(Initially published on publish0c.com)
In our time, everyone who uses computers or the internet needs passwords to access online accounts. Even access to devices, as well as virtual and physical places may require passwords, PINs, or access codes. Some studies (see [1-4]) indicate that an average number of passwords a user needs to manage is above 100.
Any static password can be cracked with a brute force method with 100% of certainty. Indeed, basic parameters of static passwords are: a length of passwords (lp) and a length of a set of symbols (ls) from which passwords are constructed. From these two parameters we can calculate a number of all possible combinations (NAPC) of passwords with these parameters,
which is equal to NAPC=ls^lp. If a time for testing a single password is equal to t1, then the time t_crack=t1*NAPC is the time when the password's combination will be found with 100% certainty. It should be noted that with some luck, it is possible to find the correct combination even from a single attempt. The probability of such an event is small p=1/NAPC, but it is not zero.
Dynamic passwords are changeable static passwords. To understand how frequently passwords should be changed we need to understand two important definitions: an expected loss (EL) resulting from a compromised password and a level of tolerance (LT) to the loses resulting from a compromised password.
An expected loss (EL) due to a compromised password is equal to the product of the probability of the password being cracked and a real loss in the case of the password being cracked. For example, suppose that a real loss (RL) from the compromised password is one million dollars and the probability that the password will be cracked in one day is equal to 0.00001. Then the expected loss for a day is equal to EL(1 day)=$1,000,0000.00001=10 dollars, the expected loss for 10 days is equal to 100 dollars, and the expected loss for 100 days is equal to 1,000 dollars. A level of tolerance (LT) to the losses is the percentage of real loss you can tolerate. Once this parameter is determined, it is possible to calculate a period for password changes from the equation: EL(T)=LTRL. For example, if the LT=0.1% then LTRL=0.0011,000,000 =1,000 dollars= EL(100 days). Therefore, the passwords should be changed in 100 days to satisfy the level of tolerance LT=0.1%.
Dynamic passwords create inconveniences for users, because users need to securely manage these password changes. Online and offline password managers are proposed to address these inconveniences. But the big problem with these password managers is the problem of risk concentration. When users use such password managers, they put "all their eggs in one basket." The password managers store passwords in an encrypted file called a vault, which is a target for attackers. If attackers hack this vault, they will be able by using the brute force method to crack this vault at some point in time. Every year, researchers
find weaknesses in such password managers (see [5-8]); therefore they are very risky for users.
A password management system, which allows one to generate multiple passwords for multiple sites or/and accounts in a simple way, which does not store passwords on computers or paper, which allows users to recreate/recover complex and strong passwords with easy memorable information, will be satisfactory for most users of passwords.
Many security experts will say: "Such system is not possible, because it is well known that there is a trade-off between security and convenience. If we want strong secure passwords then they must be complex and not memorable, which creates an inconvenience in use and management of these passwords. On the other hand, if we generate simple and memorable passwords, they will not be secure."
The password 123456 is easy to remember but is not secure. For many years this password was among the most popular.
To convince skeptics, let us generate multiple strong passwords with a simple key: 123456 and the memorable date: February 22, 2222 with a public password generator (PG) available at URL https://dynpass.online .
As we can see in the picture below, all fields on the form are hidden by default to prevent other people behind the user’s backs from seeing the entered data. Users should verify that no one can see the user’s input before entering data.