We will be at the Penang International Science Fair
Workshop on Cracking and Creating Passwords
When the Penang Science Cluster unofficially invited us to participate in this year's Penang International Science Fair (2017), we were expecting to prepare a tiny little booth that allowed visitors to try their hands at cracking passwords, with the purpose of scaring folks into better security hygiene.
Yes, fundamentally speaking, I am the more mischievous of the two of us here in georgetown.technology.
The folks organising PISF liked the idea so much, they decided to provide us with a 400 sq ft area and upgrade our little gimmick into a full-blown workshop. We gratefully accepted their offer and are now preparing for our company's debut in our first fair!
Why teach password cracking?
Your password is, more likely than not, the only thing standing between you and your important data. From experience, we have come to realise that people just do not seem to understand how vulnerable they are to attacks when they use weak passwords. We aim to provide a completely legal, guided, educational experience in password cracking so folks will be scared shitless enough to change their passwords into stronger passphrases.
These techniques are already in use by people smarter and more resourceful than us, the most prominent of them being the National Security Agency, as revealed by Edward Snowden in his 2013 leaks.
Tools used by the NSA have also been leaked to the public, the most devastating of them resulting in the WannaCry ransomware attacks in May of this year.
Although having a strong passphrase may not defend you against such attacks, it will at the very least blunt common wordlist-based password attacks.
Easy to remember passphrases
After giving everyone a belated Halloween scare, we shall teach you how to create strong passphrases that are both easy to remember and resistant to cracking techniques. The method we shall be teaching is the Diceware method, the principles of which are very thoroughly explored in the article "Passphrases That You Can Memorize — But That Even the NSA Can’t Guess", written by Micah Lee on The Intercept.
Basically, using a wordlist called Diceware and five dice, we can generate NSA-proof passphrases that, when created correctly, would take millions of years to crack (with currently known technology). We shall be using the Electronic Frontier Foundation (EFF) wordlist, as some of the words in the original Diceware wordlist aren't even words and may be more difficult to memorise.
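The sketch below is an added example, not part of the original post or the workshop material: it shows how five dice rolls select one word from a 7776-entry list and what that means for cracking time. The stand-in wordlist is constructed (placeholder words laid out as five dice digits, a tab, then the word), the function names are hypothetical, and the guess rate of one trillion per second is an assumption chosen for illustration.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                     # five rolls select one word
LIST_SIZE = 6 ** DICE_PER_WORD        # 7776 possible roll sequences

def parse_wordlist(lines):
    """Parse 'DDDDD<TAB>word' lines into {key: word}; reject incomplete lists."""
    table = {}
    for line in lines:
        key, word = line.split()
        if len(key) != DICE_PER_WORD or set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} unique keys, got {len(table)}")
    return table

def roll_key():
    """Simulate five fair dice with the OS CSPRNG, not the `random` module."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def passphrase(table, n_words=6, keys=None):
    """Build a passphrase; pass `keys` to use rolls made with physical dice."""
    keys = keys or [roll_key() for _ in range(n_words)]
    return " ".join(table[k] for k in keys)

def entropy_bits(n_words):
    """Each word contributes log2(7776), about 12.9 bits."""
    return n_words * math.log2(LIST_SIZE)

def average_years_to_crack(n_words, guesses_per_second):
    """Expected search time: half the keyspace at the given guess rate."""
    seconds = LIST_SIZE ** n_words / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

# Constructed stand-in list (placeholder words, not a real wordlist), same layout.
STAND_IN = [f"{''.join(k)}\tword{''.join(k)}"
            for k in itertools.product("123456", repeat=DICE_PER_WORD)]

if __name__ == "__main__":
    table = parse_wordlist(STAND_IN)
    print(passphrase(table, 7))
    for n in (4, 5, 6, 7):
        # 1e12 guesses per second is an assumed attacker speed
        print(n, f"{entropy_bits(n):.1f} bits",
              f"{average_years_to_crack(n, 1e12):.3g} years")
```

The strength comes from the uniform random choice among 7776 words per position, not from the words being secret, so the estimate holds even when the attacker has the wordlist.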
More likely than not, you are using the same password on multiple sites and accounts, or the same password with slight variations depending on the account you are using. With the Diceware passphrase generating technique in your repertoire, you may now proceed to the important task of creating a password database to be defended by your Diceware passphrase.
Yes, this does mean replacing all your passwords with randomly generated passwords that even you won't bother to remember.
Yes, this also means if you forget your master passphrase, you will probably be locked out of some accounts forever.
But without this necessary step, all of your accounts are vulnerable as soon as one of them is part of a compromised website's password database dump.
Worry not! For if you join us at our booth, we shall also be covering techniques for memorising Diceware passphrases (which are incidentally covered in the articles above as well).
Hope to see you soon!
We would like to think our charming personalities would be enough to attract visitors to our booth, but we know better.
Instead of a traditional house of horrors so close to Halloween, we think the psychological dread of realising that, at every passing moment, you are simply a word away from completely losing your bank account, Facebook reputation, or being a conduit for scammers to get to your contact list will help change your behaviour for the better.
But words can only do so much. Come join us at the Spice Arena on the 11th and 12th of November instead, and experience the existential crisis resulting from the realisation that your entire identity and quality of life in the 21st century is dependent on whether your passwords can withstand sustained attacks from state actors.