SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 184: Safe Passwords with Bart Busschots

Posted on May 7, 2020

This week on the Checklist, we sit down with a special guest to talk about passwords — plus we’ll update you on Google’s efforts to build a safer smart home.

Passwords for humans

If you’ve listened to the Checklist before, you know that the importance of good passwords is a favorite theme of ours — because it’s such a fundamental aspect of digital security and privacy.

This week, we sat down to talk with Bart Busschots, creator of xkpasswd, a web-based tool that helps users generate strong, unique passwords that are actually easy to remember!

Busschots is based in Ireland, where he works as a developer, podcaster, and system administrator. He’s clearly a tech guy through and through, but we asked him to talk a bit more about his background in his own words by answering the question “Who is Bart Busschots”?

BB: That’s a very existential question! So, I was convinced — absolutely certain — that I was going to be an astronomer: That that was my line in the universe. And I went off to university to study maths, mathematical physics, and experimental physics. But I needed a fourth subject for my degree. And I went, “I don’t like biology…maybe not good at chemistry…Oh, computer science! That might be an interesting distraction for a year!” 

Well, I very, very, very quickly realized that I am not very good at mathematics. So the mathematical physics: not so good. The maths: yeah, not so good. So I ended up graduating with a degree in experimental physics and computer science.

I like being a physicist on paper, but I have never actually made a career in my physics half. I ended up going into what we call a postgraduate — I guess you call it graduate studies or something. And it was vaguely related to astronomy — we were writing software to help people to learn, and the McGuffin we used was live access over the Internet to real world-class telescopes from the classroom. That really got the students in, and then we were trying to teach them about science and stuff. And then I realized that academia wasn’t for me and I accidentally became a sysadmin and a developer.

Busschots says that he developed an interest in cybersecurity by way of his natural curiosity. Descriptions of hacking — as reported in the popular press, anyhow — often sound a bit like magic … which can prove unsatisfying for a certain type of mind:

BB: I like to know how things work. When you read a story about how a hacker can do this, that, and the other, I’m like: But no! You can’t do that by just going and clicking on these buttons! How can they do that?!

As a developer, Busschots is naturally concerned with writing secure code as well. 

With the rise of modern, “safe” programming languages, many of the issues which plagued previous generations of developers are now, if not entirely obsolete, at least greatly mitigated. 

But Busschots warns that there’s a danger in complacency, and that the newer programming languages can still lead to serious issues — especially if developers lack a security mindset.

BB: It’s such a double-edged sword. On the one hand, the more modern programming languages make it much more difficult to make the kind of catastrophic mistakes that it was trivially easy to make in the past. The old languages didn’t manage memory for you. You had to do it yourself — which meant that buffer overflows and all these traditional errors were extremely easy to make. Whereas nowadays, the languages take care of all that for you, so you can’t write a buffer overflow in your own JavaScript code, because you’re not managing the buffer: JavaScript’s looking after that for you.

On the other hand, it’s really easy to write code that works when everyone does everything they should. But security is from the exact opposite point of view: What happens when anyone does something they shouldn’t? Does it still work?

If you write code to the point where you can make it do what you want, because you’re putting in the sensible inputs and the sensible outputs are coming out, and you call it a day … you have probably released the most insecure piece of junk on planet Earth. 

This interest in security led to the development of xkpasswd, a free web service designed to help users generate strong, memorable passwords. The password creation tool is fairly intuitive, and anyone looking for a more detailed walkthrough can check out tech podcaster Allison Sheridan’s excellent tutorial.

Busschots talks about the origins of xkpasswd:

BB: Around the time I was thinking about these things, two things happened at the same time.

First, the infamous xkcd “correct horse battery staple” comic came out, where they basically did the math and proved that a password made up of words chosen at true random is more secure than a shorter password made of actually random gluck that no human being has a chance of remembering. So the idea was that “correcthorsebatterystaple” was actually more secure than “!3241c:-” or whatever, you know, eight characters of unpronounceable modem noise. So why were we making passwords that were hard on humans and easy for computers to crack? You know, it’s like, hmm, that’s a good way to put it! Maybe it should be easy on humans and hard on computers, so make it long! 

And then, Steve Gibson, at the same time, did his “password haystacks” thing, where he was basically saying “defense in length, defense in length, defense in length”. You know, pick a password and stick ten full stops before and ten full stops after and you have made it so many more times more secure, because no [password] cracking tool is going to go to all those permutations. To some extent, it’s one of those “you don’t have to run faster than the bear, just the other guy” situations. If there’s a password breach and the hackers are trying to reverse all of the passwords, and if yours is one of those ones that’s in the 5% left over at the end that they can’t crack, it’s probably going to stay left over at the end.

And being a programmer, I thought, well I have an itch, and I can scratch this. That, to me, is why I love having the skills to write software: because when I want to do something, I can. And so I created a tool that took the two ideas — make it long, and use words — and mashed them together. I initially called it “xkpasswd” and then later, when I open-sourced the actual Perl module that powers it, I called it “HSXKPasswd”, for “haystacks”, so Steve Gibson gets the credit as well as xkcd.

Many of us have been conditioned to think of good passwords as inherently unreadable (at least by humans), and so the idea that a word-based password can actually be safer than a shorter password that uses numbers and symbols may strike some people as counterintuitive. 

Busschots has an extremely accessible explanation of how it works:

BB: Here’s how I think of it. If you’re picking out things at random, the question is how big is the bag of things you’re sticking your hand into and pulling something out of, and how many times are you doing that. So imagine playing Scrabble as a kid. You stick your hand in the bag and you pull something out. Well, if you’re using letters, numbers, and symbols, every time you stick your hand in the bag what comes out is one out of say 56 possibilities, if we take uppercase letters, lowercase letters, a few symbols, the digits. So you do that eight times, and that gives a certain probability of it being guessable.

Well the dictionary is effectively the world’s biggest Scrabble bag, but each individual thing you’re pulling out is not one of 56 letters, numbers, and symbols, but one of tens of thousands of words. And so if you pull out a few things from a bag that contains lots and lots of things, that’s actually more combinations to try than pulling out more things from the bag with less in it.

The issue of randomness is worth discussing in its own right, as it has an extremely specific meaning in computing and mathematics. Both the xkcd comic and Sheridan’s tutorial make reference to the idea of “bits of entropy”. Despite the somewhat intimidating name, Busschots says the basic idea is fairly straightforward:

BB: “Bits of entropy” is ultimately a measure of the amount of randomness that goes into picking the password. Say you assemble an xkpasswd password that consists of two random digits, followed by four random words, separated by a randomly chosen character. So you look at how many choices were there for each of the four digits, and you multiply those numbers together; how many choices were there for the symbol, you multiply those choices together; how many choices were there for the words, you multiply all that together — and then you get the amount of choices and, to be honest, I don’t remember the exact formula, but the amount of choices … I think it’s the square root of or something … gives you the bits of entropy. 

It’s just a measure of how much randomness had to go into making the password. And the reason you care is this:

Imagine a person trying to crack your passwords. If they don’t know anything, they’re just trying to guess every possible combination in the universe, and they’re never going to get to a long password made of words. But if they assume you started with a dictionary — and let’s give them all the credit in the world, let’s tell them how we made the password, tell them everything, we chose four digits, then we chose a symbol, then we chose four words — even if they knew everything, how many things would they have to try before they would get your password? Entropy is just a way of measuring that.
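The arithmetic behind the Scrabble-bag analogy and the entropy discussion above, as an added example that is not code from xkpasswd or HSXKPasswd: the number of combinations is the product of the bag sizes for each draw, and bits of entropy is the base-2 logarithm of that product, which is exactly how many possibilities an attacker who knows the recipe (digits, separator, words) still has to try. The word list and symbol set below are constructed for the example; xkpasswd's real dictionary has tens of thousands of words, so the entropy functions take the dictionary size as a parameter.

```python
import math
import secrets

# Constructed sample dictionary, kept short so the example runs offline.
# Pass the real dictionary size to the entropy functions (e.g. 40000).
WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "kettle", "violet",
    "rocket", "meadow", "copper", "puzzle", "lantern", "walnut", "marble",
    "glacier", "pepper", "tunnel", "saddle", "bishop", "canvas", "orchid",
    "harbor", "feather", "pickle",
]
# Constructed separator/padding alphabet (one draw chooses the separator).
SYMBOLS = "!@#$%^&*-_=+:;.?"
DIGITS = "0123456789"


def entropy_bits(choices):
    """Bits of entropy for independent random draws.

    choices[i] is the size of the 'bag' for draw i. Total combinations is
    the product of the sizes; log2 of a product is the sum of the log2s.
    """
    return sum(math.log2(c) for c in choices)


def xkpasswd_entropy(num_words, dict_size, num_digits=2, num_symbols=1,
                     symbol_choices=len(SYMBOLS)):
    """Entropy of the recipe in the interview: digits + separator + words,
    computed as if the attacker knows the recipe and the dictionary."""
    choices = ([dict_size] * num_words + [10] * num_digits
               + [symbol_choices] * num_symbols)
    return entropy_bits(choices)


def random_string_entropy(length, alphabet_size):
    """Entropy of `length` characters drawn from an alphabet of that size
    (the '8 characters out of 56' case from the analogy)."""
    return entropy_bits([alphabet_size] * length)


def generate(words, num_words=4, num_digits=2):
    """Build one password in the digits + separator + words shape, using the
    OS CSPRNG (secrets) so every draw is genuinely random."""
    sep = secrets.choice(SYMBOLS)
    digits = "".join(secrets.choice(DIGITS) for _ in range(num_digits))
    chosen = [secrets.choice(words) for _ in range(num_words)]
    return digits + sep + sep.join(chosen)


if __name__ == "__main__":
    print(f"8 chars from 56 symbols: {random_string_entropy(8, 56):.1f} bits")
    print(f"4 words from 40000:      {xkpasswd_entropy(4, 40000, 0, 0):.1f} bits")
    print(f"2 digits+sep+4 words:    {xkpasswd_entropy(4, 40000):.1f} bits")
    print("sample:", generate(WORDS))
```

With a 40,000-word dictionary, four words alone exceed the eight-character random string by roughly 15 bits, and the xkcd comic's 2048-word list gives its well-known 44 bits; adding the digits and separator only raises the total further.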

One noteworthy feature of xkpasswd is the degree of customization it allows the user. It comes with an extensive array of options to change the configuration of the tool’s output. You can, for example, choose the number and length of words used, various capitalization patterns, the number and type of the digits and symbols used as padding, and much more. Busschots says that this was due in large part to his own experience testing the tool out on various websites and services. He soon discovered that many sites had quite particular — and some might even say arbitrary — restrictions on what counted as a good password. In the end, a highly configurable tool was the best way to serve as many users as possible:

BB: As I was writing the tool, I kept on thinking of things that would be cool to be able to do. And so I just made it configurable. And then I tried to use my own passwords around the Internet, and different websites would come up with different blockers: “Oh, no! You must be less than 64 characters” or “Oh, no! You can’t do more than 32 characters”. Apple wouldn’t let you repeat the same character more than twice. There are all these little rules, and so I just decided why not make the tool have some options. And I may or may not have gotten carried away, but I’m a nerd so that sort of happens from time to time!

UX is at the heart of the xkpasswd tool, which is one reason why Busschots sees it as a complement to — although not a replacement for — traditional password managers like 1Password, Dashlane, and LastPass. 

BB: This is a very, very important point: xkpasswd doesn’t replace the need for a password manager, and a password manager doesn’t replace the need for xkpasswd. 

I store all of the passwords I generate with xkpasswd in my password manager. The password managers will all offer you a password of absolute random unreadable garbage. So, you might ask, why don’t I just use their complete random glop for my passwords?

The thing is, it happens to me quite often that I am out and about (at my parents’ house, at a relative’s house, at a friend’s house) and I have to enter in one of my own passwords. I have my iPhone, so 1Password is right there with me, and I bring it up on screen and I say “Display Large” and it says “!-321…” — and I can’t type it in! Whereas if it’s a password from xkpasswd, I only have to glance at it a few times: OK, the digits, tick tick, the words, tick tick tick tick. It’s typable.

And the other thing is, xkpasswd passwords are shareable over the phone. One place I use passwords from the site a lot is when I have to securely send someone a file. So I’ll encrypt a zip file and then I’ll send the zip over email and the email will say “phone me for the password”. And then I have to read — over the phone — a password that is secure enough to withstand being hammered on, because email is the most insecure medium out there, pretty much, so I have to assume that if I’m emailing, anyone could have it, so it has to be a strong password. Well if it’s an xkpasswd password, this is actually quite easy to do, because most people can spell most words!

The ability to create passwords that are both strong and memorable is the great strength of xkpasswd. This is especially useful when making a strong master password for one’s password manager. After all, if you’re going to keep all of your other passwords safe in the vault of a password manager, then it stands to reason that you’ll want the password that opens that vault up to be as strong as possible — and also something that you’ll be able to remember.

BB: 1Password is a product I happen to have fallen in love with, but LastPass is great too, there are lots of good password managers. But with these tools, you’re basically putting all of your eggs in one basket, so you want to make sure the basket has strong arms: like, make sure it’s a good basket! You can go onto xkpasswd and there’s a dropdown for how many passwords it generates at once, and you can set that to 10, and then click “go” a few times, and whatever one makes you laugh — because it’s truly random, which means the most off-the-wall, insane garbage can come out — whatever one makes you laugh, that’s the basis of your password for your password manager. Because it’s going to be something that you’ll remember.

When discussing password management options, it’s worth mentioning that Apple’s native tools have grown increasingly sophisticated (and robust) over the years, and that these solutions may be enough for some people. Busschots agrees, but also points out that relying entirely on Safari and iCloud Keychain might not work for everyone — and in addition, he notes that full-featured password managers can actually do much more than just manage passwords:

BB: If you live entirely in the Apple world; if you’re the kind of person who spends their entire life on their iPhone, iPad, and Mac, and you browse the web more than anything else, then I don’t see why you need more than iCloud Keychain.

But if you also have passwords for databases that you manage, and passwords for servers you manage, and software license keys, and credit card numbers, and bank details, and on and on, then a password manager really comes into its own, because you have a secure encrypted wallet for all of those things.

For example, I’m a sysadmin by trade, so what’s actually way, way more in my 1Password vault than plain old passwords is private keys to match public keys, SSH keys, private keys for server certificates — all that stuff goes into a password manager too, as do things like your bank details. That way, you can have all of those with you securely and safely everywhere you go. 

And with a Secure Note, the sky is kind of the limit. While it doesn’t technically need the encryption, I have Secure Notes which contain things like my chart number in all the local hospitals that I have a relationship with, and the medicines I’m allergic to, etc. All those kinds of things are in my 1Password, because it’s always with me! So there is value in a password manager beyond just web passwords. 

But if you live in a web world, and you live in an entirely Apple world, I don’t see any reason, from a security point of view, not to just use the feature Apple puts right in front of you.

The Checklist and SecureMac would like to thank Bart Busschots for joining us on the podcast this week. If you’d like to learn more about xkpasswd, and give it a test drive, check out the xkpasswd website. To find out more about Bart and his work, please visit his personal website.

All’s well that ends well

For the past year, Google’s Nest smart home system has received more than its share of bad press due to security issues and privacy concerns. But to its credit, the tech giant responded to the criticism, and introduced a plan to phase in mandatory two-factor authentication for all users in a bid to make Nest safer. 

This month, Nest users who haven’t enabled phone-based 2FA or migrated to a Google account will need to verify their identities with email authentication every time they log in. Users will receive an email from accounts@nest.com containing a 6-digit, single-use code in order to verify that they are the legitimate owners of the account they’re trying to access.

This may prove inconvenient for people who don’t want to use mobile-based 2FA or get a Google account, but it’s definitely the right move. People’s tendency to reuse passwords across sites (or choose insecure passwords) was the root cause of most of the aforementioned issues with Nest. This step, while no doubt a little heavy-handed, was necessary in order to keep users safe … from their own bad password habits. If only they’d known about xkpasswd!

That takes us to the end of another Checklist, but we’ll be back next week with a new episode. We’ve received some great suggestions for future shows from our listeners, so if you haven’t already written to us, we’d love to hear from you too! Drop us a line at Checklist@SecureMac.com with ideas, requests, or security questions that you’d like to see covered on a future podcast.
