Creating and Managing Good Passwords

As cracking tools have become more efficient, what counts as a good password has changed. At the time of this writing, 14-16 characters is pretty much the minimum length. And many of the old schemes we’ve used in the past, such as substituting characters or using the first letters of words in a phrase, are so well known that they are no longer secure.

Ideally, you should use a long unique password for each site you login to. The best passwords are a random mix of text, numbers and special characters. But few can remember this kind of password.

Fortunately, you don’t have to, if you use a password vault, like 1Password, Keypass, or LastPass. Some programs support browser plugins that will autolog the passwords. Some vaults can be stored in Dropbox, and LastPass stores them in their cloud. One thing to consider is the nature of the vault. 1Password stores indvidual logins as separate files, and that makes it easy to sync with systems like Dropbox or iCloud. KeypassX, the OSX port of keypass, stores the keys in a monolithic file, so syncing and backups become more complicated as the vault grows.

Ok, so you have a vault. The vault itself requires a password, and that one should be:
Long, as in more than 16 characters at least.
Easy to type, because you’re going to be typing it a lot.
Strong, ideally including letters, numbers, and special characters.

There are a lot of schemes out there, but also a lot of schemers. Pretty much any system one uses have been subject to scrutiny by crackers, so relying on a scheme that produces a very complex password won’t help much, and is likely going to result in a password that is both hard to remember and hard to type. Ars Technica has a good article on the advances crackers have made, and they ran a test in which three crackers tore apart a password list, one got 90% of the 16,000 passwords in a 20 hours using commodity hardware, although in fairness, the encryption they were breaking was MD5, which is not really resistant to brute forces attacks.

But if you look at the lists of passwords cracked–you can find a couple here–you typically see that regardless of complexity, it is pretty rare that one longer than fourteen characters gets cracked. So length is a key factor. And notice that some of the passwords are long and complex. The key thing to get here is that in addition to all of the bible and all of project Gutenburg, crackers use these long lists of known passwords in their dictionary files.

That being said, some of the passwords in such databases are long, and that suggests a troubling thing–that the schemes we use to generate passwords are neither truly random, nor unique. We know that human beings are not good at generating randomness, and, if you think about it, any scheme that you come of with to make passwords has probably been stumbled upon by many many other people. You can’t control how long the people creating those passwords are, so as a scheme is “discovered” by a brute force attack, that pattern winds up in the dictionary files even if no one can understand how it was generated. In a very real sense, any system that you come up, such as choosing a phrase from a song and adding some symbols and numbers is likely not very random. Most importantly, I’m not the smartest person on the planet and I don’t spend all my time scheming, so any scheme I can come up with has likely been used by others, and it’s part of the crackers’ job to figure out what scheme I’ve chosen. I don’t want to bet my security on me being more clever than the professionals.

Kerckhoffs’s Principle is apropos here: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”

Enter Dice Ware

So we need an approach to passwords based on a system that produces good passwords that are very difficult to break even when the scheme is known to the cracker, but easy to remember. The logic is pretty simple–if I can generate a random password with 80-100 bits of entropy using a system that is well known, I’m more secure than if I use an obscure scheme or a pattern that I generate.

You may have seen the XKCD cartoon about diceware. The short version is that if you randomly choose 5-6 words, you have a pass phrase that is relatively easy to remember, and more secure than 9-10 random characters. The key is the words must be random–phrases that make sense are easier to crack. For example, “bible ff few clout infra” has 83-95 bits of entropy, whereas “Xxthr{3glxg8” has 60-75 bits of entropy. And the pad will allow the password to be accept on most any system.

Tyler Atkins has a web based diceware generator you can use to play with the notion of dice ware. There’s also a link there to his password strength tester. Dropbox has a good blog entry on passwords and a good strength checker. These are handy tools to use to test passwords to see how resistant they are to programs like John the Ripper.

But you can also do riffs on dice ware, by including a pad of random numbers, capital letters, and special characters. For example, “folk patch ps final” has about 60 bits of entropy, but with a four character pad, we can get “folk patch ps N0~^ final” with about 90 bits of entropy. 90 bits is very good for a password these days.

And the really good news? If you’re using a vault, you don’t have to remember all that many passwords. You’ll need passwords for your vault, and your workstation login, and a couple of other things (like an encrypted key to store clear text backups of your vault’s database), but you really can bring it down to just a handful that you have to remember, and that means you’re that much more secure.

This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s