. The simplest and most effective way being to point a gun at your head or your loved one's head and demand your password. Less violent ways might involve phishing and keystroke logging. There have been news reports of victims being induced to give criminals access to their bank accounts while they are under the influence of the drug scopolamine. Encryption cannot protect you from a threat or physical attack on your person.
Two-factor authentication (2FA) can provide some additional protection for your data against phishing and keystroke logging because an attacker also needs your physical security device to obtain an additional code. You still need to hang onto your security device and assume it has not been compromise. Two-factor also makes it more likely for you get locked out of your accounts if you don't take a few precautions, like copying down recovery keys and keeping them in a safe place you can get to.
You might also want to consider the cost to an attacker of repeated guesses of your password in different situations. If the attacker has seized your encrypted hard drive, the number of attempts per second is limited only by his computing budget. But for someone parked across the street from you in a white van trying to guess your Wifi password, most Wifi routers just take too long to process each password attempt. This limits him to at most one or two attempts per minute, and adding additional processing power to his arsenal will be of no use to him. So your Wifi password probably doesn't need 100 bits of entropy for your Wifi to be safe.
You might also want to consider the cost to an attacker of repeated guesses of your password in different situations. If the attacker has seized your encrypted hard drive, the number of attempts per second is limited only by his computing budget. But for someone parked across the street from you in a white van trying to guess your Wifi password, most Wifi routers just take too long to process each password attempt. This limits him to at most one or two attempts per minute, and adding additional processing power to his arsenal will be of no use to him. So your Wifi password probably doesn't need 100 bits of entropy for your Wifi to be safe.
On the other hand, all bets are off again if an attacker can surreptitiously enter your home or business, gain access to your Wifi router, copy its memory to his own device, and cover his tracks so you remain unaware of the breach. Then he can take it back to his computing lab and make as many attempts per second as his computing resources will allow. CBS "60 Minutes" did a segment on an FBI "search and entry" team that specializes in surreptitious entry for gathering evidence. Of course, this requires a judge to sign a warrant, and a senior manager has to sign off on covering the cost of such a team. Unless you're a high-profile criminal, you're probably not worth it.
The same goes for your e-mail account. Your email provider will only allow so many attempts per minute, whether by policy, or by the inherent slowness of the online authentication process over a remote connection, but if an attacker can steal their account database with encrypted data and take it back to their lab, again they are limited only by their own computing budget. Mass breaches of raw encrypted data have been known to happen, and some providers have not been immediately forthcoming to let their customers know of the breach so they can change their passwords in time. So I treat my email with the same care I would treat my bank account.
How secure is your sh*t really? Well, that still depends...
Comments
Post a Comment