Ask Slashdot: How Do You Create A Highly-Secure Password? (securitymagazine.com)
An anonymous reader writes: A security lab at Carnegie Mellon performed a study on password security recently, and issued a warning about common user misconceptions. For example, 'ieatkale88' would require 4 billion more guesses than 'iloveyou', because 'iloveyou' is one of the most common strings in passwords. And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."
But then what passwords are secure in the face of these modern password-cracking tools? As professionals in the IT industry, what advice would you give?
Leave your answers in the comments. How do you create a highly-secure password?
20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially for your email address, as this is basically a master key to all your other accounts due to the password reset feature.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
All of my passwords are 32 char random strings using all the available chars.
The only drawback is that I have to write them down on a yellow sticky.
Fortunately, none of the hackers have physical access to my collection of yellow stickies...
If you want news from today, you have to come back tomorrow.
Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.
Star Trek, there may be hope.
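The point in the comment above about silent truncation is testable. The following is an added example, not code from the original post or from any real service: it wraps two constructed password-storage schemes (a hypothetical legacy one that keeps only the first 8 characters, as classic DES-based crypt did, and one that hashes the whole string) behind signup/login closures, then probes how many characters of a long passphrase the scheme actually uses. Run against your own authentication backend, it tells you whether "Mydogateachickenandnowisi$ickwiththegout" is really 40 characters of protection or only 8.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for two password-storage schemes behind a login.
# legacy_hash keeps only the first 8 characters before hashing (the way classic
# DES-based crypt did); modern_hash uses the whole string. Both are hypothetical
# helpers written for this example, not code from any real service.
LEGACY_LIMIT = 8
KDF_ROUNDS = 2_000  # kept low so the probe below runs quickly


def legacy_hash(password: str, salt: bytes) -> bytes:
    truncated = password[:LEGACY_LIMIT].encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", truncated, salt, KDF_ROUNDS)


def modern_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)


def make_account_store(hash_fn):
    """Wrap hash_fn in signup/login closures, the way an application would."""
    store = {}

    def enroll(user: str, password: str) -> None:
        salt = os.urandom(16)
        store[user] = (salt, hash_fn(password, salt))

    def verify(user: str, password: str) -> bool:
        salt, digest = store[user]
        return hmac.compare_digest(digest, hash_fn(password, salt))

    return enroll, verify


def find_truncation(enroll, verify, max_len: int = 128):
    """Enroll a max_len-character probe passphrase, then try its prefixes from
    shortest to longest. The shortest prefix that still logs in is the number
    of characters the scheme actually uses. Returns None if only the full
    passphrase works, i.e. nothing is silently dropped."""
    probe = "".join(chr(ord("a") + i % 26) for i in range(max_len))
    enroll("truncation-probe", probe)
    for n in range(1, max_len + 1):
        if verify("truncation-probe", probe[:n]):
            return None if n == max_len else n
    return None  # unreachable: the full probe always verifies


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_hash), ("modern", modern_hash)):
        enroll, verify = make_account_store(fn)
        print(name, "effective limit:", find_truncation(enroll, verify))
```

The probe only needs a signup and a login function, so the same check works against any password backend you control; a result other than None means the extra passphrase length past that point buys nothing.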
xkcd covered this a while ago.
I use this now. Not the actual passphrase, but the principle.
#1. But I can't remember all those passwords.
- use a password manager
#2. But I like the formula I use. It's my name + the website name.
- no. Just use a password manager
#3. How will I know that my password isn't in a dictionary list?
- use a password manager and have it generate random passwords
#4. But I cannot remember long passwords.
- use a password manager
Also, "ieatkale88" can now be cracked in the same number of tries as "iloveyou" or "pAsswOrd" because they are now all added to common dictionaries.
Once you publish your "secure" password someone will add it to a dictionary.
http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/
The thing I don't understand is the variation in password acceptability from one site to another. Some sites don't allow special characters, or only certain ones, some limit passwords to 12 characters, some 16, etc. Why on earth are there any limits to usable characters and why are any limited to less than 64 characters?
Being strictly paranoid, how can I be sure that all passwords generated on the above site are not logged and added to lists checked by password crackers?
Generators are definitely the way to go.
Also good is using a password manager. I personally use LastPass, though I know there are a number of others out there. One nice thing about LastPass is that it supports 2-factor authentication and has a password generator that generates pronounceable passwords for those passwords you want to remember (such as the password to unlock the password manager).
Unless you run your password manager on a non internet connected stand alone machine I would say this is pretty bad advice for the majority of users. Most users simply don't have the security awareness or safe computer use habits to make a password manager secure; with drive by exploits and malware infesting everything these days, putting all your eggs in one basket would be tantamount to internet suicide for many people.
Length doesn't matter. What matters is that you use a unique password for everything.
Using a unique password for everything is impractical without making your passwords random (for a secure definition of unique, i.e. you can't guess one password given another one). But once you make them random, it doesn't matter how long they are as long as they're at least 6 (if fully random), preferably 8 (if constrained) characters or so.
Why? Because your password doesn't have to withstand an offline brute-force attack. It has to withstand an online, over-the-network brute-force attack. If the attacker gets your password hash such that they can use an offline attack, they have already broken into that service and have all your data anyway. And, since you use different passwords everywhere, cracking your password on that service gets them nothing.
Passphrases used to directly generate or wrap encryption keys are the exception to this, of course. Those had better be long.
Me? I use a pwgen-generated password on all sites/services, with the defaults (8 characters, pronounceable), and write them down in an encrypted password file. It's great, because I end up easily remembering the ones I use often, and the rest I look up as I need them. Can you crack those offline? Absolutely. But I couldn't care less; if you already have the hash, there's nothing more you get by cracking it.
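The online-versus-offline distinction in the comment above comes down to guess rates. This is an added example, not code from the original post: it computes the guess space and entropy for uniformly random strings and for Diceware-style word passphrases, then estimates the expected time to exhaust half that space under three constructed, order-of-magnitude attacker rates (an online login endpoint, an offline attack on a fast unsalted hash, and an offline attack on a slow KDF). The rates are assumptions for illustration, not measurements.

```python
import math

# Guess rates are constructed order-of-magnitude assumptions, not measurements.
ONLINE_RATE = 100.0            # guesses/s at a login endpoint with no lockout
OFFLINE_FAST_HASH_RATE = 1e10  # guesses/s against a leaked, fast, unsalted hash
OFFLINE_SLOW_HASH_RATE = 1e5   # guesses/s against a deliberately slow KDF

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_space(alphabet_size: int, length: int) -> int:
    """Number of possible secrets for a uniformly random string."""
    return alphabet_size ** length


def passphrase_space(wordlist_size: int, words: int) -> int:
    """Number of possible secrets for words drawn uniformly from a list."""
    return wordlist_size ** words


def entropy_bits(space: int) -> float:
    return math.log2(space)


def expected_seconds(space: int, rate: float) -> float:
    """Mean time to hit a uniformly random secret: half the space, on average."""
    return space / 2 / rate


def expected_years(space: int, rate: float) -> float:
    return expected_seconds(space, rate) / SECONDS_PER_YEAR


def report(label: str, space: int) -> dict:
    """Summarise one secret shape under all three attacker models."""
    return {
        "label": label,
        "bits": round(entropy_bits(space), 1),
        "online_years": expected_years(space, ONLINE_RATE),
        "offline_fast_years": expected_years(space, OFFLINE_FAST_HASH_RATE),
        "offline_slow_years": expected_years(space, OFFLINE_SLOW_HASH_RATE),
    }


# Secret shapes to compare; the 7776-word list size is the Diceware list size.
CANDIDATES = [
    ("8 random chars, 95-char set", random_string_space(95, 8)),
    ("12 random chars, 95-char set", random_string_space(95, 12)),
    ("4 words from a 7776-word list", passphrase_space(7776, 4)),
    ("6 words from a 7776-word list", passphrase_space(7776, 6)),
]

if __name__ == "__main__":
    for label, space in CANDIDATES:
        r = report(label, space)
        print(f"{r['label']:32} {r['bits']:6.1f} bits  "
              f"online {r['online_years']:.2e} y  "
              f"fast-hash {r['offline_fast_years']:.2e} y  "
              f"slow-hash {r['offline_slow_years']:.2e} y")
```

Under these assumptions an 8-character random password takes on the order of a million years to guess online but days against a leaked fast hash, which is exactly the split the comment relies on; the slow-KDF column shows how much of that gap the server side can close on its own.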
The first thing you need to do is stop listening to statistics someone else faked.
Of all the various ways in which attackers can gain passwords, only two involve cracking them (brute-force and cracking a password database). One of them should be a non-issue, because any software or service that doesn't protect against brute-force is fundamentally broken and shouldn't be trusted with your password anyway. Make your password "a", save everyone the trouble. For a password database crack, firstly the security of the server already failed, and then you're at their mercy a second time because if the password is stored unencrypted, you're fucked. If the password is stored hashed but not salted, you are pretty much fucked. And if the password is properly hashed and salted, congratulations you have the one scenario where a good password actually matters.
In all other attacks on your password, from phishing to shoulder-surfing and keyloggers, it doesn't matter how good your password is, how long it is or how complex it is.
So, if you are really so concerned about the one scenario that you are ready to type V9AnKH5Crpfukuy5gAFB till the end of your days, go to https://www.random.org/passwor... and fire it up. Because all the hints you find on making a "good" password are also known to the people writing password crackers and coded into the perturbation algorithms. True randomness is your best bet.
The one thing that matters, and there's an article about it but I'm too lazy to google it, is length. Length > Complexity. "aaaaaaaaaaaaaaa" is more secure than any variation of 8 characters ever will be, simply because, at least until this post, no password cracker would run the chain like a, aa, aaa, aaaa, ... to arbitrary length.
IMHO, and I am an expert in the field and have given speeches about password security, forget all the "password complexity" rules, they are all bullshit. They're the safety net that makes sure that "password" is not a legal password on your system. But the world continuously invents better idiots, so "password1!" is and you're fucked anyway.
Assorted stuff I do sometimes: Lemuria.org
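The three storage cases listed above (plaintext, hashed without salt, hashed with salt) differ in what a leaked database is worth. This is an added example, not code from the original post or any real system: it implements two constructed schemes, a bare fast hash with no salt and a salted, iterated KDF, and checks the property that matters for a cracker, namely whether two accounts with the same password end up with the same stored digest. It also times one guess under each scheme, since the slow KDF is what turns the offline rate from billions of guesses per second into thousands.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed storage schemes for the comment's "unsalted" and "hashed and
# salted" cases. Written for this example, not taken from any real system.
KDF_ROUNDS = 200_000


def unsalted_fast(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the salt is empty, so equal passwords give equal digests."""
    return b"", hashlib.sha256(password.encode("utf-8")).digest()


def salted_slow(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using a random 16-byte salt and an iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)
    return salt, digest


def verify_salted_slow(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(digest, salted_slow(password, salt)[1])


def identical_passwords_collide(scheme) -> bool:
    """True if two accounts sharing a password store the same digest, meaning one
    cracked digest (or one precomputed table) unlocks every such account."""
    _, d1 = scheme("correct horse battery staple")
    _, d2 = scheme("correct horse battery staple")
    return d1 == d2


def guess_cost_ratio(samples: int = 200) -> float:
    """How many times more expensive one salted_slow guess is than one
    unsalted_fast guess on this machine; a rough, machine-dependent figure."""
    start = time.perf_counter()
    for i in range(samples):
        unsalted_fast(f"guess-{i}")
    fast = (time.perf_counter() - start) / samples

    salt = os.urandom(16)
    start = time.perf_counter()
    salted_slow("guess-0", salt)
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    print("unsalted fast hash collides:", identical_passwords_collide(unsalted_fast))
    print("salted slow KDF collides:   ", identical_passwords_collide(salted_slow))
    salt, digest = salted_slow("Mydogateachicken")
    print("login with right password:  ", verify_salted_slow("Mydogateachicken", salt, digest))
    print("login with wrong case:      ", verify_salted_slow("mydogateachicken", salt, digest))
    print("one guess costs about %.0fx more under the slow KDF" % guess_cost_ratio())
```

The collision check is the practical difference between the comment's second and third cases: without a salt, every user who picked "password1!" shares one digest, so cracking it once (or looking it up in a table built in advance) opens all of those accounts, while the salted scheme forces a separate, deliberately slow computation per account.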
#1. No password re-use. Ever.
user-hostile
#2. Not formulaic.
memory-hostile (the mind loves patterns)
#3. Not in a dictionary list.
memory-hostile (the mind recalls the known better than the unfamiliar)
#4. Long. I prefer 32 characters long.
user-hostile
Thank you for explaining in just four points why normal users think that security dudes are assholes and sabotage the rules made by them wherever they can.
A password manager is the best advice for most people, because the risk of it being compromised is much smaller than the risk of them using poor passwords if they don't have one.
To get at the password manager, drive-by malware has to defeat the browser security, then defeat the OS security, and then defeat the password manager's security. That is assuming that the password manager happens to be open and the database decrypted at the time, if not then stealing that file still requires the cracker to find the master password.
On the other hand, major and minor web sites alike regularly leak user data and passwords. Realistically, users are too lazy to come up with really good passwords for every site, or to remember them, or to look through their password book for them. And if malware does get onto their computer, there are easier targets like cookies for sites they are currently logged in to and account numbers stored in documents and spreadsheets, which typically are not encrypted.
I think you also vastly over-estimate the level of malware infestation. Chrome, the most popular browser, is actually extremely secure and so is Windows now. That's why malware has changed from mostly exploit based to mostly trojan based.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC