Pick a good password, then never change it

Maybe they expect the government to bail them out…

FIFY

1 Like

So many of the posts here make me sad.

Right now, the best form of password protection is to use a long (14 character minimum) randomly generated password for each site. This means you really should be using a password manager program to generate and store your passwords for you. The most important aspect of any security tool is that it is convenient for you to use, or you won’t use it. Therefore, I highly recommend you select a tool that allows all your personal phones, tablets, and computers to share the same password database, and it should sync automatically. Once it starts to make your life easier, you’ll trust it more, and it will improve your personal security the more you use it.

At the risk of promoting things inappropriately, there are some password managers that I have a lot of experience with and knowledge of, and I want people to consider any of these to be excellent choices.

KeePass is a free, open source tool that is trusted by security professionals worldwide. There are several versions that can all share a common database; you might find KeePass-XC to be a convenient version that offers browser plugins for all major browsers. It offers TOTP, ssh key storage, and other features useful to computer security people. The main drawback is that syncing the database is left entirely up to you; you can use DropBox, Google Drive, OneDrive, iCloud, or whatever floats your boat. But you have to set it up yourself, which can be a technical hurdle too high for some people. KeePass is used by info sec professionals worldwide; I happily use it at work, and highly recommend it (if you can handle the syncing on your own).

Bitwarden is another completely open source tool with plugins for all major browsers and operating systems. The company behind it offers free storage on their web servers, which makes it very convenient for syncing passwords across all platforms, like iOS, Android, Windows, and Linux. You can also install their open source server on your own systems to host your passwords yourself, if you don’t want to trust their servers. I use Bitwarden for my personal passwords, as I frequently use every major platform and several different browsers on each. They have a “premium version” where you can pay them a nominal amount (something like $10USD/year) and you can get some extra features like 2FA / TOTP support.

The iOS Key Ring is a great built-in choice for people who are 100% Apple. I highly recommend it for them – convenience is off the charts, and their security is top-notch.

Some of the infosec people I work with swear by a Yubikey device and LastPass password manager. These are commercial tools that offer real convenience for a secure touch-to-authenticate system on desktop/laptop systems. Because they require a physical USB key, they offer peace-of-mind when you unplug it from your system and put it in your pocket. I’ve strongly considered them for home use, but I don’t want to carry their dongle along with my iPhone. An excellent choice for paranoid people who don’t mind the inconvenience of carrying a physical key.

Pen and paper is a solid choice for people who don’t want to master the technical challenge of installing or using a password manager. I know only a few hackers who are able to attack a piece of paper folded up in your wallet. It can’t solve the problem of creating a strong random password for each site; additional education is required for that. But if it’s something that a person can be comfortable using, I encourage them to use it – it’s a lot better than reusing passwords everywhere.

Turning to passwords themselves, they need to be unique per site, and they need to be a long string of truly random uppercase, lowercase, and digits - 14 at a minimum, 22 for “over-the-top” strength. If you need symbols to pass a website’s “special characters rule”, you can always insert a couple randomly by hand - they won’t add appreciably to the password’s strength, but they won’t subtract from it either. All the open source password managers I mentioned have high quality password generators.

I don’t want to get into the math of passwords and password rules here, or the cryptography of securing passwords. There are a few more security points I’d make:

  • Special character requirements are designed to get humans to make slightly stronger password choices, but people are still people, and the end results are generally only slightly better than window dressing. “password1!” isn’t an order of magnitude better than “password1”.
  • Special character requirements are meaningless when it comes to high quality randomly generated passwords, but you still have to deal with the rules.
  • Password reuse across sites is a huge problem that leads to “Account Take Over” (ATO) attacks. If you use the same password for your cat-fancier[.]com web site as you do for your pricy-jewelry[.]com shopping account, the worst is eventually going to happen – some attacker is going to crack the jewelry store site, and then reuse your password to post kitty pr0n on your other account. Or maybe they’ll just buy thousands of dollars of gift cards on your account at a national retailer.
  • Percentage-wise, I wouldn’t trust most websites to properly handle your passwords; but it’s virtually impossible to tell from outside which ones are doing a good job with password security, and which aren’t.
  • A site that offers 2 factor authentication is doing much better than a site that doesn’t have it; however, it is not infallible. If someone is spear phishing you directly because you’re a high value target to them, there are ways they can intercept the SMS messages with your 2 factor codes.
  • A site that outsources logging in to a dedicated identity/security company (i.e. okta) is probably doing the right thing.
  • A site that outsources payments to a third party is probably doing the right thing. That said, some of those third-party sites are pretty skeevy looking.
  • If I don’t trust a site and they have the option, I’ll use PayPal instead of entering my credit card. I hate giving PP the revenue, but they’re generally very good about security.
  • As a class, medical sites (like radiologists, surgeons, anesthetists, etc.,) have the f*cking worst security around their bill paying processes. Like if I drove to their offices and handed them my card I’d still expect it to get hacked. Charities are a close second, but at least they have an excuse: they usually can’t afford good security.
  • Another security advantage of a password manager built into a browser is that they aren’t fooled by phishing websites. If someone tricks you into logging into www[.]mybamk[.]com instead of www[.]mybank[.]com, your password manager won’t find the password and won’t enter it for you.
  • Password rotation is a problem that can be easily solved by using a password manager. When you aren’t reusing a password in multiple places, they’re just not that hard to change.

Disclaimer: InfoSec is my day job; password strength and password policies have been part of my training, my graduate degree program studies, and my security certifications. But you’re reading this advice from the comments section of BoingBoing, which means you still need to consider the source before taking your own actions.

11 Likes
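The password advice in the post above (14 to 22 characters drawn uniformly from upper, lower and digits, with a couple of symbols inserted by hand only when a site demands them), as an added Python example that is not from the post or any of the managers it names; the function names and the 8-symbol set are my own choices:

```python
import math
import secrets
import string

# The post's recommended alphabet: 26 + 26 + 10 = 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 14) -> str:
    """Uniformly random password over ALPHABET, using the OS CSPRNG (secrets),
    never the random module. Enforces the post's 14-character floor."""
    if length < 14:
        raise ValueError("minimum recommended length is 14 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Only holds for generated passwords, not human-chosen ones like 'password1!'."""
    return length * math.log2(alphabet_size)


def add_required_symbols(password: str, count: int = 2,
                         symbols: str = "!@#$%^&*") -> str:
    """Satisfy a site's special-character rule by inserting symbols at random
    positions. Nothing from the original string is removed, so the search space
    an attacker faces can only grow, matching the post's 'won't subtract' remark."""
    chars = list(password)
    for _ in range(count):
        position = secrets.randbelow(len(chars) + 1)
        chars.insert(position, secrets.choice(symbols))
    return "".join(chars)


def strip_symbols(password: str) -> str:
    """Remove anything outside ALPHABET; used to confirm the base password survived."""
    return "".join(c for c in password if c in ALPHABET)


if __name__ == "__main__":
    for n in (14, 22):
        pw = generate_password(n)
        print(f"{n} chars, {entropy_bits(n):.1f} bits: {pw}")
    print("with symbols:", add_required_symbols(generate_password(14)))
```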

Because that’s default with UNIX and it’s also another layer protecting my KeyChain, MacOS default password manager.

Also, I just have to wake the Mac, then in 99% of cases it will get unlocked by my watch.

1 Like

Anecdote: In the 90s my then-employer hosted a lot of websites of newspapers and even two, three cities. Home rolled CMS, because there weren’t any else, of course.

Anyway, we actually made a high-rolling customer who enquired about his password very, very happy when we not only answered that we don’t know his password but didn’t provide a new one over form without us making the contact over the company’s official phone number and getting transferred to him. Even though we regularly did business over his direct number and with him directly.

2 Likes

It seems like every single year, I read an article saying that passwords would be infinitely more secure and much easier to remember if they were sentences (including spaces between words) instead of single blocks of letters/numbers/symbols. Why is this not happening? What are the technical obstacles to having sentence passwords?

This isn’t normally how password managers work.

There’s little risk of a service-wide database leak because the services don’t have your passwords, they have encrypted nonsense versions of them (and each person’s vault is encrypted using their individual key).

In fact, using a password management service winds up being rather similar to using something like Keepass and backing it up in the cloud.

The big players all encrypt on device and synchronize the encrypted gobbledygook. Assuming they’re doing the encryption correctly and your password is a good one, the biggest risk is from the local tools you use to interact with your password database (i.e. the app, browser plugin, command-line tool etc).

This means that while my password vault might be compromised in some way, other users’ vaults won’t be unless they’ve individually fallen prey to the same vulnerability. This is another reason why device security should be top priority, regardless of what password manager you use.

At the same time, there’s a potential vulnerability with password manager services that’s not found in the Keepass-and-backup model: if the password you use to log into a password manager service’s website is the same password you use to unlock your password vault, the info required to derive the encryption key and decrypt your vault is temporarily present in RAM on the server (Lastpass–not an endorsement–used to say this quote plainly in their docs). This should not be true when you log in using the app or browser plugin.

Some of the cloud services like Bitwarden (again, not an endorsement) are open source like Keepass, so you could run your own cloud password manager…if you’re braver than I am :scream_cat:.

2 Likes

With your level of distrust to this infrastructure, I would suggest you take out the intermediary.

At least the Syncthing software I am running is capable of working with runtime conditions. Hence, I can run the service only while my device is on a specific WiFi. Sync is done locally, device-to-device. Which is fair enough for me, if I return home more than once a week. I use this for large amounts of data (e.g., media content), and it’s beautifully fast.

If syncing locally isn’t for you:

I do trust the router a bit. I can protect the open ports from being attacked by restricting the access to these ports further, e.g. setting up limits for unsuccessful connects. YMMV.

You could also run your own Syncthing server, as per their documentation. I haven’t looked at it, since I don’t need it, but I would assume I could thus run my own peer-to-peer network.

If your level of distrust is even higher than that, then I would wonder how you get anything done on the internet… :wink:

Re: keepass -

More than once, this didn’t work for me in the past, but not on Syncthing - I used Dropbox. Again, YMMV.

  • In case of break-in. Having one’s computer stolen goes from “minor annoyance” to “terrifying life destroying ordeal” if the thief can easily access your data on that machine. A password is sufficient there, because the average petty burglar is only interested in reselling the hardware on Craigslist. However, if your personal data is right there for the taking, well…
8 Likes

I’ve now taken to recording the questions and answers in my password manager.

Too many times I’ve had the problem of, I can remember the answer, I just can’t remember the exact capitalisation I entered when first asked. Was it 123 Street Street, 123 Street St, 123 Street st, etc.?

2 Likes

This chart is misleading. It represents the time to crack a single iteration of unsalted MD5 – something that has not been an acceptable practice since the 90s, and should be considered gross negligence today. While there certainly still are services out there that do store passwords this way, this chart is absolutely inapplicable to, say, a Google password.

If you’re hosting your own cloud storage at home, such as with NextCloud, OwnCloud, or similar, having all your personal devices share a KeePass database file is a solid choice – I ran that way for several years. If you have a home server running docker, Bitwarden offers a docker image hosting their server (cf. “braver than I”).

Note that all of these solutions continue to work offline. So if the home cloud fails, you still have local copies of your password file in your phone, tablet, and PC.

I’ve read relevant chunks of the Bitwarden client code, and I trust the cryptography in use, so I don’t mind having bitwarden.com host my encrypted password data on their backed-up servers.

2 Likes
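The point about the chart modelling a single unsalted MD5, as an added Python example (not from the post or any product mentioned): it contrasts that legacy scheme with salted PBKDF2-HMAC-SHA256 from the standard library, and shows how the chart's time scales with the work factor and with per-user salts. The function names and the 600,000-iteration default are my own choices.

```python
import hashlib
import hmac
import os


def legacy_md5(password: str) -> str:
    """What the crack-time chart models: one unsalted MD5 per guess. Two users
    with the same password get the same hash, and one guess tests every account."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> tuple[bytes, bytes]:
    """Salted, iterated hash: a fresh 16-byte salt per user, and each guess costs
    the attacker `iterations` HMAC computations instead of one MD5."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def chart_time_multiplier(iterations: int, accounts: int, salted: bool) -> int:
    """How much longer cracking every account in a leaked table takes, relative
    to the chart's unsalted single-MD5 baseline: each guess costs `iterations`
    hashes, and with per-user salts a guess must be recomputed per account
    rather than checked against all of them at once."""
    return iterations * (accounts if salted else 1)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    print(legacy_md5("Tr0ub4dor&3") == legacy_md5("Tr0ub4dor&3"))  # True: identical
    s1, d1 = hash_password("Tr0ub4dor&3")
    s2, d2 = hash_password("Tr0ub4dor&3")
    print(d1 == d2)  # False: salts differ
    print(verify_password("Tr0ub4dor&3", s1, d1))  # True
    print(chart_time_multiplier(600_000, 10_000, salted=True))
```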

This topic was automatically closed after 5 days. New replies are no longer allowed.