
Another Reminder About Passwords

Two things are prompting this post: first, the recent leak of LinkedIn passwords, and second, friends' and family members' email accounts getting hacked. It's amazing to me how many posts there have to be on the Internet about password security, and how little attention people pay to them. One could say that much of the weak-password demographic doesn't read tech blogs, and that if they did, they wouldn't understand most of the post. Even so, I've had friends in the tech industry who should know better and still ended up with hacked accounts. So, while I might be reaching a limited demographic, and those I am reaching might not care, I'm covering it anyway.

To prevent a compromise of your account because of your password, you need to do only two things:

1. Use different passwords for every account online

This is probably the most difficult step for most people. Remembering 100 or more passwords can be a major pain in the butt. Everyone has their own way of doing it, but from what I've seen, most people use a single password on multiple accounts. This is especially critical for finance and corporate accounts. No one really cares if your personal email or fitness account is hacked, but you might care when your savings are emptied, and your boss might care if sensitive data is leaked.

So, I would recommend the following system for using different passwords on every account. First, generate and print a password card; I've blogged about this before. Essentially, your passwords are stored in plain text on the card itself. You pick a row color and column symbol on the card as the starting point for your password, then read from there in some direction for some length. That becomes the password for your account. Second, install KeePass. For every password you create from your card and add to an account, make a note of it in the encrypted database, including where the password starts, the direction it takes, and how long it is. This way, should you forget your starting location, you have an encrypted database giving you access to all the passwords you've created.
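To make the card procedure concrete, here is an added example (my own code, not the post's card generator or anything from KeePass) that builds a random card, reads a password off it from a starting row color and column symbol, and produces the record you would keep in KeePass. The card size, the row colors, the column symbols and the character alphabet are all constructed for this example; a printed card will differ. The card itself is the secret: if it is lost or photographed, the only thing left protecting an account is the start position, direction and length, which is a very small haystack.

```python
import secrets
import string

# Constructed card layout for this example (assumption: the printable cards the
# post refers to use a different size, row colors and column symbols).
ROW_LABELS = ["red", "orange", "yellow", "green", "blue", "purple", "grey", "black"]
COL_LABELS = list("♠♣♥♦★☺♪♫☼▲▼◄►○●□■◊¤§¶†‡€£¥¢©®")
ROWS, COLS = len(ROW_LABELS), len(COL_LABELS)
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@"

# Reading directions: (row step, column step) applied once per character.
DIRECTIONS = {"right": (0, 1), "left": (0, -1), "down": (1, 0), "up": (-1, 0)}


def generate_card():
    """Fill the grid from a CSPRNG (secrets, not random). Every cell is drawn
    independently, so any run read off the card is uniformly random."""
    return [[secrets.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]


def read_password(card, row_color, col_symbol, direction, length):
    """Derive a password: start at (row color, column symbol) and read `length`
    characters in `direction`, wrapping around the edges of the card."""
    r = ROW_LABELS.index(row_color)
    c = COL_LABELS.index(col_symbol)
    dr, dc = DIRECTIONS[direction]
    chars = []
    for _ in range(length):
        chars.append(card[r % ROWS][c % COLS])  # Python's % wraps negatives too
        r, c = r + dr, c + dc
    return "".join(chars)


def keepass_entry(site, row_color, col_symbol, direction, length, password):
    """The record the post suggests keeping in KeePass for each account: the
    password itself plus everything needed to re-derive it from the card."""
    return {
        "title": site,
        "password": password,
        "notes": f"card: start at {row_color} row / {col_symbol} column, "
                 f"read {direction}, {length} characters",
    }


def render_card(card):
    """Printable form of the card: a symbol header and one line per color row."""
    lines = ["        " + " ".join(COL_LABELS)]
    for label, row in zip(ROW_LABELS, card):
        lines.append(f"{label:>7} " + " ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    card = generate_card()
    print(render_card(card))
    pw = read_password(card, "blue", "★", "down", 12)
    # Constructed site name; the entry would go into the encrypted database.
    print(keepass_entry("example.org (constructed)", "blue", "★", "down", 12, pw))
```

Running the block prints a fresh card and one derived entry. Because generation uses the `secrets` module, the card is not reproducible from a seed, which is the point: the printed card is the only copy of the password material, and the KeePass database is the backup.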

2. Use passwords with a great deal of entropy

I hate "password strength meters", because they are always completely arbitrary and don't communicate to the user what that strength is or where it comes from. Usually, they just assign points to things like uppercase letters versus lowercase, extra points for symbols and numbers, points for length, and so on. Like playing Tetris, if you fit all the pieces of your password together, maybe you can get a high score. To me, these are pointless and not helpful. Instead, you should be concerned about the entropy of your password.

Think of entropy like a haystack. Your password is the needle. Aside from burning down the haystack, can you find the needle? Of course, the larger the haystack, the harder it will be to find the needle. I have also blogged about this in the past. Thankfully, Gibson Research Corporation has put together a web application that uses this analogy. Entropy can be defined in a simple equation: the length of your password times the log base 2 of the size of the character set being searched. In other words, it's not arbitrary points. It shows you the size of your haystack. The larger the haystack, the more difficult it will be to find your needle. Play with some passwords on that web site, and you'll get an idea of how this works.

The key point here, however, is to help people understand how password attacks work. Attackers don't start by incrementing through the alphabet, starting with 'a'. Instead, if brute forcing, they will start with common words in a dictionary and popular modifications of those words (think "leet speak"). They will use common phrases, then append and prepend numbers to these dictionary words and phrases. Believe it or not, this is a very effective way to get the vast majority of passwords. Why? Because the haystack is small. Very small. If your needle is in that haystack, it will be found.

So how do you get a larger haystack? Well, first, use uppercase and lowercase letters, numbers and symbols. We want a large character set to search through. But, above all, make the password LONG. You would be amazed at how much bigger your haystack is with a 9-character password versus an 8-character password. Length will buy you much more hay than some convoluted, difficult-to-remember, pain-in-the-butt password. Length is key. Different character sets are also important, but length gets you so much more hay.
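The haystack arithmetic from the last three sections, as an added example (my own code, not the post's or GRC's calculator): it applies the formula length times log2(character set size), compares the brute-force haystack with the much smaller "dictionary word plus digits" haystack an attacker actually searches, and shows what one extra character buys. It assumes "symbols" means the 32 ASCII punctuation marks plus space (95 printable characters in all), and the 100,000-word dictionary size is a constructed figure. It also generalizes to word-based passphrases, where k words from a list of n give k times log2(n) bits.

```python
import math
import string

# Character set sizes a brute-force attacker must search (assumption: "symbols"
# is the 32 ASCII punctuation marks plus space, so all four sets total 95).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, len(string.punctuation) + 1


def charset_size(password):
    """Size of the smallest standard character set containing every character
    of the password: the search space an exhaustive attacker has to assume."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c in string.punctuation or c == " " for c in password):
        size += SYMBOLS
    return size


def haystack_size(length, charset):
    """Number of candidates in the haystack: charset ** length."""
    return charset ** length


def entropy_bits(length, charset):
    """The post's formula: length * log2(character set size)."""
    return length * math.log2(charset)


def brute_force_bits(password):
    """Haystack, in bits, for an attacker who knows only length and charset."""
    return entropy_bits(len(password), charset_size(password))


def dictionary_pattern_bits(dictionary_words, appended_digits=0, leet_variants=1):
    """Haystack for the attack the post describes: one dictionary word, perhaps
    a few leet-speak spellings of it, with a short run of digits appended.
    Each factor is a count of candidates, so their bits simply add."""
    return (math.log2(dictionary_words)
            + math.log2(leet_variants)
            + appended_digits * math.log2(10))


def passphrase_bits(word_count, wordlist_size):
    """Word-based passphrases: k words drawn uniformly from a list of n words
    give k * log2(n) bits (four words from a 2048-word list is 44 bits)."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    for pw in ["password1", "P@ssw0rd1", "Tr0ub4dor&3", "kX7#qL2!mV9$wE4%"]:
        print(f"{pw:20} charset={charset_size(pw):3} "
              f"brute-force bits={brute_force_bits(pw):6.2f}")
    # "password1" as an attacker actually searches it: a 100,000-word list
    # (assumed size) with one digit appended is a haystack of only ~20 bits,
    # far below the ~46.5 bits a brute-force meter would credit it with.
    print(f"word+digit pattern: {dictionary_pattern_bits(100_000, 1):.2f} bits")
    # The post's point about length: one more character multiplies the
    # haystack by the charset size (95x here), worth about 6.6 bits.
    for n in (8, 9):
        print(f"{n} chars from 95: {entropy_bits(n, 95):.2f} bits, "
              f"{haystack_size(n, 95):.3e} candidates")
    print(f"4 words from 2048: {passphrase_bits(4, 2048):.1f} bits")
```

The useful comparison is the gap between `brute_force_bits` and `dictionary_pattern_bits` for the same string: a strength meter scores the former, the attacker pays only the latter. A password that is random over its character set closes that gap, and each added character then multiplies the haystack by the whole set size.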

Conclusion

Think. Think about your haystack. Think about being an attacker. Think about your data. If you would just sit down and think your passwords through, you would be ahead of the game. Remember: different passwords for different accounts, and big haystacks.

{ 8 } Comments

  1. Prateek using Firefox 12.0 on Ubuntu 64 bits | June 8, 2012 at 7:25 am | Permalink

    Obligatory link: http://xkcd.com/936/

  2. Aaron Toponce using Google Chrome 18.0.1025.168 on GNU/Linux 64 bits | June 8, 2012 at 8:44 am | Permalink

    Yes, except 44 bits of entropy won't get you far. If you're not north of 64 bits, your haystack is pretty small.

  3. Name using Google Chrome 19.0.1084.52 on GNU/Linux 64 bits | June 8, 2012 at 9:54 am | Permalink

    Also obligatory: https://www.pwdhash.com/

  4. Ron using Firefox 13.0 on Windows 7 | June 8, 2012 at 10:18 am | Permalink

https://www.us-cert.gov/cas/tips/ST04-002.html covers a good deal about passwords. For myself, I use alpha-numeric characters with symbols in a rhyming scheme that are at least 15 characters long - and I memorize them. Each unique to every place I visit.

    $3g4t6brt#173xdd rhymes like so $ 3g 4t 6brt # 173xdd

  5. outa using Firefox 13.0 on Ubuntu 64 bits | June 11, 2012 at 10:57 am | Permalink

    The problem with password managers like KeePass is that they confine your passwords to your own machine, so you can't log in from a friend's computer for example.

    As for the card, I'm a bit skeptical. You still need to remember color, symbol, direction, and length for each password. I would guess that is rather hard, especially because you don't have any association with these combinations (unlike with normal passwords). So far the xkcd approach seems easiest for me.

  6. Aaron Toponce using Google Chrome 18.0.1025.168 on GNU/Linux 64 bits | June 12, 2012 at 5:56 am | Permalink

    You still have the problem of remembering each password for all of your sites. Even with the XKCD approach, unless you're using "correcthorsebatterystaple" for every password, how do you know which password belongs to which site?

  7. atmosx using Google Chrome 19.0.1084.56 on Mac OS | June 15, 2012 at 9:00 am | Permalink

    Hello,

    Nice post. I use 1Passwd on my Macintosh machines. Since it syncs with the iPhone I have all my passwords stored in the iPhone. The problem here is that I use 2-passwords. But if you find those you can access all my data at once. (scary). I wish there was some sort of security measure like '10 wrong passwords erases the db'.

  8. Joe Julian using Firefox 12.0 on GNU/Linux 64 bits | July 31, 2012 at 12:20 am | Permalink

    Also think about your exposure. You touched on it briefly in your first point but it's not at all necessary to have a different password for every forum on the internet. Partition your security into several sections. If someone finds your jokeforum.com password and it also gets them into thedailykitten.com, do you care?

    If they hack your fitbit.com password and it gets them into facebook, that might be a little more of a problem.

    If they download passwords from your credit card company and that lets them into your bank, that's a much bigger problem.

On an unrelated note, changing your password every 30 to 90 days does nothing to increase that entropy like some companies force you to do. Quite the opposite, it generally forces people into using password schemes that decrease entropy or causes people to write down passwords in an easily compromised place (like stuck to your monitor with a sticky note).
