Excellent advice for generating and maintaining your passwords

One of the things holding me back from using a password manager is being able to access my passwords anywhere. I’d never thought of using Dropbox but this seems like a fairly good solution. I might give KeePass a go.

Indeed. Using Wikipedia as a resource, adding a random word from a 7776-word dictionary adds ~13 bits of entropy, while adding a random character adds ~6 bits of entropy. Adding one character makes your password 2^6 = 64 times as hard to guess, while adding a word makes it 2^13 = 8192 times as hard to guess, or about the same as adding two random characters (and probably much easier to remember than any two random characters).

The problem is choosing a random word. “Love” is a random word. “iloveponiestails” is not a good random sequence. “uniformlovepurplehospitality” is better, but since I came up with that mentally, it’s probably still suspect. Diceware gives me “UnityMullOfMiltCupidChop” for ~78 bits of entropy, generated randomly. That is, an attacker could know that I used this website to generate the password from six random words, and it would still take them 221,073,919,720,733,000,000,000 attempts (that’s 221 septillion attempts, or ~700,000 years at 10 billion passwords per second). That’s if they know the word list that I started from.

Schneier is both right and wrong: He’s wrong in that, done properly, stringing together a bunch of random words is a really good way to pick memorable passwords. He’s right in that people will hear “pick four random words” and then string four words together that fit together, and thus will create an insecure password.

There’s not much you can do to prevent people from following well-written instructions poorly, but that’s no reason to criticize the instructions.

The bottom line is there’s really no such thing as a secure password. Any password can be cracked given enough time and resources.

The only real defense is some sort of multi-factor authentication. While not perfect it massively reduces the likelihood of an attacker compromising your account.

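The Diceware entropy arithmetic from the comment above (7776-word list, six words, 10 billion guesses per second), worked through in Python as an added example; this is not code from the thread or from the Diceware project, and the word list is a constructed placeholder standing in for a real one.

```python
import math
import secrets

LIST_SIZE = 6 ** 5          # a Diceware list has 7776 entries, one per five-dice roll
DEFAULT_RATE = 10 ** 10     # guesses per second, the rate assumed in the comment
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed placeholder list (not a real Diceware list): entry i is just "w000i".
WORDLIST = [f"w{i:04d}" for i in range(LIST_SIZE)]

def bits_per_word(list_size=LIST_SIZE):
    """Entropy contributed by one uniformly random word from the list."""
    return math.log2(list_size)

def passphrase_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n independent random words, assuming the attacker knows the list."""
    return n_words * bits_per_word(list_size)

def guesses_to_exhaust(n_words, list_size=LIST_SIZE):
    """Size of the search space an attacker who knows the list must cover."""
    return list_size ** n_words

def years_to_exhaust(n_words, rate=DEFAULT_RATE):
    """Worst-case time to try every passphrase at the given guess rate."""
    return guesses_to_exhaust(n_words) / rate / SECONDS_PER_YEAR

def dice_key_to_index(key):
    """Map a five-digit dice string such as '36512' to a list index in [0, 7775]."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"not a five-dice roll: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index

def roll_dice_key():
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def generate_passphrase(n_words=6, wordlist=WORDLIST):
    """Pick n words exactly as physical Diceware does: one five-dice roll per word."""
    return [wordlist[dice_key_to_index(roll_dice_key())] for _ in range(n_words)]

if __name__ == "__main__":
    words = generate_passphrase(6)
    print(" ".join(words), f"~{passphrase_bits(6):.0f} bits,",
          f"~{years_to_exhaust(6):,.0f} years at {DEFAULT_RATE:,} guesses/s")
```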

So many people use online programs/apps/services to remember their usernames/password combinations…which is rather ludicrous in these current times of websites being hacked. Those password-saving-auto-insert apps will eventually be hacked and the whole point of protecting users’ security on the InterTubes will be lost.

My solution (tried and true way): I keep a small book with usernames and passwords hidden in my apartment…out of sight but easily reached when needed. The only way people can get my list of unique names/passwords would be to break into my household. I doubt I live a life when going through that trouble is worth it for anyone. Besides, they’ll never find it in the empty ice cream tub in my freezer! -)

TQQdles™

Sometimes you even run into sites that forbid common non-alphanumerics from the EN_US keyboard layout. Spaces, forward and backslashes, similar seemingly innocuous punctuation.

Aside from being annoying (probably far more so for people using character sets that aren’t basically 21st century ASCII), those sorts of rules always make me nervous because they suggest that the path your password takes in being passed around and munged on the site’s systems may be longer and more decrepit than you would like. Especially when the forbidden characters are escape sequences in some common language or ones that interfere with less-than-robust string handling tools.

You want your password to be a nice salted hash and nothing else as soon as possible; so the more rules about what you cannot do (as opposed to complexity requirements), the stronger the temptation to suspect that your password is being passed around in plaintext, possibly even retained permanently in plaintext, used to authenticate against some legacy backend that Doesn’t Do unicode, etc.

What always makes me sad is that the tech, even relatively standardized, has been available more or less forever to do things nice and robustly. Certificate-based authentication is markedly harder to defeat than any password (it’s basically at the ‘try to steal the private key of an SSLed website’ level of challenge); and the hardware for storing them securely and keeping them off a potentially compromised local filesystem (you can do certificate authentication that way, as well, and it’s still better than passwords; but if your system is compromised you are pretty screwed) is quite cheap. SIM cards do pretty much exactly this all the time for maybe $1/unit, probably less in quantity.

There is some limited adoption (in the US, CACs are standard on the DoD side, PIVs common but less ubiquitous for civilian applications; and some governments have implemented similar things in national ID cards), and you can buy a YubiKey or something if you want a handy USB-attached DIY option; but good luck getting most websites to care.

Even things like banking and brokerage accounts often take some arm-twisting to get a basic RSA-fob style authenticator, rather than some goofy SMS-based ‘2nd factor’, and those have real money on the line.


I’m personally not comfortable with LastPass because of the small but nonzero risk involved in the service being compromised as it was last year. Granted, making off with the password hints, salts, and authentication hashes still makes for a bit of work on the attacker’s part without the vault, but it still left me with cold feet.

Others have mentioned and I agree: KeePass + Dropbox is great for ease of use and having just a little more control over the vault. Now I only need to remember two passwords: my Dropbox account and the master password for the vault. And then hoping that the NSA doesn’t have an arrangement to be shipped a copy of every *.kdb file every so often. My capacity for extreme paranoia just isn’t what it used to be.

Why two-factor or multi-factor auth isn’t more widely available makes me sad. Too few orgs put a price tag on security until after it bites them in the face.


Well, you can always use diceware with a word list composed of Diablo 2 character names.

My BB password:

xXxDemonxXxIHeartB00bsxXBewbXxxXxXAssassainXxXxBestBarbLol
