Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How Do You Create A Highly-Secure Password? (securitymagazine.com)

Posted by EditorDavid on from the 12345 dept.

An anonymous reader writes: A security lab at Carnegie Mellon performed a study on password security recently, and issued a warning about common user misconceptions. For example, 'ieatkale88' would require 4 billion more guesses than 'iloveyou', because 'iloveyou' is one of the most common strings in passwords. And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."

But then what passwords are secure in the face of these modern password-cracking tools? As professionals in the IT industry, what advice would you give?
Leave your answers in the comments. How do you create a highly-secure password?

35 of 637 comments (clear)

  1. Generators by Anonymous Coward · · Score: 4, Informative

    https://www.random.org/passwords/

    With a length of at least 10, preferably 20 or more.

    1. Re:Generators by Anonymous Coward · · Score: 5, Funny

      Everyone knows that hunter2 is the best password

    2. Re:Generators by FatdogHaiku · · Score: 4, Informative

      No, it's correcthorsebatterystaple...
      https://xkcd.com/936/
      No one would ever guess that.

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    3. Re:Generators by Anonymous Coward · · Score: 5, Insightful

      Being strictly paranoid, how can I be sure that all passwords generated on the above site are not logged and added to lists checked by password crackers?

    4. Re:Generators by marcansoft · · Score: 4, Insightful

      Length doesn't matter. What matters is that you use a unique password for everything.

      Using a unique password for everything is impractical without making your passwords random (for a secure definition of unique, i.e. you can't guess one password given another one). But once you make them random, it doesn't matter how long they are as long as they're at least 6 (if fully random), preferably 8 (if constrained) characters or so.

      Why? Because your password doesn't have to withstand an offline brute-force attack. It has to withstand an online, over-the-network brute-force attack. If the attacker gets your password hash such that they can use an offline attack, they have already broken into that service and have all your data anyway. And, since you use different password everywhere, cracking your password on that service gets them nothing.

      Passphrases used to directly generate or wrap encryption keys are the exception to this, of course. Those had better be long.

      Me? I use a pwgen-generated password on all sites/services, with the defaults (8 characters, pronounceable), and write them down in an encrypted password file. It's great, because I end up easily remembering the ones I use often, and the rest I look up as I need them. Can you crack those offline? Absolutely. But I couldn't care less; if you already have the hash, there's nothing more you get by cracking it.

    5. Re:Generators by stealth_finger · · Score: 4, Informative

      Everyone got, it stopped being amusing years ago.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    6. Re:Generators by njnnja · · Score: 4, Informative

      I was actually just speaking with a police officer the other day who said criminals don't care much about electronics nowadays because the stuff depreciates so fast if you have a 4 year old laptop it's not worth much after depreciation and the black market discount. Even dumb thieves know to go straight for the bedroom and take the women's jewelry and the men's watches. They also check the top drawer for cash. But yeah, unless you are a high value target for information, nobody is rummaging through your desk for sticky notes.

    7. Re: Generators by Lije+Baley · · Score: 4, Funny

      If you wrap your fingers in tin foil before you type, you will be safe.

      --
      Strange things are afoot at the Circle-K.
    8. Re:Generators by bigdavex · · Score: 3, Funny

      Length doesn't matter

      Right, password girth is the key.

      --
      -Dave
  2. Password Generator by CastrTroy · · Score: 4, Insightful

    20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially your email address is this is basically a master key to all your other accounts due to the password reset feature.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Password Generator by thegarbz · · Score: 3, Insightful

      Dear god!

      How about use a common easy password for things you don't give a shit about, use a more complicated password for things you do, and reserve your super complicated passwords for things like your banking / email.

      We're slowly getting to the stage where a typical day will be spent managing passwords rather than accessing content with them.

    2. Re:Password Generator by AmiMoJo · · Score: 4, Insightful

      No need for SMS messages any more. 2FA via an app is a much better option. There is even an open standard for it (RFC 6238). I use Google Authenticator, but others are available. It doesn't even need internet access, it's time based. Every 30 seconds it generates a new code for each service you add to it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. GUID by Frosty+Piss · · Score: 4, Insightful

    All of my passwords are 32 char random strings using all the available chars.

    The only drawback is that I have to write them down on a yellow sticky.

    Fortunately, none of the hackers have physical access to my collection of yellow stickies...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:GUID by NotInHere · · Score: 3, Interesting

      Just don't get a household robot, otherwise it will turn itself on when you sleep and the hacker will guide it to your sticky collection.

    2. Re:GUID by PopeRatzo · · Score: 5, Funny

      All of my passwords are 32 char random strings using all the available chars.

      I just use my dog's name. Fortunately, I named my dog, "x:65=;V@Y|Dg#OdJ!T"

      --
      You are welcome on my lawn.
  4. Easy. by khasim · · Score: 4, Informative

    #1. No password re-use. Ever.

    #2. Not formulaic.

    #3. Not in a dictionary list.

    #4. Long. I prefer 32 characters long.

    1. Re:Easy. by khasim · · Score: 5, Insightful

      #1. But I can't remember all those passwords.
        - use a password manager

      #2. But I like the formula I use. It's my name + the website name.
        - no. Just use a password manager

      #3. How will I know that my password isn't in a dictionary list?
        - use a password manager and have it generate random passwords

      #4. But I cannot remember long passwords.
        - use a password manager

      Also, "ieatkale88" can now be cracked in the same number of tries as "iloveyou" or "pAsswOrd" because they are now all added to common dictionaries.

      Once you publish your "secure" password someone will add it to a dictionary.

      http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/

    2. Re:Easy. by khasim · · Score: 5, Informative

      Yeah, it matters. Unless you really are using a hash function you probably aren't as unique as you believe.

      Remember, the crackers have hundreds of millions of passwords to dig through to find patterns.

      Check haveibeenpwned.com to see if your email address has already been compromised. And if so, at how many sites.

    3. Re:Easy. by bloodhawk · · Score: 4, Insightful

      unless you run your password manager on a non internet connected stand alone machine I would say this is pretty bad advise from the majority of users. Most users simply don't have the security awareness or safe computer use habits to make a password manager secure, with drive by exploits and malware infesting everything these days putting all your eggs in one basket would be tantamount to internet suicide for many people.

    4. Re:Easy. by Tom · · Score: 4, Insightful

      #1. No password re-use. Ever.

      user-hostile

      #2. Not formulaic.

      memory-hostile (the mind loves patterns)

      #3. Not in a dictionary list.

      memory-hostile (the mind recalls the known better than the unfamiliar)

      #4. Long. I prefer 32 characters long.

      user-hostile

      Thank you for explaining in just four points why normal users think that security dudes are assholes and sabotage the rules made by them wherever they can.

      --
      Assorted stuff I do sometimes: Lemuria.org
    5. Re:Easy. by AmiMoJo · · Score: 3, Insightful

      A password manager is the best advice for most people, because the risk of it being compromised is much smaller than the risk of them using poor passwords if they don't have one.

      To get at the password manager, drive-by malware has to defeat the browser security, then defeat the OS security, and then defeat the password manager's security. That is assuming that the password manager happens to be open and the database decrypted at the time, if not then stealing that file still requires the cracker to find the master password.

      On the other hand, major and minor web sites alike regularly leak user data and passwords. Realistically users to too lazy to come up with really good passwords for every site, or to remember them, or to look through their password book for them. And if malware does get onto their computer, there are easier targets like cookies for sites they are currently logged in to and account numbers stored in documents and spreadsheets, which typically are not encrypted.

      I think you also vastly over-estimate the level of malware infestation. Chrome, the most popular browser, is actually extremely secure and so is Windows now. That's why malware has changed from mostly exploit based to mostly trojan based.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Use an application or OS that allows passphrases by pjbgravely · · Score: 4, Insightful

    Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.

    --
    Star Trek, there maybe hope.
  6. Relevant xkcd comic by suupaabaka · · Score: 3, Insightful

    xkcd covered this a while ago.

    I use this now. Not the actual passphrase, but the principle.

  7. SHA256. by 0100010001010011 · · Score: 4, Interesting

    echo -n "<mypassword>|<username>+example.org" | sha256sum | cut -c1-20

    Need to change all my passwords? Change the cut or my password.

  8. Re:Everyone knows by Rick+Zeman · · Score: 5, Funny

    Rot13.

        For real security, use it twice.

    I'm Swede (29 characters in the alphabet.)

    ROT14.5?

  9. morse code by Anonymous Coward · · Score: 5, Funny

    It's simple. I come up with a short word. Then I translate the word into morse code, with SHIT as the the dot and FUCK as the dash. For example, HORSE becomes SHITSHITSHITSHITFUCKFUCKFUCKSHITFUCKSHITSHITSHITSHITSHIT. That's actually a very strong password.

  10. Am I the only one who uses Lastpass? by mark_reh · · Score: 3, Insightful

    The thing I don't understand is the variation in password acceptiblilty from one site to another. Some sites don't allow special characters, or only certain ones, some limit passwords to 12 characters, some 16, etc. Why on earth are there any limits to usable characters and why are any limited to less than 64 characters?

  11. No One Else Uses This One. by Pauldow · · Score: 3, Funny

    I use eight asterisks as my password so I can see it when I'm typing it in.

  12. A bit of an essay... by Sarten-X · · Score: 5, Informative

    In an offline cracking scenario, the number of possibilities is what counts, not which possibility you used. That means users should have the option of simple or short passwords, but should use long ones. For ease of use (more on this later), a passphrase of several words and punctuation is appropriate. Don't mandate the use or exclusion of any particular symbols, because that reduces the search space, and similarly reduces the time to break the password. In a famous example, "correct horse battery staple" is far more resistant to brute-force attacks than something complex like "Tr0ub4dor&3".

    In an online cracking scenario, uniqueness is what counts. If an attacker has harvested your password from one location, they will try to use it to access another. Make sure every password you use is unique. Dumb tricks like appending the site name to a common password are easily caught by attackers, so they don't improve security much. The best way to mitigate the risk of an online attack, then, is use a trusted password manager to create and store your passwords, so every location has a long unique password. This is the approach I use, and most of my passwords are 24+ characters, randomly generated, and all unique.

    For universal access, I keep my password manager's encrypted database files in a cloud storage service that my phone can access. Even if that storage is compromised and my file is stolen, it's useless without my master password, which is of course different from every other password for any other purpose.

    If you're ever designing a system to handle authentication, the best solution is to not do it. Thanks to standards like OpenID and OAuth, you can connect your services to someone else's authentication, because they're far more likely to handle it correctly.

    If you must do your own authentication, use sane policies. Require long (10+ characters) passwords, but don't force numbers or symbols. Requiring a number in a password cuts the password's resistance to brute-forcing by about half (very roughly speaking, and noted in TFS). Make sure nothing in your application interferes with the use of password managers, which often use the system clipboard to copy/paste passwords. To improve user experience, avoid asking for the password at all, instead using an expiring authentication token to reinstate a previous session. The less often a user has to type their password, the less averse they'll be to having a long and secure one.

    On the back end, if you must store passwords, make sure they are hashed using a modern secure algorithm (AES-256, SHA-2 or SHA-3) and salted, and do that as soon as possible in your back-end processes. No, your users do not need a way to recover their old passwords. They need a way to reset their password to a new value, and that should only happen by using two separate forms of ID (like a phone call to customer support verbally confirming security questions and an email to the address on file). Those security questions should also be as unrestricted as passwords. Allowing the user to enter open-ended prompts allow the user to use prompts that are only meaningful to them, and are thus much more difficult to find an answer on social media.

    Above all else, do not take advice from others, including me and this post, without understanding the reasoning behind it. Computer security is steeped in several decades of little more than superstition, relying on "common knowledge" that often turns out to be incorrect. It may start out well-intentioned, but the implementation is usually missing a key detail, undermining the security of the whole system.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  13. Poetry by Space+cowboy · · Score: 3, Interesting

    So one of the (at the time) drawbacks of my UK education was that we had to learn poems off by heart for the English Lit. exam. At the time I thought it was just about the most boring part of the curriculum, but now they're a treasure trove of password sources...

    Example (no, I don't use this one). One of the poems we had to learn was "Dulce Et Decorum Est"...


    Bent double, like old beggars under sacks,
    Knock-kneed, coughing like hags, we cursed through sludge,
    Till on the haunting flares we turned our backs
    And towards our distant rest began to trudge.
    Men marched asleep. Many had lost their boots
    But limped on, blood-shod. All went lame; all blind;
    Drunk with fatigue; deaf even to the hoots
    Of tired, outstripped Five-Nines that dropped behind.
    Gas! Gas! Quick, boys! – An ecstasy of fumbling,
    Fitting the clumsy helmets just in time;
    But someone still was yelling out and stumbling,
    And flound'ring like a man in fire or lime . . .
    Dim, through the misty panes and thick green light,
    As under a green sea, I saw him drowning.
    In all my dreams, before my helpless sight,
    He plunges at me, guttering, choking, drowning.
    If in some smothering dreams you too could pace
    Behind the wagon that we flung him in,
    And watch the white eyes writhing in his face,
    His hanging face, like a devil's sick of sin;
    If you could hear, at every jolt, the blood
    Come gargling from the froth-corrupted lungs,
    Obscene as cancer, bitter as the cud
    Of vile, incurable sores on innocent tongues,
    My friend, you would not tell with such high zest
    To children ardent for some desperate glory,
    The old Lie; Dulce et Decorum est
    Pro patria mori.

    "The old lie" being "It is a great and glorious thing to die in the service of one's country". Anyway, take the N'th character of every line - easiest is the first, until you get the number of characters you need. It's easy to remember if you know the poem, it gives you a completely unintelligible password, and it's easy to make a password hint that's opaque to pretty much everyone but you.

    Has worked for me for ages. (I'm very old, compared to you yound whippersnappers hanging around /. recently).

    Simon

    --
    Physicists get Hadrons!
  14. dog and kids by clovis · · Score: 4, Funny

    What I find is the hardest part about changing passwords is getting my kids and dog to accept their new names.

  15. The Bigger Question by ytene · · Score: 4, Interesting

    Is there a more interesting question to ask here?

    Have we reached the point where the concept of the password itself is no longer either appropriate, or adequately secure? For example, should we be recommending use of multi-factor and/or multi-channel solutions?

    A useful question to ask is, "Where do you have to place your trust?" For example, many respondents to this thread recommend using a password manager.cOK, but how many of those people are aware of the emergence of specific threats targeting password managers, or that some solutions have been found to be insecure? How many people come to rely more and more heavily on a smartphone or similar personal device - a single object that can give access to web, email and voice authentication vectors - yet which is one of the most heavily-targeted platforms from a threat perspective?

    I am not trying to denigrate the many excellent answers given here, but I wish to point out the risk that we are taking by asking this as a closed question ("How do you create a highly-secure password?") when changing the question slightly (for example, to "What are the most pragmatic and reliable secure authentication mechanisms available?").

    As technology consumers, maybe we should be a bit more demanding about the solutions we are offered. Maybe it would be nice if we had a trustworthy and independent third party that offered a security audit rating system for commonly used service providers, like banks? This alone would drive down a lot of the risk, because to so e extent breaches can be facilitated by bad practices on the part of the service providers...

    But other options could consider available variation on the themes of something you have, something you are and something you know. Services should allow us to set our security based on a selection of two or more of that trinity, with a range of options for each... Here's a bad example... Suppose that the fingerprint reader on new Apple iDevices had an exposed API. Then suppose that a web site authentication engine integrated with this, over a secure SSL channel. You go to the site, you tap the option for fingerprint reader, then you put your pinky on the sensor.... What would it take to engineer that securely? In a combination with even the most basic of known passwords, wouldn't that be much more secure?

    Or what about something you have? How many people drive a vehicle with a remote control unlock mechanism? One German manufacturer uses a supposedly very secure rotating key mechanism that never sends the same release code twice... What if we used the same principle and allowed people to connect their car key to their keyboard via Bluetooth, using the same or similar principle to integrate an everyday object like a car key as a "something you have" factor?

    Both of these are spur-of-the-moment suggestions and likely flawed, but I just wanted to push us past the idea that the right solution is still a password. Respectfully, that's still only single-factor and thus still implicitly weak.

  16. lies and statistics by Tom · · Score: 5, Insightful

    The first thing you need to do is stop listening to statistics someone else faked.

    Of all the various ways in which attackers can gain passwords, only two involve cracking them (brute-force and cracking a password database). One of them should be a non-issue, because any software or service that doesn't protect against brute-force is fundamentally broken and shouldn't be trusted with your password anyway. Make your password "a", save everyone the trouble. For a password database crack, firstly the security of the server already failed, and then you're at their mercy a second time because if the password is stored unencrypted, you're fucked. If the password is stored hashed but not salted, you are pretty much fucked. And if the password is properly hashed and salted, congratulations you have the one scenario where a good password actually matters.

    In all other attacks on your password, from phishing to shoulder-surfing and keyloggers, it doesn't matter how good your password is, how long it is or how complex it is.

    So, if you are really so concerned about the one scenario that you are ready to type V9AnKH5Crpfukuy5gAFB till the end of your days, go to https://www.random.org/passwor... and fire it up. Because all the hints you find on making a "good" password are also known to the people writing password crackers and coded into the pertubation algorithms. True randomness is your best bet.

    The one thing that matters, and there's an article about it but I'm too lazy to google it, is length. Length > Complexity. "aaaaaaaaaaaaaaa" is more secure than any variation of 8 characters ever will be, simply because, at least until this post, no password cracker would run the chain like a, aa, aaa, aaaa, ... to arbitrary length.

    IMHO, and I am an expert in the field and given speeches about password security, forget all the "password complexity" rules, they are all bullshit. They're the safety net that makes sure that "password" is not a legal password on your system. But the world continuously invents better idiots, so "password1!" is and you're fucked anyway.

    --
    Assorted stuff I do sometimes: Lemuria.org
  17. Leet speak is not pattern recognition. Non-diction by raymorris · · Score: 3, Informative

    > Our ability to remember long passwords is limited without context or patterns.

    Certainly true.

    > A computer's ability to recognize patterns is however insanely difficult.

    "pOs5IbL3" is not pattern recognition, and it is used by common cracking tools. The rules are well known - 3 is interchangeable with E, 0 for O, and 5 for S. Bad guys do those substitutions.

    Mainly what it comes down to when choosing passwords is length. Add a few extra characters to the alphabet, using 0,3, and 5 as letters, is fine and all, but you get more bits of entropy by making your password a character or two longer.

    To create long passwords that one can remember, a sequence of words is good, but of course attackers have dictionaries. One option to improve it, therefore, is non-dictionary words like unjoyfully, runnableness, or happify (make happy). A sequence of such non-words can be easy to remember and hard to crack.

  18. Password Safe by ElizabethGreene · · Score: 3, Informative

    Password Safe >> New Entry >> [type url] >> [Default Username] >> Generate Password >> Save

    I never type it, not even once.