Why “Biometrics” Ain’t Such a Gud Idea… (Part 2)

Hi Ranty Nation!  Ranty McRantyson har agin!

(Note: This talk dun be updated on 11/29/2020)

In mah last talk bout, “Why ‘Biometrics’ Ain’t Such a Gud Idea… Part 1”, ah talked bout the trouble biometrics caused when they dun be used as a stand-alone security measure.  But ah never talked whut is proven to wurk!  Well, har we are.  Whadda ya say we talk bout fixin the problem?

So Whut’s the Solution?

Well, the old tried an true is the best… a PIN/passwurd!  Ah know, ah know, y’all’re sayin that them security folk’re sayin that PINs (Personal Identification Numbers) an passwurds ain’t no gud no more.  Well, yes an no.  Let’s talk bout why.

They’s three reasons why security folk’ll say passwurds ain’t no gud.

Furst, most folks ain’t got gud passwurds.  An by “gud”, ah mean that they’re way too easy to guess.  Ah’m shure y’all have seen them movies when the compooter nerd-like guy (an sumtimes, gurl) dun says, gimme a minute while ah try to guess this har person’s passwurd.  An bout a minute later they say, “Got it!”  When asked whut it was, the compooter nerd’ll say sumthin like, “it was their birthday, but backward.”  Y’know, sumthin that the person cud easily remember, but changed a bit.

An that’s the problem wit most passwurds folk pick.  They’all pick a passwurd that they can remember easy, whut means that it probly also be easy fur sumone else to figure out!

Jus so y’all know, FUR YEARS, the three most common passwurds were, “123” (or “1234” fur PINs), “sex”, an, y’all guessed it, “password”.  The sad thang is, security folk dun required that folk make them passwurds longer, they jus kept doing the same silly thang.  Fur 2020, the top 3 passwurds (outta over 275,000,000 stolen passwurds) are:

  1. 123456
  2. 123456789
  3. picture1

The honorable mention (#4) is, yep, y’all guessed it, agin: password

Jus to be clear, usin regular like wurds ain’t a gud idea.  Specially since them crooks an guvmint dun got whut’s called “passwurd dictionaries” that can go thru a buncha the most common password real quick-like.  So if’n y’all use a “cute” passwurd, then a lotta folk probly be usin it too and y’all’ll be an easy passwurd hack!

Secund, most folks’ passwurds ain’t random!  Now y’all’re probly thunkin, “Whut you talkin bout, Ranty?  Ah picked the furst thang that popped into mah head!  An if that ain’t ‘random’ ah don’t know whut is!”  The problem is that whut we dun figure is random really ain’t fur a compooter.

Y’see, like so many thangs, compooter folk put a special meanin on the wurd “random”.  It basically means that a number is “random” if’n y’all can’t predict that number.  Course, now that sounds like one of them “Duh!” statements.  But wit compooters, what are designed to do thangs predictably, that can be hard to do!

HowToGeek.com: How Computers Generate Random Numbers

So, whut them compooter folk dun did was to create “pseudo” (means “kinda”) random numbers that’re “random enuf” so as it wud be really, really hard to predict em.  Hard nuff that fur most thangs it jus wudn’t be wurth it!

Gittin back to passwurds, y’all want a passwurd that dun be really hard to guess.  An that means a random passwurd.  To help y’all out, ah’ve included a link to a really gud random passwurd generator below.  But before y’all go generatin sum new passwurds, we’all got a few thangs to talk bout furst…

Third, most folk’s passwurds ain’t long nuff.  Fur years security folk dun thunk that a random PIN that was 4 characters long be long nuff to be safe.  An it probly is, fur most stuff (unless y’all do sumthin stoopid like use a birthday or sumthin).  But it means that, on average, a “bad guy” needs to try 5,000 passwurds to git into yur stuff (0000-9999 = 10,000 PINs / 2 fur an average = 5,000).  An fur them bad guys, that ain’t too much effort.

Fur other thangs like stuff on the InterTubes an yur home computer, well, y’all really need a longer passwurd because crooks an guvmints can do whut’s called a “brute force attack” on y’all’s passwurds!

So y’all’s passwurds can be figured out by what the compooter security types call, “brute force attacks”.  An this’n be pretty much like whut y’all might thunk it be.  It’s when the bad guys tell they’s compooters to jus try ever possible passwurd they is.

Course, they’s gonna try the easy stuff furst, like a “passwurd dictionary” or likely changes to passwurds in a passwurd dictionary or even just easy to type passwurds.  After all that, then they’s gonna git serious an fire up the sooper dooper compooters an jus try ever passwurd till they git it.
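To make the "passwurd dictionary" point concrete from the defender's side, here is an added example (not Ranty's or Rufus's code) of the kind of check a sign-up form can run before it accepts a password: it folds the candidate to lower case, undoes the usual cute substitutions, strips trailing digits and symbols, and tries it backwards, then looks each form up in a common-password list. The list here is a constructed sample of a dozen entries; a real check uses a breached-password list with millions of entries.

```python
import re
from typing import Iterator, Tuple

# Constructed sample of a "passwurd dictionary". Real wordlists hold millions
# of entries; the first three here are the 2020 top three quoted in the post.
COMMON_PASSWORDS = {
    "123456", "123456789", "picture1", "password", "1234", "sex",
    "qwerty", "letmein", "iloveyou", "welcome", "monkey", "dragon",
}

# Undo the usual substitutions so "p@ssw0rd" is compared as "password".
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits and symbols people tack onto the ends of a dictionary word.
_EDGE = r"[\d!@#$%^&*.]+"


def candidate_forms(pw: str) -> Iterator[str]:
    """Yield the simple variations a dictionary attack also tries, so the
    checker rejects them too: case-folded, reversed, de-leeted, and with
    trailing or leading digits/symbols stripped."""
    base = pw.lower()
    yield base
    yield base[::-1]                              # "birthday, but backward"
    yield base.translate(UNLEET)
    stripped = re.sub(_EDGE + r"$", "", base)     # password1! -> password
    yield stripped
    yield stripped.translate(UNLEET)
    yield re.sub(r"^" + _EDGE, "", stripped)      # 1password1 -> password


def is_weak(pw: str, min_len: int = 10) -> Tuple[bool, str]:
    """Return (True, reason) if the password should be rejected, else (False, 'ok')."""
    for form in candidate_forms(pw):
        if form in COMMON_PASSWORDS:
            return True, f"matches common password '{form}' after a simple change"
    if len(pw) < min_len:
        return True, f"shorter than {min_len} characters"
    return False, "ok"


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd1!", "drowssap", "Tr0ub4dor&3", "kQ7#vL2pXe"]:
        print(f"{pw!r:16} -> {is_weak(pw)}")
```

The dictionary check runs before the length check on purpose: a long password built from a dictionary word plus a year is still a dictionary password, and the user should be told why it was rejected rather than just that it was too short.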

Now, them sooper compooters are durned fast.  They can check thousands (regular folk), even billions (large corporations) or trillions (big guvmints) of passwurds a second!  So, let’s say, a regular compooter can only check passwurds at a 1000 passwurds a second.  A six digit passwurd (upper/lower case letters, 0-9, an special characters) means bout 26 upper case + 26 lower case + 10 numbers + 33 special characters (trust me on this one) = 95 to the 6th power (6 digits of 95 possible in each position) = over 735 billion possible passwurds.  Wow!  Ain’t that a bunch?

Now let’s have this so-so compooter have a try at it.  At only 1000 passwurds a second, it wud take bout 18 years to find that passwurd.  Seems purty gud, right?

Well, let’s try it wit an average sooper compooter at bout 100 billion passwurds a second.  That’ll only take a bit over 72 seconds.  Yep, bout 100 million times faster!

Har’s sumthin cool.  Let’s stick wit that sooper compooter.  An let’s go frum 6 random characters to 10.  Now y’all’re probly thunkin, “Well, that’ll only take bout 60% more time.”  Remember how 6 characters wud only take a bit over a minute?  Well, wit the SAME sooper compooter, it’ll take over 19 years!

Just to be clear, big guvmints, like the US guvmint can afford sooper dooper compooters that’re 10,000 times or more faster than the one above.

Course that’s 19 years if’n y’all have a random 10-digit passwurd.

If’n y’all like mathimacation, try this har calculator an see how long it’d take to brute force yur passwurd.  If you don’t have a fully randomized passwurd, then that number’ll be the maximum average time!

Steve Gibson’s Password Haystack Calculator

Also, remember that 19 years fur a 10 digit passwurd (with all 95 possible characters)?  Well, ah thunk ah’d put together this list below so y’all can more easily see why the more possible characters the better:

Upper/lower case letters + 0-9 numbers + 33 special characters = 95 total possible characters
95 possible characters at 10 digits long:  19+ years

Upper/lower case letters + 0-9 numbers = 62 total possible characters
62 possible characters at 10 digits long:  3.24 months
62 possible characters at 11 digits long:  16+ years
62 possible characters at 12 digits long:  1000+ years

Upper/lower case letters = 52 total possible characters
52 possible characters at 10 digits long:  2.44 weeks
52 possible characters at 11 digits long:  2.44 years
52 possible characters at 12 digits long:  127 years

Basically, the more kinds of possible characters the better.  Anyhoo, y’all can check it out fur yurselves at the link above.
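The brute-force arithmetic from the last several paragraphs and the list above, as an added worked example (this is not Ranty's code and not Steve Gibson's calculator): the search space is the character-set size raised to the password length, the worst case for the attacker is trying the whole space, and the 1,000 and 100 billion guesses-per-second rates are the ones the post uses. The unit conversions and the 365.25-day year are my assumptions.

```python
# Unit sizes in seconds (assumed: 365.25-day year, month = year/12).
SECONDS_PER = {
    "seconds": 1.0,
    "minutes": 60.0,
    "hours": 3600.0,
    "days": 86400.0,
    "weeks": 7 * 86400.0,
    "months": 365.25 * 86400.0 / 12,
    "years": 365.25 * 86400.0,
}

# Character-set sizes exactly as the post counts them.
CHARSETS = {
    "letters": 26 + 26,                            # 52
    "letters+digits": 26 + 26 + 10,                # 62
    "letters+digits+symbols": 26 + 26 + 10 + 33,   # 95
}

HOME_PC = 1_000          # guesses/second, the post's "so-so compooter"
SUPERCOMPUTER = 100e9    # guesses/second, the post's "average sooper compooter"


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords: every position can hold any character."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: the attacker has to try the whole space at `rate` guesses/s.
    The average case is half of this."""
    return search_space(charset_size, length) / rate


def growth_factor(charset_size: int, from_len: int, to_len: int) -> int:
    """How much more work a longer password costs (exponential, not 60% more)."""
    return charset_size ** (to_len - from_len)


def human(seconds: float) -> str:
    """Format a duration using the largest unit that gives a value >= 1."""
    for unit in reversed(list(SECONDS_PER)):
        value = seconds / SECONDS_PER[unit]
        if value >= 1:
            return f"{value:,.2f} {unit}"
    return f"{seconds:.2f} seconds"


def crack_table(rate: float = SUPERCOMPUTER, lengths=(10, 11, 12)) -> dict:
    """Rebuild the post's list: {charset name: {length: worst-case time}}."""
    return {name: {n: human(seconds_to_exhaust(size, n, rate)) for n in lengths}
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    print(f"95^6 = {search_space(95, 6):,} passwords")
    print("home PC, 6 chars, worst case:", human(seconds_to_exhaust(95, 6, HOME_PC)))
    print("supercomputer, 6 chars, worst case:", human(seconds_to_exhaust(95, 6, SUPERCOMPUTER)))
    print(f"6 -> 10 characters is {growth_factor(95, 6, 10):,}x more work, not 60% more")
    for name, row in crack_table().items():
        print(f"{name:24}", row)
```

Run as written, the 10-, 11- and 12-character rows come out matching the list above (about 19 years, 3.2 months and 2.4 weeks for the 10-character rows at 100 billion guesses a second); the 6-character figures it prints are shorter than the post's round numbers, since it reports the full worst case rather than a rounded estimate. The point the numbers make is the same either way: going from 6 to 10 characters multiplies the work by 95 to the 4th, not by 60%.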

So, whut we dun need is a gud random passwurd generator y’all can use so y’all can git yur own super strong 10+ digit passwurds.  Now, Steve Gibson’s a really gud programmer.  An he also dun have a really gud random passwurd generator on his web site.  His passwurd generator’ll give y’all a 64 character passwurd.  An each time y’all visit it’ll make a new one.

Ah know, y’all are sayin, “Ranty, have y’all dun lost yur mind?  Ah can’t remember 64 random characters!”  An you’d be right!  BUT, y’all can pick any bunch of characters (all next to each other, in order) an it’s still a “random passwurd”!  So go to his passwurd generator an pick any 10 characters in a row fur yur new sooper dooper compooter bustin passwurd.

Y’all can git it har:

Steve Gibson’s Random Passwurd Generator
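Here is an added example (my code, not Steve Gibson's generator and not anything from the post) that does in a few lines what the post describes: build a 64-character random string and cut any 10 characters in a row out of it. It also ties back to the "pseudo random" paragraphs earlier: Python's `random` module is a predictable pseudo-random generator meant for simulations, so the example draws from the `secrets` module, which reads the operating system's cryptographic random source. The 94-symbol alphabet is an assumption; the post counts 33 special characters, and `string.punctuation` holds 32.

```python
import math
import secrets
import string

# 26 upper + 26 lower + 10 digits + 32 punctuation = 94 symbols (assumed alphabet;
# the post's 95 counts one more special character than string.punctuation has).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_block(length: int = 64, alphabet: str = ALPHABET) -> str:
    """Like the 64-character string the post describes: every position is an
    independent, uniform draw from the OS CSPRNG via secrets.choice, never
    from random.choice, whose output can be predicted from its seed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pick_run(block: str, length: int = 10) -> str:
    """Take `length` characters in a row from the block. Because each position
    was drawn independently, any run is as random as a fresh password of that
    length; the start position is itself chosen with the CSPRNG."""
    if length > len(block):
        raise ValueError("run is longer than the block")
    start = secrets.randbelow(len(block) - length + 1)
    return block[start:start + length]


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """log2 of the search space: the number of bits a brute-force attacker
    must guess. 10 characters from 94 symbols is about 65.5 bits."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 10) -> str:
    """Convenience wrapper: a 64-character block, then a run cut from it."""
    return pick_run(random_block(64), length)


if __name__ == "__main__":
    block = random_block()
    pw = pick_run(block, 10)
    print("block:   ", block)
    print("password:", pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

`generate_password(10)` gives the same strength as `random_block(10)` would; the block-and-slice form is only there to mirror the "pick any 10 in a row" advice. If a site caps the alphabet (no symbols, say), pass a smaller `alphabet` and make the run longer to keep the bit count up.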

How to Remember All Them Passwurds?

Well, most passwurd hacks happen online.  Which means they dun be whar y’all can’t see them or even know it dun be happenin.  The bad guys like this cuz they can do it at home in they’s PJs, if’n they wanted to.

So, one way to save yur passwurds wud be on a paper list at home.  Cuz y’all know who’all’s supposed to be in yur home an, I hope, y’all trust them.

If’n y’all don’t trust yur folk at home and/or might need to access that info at home, yur still in luck.  Wit y’all’s smartphone, y’all can git a “password manager” that’ll remember them passwurds fur y’all!

Now y’all might be sayin, “But Ranty, then sumone who steals mah phone’ll git them passwurds!”  Furtunately, them passwurd manager programmer folk dun thunk of that an y’all have to use a passwurd to access all them other passwurds.  Yeah, that is a bit of a bummer, but y’all only have to remember one really gud passwurd rather than all of them to keep all’y’all’s passwurds safe!

The Bottom Line

The fact is that folk’ve bin usin usernames an passwurds fur a long time now.  An other than users not bein so gud at pickin passwurds, they dun wurked really gud!

Now, if’n ah were to say whut ah thunk biometrics was gud fur, ah’d have to say usin biometrics instead of a username wud be a gud use cuz witout a passwurd, no one can git in.  So, if’n the program designers were to use it that way, that’d be great!

Then combine that FaceID/username wit a gud passwurd an y’all’d have a purty gud, an safe, way of signin in!

So, this is the end of this har talk on why biometrics ain’t that gud fur security.  In a future talk ah’ll go over a couple purty gud ways of makin an rememberin a purty secure passwurd that ain’t totally random…

Ranty McRantyson signin off!

PS.  Ah dun also consulted mah bruther, Rufus McRantyson, on the security stuff in this har talk cuz he be a “compooter security expert-like person”.

