Ask Slashdot: How Do You Create A Highly-Secure Password? (securitymagazine.com)

An anonymous reader writes: A security lab at Carnegie Mellon performed a study on password security recently, and issued a warning about common user misconceptions. For example, 'ieatkale88' would require 4 billion more guesses than 'iloveyou', because 'iloveyou' is one of the most common strings in passwords. And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."

But then what passwords are secure in the face of these modern password-cracking tools? As professionals in the IT industry, what advice would you give?

Leave your answers in the comments. How do you create a highly-secure password?


  1. Password Generator by CastrTroy · · Score: 4, Insightful

    20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially for your email address, as this is basically a master key to all your other accounts due to the password reset feature.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Password Generator by AmiMoJo · · Score: 4, Insightful

      No need for SMS messages any more. 2FA via an app is a much better option. There is even an open standard for it (RFC 6238). I use Google Authenticator, but others are available. It doesn't even need internet access, it's time based. Every 30 seconds it generates a new code for each service you add to it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. GUID by Frosty+Piss · · Score: 4, Insightful

    All of my passwords are 32 char random strings using all the available chars.

    The only drawback is that I have to write them down on a yellow sticky.

    Fortunately, none of the hackers have physical access to my collection of yellow stickies...

    --
    If you want news from today, you have to come back tomorrow.
  3. Use an application or OS that allows passphrases by pjbgravely · · Score: 4, Insightful

    Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout"? It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.

    --
    Star Trek, there may be hope.
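    A check for the truncation problem the comment raises, as an added example (not code from the post): if a verifier only looks at the first N characters, changing any character past position N, or appending characters, still authenticates, and the 40-character passphrase is really an 8-character one. Both verifiers below are constructed stand-ins, with the "legacy" one keeping only 8 characters the way traditional DES-based crypt(3) did; `effective_length` and `accepts_suffix` are the checks a practitioner can run against any verifier that takes a string and returns accept/reject.

```python
"""Detect silent passphrase truncation in a verifier. Added example, not code
from the Slashdot post. Both verifier factories are constructed stand-ins."""
import hmac
import os

PASSPHRASE = "Mydogateachickenandnowisi$ickwiththegout"  # the passphrase from the comment


def _tag(text: str, key: bytes) -> bytes:
    # Keyed hash standing in for a stored verifier; a real system would use a
    # slow, salted password hash. The point here is truncation, not the KDF.
    return hmac.new(key, text.encode(), "sha256").digest()


def make_legacy_verifier(passphrase: str):
    """Constructed: only the first 8 characters are ever checked (DES crypt style)."""
    key = os.urandom(16)
    stored = _tag(passphrase[:8], key)
    return lambda attempt: hmac.compare_digest(_tag(attempt[:8], key), stored)


def make_full_verifier(passphrase: str):
    """Constructed: the whole passphrase is checked."""
    key = os.urandom(16)
    stored = _tag(passphrase, key)
    return lambda attempt: hmac.compare_digest(_tag(attempt, key), stored)


def effective_length(verify, passphrase: str) -> int:
    """Number of leading characters the verifier actually checks.

    Change one character at a time; the first position whose change is still
    accepted is ignored by the verifier, so that index is the truncation point.
    Returns the full length when every position matters."""
    for i, ch in enumerate(passphrase):
        replacement = "x" if ch != "x" else "y"
        if verify(passphrase[:i] + replacement + passphrase[i + 1:]):
            return i
    return len(passphrase)


def accepts_suffix(verify, passphrase: str) -> bool:
    """True if appending junk still authenticates: another truncation symptom."""
    return verify(passphrase + "ZZZZ")


if __name__ == "__main__":
    for name, factory in (("legacy", make_legacy_verifier), ("full", make_full_verifier)):
        v = factory(PASSPHRASE)
        print(f"{name}: checks {effective_length(v, PASSPHRASE)} of {len(PASSPHRASE)} characters, "
              f"accepts suffix: {accepts_suffix(v, PASSPHRASE)}")
```

    Against a real login you only need `accepts_suffix`: set the passphrase, then try it with extra characters appended; if that logs you in, the system is truncating and the passphrase's length buys nothing beyond the cut-off.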
  4. Re:Easy. by khasim · · Score: 5, Insightful

    #1. But I can't remember all those passwords.
      - use a password manager

    #2. But I like the formula I use. It's my name + the website name.
      - no. Just use a password manager

    #3. How will I know that my password isn't in a dictionary list?
      - use a password manager and have it generate random passwords

    #4. But I cannot remember long passwords.
      - use a password manager

    Also, "ieatkale88" can now be cracked in the same number of tries as "iloveyou" or "pAsswOrd" because they are now all added to common dictionaries.

    Once you publish your "secure" password someone will add it to a dictionary.

    http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/

  5. Re:Generators by Anonymous Coward · · Score: 5, Insightful

    Being strictly paranoid, how can I be sure that all passwords generated on the above site are not logged and added to lists checked by password crackers?

  6. Re:Easy. by bloodhawk · · Score: 4, Insightful

    Unless you run your password manager on a non-internet-connected stand-alone machine, I would say this is pretty bad advice for the majority of users. Most users simply don't have the security awareness or safe computer use habits to make a password manager secure. With drive-by exploits and malware infesting everything these days, putting all your eggs in one basket would be tantamount to internet suicide for many people.

  7. Re:Generators by marcansoft · · Score: 4, Insightful

    Length doesn't matter. What matters is that you use a unique password for everything.

    Using a unique password for everything is impractical without making your passwords random (for a secure definition of unique, i.e. you can't guess one password given another one). But once you make them random, it doesn't matter how long they are as long as they're at least 6 (if fully random), preferably 8 (if constrained) characters or so.

    Why? Because your password doesn't have to withstand an offline brute-force attack. It has to withstand an online, over-the-network brute-force attack. If the attacker gets your password hash such that they can use an offline attack, they have already broken into that service and have all your data anyway. And, since you use a different password everywhere, cracking your password on that service gets them nothing.

    Passphrases used to directly generate or wrap encryption keys are the exception to this, of course. Those had better be long.

    Me? I use a pwgen-generated password on all sites/services, with the defaults (8 characters, pronounceable), and write them down in an encrypted password file. It's great, because I end up easily remembering the ones I use often, and the rest I look up as I need them. Can you crack those offline? Absolutely. But I couldn't care less; if you already have the hash, there's nothing more you get by cracking it.
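    The arithmetic behind the comment's online-versus-offline argument, as an added example (not the commenter's code or pwgen's): a uniformly random password has entropy of length times log2 of the alphabet size, and the same keyspace that would take geological time against a rate-limited login is a matter of hours against a leaked fast hash. The two guess rates are assumptions chosen for illustration, not measurements, and the 62-symbol alphabet is only an approximation of pwgen's default character set.

```python
"""Entropy of a random password and time to exhaust its keyspace at an online
versus an offline guess rate. Added example, not code from the Slashdot post.
The guess rates are assumptions for illustration."""
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols, approximating pwgen's default set
PRINTABLE = ALNUM + string.punctuation         # 94 symbols

ASSUMED_ONLINE_RATE = 10.0    # guesses/s against a rate-limited login form (assumption)
ASSUMED_OFFLINE_RATE = 1e10   # guesses/s against a leaked fast, unsalted hash (assumption)


def random_password(length: int, alphabet: str = ALNUM) -> str:
    """Uniform random choice from `alphabet` using the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a keyspace of `bits` bits."""
    return 2.0 ** bits / guesses_per_second


def strength_report(length: int, alphabet: str = ALNUM) -> dict:
    """Entropy plus exhaustion time at the two assumed rates, in human units."""
    bits = entropy_bits(length, len(alphabet))
    return {
        "length": length,
        "bits": round(bits, 1),
        "online_years": seconds_to_exhaust(bits, ASSUMED_ONLINE_RATE) / (365 * 86400),
        "offline_hours": seconds_to_exhaust(bits, ASSUMED_OFFLINE_RATE) / 3600,
    }


if __name__ == "__main__":
    for n in (6, 8, 12, 20):
        r = strength_report(n)
        print(f"{random_password(n):22} {r['bits']:5.1f} bits  "
              f"online {r['online_years']:.3g} years  offline {r['offline_hours']:.3g} hours")
```

    For eight alphanumeric characters the report gives about 47.6 bits: roughly six hours at the assumed offline rate, but hundreds of thousands of years at the assumed online rate. That gap is the whole of the comment's argument, and it only holds if the password is both uniformly random and never reused, since a reused password turns one site's offline crack into every other site's online login.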

  8. lies and statistics by Tom · · Score: 5, Insightful

    The first thing you need to do is stop listening to statistics someone else faked.

    Of all the various ways in which attackers can gain passwords, only two involve cracking them (brute-force and cracking a password database). One of them should be a non-issue, because any software or service that doesn't protect against brute-force is fundamentally broken and shouldn't be trusted with your password anyway. Make your password "a", save everyone the trouble. For a password database crack, firstly the security of the server already failed, and then you're at their mercy a second time because if the password is stored unencrypted, you're fucked. If the password is stored hashed but not salted, you are pretty much fucked. And if the password is properly hashed and salted, congratulations, you have the one scenario where a good password actually matters.

    In all other attacks on your password, from phishing to shoulder-surfing and keyloggers, it doesn't matter how good your password is, how long it is or how complex it is.

    So, if you are really so concerned about the one scenario that you are ready to type V9AnKH5Crpfukuy5gAFB till the end of your days, go to https://www.random.org/passwor... and fire it up. Because all the hints you find on making a "good" password are also known to the people writing password crackers and coded into the perturbation algorithms. True randomness is your best bet.

    The one thing that matters, and there's an article about it but I'm too lazy to google it, is length. Length > Complexity. "aaaaaaaaaaaaaaa" is more secure than any variation of 8 characters ever will be, simply because, at least until this post, no password cracker would run the chain like a, aa, aaa, aaaa, ... to arbitrary length.

    IMHO, and I am an expert in the field and have given speeches about password security, forget all the "password complexity" rules, they are all bullshit. They're the safety net that makes sure that "password" is not a legal password on your system. But the world continuously invents better idiots, so "password1!" is and you're fucked anyway.

    --
    Assorted stuff I do sometimes: Lemuria.org
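    The three storage cases the comment walks through (unsalted hash, salted hash), as an added example that is not the commenter's code: an unsalted fast hash is the same for every user who picked the same password, so one precomputed table of common passwords cracks every dump at lookup speed; a per-user random salt with a slow, iterated KDF (PBKDF2-HMAC-SHA256 here) makes each account its own job, which is the scenario where password strength finally matters. The wordlist is the handful of passwords quoted in this thread; the iteration count is a demonstration value, not a recommendation.

```python
"""Unsalted fast hash versus salted, iterated KDF for password storage. Added
example, not code from the Slashdot post. The wordlist is the passwords quoted
in this thread."""
import base64
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["iloveyou", "p@ssw0rd", "pAsswOrd", "password1!", "ieatkale88"]
DEMO_ITERATIONS = 100_000  # demonstration value; tune upward for production


def unsalted_hash(password: str) -> str:
    """What a broken database stores: one fast hash, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> password table; built once, reused against every dump."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(stored: str, table: dict):
    """Recover a password from an unsalted hash by table lookup, or None."""
    return table.get(stored)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hash_password(password: str, iterations: int = DEMO_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored in a self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_b64, dk_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def salted_records_collide(password: str) -> bool:
    """Two users with the same password: do their stored records match?"""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    dump = [unsalted_hash("iloveyou"), unsalted_hash("V9AnKH5Crpfukuy5gAFB")]
    print("unsalted dump cracked:", [crack_unsalted(h, table) for h in dump])
    print("salted records identical:", salted_records_collide("iloveyou"))
    print("salted verify:", verify_password("ieatkale88", hash_password("ieatkale88")))
```

    Note what the salt does and does not buy: the lookup table becomes useless and each account must be attacked separately at the KDF's cost, but a weak password is still found quickly once the attacker commits to that account. That is why the comment's conclusion lands where it does: only in the salted-and-slow case does the difference between "iloveyou" and a random string change the outcome.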
  9. Re:Easy. by Tom · · Score: 4, Insightful

    #1. No password re-use. Ever.

    user-hostile

    #2. Not formulaic.

    memory-hostile (the mind loves patterns)

    #3. Not in a dictionary list.

    memory-hostile (the mind recalls the known better than the unfamiliar)

    #4. Long. I prefer 32 characters long.

    user-hostile

    Thank you for explaining in just four points why normal users think that security dudes are assholes and sabotage the rules made by them wherever they can.

    --
    Assorted stuff I do sometimes: Lemuria.org