Choosing a Secure Password


#1

Originally published at: https://boingboing.net/2014/02/25/choosing-a-secure-password.html

As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. Bruce Schneier says you need a strategy.


#2

In other words, passwords are idiotic.


#3

My issue with passwords is that every site seems to want something different. Length, capitals, punctuation, etc.
Then to add insult to injury, they want you to change it every so often and if you forget it and use the password recovery function, you can’t use it again should you suddenly remember.

My point is that if it’s too much trouble, many people will simply write down the password on a post-it and stick it on their monitor or in a drawer, which defeats the whole purpose. I believe that the new push toward more secure passwords is not to protect your login but to protect the site from hackers and internal sabotage. Banks don’t want to be blamed for someone getting into your account even if it’s their fault.


#4

In addition to every site wanting a different variation of characters in passwords, with the sheer number of sites the average person is expected to manage it’s almost impossible to keep track of which id/password combination is being used without reusing them.

If I were to hazard a guess, I would estimate I have over 200 different accounts established throughout the web - some used frequently and others I only access once a year at most. It’s absolutely necessary to have some kind of consistency in the username/password combination I choose in addition to a password recovery function, even though this presents a level of risk for being hacked.


#5

if your program ever stored it in memory, this process will grab it.

From my hard drive at any time in the future? GTFO Bruce


#6

If you are in a shared space, a post it on your monitor is a bad idea. But if it’s in your home, a note in a book near your desk seems reasonable. My thinking is that if someone is already in your home, access to your passwords isn’t going to be your top priority, provided you’re not a spy or something.

Speaking of banks, I wish I could pick security questions, and not just use theirs. I know it’s possible to make up bogus answers, but if someone is asking for my paternal grandmother’s first name, I’m always going to think of the true answer before any made-up answer.


#7

I am surprised that he recommended the method based on initial letters of words in a sentence. My gut feeling would have been that the entropy is a bit on the shitty side.


#8

As long as the sentence is not something you’ll find in a book or on the internet you should be alright, but you will need to choose a fairly long one because you never know when some site is going to have a really crappy hash function that can be brute forced up to 14 characters (coughcoughNTLMcoughcough).

Made up words are also a reasonable solution IMHO. “My, the 2 takaps are winberly!” Something that sounds like words, but isn’t found in any dictionary. Things that sound like words are much easier to remember.
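As an added illustration of the sentence-initials method and the length point made above (example code written for this page, not from the thread or from Schneier's article), the following derives the password from a sentence, scores the search space an attacker would have to cover, and checks it against a constructed 14-character brute-force floor taken from the comment about weak hashes:

```python
import math
import string

# Added example, not from the thread. Builds the "initial letters" password:
# first character of each word, plus any punctuation glued to the word, so
# digits and symbols in the sentence survive into the result.
def initials_password(sentence: str) -> str:
    out = []
    for token in sentence.split():
        out.append(token[0])
        if len(token) > 1 and token[-1] in string.punctuation:
            out.append(token[-1])
    return "".join(out)

# Upper bound on the search space: assumes the attacker knows which
# character classes are present and tries every string of that length.
# It overstates the real entropy of a sentence-derived string, because
# first letters of English words are far from uniform (the concern in #7).
def keyspace_bits(password: str) -> float:
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0

# Constructed floor from the comment that a weak hash can be brute forced
# "up to 14 characters": anything at or below that length is rejected.
BRUTE_FORCE_REACH = 14

def long_enough(password: str) -> bool:
    return len(password) > BRUTE_FORCE_REACH

if __name__ == "__main__":
    for sentence in ("My, the 2 takaps are winberly!",
                     "My, the 2 takaps are winberly, and the 7 dorbs went home early!"):
        pw = initials_password(sentence)
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, long enough: {long_enough(pw)}")
```

The short sentence from the comment yields an 8-character password inside the brute-force floor; the longer sentence clears it, which is the point made above about choosing a fairly long one.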


#9

It has always baffled me that two-factor verification is not more widespread. Why are my video game accounts more secure than my online banking accounts?


#10

Password security is, IMO, simple. Two step anything of value, and consider your e-mail to be the most valuable thing you have. Outside of that, come up with a big long ass password for your password locker and call it a day. Every site gets its own password. It is pointless to have 1 good password. It only takes one site to get hacked and your 1 good password becomes about as good as having your password be “password123”.

Now, is there a danger in having your passwords in a password locker? Sure. If your computer gets owned, you are effectively screwed for anything that doesn’t have 2-step on it. However, if your computer is owned, you are already screwed no matter what method you are using. A password locker protects you where you are most vulnerable, and that is having 200 accounts on 200 web pages with varied levels of security. You personally are not a large target, but a website with bad encryption a few tens of thousands of passwords and e-mail is a blinking neon sign. The best you can do is defend against the most obvious and persistent attacks, 2-step anything that is important, and accept that if you are facing a persistent threat from the NSA or the mafia, you are effectively screwed regardless of the method you pick.

Honestly, I find that for most people, once they switch to a password locker they find it is so much easier than they wonder why the hell they didn’t do it earlier. When I found out that a site I use is hacked, I just wipe that one entry and call it a day. On top of that, I never struggle to remember which stupid password I have for which sites. I just open up the old locker, spew out some 20 digit non-sense, and call it a day. Seriously, use a password locker.


#11

I’m hoping that Steve Gibson’s SQRL project solves this problem. If you haven’t heard about it, check out the link. Steve’s solution is so simple and elegant, once you’ve seen it, you’ll wonder why no one came up with it years ago.


#12

Yeah - management of my fake/clever answers is probably more of a management issue than my passwords.


#13

There are two purposes of personal answers:

1 - requesting a password reset
2 - additional validation when logging in from an unknown system

my solutions:
1 - randomly generated string responses stored in a secure password application
2 - might as well go with real answers here, seeing as it’s in addition to your correct password


#14

Drives me up the wall. I use a site or two that actually force your password to be exactly eight characters - and reject lower case. Are they aiming for minimum entropy?

At the same time, the site used to apply for Federal jobs has the toughest regimen I’ve ever seen - upper, lower, numbers and symbols, and no consecutive digits or triple repeats, a new password forced every 90 days, and if you mis-type it three times, you get locked out until you call. What do they expect - Osama is going to crack in and submit a resume for me?


#15

My two problems with that one are: the information is probably out there, and if it is not, I am giving it to someone that anecdotally may not bother to hash or salt it.


#16

I would like to take this opportunity and nag that Hotmail - Outlook only allow passwords up to 16 characters.
Why would they do that? It’s not like Microsoft is the convenience store on the next block. Is it so expensive for them to allow usage of passwords longer than 16 characters?


#17

Not having used one, my question with a password locker would be: what happens if I want to reformat my disk or if my disk dies?


#18

Have a backup. Or more than one preferably.


#19

Because there are higher penalties and more law enforcement dedicated to protecting bank accounts than video game accounts.


#20

Valid point. And there’s some things you may want to keep to yourself (your first love, etc). If all your most private information has leaked you can no longer prove you’re you.

Then we must stick with solution 1.