Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How Do You Create A Highly-Secure Password? (securitymagazine.com)

Posted by EditorDavid on from the 12345 dept.

An anonymous reader writes: A security lab at Carnegie Mellon performed a study on password security recently, and issued a warning about common user misconceptions. For example, 'ieatkale88' would require 4 billion more guesses than 'iloveyou', because 'iloveyou' is one of the most common strings in passwords. And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."

But then what passwords are secure in the face of these modern password-cracking tools? As professionals in the IT industry, what advice would you give?
Leave your answers in the comments. How do you create a highly-secure password?

9 of 637 comments (clear)

  1. Re:Easy. by khasim · · Score: 5, Insightful

    #1. But I can't remember all those passwords.
      - use a password manager

    #2. But I like the formula I use. It's my name + the website name.
      - no. Just use a password manager

    #3. How will I know that my password isn't in a dictionary list?
      - use a password manager and have it generate random passwords

    #4. But I cannot remember long passwords.
      - use a password manager

    Also, "ieatkale88" can now be cracked in the same number of tries as "iloveyou" or "pAsswOrd" because they are now all added to common dictionaries.

    Once you publish your "secure" password someone will add it to a dictionary.

    http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/

  2. Re:Everyone knows by Rick+Zeman · · Score: 5, Funny

    Rot13.

        For real security, use it twice.

    I'm Swede (29 characters in the alphabet.)

    ROT14.5?

  3. morse code by Anonymous Coward · · Score: 5, Funny

    It's simple. I come up with a short word. Then I translate the word into morse code, with SHIT as the the dot and FUCK as the dash. For example, HORSE becomes SHITSHITSHITSHITFUCKFUCKFUCKSHITFUCKSHITSHITSHITSHITSHIT. That's actually a very strong password.

  4. A bit of an essay... by Sarten-X · · Score: 5, Informative

    In an offline cracking scenario, the number of possibilities is what counts, not which possibility you used. That means users should have the option of simple or short passwords, but should use long ones. For ease of use (more on this later), a passphrase of several words and punctuation is appropriate. Don't mandate the use or exclusion of any particular symbols, because that reduces the search space, and similarly reduces the time to break the password. In a famous example, "correct horse battery staple" is far more resistant to brute-force attacks than something complex like "Tr0ub4dor&3".

    In an online cracking scenario, uniqueness is what counts. If an attacker has harvested your password from one location, they will try to use it to access another. Make sure every password you use is unique. Dumb tricks like appending the site name to a common password are easily caught by attackers, so they don't improve security much. The best way to mitigate the risk of an online attack, then, is use a trusted password manager to create and store your passwords, so every location has a long unique password. This is the approach I use, and most of my passwords are 24+ characters, randomly generated, and all unique.

    For universal access, I keep my password manager's encrypted database files in a cloud storage service that my phone can access. Even if that storage is compromised and my file is stolen, it's useless without my master password, which is of course different from every other password for any other purpose.

    If you're ever designing a system to handle authentication, the best solution is to not do it. Thanks to standards like OpenID and OAuth, you can connect your services to someone else's authentication, because they're far more likely to handle it correctly.

    If you must do your own authentication, use sane policies. Require long (10+ characters) passwords, but don't force numbers or symbols. Requiring a number in a password cuts the password's resistance to brute-forcing by about half (very roughly speaking, and noted in TFS). Make sure nothing in your application interferes with the use of password managers, which often use the system clipboard to copy/paste passwords. To improve user experience, avoid asking for the password at all, instead using an expiring authentication token to reinstate a previous session. The less often a user has to type their password, the less averse they'll be to having a long and secure one.

    On the back end, if you must store passwords, make sure they are hashed using a modern secure algorithm (AES-256, SHA-2 or SHA-3) and salted, and do that as soon as possible in your back-end processes. No, your users do not need a way to recover their old passwords. They need a way to reset their password to a new value, and that should only happen by using two separate forms of ID (like a phone call to customer support verbally confirming security questions and an email to the address on file). Those security questions should also be as unrestricted as passwords. Allowing the user to enter open-ended prompts allow the user to use prompts that are only meaningful to them, and are thus much more difficult to find an answer on social media.

    Above all else, do not take advice from others, including me and this post, without understanding the reasoning behind it. Computer security is steeped in several decades of little more than superstition, relying on "common knowledge" that often turns out to be incorrect. It may start out well-intentioned, but the implementation is usually missing a key detail, undermining the security of the whole system.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  5. Re:Generators by Anonymous Coward · · Score: 5, Funny

    Everyone knows that hunter2 is the best password

  6. Re:Easy. by khasim · · Score: 5, Informative

    Yeah, it matters. Unless you really are using a hash function you probably aren't as unique as you believe.

    Remember, the crackers have hundreds of millions of passwords to dig through to find patterns.

    Check haveibeenpwned.com to see if your email address has already been compromised. And if so, at how many sites.

  7. Re:Generators by Anonymous Coward · · Score: 5, Insightful

    Being strictly paranoid, how can I be sure that all passwords generated on the above site are not logged and added to lists checked by password crackers?

  8. Re:GUID by PopeRatzo · · Score: 5, Funny

    All of my passwords are 32 char random strings using all the available chars.

    I just use my dog's name. Fortunately, I named my dog, "x:65=;V@Y|Dg#OdJ!T"

    --
    You are welcome on my lawn.
  9. lies and statistics by Tom · · Score: 5, Insightful

    The first thing you need to do is stop listening to statistics someone else faked.

    Of all the various ways in which attackers can gain passwords, only two involve cracking them (brute-force and cracking a password database). One of them should be a non-issue, because any software or service that doesn't protect against brute-force is fundamentally broken and shouldn't be trusted with your password anyway. Make your password "a", save everyone the trouble. For a password database crack, firstly the security of the server already failed, and then you're at their mercy a second time because if the password is stored unencrypted, you're fucked. If the password is stored hashed but not salted, you are pretty much fucked. And if the password is properly hashed and salted, congratulations you have the one scenario where a good password actually matters.

    In all other attacks on your password, from phishing to shoulder-surfing and keyloggers, it doesn't matter how good your password is, how long it is or how complex it is.

    So, if you are really so concerned about the one scenario that you are ready to type V9AnKH5Crpfukuy5gAFB till the end of your days, go to https://www.random.org/passwor... and fire it up. Because all the hints you find on making a "good" password are also known to the people writing password crackers and coded into the pertubation algorithms. True randomness is your best bet.

    The one thing that matters, and there's an article about it but I'm too lazy to google it, is length. Length > Complexity. "aaaaaaaaaaaaaaa" is more secure than any variation of 8 characters ever will be, simply because, at least until this post, no password cracker would run the chain like a, aa, aaa, aaaa, ... to arbitrary length.

    IMHO, and I am an expert in the field and given speeches about password security, forget all the "password complexity" rules, they are all bullshit. They're the safety net that makes sure that "password" is not a legal password on your system. But the world continuously invents better idiots, so "password1!" is and you're fucked anyway.

    --
    Assorted stuff I do sometimes: Lemuria.org