BitWarden And LastPass Have Overlooked The Human Element In Network Security Passwords

By Smoljanović | Smoljanovic | 19 Mar 2020


BitWarden And LastPass May Have Overlooked The Human Element In Network Security Passwords


Network Security Password With Cryptocurrency Transactions

Apps, wallets and websites connecting to the Bitcoin, Ethereum and Ripple networks require a high level of security to ensure the safety of online transactions. There is much at risk when trading and staking cryptocurrency today. Passwords are the first line of defense against hackers and should be backed up by other measures, such as two-factor authentication, to safeguard your funds.

I generally use more than one software wallet because of the limitations of each wallet I have tried. Basic Attention Token (BAT) and the DAI stablecoin may both be supported by a wallet that handles ERC20 tokens on the Ethereum network, while Hydro tokens may not be. Each of my favorite wallets does most of what I need but lacks something another one has. Graduating to a proper hardware wallet is only a matter of time.

Secure passwords are as necessary in this day and age as the keys to our homes. I remember the days when you could safely leave your doors unlocked, when we walked 40 miles to school carrying 20 kg of books, uphill both ways, in 30.48 cm of snow without proper boots in -40 C weather.

I will continue to use a variety of wallets until a suitable solution appears. I am not fully satisfied with any wallet on the market today. A secure hardware wallet will be my next choice as soon as the new wave of models is introduced.

I never got much use out of the home-made hardware model created in the article Publish0xTutorials-Creating A Secure Homemade Hardware Wallet. It was basically an experiment to see if it could be done and probably has little value, so don't waste your time reading it.

Importance Of Password Managers

Passwords are needed in every aspect of our lives where privacy and wealth are a concern.

BitWarden recently won me over in a head-to-head 30-day comparison, but the reason I did not choose LastPass is irrelevant and not the topic of this article. I will not be recommending a password manager here. Either one can suffice if it meets your particular and individual requirements.

Password Managers Quirks

The fundamental issue I have with both password managers is that they seem to neglect the human element. People are not as adept at remembering random sequences of characters as they are at remembering phrases that can be visualized.

When I was studying computer electronics and various programming languages over 30 years ago, we coded in binary, octal or hexadecimal before the languages and abstraction levels evolved.

I remember when the mailman delivered my first Intel Z80 and Motorola 6800 microprocessors. I eagerly added supporting logic chips, slapped the Z80 into a test board, programmed it in machine code using mnemonics and built my first computer. Mnemonics were actual words that represented the hexadecimal machine code, which really boiled down to binary ones and zeros.

The computer didn't do much. I interfaced a keyboard for input, had only alphanumeric LCD displays for output, and some time later added a temperature sensor and a small DC motor to play around with.

The mnemonics were easily remembered names for commands that manipulated data registers arithmetically, doing things such as rotating, decrementing and incrementing values. There was even an instruction that did nothing, called NOP for no operation, which was useful in a loop when creating delay timers, since even doing nothing took time to load the instruction.

We used mnemonics because most humans cannot easily remember large groups of ones and zeros. Coding in hexadecimal was easier than straight binary, which made code writing, editing and troubleshooting extremely difficult.

The BitWarden Password Generator

The BitWarden password generator is highly customizable and lets you select the length and any of four character types.

Selectable Character Options

Bitwarden allows you to check off any or all of the following four character types:

  • upper case letters A-Z

  • lower case letters a-z

  • numerals 0-9

  • special characters such as !@#$%^&*

Any combination of options works as intended, but the human element is missing. People don't read the same way machines do. Google bots and other automated systems see things a little differently than humans do.

eUmk5DGv!n7pDAJCU*g*rGX7 is the first password generated with the length set to 24 and all four character options selected. The problem with this generated password is the lack of a human element.
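The generator as described, reproduced here as an added Python example (my own code, not BitWarden's or LastPass's): it draws from whichever of the four character classes are ticked, uses a CSPRNG rather than the ordinary random module, guarantees each ticked class appears at least once, and reports the entropy a password of that length and alphabet carries. The special-character set is taken from the list above and the length of 24 from the example; both are assumptions about what the real generator uses.

```python
import math
import secrets
import string

# Character classes as the article lists them for the BitWarden generator.
# The special-character set is copied from the article's own example (!@#$%^&*);
# BitWarden's actual symbol set is not stated on the page, so this is an assumption.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*",
}


def selected_classes(upper=True, lower=True, digits=True, special=True):
    """Return the alphabets of the ticked classes, in a fixed order."""
    flags = (("upper", upper), ("lower", lower), ("digits", digits), ("special", special))
    return [CLASSES[name] for name, on in flags if on]


def alphabet_size(**options):
    """Size of the pool a single random character is drawn from."""
    return sum(len(cls) for cls in selected_classes(**options))


def entropy_bits(length, **options):
    """Entropy of a uniformly random password: length * log2(pool size)."""
    return length * math.log2(alphabet_size(**options))


def generate_password(length, **options):
    """Generate a random password from the ticked classes.

    Uses the `secrets` module (an OS-backed CSPRNG) rather than `random`, and
    guarantees that every ticked class appears at least once, so the result
    always honours the options that were selected.
    """
    classes = selected_classes(**options)
    if not classes:
        raise ValueError("select at least one character class")
    if length < len(classes):
        raise ValueError("length is too short to include every selected class")
    pool = "".join(classes)
    # One guaranteed character per class, the rest from the combined pool.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def classes_present(password):
    """Which of the four classes actually occur in a password."""
    return {name for name, cls in CLASSES.items() if any(c in cls for c in password)}


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, f"{entropy_bits(24):.1f} bits", sorted(classes_present(pw)))
```

With all four classes ticked the pool has 70 symbols, so a 24-character output carries about 147 bits of entropy; the same length from lower case only gives about 113 bits, and 12 lower case characters about 56 bits.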

A randomly generated 24-character password is one I will never remember. Although the password manager is designed to keep track of difficult passwords and store them securely, I can visualize scenarios where disasters develop. There may be valid reasons to keep some sort of backup, and the password manager has an export feature to accommodate that.

It would be a better and more secure option to have a password that is easily remembered.

A better password can be created by stringing together the words of a sentence that is easy to remember, using only lower case letters without spaces.

The six words my seven wives peel my grapes can be used to create a highly secure password that is easy to remember.

The password mysevenwivespeelmygrapes is also 24 characters long and is more secure than eUmk5DGv!n7pDAJCU*g*rGX7.

The main difference between the two examples is that mysevenwivespeelmygrapes is much easier to remember than eUmk5DGv!n7pDAJCU*g*rGX7. Even the names of the seven wives could be used, if it were possible to remember all seven of them.

Forcing Stronger Passwords

Unfortunately, bad front-end programmers occasionally feel they must baby-sit our personal security and force passwords that contain one uppercase letter, one lowercase letter, one digit and often one special character. Some people who don't use a password manager tend to reuse the same password everywhere when forced to create a complex one.

Using the same password for more than one site or application is always a bad idea, even though credible websites store passwords securely. Passwords are normally transformed and stored as a hash in a database, making the stored information useless to a would-be hacker if the contents were ever compromised.

Passwords in most circumstances are reasonably safe as long as the hashing algorithm is strong enough that the stored hashes cannot be reversed easily.

Bottom-of-the-barrel websites that store passwords in plain text are usually easy enough to recognize and avoid. A highly secure password should be used regardless of the website.
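A concrete picture of the hash storage described above, as an added Python example (my code, not the scheme used by BitWarden, LastPass or any site named on this page): each password is stored as a salted PBKDF2-HMAC-SHA256 digest and verified by recomputing it, so the stored table never contains the password itself and two users who chose the same password get different records. The iteration count, salt length and sample accounts are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Illustration parameters (assumptions, not any real site's settings). PBKDF2-HMAC-SHA256
# is in the Python standard library; a real deployment tunes the iteration count to its
# own hardware so that each guess costs an attacker measurable time.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table neither reveals password reuse nor
    can be attacked with one precomputed table for everyone.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_user_table(credentials):
    """What the database holds: usernames mapped to hash records, never plain text."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def leaks_plaintext(table, credentials):
    """Audit check for a stored table: does any record contain a user's actual password?"""
    return any(pw in table[user] for user, pw in credentials.items())


# Constructed sample sign-ups (not real accounts); two users chose the same password.
SAMPLE_CREDENTIALS = {
    "alice": "mysevenwivespeelmygrapes",
    "bob": "mysevenwivespeelmygrapes",
    "carol": "eUmk5DGv!n7pDAJCU*g*rGX7",
}

if __name__ == "__main__":
    table = build_user_table(SAMPLE_CREDENTIALS)
    for user, record in table.items():
        print(user, record[:40] + "...")
    print("alice login ok:", verify_password("mysevenwivespeelmygrapes", table["alice"]))
    print("alice wrong pw:", verify_password("mysevenwivespeelmygrape", table["alice"]))
    print("same password, identical records:", table["alice"] == table["bob"])
```

The record carries its own algorithm name and iteration count, which is what lets a site raise the work factor later and re-hash users as they log in; `hmac.compare_digest` avoids leaking how many bytes matched through timing.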

Password Crackability

As we all probably know, computers are rather stupid, although they can do some things faster and more efficiently than humans. One thing computers are good at is high-speed repetition. Processor speeds have increased steadily since computers were introduced to the public.

My first top-of-the-line desktop PC had a 16 MHz SX processor, an 80 MB hard drive and 4 MB of RAM. Windows 3 came on six 1.4 MB floppies and MS-DOS 6.2 on three.

The Trouble With Short Passwords

Never use a short password if you care about security; they are just too easy to crack. Adding characters increases the security exponentially.

Computers are much faster now and can brute-force their way through a password of 7 lower case characters in under ten minutes.

Replacing some of the lower case characters with upper case and special characters increases the cracking time to about 6 weeks.

Password Cracking Times Using Lower Case vs Complex

7-character password:

  • yfhhjeg - under 10 minutes

  • 6ba!S9W - about 6 weeks

8-character password:

  • gxyhrthb - under 4 hours

  • *kA!8mqi - about 6 months

9-character password:

  • kqcfvtqnm - 4 sleeps

  • !a7WJp6L2 - about 1,000 years

10-character password:

  • inyqyhavdm - almost 4 lunar cycles

  • n7!@oTw7C6 - almost 4,000 years

11-character password:

  • svtdhzpjoys - over 8 years

  • 6Gv^YNxr#42 - over 200,000 years

12-character password:

  • yjvzvokdptiw - over 200 years

  • CV^$WMHm6!3U - over 15 million years
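The cracking-time table above, the passphrase comparison earlier, and the composition rules criticized under Forcing Stronger Passwords all come down to one number: the size of the keyspace an attacker has to search. The following Python is an added calculator (my code, not from the article or either password manager) that recomputes the table's figures and applies the same arithmetic to the two 24-character examples. The guess rate of 15 million per second and the 95-symbol pool for the "complex" rows are my inferences from the table's numbers, not figures the article states; the 7776-word list size is that of a standard Diceware list, used here as the word-level model. The numbers also show the caveat the table hides: a phrase built from dictionary words is measured by how many word combinations exist, not how many letter combinations, so mysevenwivespeelmygrapes scores about 78 bits rather than 113. That is still hundreds of millions of years at the table's rate, so the practical conclusion holds, but the margin is smaller than the letter count suggests.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The article's lowercase rows (26^7 in under 10 minutes, 26^12 in just over
# 200 years) line up with roughly 15 million guesses per second if every
# candidate is tried. That rate is my inference from the table, not a figure
# the article states; attackers against fast, unsalted hashes go far faster.
GUESSES_PER_SECOND = 15_000_000

# Alphabet sizes: the four classes the article lists (26+26+10+8 = 70) and the
# full printable ASCII set (95), which its "complex" rows roughly correspond to.
LOWER = 26
ARTICLE_CLASSES = 70
PRINTABLE = 95
DICEWARE_WORDS = 7776  # size of a standard Diceware list (assumed word-list model)


def keyspace_chars(length, alphabet):
    """Candidates for a random string of `length` symbols over `alphabet` symbols."""
    return alphabet ** length


def keyspace_words(word_count, wordlist):
    """Candidates for a passphrase of `word_count` words from a list of `wordlist` words."""
    return wordlist ** word_count


def bits(keyspace):
    """Entropy in bits: how many doublings of work the keyspace represents."""
    return math.log2(keyspace)


def crack_seconds(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace / rate


def crack_years(keyspace, rate=GUESSES_PER_SECOND):
    return crack_seconds(keyspace, rate) / SECONDS_PER_YEAR


def human_time(seconds):
    """Rough human-readable duration for a report line."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def passes_policy(keyspace, min_bits):
    """Entropy-based policy instead of composition rules: accept any password
    whose keyspace is at least 2**min_bits, whatever character classes it uses."""
    return bits(keyspace) >= min_bits


def report(rate=GUESSES_PER_SECOND):
    """Recompute the article's examples under the character and word models."""
    rows = [
        ("7 lower case (yfhhjeg)", keyspace_chars(7, LOWER)),
        ("7 mixed, 95-symbol pool (6ba!S9W)", keyspace_chars(7, PRINTABLE)),
        ("12 lower case (yjvzvokdptiw)", keyspace_chars(12, LOWER)),
        ("24 chars, 4 classes (eUmk5DGv!n7pDAJCU*g*rGX7)", keyspace_chars(24, ARTICLE_CLASSES)),
        ("24 lower case, character model (mysevenwivespeelmygrapes)", keyspace_chars(24, LOWER)),
        ("6 words of 7776, word model (my seven wives peel my grapes)", keyspace_words(6, DICEWARE_WORDS)),
    ]
    return [(label, round(bits(ks), 1), human_time(crack_seconds(ks, rate))) for label, ks in rows]


if __name__ == "__main__":
    for label, b, t in report():
        print(f"{label:62} {b:6.1f} bits  {t}")
```

Raising the rate (a GPU rig against an unsalted fast hash manages billions of guesses per second) scales every row down by the same factor, which is why a site's use of a slow, salted hash matters as much as the password itself; `passes_policy` is the check a front end could apply instead of demanding one character from each class.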


It may be more practical to generate intelligible phrases from pre-selected groups of words, or just create them yourself.

Using the password mysevenwivespeelmygrapes would be more than adequate to guarantee security, but it may be hard to remember if you don't have seven wives who peel grapes for you.

What You Should Glean From This Article

Password users should not be forced to create unnatural passwords that are more difficult to remember, containing lower case, upper case, numbers and special characters. A password with 12 lower case characters can be easily remembered and would take over 200 years to crack.

I regularly generate 24-character complex passwords with BitWarden, and only do so because it is just as easy as creating a 12-character one. A complex password of 12 characters would never be necessary, since I will not be around for 16 million years to see it cracked.

It may be more practical to generate intelligible phrases from pre-selected groups of words, although the same solution may not suit everyone.

Final Thoughts

A decent password manager will always be necessary for me because of the immense number of accounts I deal with on a daily basis. I wouldn't be able to remember more than a handful of meaningful passwords anyway.


Comments are welcome and thanks for reading!

Feel free to add your own Publish0x articles on Post Your Publish0x Articles Group and the new Facebook page Publish0x Articles by Smoljanovic.

You can follow me on Reddit, Twitter and Publish0x.


Smoljanović

Publish0x Team Member and Canadian expatriate from Sarajevo living in Sweden.

