Monday, October 24, 2016

Better, Easier, Safer Passwords

Most of our passwords are flawed and not secure.  This article describes a better way and includes a scheme to help you remember all of your passwords.  It was originally published in August 2011 and most recently revised in August 2015.

We have all been told to make passwords eight characters long, with a mixture of upper and lower case, numbers and a special character.  This is no longer good enough.  With freely available software and an ordinary PC, an attacker who has a copy of a site's leaked password hashes can crack most passwords built that way by brute force and dictionary attack.

I attended a security training class where the LinkedIn password database that leaked a few years ago was cracked live, during the class.  Using a lowly, run-of-the-mill laptop, the instructor cracked 300,000 real-world hashed passwords in two minutes.

The passwords were not just simple words; they had numbers, mixed case, special characters and substituted characters.  Given another couple of hours, our instructor could have cracked an additional 200,000 passwords, for an 80 to 90% success rate.

The cracked passwords had one thing in common:  most were 8 to 10 characters long.  The ones that were not cracked (yet) were longer.

"Through 20 years of effort,
we have successfully trained everyone to use passwords that are hard for humans to remember,
but easy for computers to guess."

This interesting Ars Technica article discusses the techniques now being used:

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” 

Be sure to glance through the comments at the end of the article.

20 Years of Password Nonsense

Setting brute force aside, are there other ways to get a password?  Of course, and these are even more fun.  No matter how long or how complex, no password is safe if you give it away through social engineering, such as a fake login page.

Never, ever click a link in an email from a vendor or bank that takes you to their site.  Such emails are easily spoofed.  Instead, open your browser and go to the site yourself.

This now-famous xkcd comic describes the benefit of a simpler password made of multiple words.  It has circled the Earth about a million times, and although the idea is sound, it is less than perfect and does not scale to the dozens of accounts we need to log in to:

A multi-word password, with or without spaces, is better than "password123", but it is still exposed to the dictionary and word-combining attacks described in the Ars article.

Still, a 16- or 20-character password (a password phrase!) slows attackers down considerably.
Your passwords should be at least this long.

Password Safes and Vaults.  Horrible Idea!

Since you should use a different password for each account, how many phrases (correcthorsebatterystaple) can you invent for all the places you need one?  You need help.

Password safes store your numerous passwords in some other protected program or vault.  The trouble is that this doesn't work in real life:  each time you need to log in somewhere, you have to unlock the safe, find the account, and type the ugly password.

In practice, this is too cumbersome and you won't use it.

A pattern or scheme (see below), or two-factor authentication, is the better solution.  Both are described next.


You may think your data is not that important.  I disagree.  In my case, an attacker could adjust my house thermostat and make my refrigerator order more milk.  In all seriousness, with my credentials they could get into my bank account or Amazon.  All of my financial and tax records would be exposed.  I imagine my address books and my cellular accounts would be of interest, too.  All kinds of mayhem would ensue, and the violation would take years to unwind.

With or without 2-step authentication, do these things for better password security:

1. Password length is king.

Longer passwords are better than hard-to-type passwords.

qeadzcwrsfxv -- (12 chars; a keyboard pattern like the one cracked in the Ars article) is not nearly as secure as
catschasefrogs -- (14 chars) two more characters really help, and the words are far easier to type and remember

2.  Use a memorable password phrase (three or more words)

uSe mIxed case, where the first word is not capitalized.

catsChaseFrogs   (14 characters)

3.  Make one of the words a non-dictionary word.  A misspelled or made-up word (the "Krogs" in the example below stands in for "frogs") is never in the cracker's wordlist, so the dictionary and word-combining rules cannot reach it.


4.  Special characters or numbers.   Most sites require special characters and numbers in their passwords.  This adds little security, but since such nonsense is often required, make it part of your scheme.

Special Characters:  I like to use a space or a period because they are easy to type and are as good a character as any.  (A few sites reject or strip spaces; if one does, swap in a period.)  After practicing the password a few times, make sure the keystrokes are easy to reach and fall into a good rhythm.  Rearrange the punctuation as needed.

cats Chase.Krogs 2aa  (20 characters, including two spaces and a period, yet easy to remember and type)

I am not recommending numbers and special characters because they increase the password's entropy (the pool of available characters).  The real reason is that most sites require them, so you have to use them.  Since you must, adding them is an easy way to increase the length.
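To see why the instructor's laptop did so well against the LinkedIn hashes, and why items 1 through 4 above matter, here is a toy version of the attack: a dictionary-plus-rules run against unsalted SHA-1 hashes, combining words the way the Ars article describes.  This is an added example written for this page, not code from the article or from any real cracking tool.  The ten-word dictionary, the mangling rules and the four "leaked" passwords are all constructed here; a real attacker uses millions of words and far richer rules.

```python
import hashlib
import itertools

# Constructed stand-in for a cracking dictionary; real ones hold millions of entries.
WORDLIST = ["cats", "chase", "frogs", "dogs", "horse", "battery",
            "staple", "correct", "monkey", "password"]
SEPARATORS = ("", " ", ".")          # how the words were joined
SUFFIXES = ("", "1", "123", "!")     # the "required" digit or symbol, tacked on the end


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, which is how the leaked LinkedIn hashes were stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def case_variants(word: str):
    """Three casings per word: lower, Capitalized, UPPER."""
    return (word, word.capitalize(), word.upper())


def candidates(wordlist=WORDLIST, max_words=3, separators=SEPARATORS, suffixes=SUFFIXES):
    """Combinator attack: every phrase of 1..max_words dictionary words, every
    per-word casing, one separator style and one common suffix.
    (Single words are emitted once per separator; a real tool would dedupe.)"""
    for n in range(1, max_words + 1):
        for words in itertools.product(wordlist, repeat=n):
            for cased in itertools.product(*(case_variants(w) for w in words)):
                for sep in separators:
                    base = sep.join(cased)
                    for suffix in suffixes:
                        yield base + suffix


def crack(target_hashes, **rules):
    """Run the candidate stream against a set of hashes.
    Returns (recovered: {hash: plaintext}, guesses_tried)."""
    remaining = set(target_hashes)
    recovered = {}
    tried = 0
    for guess in candidates(**rules):
        tried += 1
        digest = sha1_hex(guess)
        if digest in remaining:
            recovered[digest] = guess
            remaining.discard(digest)
            if not remaining:
                break
    return recovered, tried


# Constructed "leak": hashes of four passwords built the way the article discusses.
TARGETS = [
    "catschasefrogs",             # three dictionary words, nothing else
    "Cats.Chase.Frogs1",          # dictionary words plus casing, separator and suffix
    "cats Chase.Krogs 2aa",       # item 3: one non-dictionary word, irregular pattern
    "correcthorsebatterystaple",  # four words: outside this run's 3-word budget
]


def run_demo():
    """Crack the constructed leak; return ({password: was_cracked}, guesses_tried)."""
    leak = {sha1_hex(pw): pw for pw in TARGETS}
    recovered, tried = crack(leak.keys())
    return {pw: (digest in recovered) for digest, pw in leak.items()}, tried


if __name__ == "__main__":
    outcome, tried = run_demo()
    for pw, cracked in outcome.items():
        print(f"{'CRACKED ' if cracked else 'survived'}  {pw!r}")
    print(f"{tried:,} guesses; a GPU running hashcat tests billions of SHA-1 hashes per second")
```

With only ten words and a handful of rules, roughly 335,000 guesses recover both pure-dictionary phrases, including the one dressed up with capitals, periods and a trailing digit, which is why item 4 buys so little.  The phrase containing the made-up word "Krogs" never appears in the candidate stream at all, and the four-word phrase sits outside the three-word budget; it would fall to a longer run, which is exactly why longer phrases only slow the attacker down rather than stop him.  Salting the hashes (which LinkedIn did not do) would not defeat this attack, but it would force the attacker to repeat it once per user instead of once per leak.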

Here is the trick:

5. Use a different password for each site -- but use a scheme to help remember. 

The reason:  if one password is compromised, you won't lose everything.  But all these different passwords are impossible to remember.  Consider this trick:  use the same base password on each site or program, but add a prefix or suffix that makes it unique.

For example:
If your normal password were "aK9doggly.barks"

use "aK9doggly.barks hotm" for your Hotmail account
use "aK9doggly.barks goog" for your Google account
use "aK9doggly.barks bank" for your banking account

or "hK9doggly.barksm"  where "h-m" is Hotmail
or "gK9doggly.barkso"   where "g-o" (oh) is Google (one word)
or "mK9doggly.barksb"    where "m-b" is "my bank"

Devise your own scheme, then use it everywhere; make it predictable to you.

If one password were compromised, the attacker's automated programs would try that same password against other systems and fail, because each password is different.  Naturally, a human reading the leaked password could see through the scheme, but humans rarely look at these things; the attacks are automated, and the programs don't know your scheme.

6.  When available, use 2-step authentication, especially on the important accounts.  Make sure your phone is password-protected.  See below.

7.  Dumb sites

For dumb sites, where you could not care less if they were hacked, such as registration sites and forums, use a simpler password, and by all means use the same password on all the unimportant sites.  I call this an expendable or junk password.  Do not bother using the password scheme, and keep it unrelated to your base password, since you should assume that one of these sites will leak it.

For example: DumKats.2aa

Two-Factor Authentication

Longer passwords slow down attackers, so much so that they give up.  But if your vendor's database escapes in a breach, all the passwords are at risk, especially the shorter ones.  One way to solve this is to add another layer of security.

Consider "two-factor authentication."

I have been using Google's 2-Step Verification (two-factor authentication) for many years on my Gmail account.  Each time I log in, Google sends a code to my phone by text message (or, now, through a nifty app).  Then, on a secondary login screen, I type the numeric code.  Only then does my login succeed.  The code is short-lived (the app generates a new one every 30 seconds) and is unique to my account.

Even if they have my account credentials, they can't login without my phone. 

These companies, and others, support two-factor authentication:

Google (Gmail, YouTube, Blogger, Picasa, etc.)
Microsoft (OneNote, Office 365, etc.)
Your ISP account (should support this)
Your domain service provider (most seem to support two-factor)

Most support either an SMS text message or a dedicated app.  Use the app for your most common, often-used services, and text messages for the less-common accounts.  The app is also the stronger of the two:  an SMS code can be intercepted by anyone who manages to take over your phone number.

What if I lose my cell phone?  It becomes painful.  Without going into details, Google has a moderately secure alternate method for logging in.  See Google's documentation for full details on 2-step authentication, and see also this keyliner article:  Using Google Authenticator

Things that don't work anymore:

Curse sites that require password changes every 90 days.

This goes against long-standing convention, but forced rotation makes passwords worse.  If you have to change passwords periodically, you will invariably pick a shorter password with a numeric suffix, such as the month and year.  Sites with longer passwords that do not expire (say 12 or more characters) are safer than sites with 8-character rotating passwords.

Some forward-thinking companies are changing their stance here:  quit making people change passwords so often, and require longer passwords instead.  Length is king.

Condemn passwords that are too hard to remember

For example, I have an account with this password (which I am not allowed to change):
"1SanFran$1sc0D91" (16 characters).

Every time I need this stupid password, I have to look it up.  This means I wrote it down.  I am tempted to print it.  I hate this password.

Imagine this replacement, at 19 characters:  "sanFrancisco isa 9a"

- this is a more secure password, simply because of its length, and you can actually remember it.  Clearly better than the first.  The complexities in the other password are nonsense.


Passwords need some complexity, but don't go nuts.  Your best protection is a long password phrase combined with two-factor authentication.  Failing that, a scheme such as the one described above goes a long way toward making this manageable.

Related Articles:
Gmail Protection Steps
SMS Text Message: Your Gmail account has been hacked
Using Google Authenticator - a Google App
Google Documentation - 2 Step Authentication

1 comment:

  1. Recommend taking the time to download & listen to the podcast on the page. GREAT info. Good article.

