A good first step in cyber self defense

The recent data breach at Equifax makes it clear that it is critical to use strong passwords for all online accounts. According to Equifax, the data breach happened between mid-May and July. The hack was discovered on July 29, but Equifax did not inform the public until September 7. Sensitive personal information such as Social Security numbers, dates of birth and addresses was stolen from Equifax, affecting one in two adults in the United States (see here).

How to create strong passwords? Obviously, the longer a password, the stronger it is. The obstacle is laziness. There may be a long list of accounts, e.g. financial accounts (banks and credit cards), social media accounts and other accounts. There may be ten or more such accounts to manage. Some people get lazy and use the same password everywhere. Using different passwords that are long enough and random enough across many accounts would indeed pose a huge management challenge – how to remember, store and update the passwords.

It turns out that it is not difficult to create strong passwords that are easy to remember. The idea is to come up with a phrase that is memorable only to you. For example, a college student may come up with the following phrase.

    My weakest subject is Chemistry. I will go to Tutoring Center 5 days a week this semester to get Help!

The resulting password would be “MwsiC.IwgtTC5dawtstgH!”. This is a 22-character password that includes upper case letters, lower case letters, numeric characters and special characters. Another plus is that it contains no dictionary words. If the information about the chemistry class is important and meaningful to the creator of the password, then it is easy to remember.

The string MwsiC.IwgtTC5dawtstgH! appears random. Yet there is a high-level piece of information behind it that is known to no one except the creator of the password.

The college student in question can change the password by using another memorable phrase after the semester is over. So this idea is flexible and the possible pool of passwords is limitless.

For each account, create a memorable phrase associated with that account. Managing these passwords still requires effort. However, the information to remember is at a high level (and memorable and personally meaningful). It is not about memorizing a random string of characters. In light of the Equifax data breach, the effort is the least we can do to help defend ourselves.
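The phrase-to-password step described above, as an added example that is not code from the original post. It keeps the first character of each word plus any punctuation that trails the word (so "Chemistry." gives "C." and "Help!" gives "H!"), then reports the properties the post highlights: length, character classes used, and whether a dictionary word is present. The word list is a small constructed sample standing in for a real dictionary.

```python
import re

# Added example: derive an acronym-style password from a memorable phrase
# in the way the post describes, then inspect the result.


def derive_password(phrase: str) -> str:
    """Keep the first character of each whitespace-separated word plus any
    non-alphanumeric characters that trail the word ("Chemistry." -> "C.")."""
    pieces = []
    for word in phrase.split():
        pieces.append(word[0])
        trailing = re.search(r"[^A-Za-z0-9]+$", word[1:])
        if trailing:
            pieces.append(trailing.group(0))
    return "".join(pieces)


def character_classes(password: str) -> set:
    """Which of the four classes (upper, lower, digit, symbol) the password uses."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


# Constructed sample word list; a real check would use a full dictionary.
SAMPLE_WORDS = ("chemistry", "tutoring", "center", "help", "days", "week",
                "semester", "password", "student")


def contains_dictionary_word(password: str, words=SAMPLE_WORDS,
                             min_len: int = 4) -> bool:
    """True if any listed word of at least min_len letters appears in the
    password (case-insensitive). Very short words are skipped because two- or
    three-letter matches occur by chance in almost any string."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def report(phrase: str) -> dict:
    """Derive the password and summarise the properties the post cares about."""
    password = derive_password(phrase)
    return {
        "password": password,
        "length": len(password),
        "classes": character_classes(password),
        "dictionary_word": contains_dictionary_word(password),
    }


if __name__ == "__main__":
    phrase = ("My weakest subject is Chemistry. I will go to Tutoring Center "
              "5 days a week this semester to get Help!")
    print(report(phrase))
```

Running it on the post's own phrase reproduces MwsiC.IwgtTC5dawtstgH!, 22 characters long, with all four character classes and no listed word inside it.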

Any discussion of safe and strong passwords is a good pivot to talking about large numbers. Having an appreciation of large numbers helps us appreciate passwords such as MwsiC.IwgtTC5dawtstgH!.

For example, how many possible 22-character strings are there? To get a sense of how big this number is, let’s assume that the 22-character string consists of only lower case English letters. Then there would be 26^{22} possible strings. How big is this number? It is 1.3474 \times 10^{31}. To simplify, let’s say it is 1 \times 10^{31}, the number 1 followed by 31 zeros. Note that a billion is one followed by 9 zeros. A trillion is one followed by 12 zeros.

The number 1 \times 10^{31} only counts strings of lower case letters. If we include upper case letters as well as numeric characters and special characters ($, ?, ! etc.), then the universe of potential passwords is greatly expanded.

To appreciate how big 1 \times 10^{31} is, let’s compare it with the age of the universe, which is about 13.8 \times 10^{9} years (13.8 billion years). Converted to seconds, the age of the universe is approximately 4.35 \times 10^{17} seconds, which is far less than 1 \times 10^{31}. Guessing at the password at the rate of one per second, the entire age of the universe is not enough time to cover the possible choices within the number 1 \times 10^{31}. This is assuming upper case letters and numeric and special characters are not in the mix!

It is believed that the sun can burn for another 5 billion years. So even guessing at the password at a fast rate, there is not enough time before the sun burns out to cover all the possible choices.
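The counting argument of the last few paragraphs carried through in code, as an added example rather than anything from the post. It uses the post's figures (26 lower case letters, length 22, a 13.8-billion-year-old universe, 5 billion years of sun left) and goes a little beyond the text: it also reports the keyspace in bits and repeats the calculation for larger alphabets and for a guessing rate far faster than one per second. The alphabet sizes other than 26 are my assumptions (52 letters, 62 alphanumerics, 94 printable ASCII characters without space).

```python
import math

# Added example: keyspace size and time-to-exhaust, using the post's figures.
AGE_OF_UNIVERSE_YEARS = 13.8e9          # 13.8 billion years, as in the post
SUN_REMAINING_YEARS = 5e9               # "another 5 billion years"
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Assumed character-set sizes; 94 is printable ASCII without the space.
ALPHABETS = {"lower": 26, "lower+upper": 52, "alphanumeric": 62, "printable": 94}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace, the usual way to state password strength."""
    return length * math.log2(alphabet_size)


def universe_age_seconds() -> float:
    """The post's 4.35 x 10^17 seconds, derived from 13.8 billion years."""
    return AGE_OF_UNIVERSE_YEARS * SECONDS_PER_YEAR


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Years needed to try every string in the space at a constant rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def universes_to_exhaust(space: int, guesses_per_second: float) -> float:
    """How many lifetimes of the universe the exhaustive search would take."""
    return years_to_exhaust(space, guesses_per_second) / AGE_OF_UNIVERSE_YEARS


def summary(length: int = 22, guesses_per_second: float = 1e12) -> list:
    """One row per alphabet: (name, size, bits, years to exhaust at the rate)."""
    rows = []
    for name, size in ALPHABETS.items():
        space = keyspace(size, length)
        rows.append((name, size, round(entropy_bits(size, length), 1),
                     years_to_exhaust(space, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print("26^22 =", keyspace(26, 22))
    print("age of universe in seconds:", universe_age_seconds())
    print("universes needed at 1 guess/s:", universes_to_exhaust(26 ** 22, 1))
    for row in summary():
        print("%-12s size=%3d bits=%6.1f years@1e12/s=%.3g" % row)
```

Even at a trillion guesses per second the 26-letter, 22-character space takes hundreds of billions of years to exhaust, far more than the 5 billion years the sun has left; the post's one-guess-per-second figure needs tens of trillions of universe lifetimes.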

Using the “memorable phrase” approach for password management is a good first step in cyber self defense. This approach can help keep your bank accounts safe. So it is a good first step in financial self defense as well.

Here’s a peculiar way to find strong passwords. This scheme produces passwords of up to 26 letters such that every letter is known and is fixed! In fact, the first letter of the password is the first letter of the English alphabet, the second letter of the password is the second letter of the English alphabet and so on. The password is long, but every letter is fixed. This scheme is discussed in this blog post. This universe of passwords is not as big as the one for the 22-character passwords discussed above. But it is a big enough collection of possibilities that it is all but impossible to hack without computer help. There are 67,108,864 different possibilities (over 67 million). How does this scheme work? Why is it that every letter is known but the passwords can be strong?

Curious? Think about it or go to this blog post. This particular scheme is a way to learn the concept of the binomial distribution. Anyone who understands this scheme understands the binomial distribution.
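The count 67,108,864 is 2^{26}, which is the reading of the scheme assumed in this added example (it is not code from this post or the linked one): each of the 26 letters is either kept or dropped, and the kept letters are written in alphabetical order, so a password is a subset of the alphabet. Deciding each letter with a fair coin gives the binomial distribution the post alludes to: the number of letters in the password is Binomial(26, 1/2).

```python
import secrets
import string
from math import comb

# Added example; assumes the "keep or drop each letter" reading of the scheme.
ALPHABET = string.ascii_lowercase  # 26 letters, fixed order


def password_from_mask(mask: int) -> str:
    """Bit i of mask set means the i-th letter is included, in alphabetical order."""
    return "".join(ch for i, ch in enumerate(ALPHABET) if (mask >> i) & 1)


def mask_from_password(password: str) -> int:
    """Inverse of password_from_mask; raises ValueError on a non-letter."""
    mask = 0
    for ch in password:
        mask |= 1 << ALPHABET.index(ch)
    return mask


def total_passwords() -> int:
    """2**26 = 67,108,864 subsets of the alphabet, the figure in the post."""
    return 2 ** len(ALPHABET)


def passwords_of_length(k: int) -> int:
    """C(26, k): how many subset passwords have exactly k letters."""
    return comb(len(ALPHABET), k)


def length_probability(k: int) -> float:
    """Binomial(26, 1/2) probability that a coin-flip password has k letters."""
    return passwords_of_length(k) / total_passwords()


def random_password() -> str:
    """Draw a password with a cryptographically secure 26-bit mask."""
    return password_from_mask(secrets.randbits(len(ALPHABET)))


if __name__ == "__main__":
    print("total:", total_passwords())
    for k in (0, 5, 13, 20, 26):
        print("length %2d: %8d passwords, probability %.4f"
              % (k, passwords_of_length(k), length_probability(k)))
    print("sample:", random_password())
```

The lengths cluster around 13 letters (about 15.5% of all subsets have exactly 13), which is why the post says the scheme teaches the binomial distribution. Note that 2^{26} is only about 26 bits: a computer enumerates all 67 million subsets in moments, so the scheme is a teaching device, consistent with the post's remark that it is far smaller than the 22-character space.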


\copyright 2017 – Dan Ma
