Password Extravaganza: Open discussion about security
In recent times, I’ve been thinking quite a lot about security on the Internet. And I mean my personal security on the Internet. There have been some recent examples of leaked passwords on some common websites (LinkedIn, I am talking about you!), and I get the impression that the way I was handling passwords in the past was no longer good enough. Luckily, I never had problems, but I thought that I needed to review my habits and to take it more seriously.
As with everything that is new, when I opened my first email account (about 15 years ago) and registered on the very first web pages, my security concerns weren’t really that important. I started with a relatively (for the time) strong password with more than 6 characters, upper- and lowercase letters plus numbers, that I could remember easily. Back in the day that was strong enough. I then started to use it everywhere. I’ll call it “password A” from now on.
After some time, I realised that it wasn’t really that good a strategy, so I got another couple of stronger passwords, and used them on “sensitive” places, like my email, which is the most important point in the chain, or later Facebook.
So, some time ago, I started to think more and more about this, and started being more conscious of password security and the challenges it presents. I am going to describe my views about passwords and my strategy for them. I am not a security expert, and I think there are a lot of wrong assumptions and myths around passwords. That’s why I want to be open about it, and try to make a “call for review” to share tips and see if I am doing something wrong and see other ways. So, please, add whatever you feel is interesting.
Safety and convenience are two parts of the equation. You can come up with a “perfect” solution that is impractical every time a common operation needs to be done. That needs to be balanced, so the problem is “how to minimise risks while adding a minimum of extra work”. If, at some moment, the extra work is difficult or laborious, you will get tired very fast and skip it / reduce the security somehow. I found that problem in some of the corporate rules, like making you change your password every three months (you’ll make up bad passwords, or reuse old ones or, worse, write them on a Post-It stuck to your screen).
That’s something that needs to be taken into account when designing any system.
There is a possible game-changer, as it is more difficult to type passwords on phones and tablets than on a full-sized keyboard. Is it possible that the growth in those devices changes the way we approach security systems? Things like detecting biometric signals (like analysing faces through a webcam, or fingerprint detection) seem possible in the medium term. On the other hand, they are the kind of thing that has looked just about to become a reality for the last 10 years.
THE WEAKEST LINK
Assume it. The most efficient way of cracking someone’s security is not with fancy cryptographic algorithms, it is by knowing him/her and using social tricks. For example, something as simple as asking: “what is your password?” (I am still surprised that some people gave me their password without even having to ask) or checking the drawers looking for a piece of paper with a written password.
A good security system starts with the following assumption: “It is not a secret if it’s shared”. So any password should live in only one place. Your head. And that’s it. No telling your friends, no telling your mother, no writing it down.
Of course, you are also exposed to other, more insidious social methods, specifically addressed to you, like guessing your password from personal knowledge. Or more expeditious methods. But that’s more an issue in movies or in cases where you are in charge of really important information (like industrial or military secrets, for example).
In general, for us mortals, security is like a good lock on a bike. Someone with enough motivation and resources will steal it anyhow. But it makes them take more time or need better tools than usual, and diverts the attention to the rest of the bikes, with worse locks, as preferable targets. Just be vigilant and cover the basics.
PASSWORDS vs PASSPHRASES vs ENTROPY
There seems to be a significant amount of debate about what entropy means in terms of passwords and what the best tips are to get a password that is difficult to crack, which is not necessarily the same thing. We all agree that having a common password (one in the list of the 10k most common passwords) is a Very Bad Thing™, and should be avoided. But I am not that sure that, once you move away from obvious words and increase the length, the rest of the “add entropy” methods really make that much of a difference.
Sure, for short passwords, putting something like “X5t$5^” can be safer than “ispass”, but if we move to the realm of long passwords, something like “it.is.a.bird-it.is.a.plane-it.is.superman” is much easier to remember and it is very unlikely that it is present in a dictionary or rainbow table. Once your password enters the “not easy to guess with a smart general approach” realm, brute force is the only option, and in that case, the length of the password is the most important consideration.
Note that you can select a rather ridiculously long phrase (for a password), that doesn’t even need to be random, and can have some meaning. For example, something like: “Obi-Wan – These are not the droids you are looking for” is easy to type and easy to remember, and quite long in terms of characters (54). You can remember a memorable joke of a friend; or your favourite line of a movie, TV show or book (better if it’s not that famous / obvious). Adding a little personal touch like the punctuation, a nickname, a private joke, or similar stuff can make a very strong passphrase while keeping it simple to remember and to type.
Changing some of the letters with the usual l33t talk seems a little overkill to me. I am not comfortable with that, as it adds more confusion to your password than it adds to the difficulty of breaking it. It is simpler to use a longer password, adding more words or just being creative with the punctuation.
I would suggest trying to make it a little memorable and/or fun, so you type it with a smile on your face. This way, the extra characters are not as tedious to type.
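To put numbers on the “length beats tricks” argument above, here is an added example (not part of the original post) that sizes the brute-force search space the way an attacker would: from the password’s length and the character classes it uses, or, for a passphrase, from the number of words and the dictionary size. The guess rate of 10 billion per second is an assumed figure for an offline attack against a fast hash; the three passwords are the ones discussed in the post.

```python
import math
import string

# Character classes an attacker would assume after seeing which kinds of
# characters a password uses (printable ASCII: 26 + 26 + 10 + 33 = 95).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet the attacker must search: the union of every
    class that appears in the password (characters outside ASCII are ignored)."""
    used = set(password)
    return sum(len(cls) for cls in CLASSES.values() if used & cls)


def brute_force_bits(password: str) -> float:
    """Search space in bits when the attacker knows only the length and the
    character classes used: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(n_words: int, vocabulary: int) -> float:
    """Search space in bits when the attacker guesses the passphrase as a
    sequence of dictionary words instead of individual characters."""
    return n_words * math.log2(vocabulary)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return (2.0 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def compare(password: str, guesses_per_second: float = 1e10) -> dict:
    """Summarise one password as an attacker with the given guess rate sees it
    (1e10/s is an assumed offline rate, not a figure from the post)."""
    bits = brute_force_bits(password)
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(bits, 1),
        "years": expected_crack_years(bits, guesses_per_second),
    }


if __name__ == "__main__":
    for pw in ["ispass", "X5t$5^", "it.is.a.bird-it.is.a.plane-it.is.superman"]:
        print(pw, compare(pw))
    # Even if the attacker knows the passphrase is 11 common words from a
    # 10,000-word list, the word-level space is still far beyond brute force.
    print("word-level bits:", round(wordlist_bits(11, 10_000), 1))
```

The short symbol-heavy password gains about 11 bits over the six lowercase letters (95 vs 26 possible characters per position), which is minutes instead of seconds at the assumed rate; the 41-character passphrase is over 240 bits at the character level and still around 146 bits even when attacked word by word.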
Some examples of what I mean (you can probably recognise where they come from):
I also use random passwords generated with a password manager (more on that later); the problem with those is that you can’t expect to remember them, so they are always behind another layer and are used on a copy-paste basis.
A very very interesting website dealing with passwords and computer security in general is http://xato.net. I encourage everyone to take a look for insight and ideas.
I use a password manager. In my case, 1Password, which has some good features like using Dropbox to share passwords across different computers and iOS integration. There are other free alternatives like KeePass. I protect it with “password X”, which is a passphrase following the principles stated above.
I generate and use a different random password for every account I create, mostly (but not limited to) web pages, with a couple of exceptions described later. All generated passwords are 25 characters long (or as long as possible, if there is some restriction). Of course, that means that I need to access 1Password to be able to access all those accounts (that’s why the Dropbox integration comes in handy). I also keep a backup of the password file.
Curiously, my Dropbox password is generated this way, so, in case I need to install Dropbox on a new machine, I have to take a look at my phone to copy that long password. Not that I have to do it every day.
To migrate an old account, I just log in with my previous password (“password A”) and change it with the manager. I have migrated all the accounts I use regularly, and most of the ones that I use less frequently. There are some accounts I haven’t migrated yet because they are basically inactive or I forgot about them. Changing the password takes a few minutes, so I do it every time I discover an old account. It is also handy from the point of view of having a place with a list of all your online accounts. You get a lot of those over the years.
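Generating a 25-character random password that still fits a site’s restrictions is the part a password manager does for you; the following is an added example of how to do it correctly (not 1Password’s or KeePass’s code). The symbol set and the 25-character default are choices of this example; the one rule that is not negotiable is drawing the characters from the operating system’s CSPRNG via `secrets`, never from `random`.

```python
import secrets
import string
from typing import Optional

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # conservative set that most sites accept (assumption)
DEFAULT_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 25, max_length: Optional[int] = None,
                      alphabet: str = DEFAULT_ALPHABET,
                      require_each_class: bool = True) -> str:
    """Random password of `length` characters, capped at the site's `max_length`
    and restricted to the site's `alphabet`. Uses `secrets` (OS CSPRNG)."""
    if max_length is not None:
        length = min(length, max_length)
    allowed = set(alphabet)
    # Only classes the site's alphabet actually contains can be required.
    classes = [c & allowed
               for c in (set(LOWER), set(UPPER), set(DIGITS), set(SYMBOLS))
               if c & allowed]
    if require_each_class and length < len(classes):
        raise ValueError("length too short to contain one character of every class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the result uniform over the passwords that
        # satisfy the policy; forcing fixed positions would bias the distribution.
        if not require_each_class or all(set(candidate) & c for c in classes):
            return candidate


def satisfies(password: str, alphabet: str = DEFAULT_ALPHABET,
              max_length: Optional[int] = None) -> bool:
    """Check a password against a site's character and length rules, e.g. before
    pasting it into a signup form that silently truncates."""
    return set(password) <= set(alphabet) and (max_length is None or len(password) <= max_length)


if __name__ == "__main__":
    print("default:", generate_password())
    # A site that allows only 12 alphanumeric characters: take the most it allows.
    print("restricted:", generate_password(max_length=12, alphabet=LOWER + DIGITS))
```

The retry loop matters more than it looks: the common shortcut of generating a password and then overwriting, say, position 0 with a digit makes some passwords far more likely than others, which is exactly what an attacker modelling your generator wants.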
The email account is, basically, your identity on the Internet. It is your most important account, as you can reset passwords and verify emails from there. So it gets special treatment. It has its own “password Y”, which also follows the principles stated before. For convenience, it is stored in the password manager, but I know it, and can use it without the password manager. That is important in cases where I don’t have my computer, but I want to check my email. Now, with the use of 1Password on my phone, I’m not sure it’s that important.
Another great security measure is to activate two-step authentication, which adds a quite strong extra security layer. I’ve heard enough horror stories about impersonated email accounts, and I am a little paranoid about that.
I have another password (“password Z”) for root access and computer login access. I am not very mobile with my computers (I have a laptop that leaves home around 3-4 times a year), so I share one between my work computer and my home computers. It is not as long as “password X”, as I need to use it more often, but the principles above still apply.
Of course, it would be possible to physically access one of my computers, crack that easier password, and then access my email. I can remotely wipe my computers if necessary. I hope I never have to use it.
To handle my online bank accounts, I have other passwords, as the banks force you to use their own systems, like 4- or 6-digit passwords, etc. The password for each bank I work with is different.
In one special case, I use my Spanish ID card, which has a chip with a digital signature. That means that you connect the ID card to your computer with a card reader, enter your ID card password, and use that certificate to log into the bank. In Spain, that ID card is mandatory for everyone.
You only have three attempts to get the password right before the ID chip gets locked, and you need to unlock it on special machines with biometric information (your thumbprint).
That is probably the safest way, but it is very inconvenient, as installing all the software and keeping it working is a nightmare. My solution to avoid problems with software updates, OS changes, etc., has been to use a Virtual Machine (after spending A LOT of time configuring it), which I think is beyond the grasp of the average user who could benefit from this system. I hope that gets improved and simplified in the future.
Well, that’s basically it. As you can see, excluding banks, I only keep 4 passwords in my head: password A (my old password, which is being replaced), password X (password manager), password Y (Gmail) and password Z (login and root access on my computers). The password manager makes it quite convenient to log in or get the password for any other account I need from there.
I would like to encourage you to share your thoughts on possible weak points and comments, as well as describing your strategies for dealing with your computer security, and how you find a balance between convenience and safety. So, what do you think?
EDIT: I’ve submitted this post to Hacker News and Reddit. Please share!
Have you tried smartsignin? It’s a pretty good alternative.
I didn’t know it. I am taking a look at it. One inconvenience I’m seeing is that it is a service (not an independent program). For this particular case, my idea would be to try to own the data and the program, not to rely on an external service. If I don’t own the data directly, I depend on that company, which can disappear or have other kinds of problems.
I feel safer owning that data.
Anyway, it also looks like it is oriented more to companies than to consumers.
I checked out 1Password and found that they are only using 128 bit AES encryption which can hardly be called secure. That’s disappointing.
Great post! The tips on phrases are very helpful.
I’ve been using Ascendo DataVault password manager http://www.ascendo-inc.com/DataVault.html and I’m pretty satisfied. It also synchronizes via Dropbox or Wi-Fi and is cross-compatible between Windows, iOS and Android which is just what I needed. I use it not only to store passwords but login data, frequent flyer data, customer service phones, etc.
Yes, I also use it as a repository of “handy info”, especially sensitive data like bank account numbers, or social security numbers.
I love the password examples you gave. My favorite is “Fandango;Galileo;Figaro;Magnifico”
I have used passphrases for over a decade. I stay away from popular quotes (like the Obi-Wan one) because they could be easily included in a rainbow table (e.g. with/without spaces, with/without correct capitalisation). If I use a quote I make sure it’s a misquote or a misspelling.
For not-really-there-for-my-protection passwords (i.e. no big deal if broken) I use a formulaic password based on a set salt.
I use oplop (https://oplop.appspot.com/), with a list of nicknames.
I’ve got a single master passphrase that is only used on oplop (no server has it). If someone was to obtain that and my list of nicknames, they would be in a pretty good position to take over my online identity, as every password I care about has been generated from that.
So I’m most vulnerable to some kind of direct snooping, though I imagine if an attacker obtained a significant number of my passwords, there’s probably a way to reverse that into my passphrase, especially if they have my nicknames list.
I’ve got a handful of the most common passwords memorized, and another handful of my most common sites’ passwords stored in the browser, so I don’t end up needing to use oplop all that often. I also use two-factor authentication in several places.
I prefer oplop because there’s nothing for an attacker to steal and decrypt. Not that I’m ever likely to be targeted for such an attack, but at any given time, my computer could have vulnerabilities that could allow a worm to go snooping for password databases, such as I assume 1Password generates.
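The scheme this commenter describes, one master passphrase combined with a per-site nickname and nothing stored anywhere, is a deterministic derivation. The block below is an added example of that pattern written for this page; it is not oplop’s algorithm and not the commenter’s code. The KDF (PBKDF2-HMAC-SHA256 with the nickname as salt), the iteration count and the 24-character output are this example’s own assumptions. It also shows the two consequences the comment raises: the same inputs always reproduce the password, and a single site’s password can only be changed by changing its salt, because the master is shared by all of them.

```python
import base64
import hashlib

# Example parameters (assumptions, not oplop's): a slow KDF so that recovering the
# master from a leaked derived password costs the attacker one KDF call per guess.
ITERATIONS = 100_000
OUTPUT_BYTES = 18          # 18 bytes -> 24 URL-safe base64 characters, no padding


def derive_site_password(master: str, nickname: str, length: int = 24) -> str:
    """Derive a per-site password from the master passphrase and the site nickname.
    Deterministic: same master + nickname always gives the same password, so nothing
    needs to be stored, but the master alone protects every derived password."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              nickname.encode("utf-8"), ITERATIONS, OUTPUT_BYTES)
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]


def rotated_site_password(master: str, nickname: str, generation: int) -> str:
    """Changing one site's password without touching the master: fold a generation
    counter into the salt (the counter then has to be remembered per site)."""
    return derive_site_password(master, f"{nickname}#{generation}")


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed sample, not a real master
    print("mail   :", derive_site_password(master, "mail"))
    print("mail   :", derive_site_password(master, "mail"))   # identical, nothing stored
    print("bank   :", derive_site_password(master, "bank"))   # different salt, different password
    print("mail#2 :", rotated_site_password(master, "mail", 2))
```

The weak point the comment identifies is visible in the signature: every derived password is a pure function of the master, so the master’s strength (and the cost of the KDF) is the only thing standing between one leaked site password and all the others.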
“The most efficient way of cracking someone’s security is not with fancy cryptographic algorithms, it is by knowing him/her and using social tricks.”
If someone you know is manually trying to guess your password based on information they know about you, they are likely to be blocked after a few attempts.
The vast majority of compromised passwords (99.99999%) are done automatically without knowing a thing about the person being attacked (dictionary attacks, etc.).
Agreed, that’s the common approach when you want to hack into “a machine”, but you don’t care which one.
But if you care about getting into one specific account, it’s typically better to try to guess the password with social tricks. That doesn’t mean sitting down in front of a computer and thinking about what they like. It means using tricks to make the user tell you the password (or other security information that can be used). Things like calling from “technical support” and requesting it directly. Or requesting security questions that can be used to force a “forgotten password event”, etc… When done properly, it can be very very effective.