
Topic: 7 simple rules to mitigate most threats related to passwords (Read 4959 times)

full member
Activity: 126
Merit: 100
I don't know anything about that, but I use and recommend LastPass. It is essentially the same type of thing as PasswordMaker, but works on all major browsers, has mobile apps, and is generally very secure.

In early May of this year, LastPass announced that it believed that its user database had been compromised, very much like Mt. Gox recently.  Here's a link to a story in a respected technical news source, TechWorld:

http://www.techworld.com.au/article/385447/lastpass_hack_fear_leads_password_reset/

I work as a technical writer for a Fortune 1000 firm in the U.S., in a product area that provides security software for use by banks and other institutions that deal with financial and other highly sensitive (usually legally protected) information.  I would NEVER use or recommend a cloud-based product to protect passwords to any account that is linked with a bank account that I own or a credit card that I am responsible for.  LastPass is a great idea for managing all of those accounts you have to sign up for to get access to news sites or other fun stuff, but not for the accounts that actually matter.  

For accounts that matter (your bank accounts, accounts on your credit card site, PayPal, Dwolla, investment firm accounts, accounts with a currency or stock exchange, accounts with your utility company, etc.), you need something local and secure.  I recommend keeping those passwords stored in a text file encrypted with GPG or in some other form that uses a strong encryption method.  I also recommend backing the encrypted file up on a USB dongle or (even better) a CD that you replace every time you add a password.  Finally, use a product that wipes (rather than just deleting) files on the computer that you use to encrypt and decrypt this file, and wipe the swap file every time you access that file.  Another option is to use a product that encrypts your hard disk or swap file, or both, such as TrueCrypt or my favorite, Jetico Bestcrypt.

I'm not entirely immune to hackers or a password-stealing trojan; nobody is.  But if you do what I suggested, your chances of surviving a hacker or virus intent on stealing valuable information are much improved.


hero member
Activity: 812
Merit: 1001
-
This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm
This page contains a serious flaw.  It may well be true that padding increases the strength of your password, but if an attacker cracks one of your passwords, he will know what padding to use for your other passwords.
That's true, if a password is cracked, and a human examines it. But if your password is something like 15 characters, it will take centuries to crack, so it won't be your problem if anyone ever succeeds. Smiley

For me it is all simple. I have two types of passwords. Those which I do want to remember and others (for which it is task of my computer to remember and store securely).

For those passwords which I want to remember I am fine with using Steve padding approach or something else.

For the rest of them there is not a single good reason whatsoever to make them any less random or any shorter than they can possibly be. Too bad some idiotic websites unreasonably limit maximum password length and alphabet. I'd be happy to have all such passwords 1000 symbols long. I quite often encounter systems which limit password length to 10 or even 8 characters!!! Particularly some banks are guilty of this (idiots!).



foo
sr. member
Activity: 409
Merit: 250
2. If you can remember your password, it is probably weak.
This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm

"research"? That is more like a very weak and naive claim. Old man seems to be getting way behind the curve.

With all due respect to Steve Gibson and his cute idea of easy-to-remember passwords, I am going to have to disagree with him on this. He claims that 'D0g.....................' is a stronger password than 'PrXyc.N(n4k77#L!eVdAfp9'. He should know better.

It might be the case when stupid brute force is employed, but these days attackers use much, much more effective ways to reduce the key space than simply iterating over all permutations, as Steve seems to believe. These include permutations of dictionary words with common replacements of letters by numbers, with various uppercase/lowercase scenarios, in combination with sets of the same symbols repeating, as well as other methods of reducing keyspace by emulating various patterns people use to create passwords they can remember. These techniques often reduce keyspace by many orders of magnitude.

Read the page again. The point is not that everyone should use passwords that are a dictionary word followed by the same character repeated X times; the point is that entropy is overrated, and a longer and memorable password is stronger than a shorter and impossible-to-remember one.
full member
Activity: 196
Merit: 100
Dictionary words are always a bad idea, even though you are correct that length does always make a password stronger.

Not necessarily. Four obscure words joined together may be beyond the length of what many popular cracking tools support, and of relatively high strength. Assuming each word is only found in 100k+ dictionaries, there are 100000000000000000000 possibilities.

If such passwords are not strong enough, you really need to reconsider how much of your life should be tied to computers.
full member
Activity: 196
Merit: 100
Using Sha512 instead of MD5 will change nothing.

What you mean is that it will not change enough.

Each hash will still take ten times longer, and remove a layer of script kiddies who can't be bothered finding cracking tools that support SHA-512.
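The exchange above argues that swapping MD5 for SHA-512 changes the per-guess cost by a small constant, which is not what limits an attacker. The script below is an added example, not code from anyone in this thread; it times a plain salted hash call for both algorithms against a PBKDF2-HMAC-SHA512 call with a large round count (a key-stretching construction the thread does not itself name), and converts each measured rate into the worst-case years needed to exhaust an 8-character printable-ASCII space. The sample password, salt and round count are constructed for the demonstration.

```python
import hashlib
import time

# Constructed sample inputs for timing; not values from the thread.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = b"constructed-salt-0001"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def plain_digest(algo: str, password: bytes, salt: bytes = b"") -> str:
    """A single salted hash call: all that an MD5 -> SHA-512 swap changes."""
    return hashlib.new(algo, salt + password).hexdigest()


def stretched_digest(password: bytes, salt: bytes, rounds: int) -> str:
    """PBKDF2-HMAC-SHA512: the same primitive, but with a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, rounds).hex()


def hashes_per_second(fn, seconds: float = 0.2) -> float:
    """Crude single-core throughput of fn(); only the ratios between calls matter."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        count += 1
    return count / (time.perf_counter() - start)


def crack_time_years(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust `keyspace` candidates at the given rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare(keyspace: float = 95 ** 8) -> dict:
    """Years to exhaust an 8-character printable-ASCII space on this machine."""
    candidates = {
        "md5": lambda: plain_digest("md5", SAMPLE_PASSWORD, SAMPLE_SALT),
        "sha512": lambda: plain_digest("sha512", SAMPLE_PASSWORD, SAMPLE_SALT),
        "pbkdf2-sha512, 100000 rounds": lambda: stretched_digest(
            SAMPLE_PASSWORD, SAMPLE_SALT, 100_000),
    }
    return {name: crack_time_years(keyspace, hashes_per_second(fn))
            for name, fn in candidates.items()}


if __name__ == "__main__":
    for name, years in compare().items():
        print(f"{name:30s} {years:14.1f} years (single core, this machine)")
```

The two plain digests land within a small factor of each other, while the stretched digest is slower by roughly the round count; the defender chooses that factor, whereas the choice of MD5 versus SHA-512 is fixed by the algorithm. Single-core Python rates are far below what a GPU cracker achieves, so the absolute years are not meaningful, only the ratios between rows.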
legendary
Activity: 1974
Merit: 1030
As I read all these password posts and don't happen to read any advice remotely near to the system I use, I only get more and more astonished. I just can't believe no one does this. Well, let me share what I do—may not be the best of the world but it works for me.

All* of my passwords are derived from the corresponding login and a couple of rules. Example:

  • Take a reasonable string like vU4p!,a'fZx*
  • Change its first character into the last in the login
  • Change its fourth character into the second in the login
  • Change its seventh character into the length of the login (or its last digit if the length is greater than 9)
So, if the login is "an0therlr3", the password would be 3U4n!,0'fZx*.

It takes a little practice, but it pays off. The initial string could be based on a real sentence (as already suggested on this thread) for easy remembering. You can have more than one of these rules, of course. It's important not to change the last characters in the initial string, since some sites have an absurd limit of e.g. 8 characters, and the modifications wouldn't be taken into account.

This even allows you to have the passwords written in a text file, stored unencrypted in the computer. Example:

Code:
Site, Login, Ruleset
my windows account, joesmith, 3
bitcoin forum, an0therlr3, 2
facebook, [email protected], 2

A given attacker would have to break (by brute force) at least two passwords built with the same ruleset to be able to easily break a third.



* Excluding the typical bank PIN and the likes, which are severely crippled.
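As an added illustration of the login-derived scheme in this post (this is not the poster's code), the functions below implement the three substitution rules on a base string and read a plain-text "Site, Login, Ruleset" table like the one shown. The post only shows the base string for ruleset 2, so mapping ruleset numbers to base strings is an assumption here, and the "example shop" row is constructed.

```python
def length_digit(login: str) -> str:
    """Rule 3: the login's length, or its last digit when the length exceeds 9."""
    return str(len(login))[-1]


def derive_password(base: str, login: str) -> str:
    """Apply the post's three substitutions to a base string.

    Only positions 1, 4 and 7 change, so the result still differs per site
    even on a site that truncates passwords to 8 characters (the post's caveat).
    """
    if len(base) < 7 or len(login) < 2:
        raise ValueError("base needs at least 7 characters and login at least 2")
    chars = list(base)
    chars[0] = login[-1]            # rule 1: first char -> last char of the login
    chars[3] = login[1]             # rule 2: fourth char -> second char of the login
    chars[6] = length_digit(login)  # rule 3: seventh char -> length of the login
    return "".join(chars)


def parse_table(text: str) -> list:
    """Parse the 'Site, Login, Ruleset' table the post keeps in plain text."""
    rows = []
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    for line in lines[1:]:                      # skip the header row
        site, login, ruleset = [f.strip() for f in line.split(",")]
        rows.append({"site": site, "login": login, "ruleset": int(ruleset)})
    return rows


# Assumption for this example: which base string each ruleset number uses.
# The post shows only the base string for ruleset 2.
BASES = {2: "vU4p!,a'fZx*"}

# Constructed table in the post's format; the second row is made up.
TABLE = """
Site, Login, Ruleset
bitcoin forum, an0therlr3, 2
example shop, joesmith, 2
"""


def password_for(site: str, table: str = TABLE) -> str:
    """Look a site up in the table and rebuild its password from the rules."""
    for row in parse_table(table):
        if row["site"] == site:
            return derive_password(BASES[row["ruleset"]], row["login"])
    raise KeyError(site)


if __name__ == "__main__":
    for row in parse_table(TABLE):
        print(row["site"], "->", password_for(row["site"]))
```

Running it reproduces the post's worked case: login an0therlr3 gives 3U4n!,0'fZx*. Because the table stores only logins and ruleset numbers, the base string and the rules themselves remain the secret; as the post notes, an attacker who recovers two passwords built with the same ruleset is in a position to infer the base string and the rules.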
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
I second LastPass.

Strong encryption of the password database (which even they cannot break), automatic syncing to all my computers, auto-filling of passwords and forms, and everything is encrypted on my computer, then sent.
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
I use PasswordMaker; it's way easier to remember a few settings than to remember hundreds of secure passwords, and I don't have to worry about someone finding my passwords stored anywhere (well, except in the databases of insecure sites)
member
Activity: 70
Merit: 10
Here is a much simpler way to create easy to remember (not only somewhat easily remembered) and secure passwords: Use a complete sentence as your password! If it has more than four words, it is secure enough, and if you make it a bit obscure, nobody can guess it. So instead of

Dictionary words are always a bad idea, even though you are correct that length does always make a password stronger.

And BTW, forget about these special characters and such.

Don't.

There's a huge difference between having to brute force through 65^n and 95^n. Though you don't really need that many. The passwords that I need to type often look like bab+ef+qeo+feo+F9!. It's still pretty fast to type. Most of my passwords are KeePass generated, though...
newbie
Activity: 21
Merit: 0
One way to construct a somewhat easily remembered long password is to think of a song, poem or somesuch, which you could remember in your sleep, and then apply some algorithm on the words.

As an example, pick the first three letters of each word from the first line of Paranoid:

Finished with my woman 'cause she couldn't help me with my mind

Then pick some characters to delimit the letters and maybe start or end the password. Make up some rule by which you make some of letters uppercase. For example:

3Fin.wIt.my.Wom.'Ca.she.Cou.hEl.me.Wit.mY.min%

That's 46 characters fairly easily remembered. Half of that would be enough, and in fact 3 letters may be a bit much since I ended up with a couple of dictionary words in there.

(You want the brute-force search space to be large: use one or more characters from each group: uppercase, lowercase, numbers, symbols.)

Here is a much simpler way to create easy to remember (not only somewhat easily remembered) and secure passwords: Use a complete sentence as your password! If it has more than four words, it is secure enough, and if you make it a bit obscure, nobody can guess it. So instead of
3Fin.wIt.my.Wom.'Ca.she.Cou.hEl.me.Wit.mY.min%
just use
Finished with your wife, although she helped my cat.

And BTW, forget about these special characters and such. The blanks that separate the words suffice. Special characters only make your password more complex and harder to remember. If you are concerned about the security, just choose a sentence that is a word longer.

Why? Because nothing beats length! (an increase in length adds to the exponent of the complexity, one more special character only adds to the mantissa).

In other words: Just make words the atoms of your "password" and you win twofold:
1. It is easier to recall a (near)-sensible sentence than a single word (or the trace your cat left when it walked over your keyboard).
2. It is much more secure, because it is harder to crack (both by a dictionary attack and by simple brute force).

Here is the downside: It will take you longer to enter your password...
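Several posts in this thread argue about search-space size: foo's exchange over whether a padded dictionary word beats a random string, the four-words-from-a-100k-dictionary estimate, the 65^n versus 95^n comparison, and this post's point that length adds to the exponent while an extra symbol class only adds to the mantissa. The script below is an added example (not from any poster) that puts those estimates side by side in bits. The strings are the ones quoted in the thread; the factors used for the pattern-aware estimate of the padded password (leet variants, case variants, padding symbols and padding lengths) are assumptions chosen to illustrate the shape of such a model, not measured values.

```python
import math

# Strings quoted in the thread.
GIBSON_PADDED = "D0g" + "." * 21          # the 24-character padded example
GIBSON_RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"  # the 23-character random example
ABBREVIATED = "3Fin.wIt.my.Wom.'Ca.she.Cou.hEl.me.Wit.mY.min%"
SENTENCE = "Finished with your wife, although she helped my cat."

PRINTABLE_ASCII = 95   # the 95^n alphabet
REDUCED_ALPHABET = 65  # the 65^n alphabet mentioned in the thread
DICTIONARY = 100_000   # the "100k+ dictionaries" figure from the four-word post


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Every string of `length` over the alphabet: what a naive search must cover."""
    return alphabet_size ** length


def passphrase_space(dictionary_size: int, words: int) -> int:
    """Words as the atoms: each word is one symbol drawn from a large alphabet."""
    return dictionary_size ** words


def padded_word_space(dictionary_size: int, leet_variants: int, case_variants: int,
                      padding_symbols: int, padding_lengths: int) -> int:
    """Candidates when the attacker models 'word + repeated symbol padding'
    rather than iterating over all strings. Factor sizes are assumptions."""
    return (dictionary_size * leet_variants * case_variants
            * padding_symbols * padding_lengths)


def bits(space: int) -> float:
    """Search space expressed as bits, so estimates can be compared by eye."""
    return math.log2(space)


def length_vs_alphabet(alphabet: int, length: int, bigger_alphabet: int):
    """Bits gained by one extra character vs. by widening the alphabet."""
    base = bits(brute_force_space(alphabet, length))
    extra_char = bits(brute_force_space(alphabet, length + 1)) - base
    wider = bits(brute_force_space(bigger_alphabet, length)) - base
    return extra_char, wider


def report() -> dict:
    """The thread's examples in bits under each model."""
    return {
        "padded word, naive brute force":
            bits(brute_force_space(PRINTABLE_ASCII, len(GIBSON_PADDED))),
        "padded word, pattern-aware (assumed factors)":
            bits(padded_word_space(DICTIONARY, 8, 4, 33, 30)),
        "random 23 characters":
            bits(brute_force_space(PRINTABLE_ASCII, len(GIBSON_RANDOM))),
        "abbreviated song line, brute force":
            bits(brute_force_space(PRINTABLE_ASCII, len(ABBREVIATED))),
        "four words from a 100k dictionary":
            bits(passphrase_space(DICTIONARY, 4)),
        "nine-word sentence, words as atoms":
            bits(passphrase_space(DICTIONARY, len(SENTENCE.split()))),
    }


if __name__ == "__main__":
    for label, value in report().items():
        print(f"{label:46s} {value:7.1f} bits")
    extra, wider = length_vs_alphabet(REDUCED_ALPHABET, 8, PRINTABLE_ASCII)
    print(f"one more character at 65^8: +{extra:.1f} bits; "
          f"65 -> 95 alphabet at length 8: +{wider:.1f} bits")
```

The padded string scores about 158 bits if an attacker must try every 24-character string, but only about 32 bits under the pattern model, which is the gap foo's reply describes; the random 23-character string keeps its 151 bits under either model because it has no pattern to exploit. The last two lines show the exponent-versus-mantissa point numerically: one extra character over a 65-symbol alphabet adds about 6 bits, while widening the alphabet from 65 to 95 at a fixed length of 8 adds about 4.4.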

hero member
Activity: 560
Merit: 500
Ad astra.
Does anyone use PasswordMaker ?

https://addons.mozilla.org/en-us/firefox/addon/passwordmaker/

I'm thinking of using this system.

I don't know anything about that, but I use and recommend LastPass. It is essentially the same type of thing as PasswordMaker, but works on all major browsers, has mobile apps, and is generally very secure.
newbie
Activity: 35
Merit: 0
Does anyone use PasswordMaker ?

https://addons.mozilla.org/en-us/firefox/addon/passwordmaker/

I'm thinking of using this system.
hero member
Activity: 560
Merit: 500
Ad astra.

This is not true. A properly hashed strong password would take millions of trillions of trillions of trillions of trillions of trillions centuries to break even with the most ridiculous hashing cluster you can imagine. See the link in foo's post above.

Even the Unix MD5 crypt scheme is really strong as long as you stay away from dictionary words and make sure the "search space" is large enough.

Also, once an attacker has gained access to a database, the game is pretty much over, and the passwords are only a nice bonus...

I stand corrected. Nonetheless, as you say, once the database is hacked, you're screwed anyway.
member
Activity: 70
Merit: 10
No matter how complex your password is, it can still be easily hacked if the attackers gain access to the database.

This is not true. A properly hashed strong password would take millions of trillions of trillions of trillions of trillions of trillions centuries to break even with the most ridiculous hashing cluster you can imagine. See the link in foo's post above.

Even the Unix MD5 crypt scheme is really strong as long as you stay away from dictionary words and make sure the "search space" is large enough.

Also, once an attacker has gained access to a database, the game is pretty much over, and the passwords are only a nice bonus...
hero member
Activity: 560
Merit: 500
Ad astra.
No matter how complex your password is, it can still be easily hacked if the attackers gain access to the database. A much more secure way to login that I wish more sites would implement is Gmail's two-step verification process, where you must enter your password and enter a verification code sent to your phone in order to login. I think that the time where a complicated password that would be impossible to brute force being sufficient has passed. Newer, multiple-step verification processes are necessary. Maybe MtGox can consider implementing something like that. It would sure make their users feel safer.
sr. member
Activity: 440
Merit: 250
This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm
This page contains a serious flaw.  It may well be true that padding increases the strength of your password, but if an attacker cracks one of your passwords, he will know what padding to use for your other passwords.
jr. member
Activity: 42
Merit: 2
Here is what I use to keep my passwords safe.

1) KeePass and KeePassX: I have it on my Windows systems, Linux systems and my Android phone. The database can be synced and used by all three operating systems.

2) Every site I visit has a randomly generated password using the maximum amount of characters and symbols the site would let me use.

3) Master passwords I use for the databases are a place in the world and I memorize the latitude and longitude to create my master password.  I use Google maps to find the latitude and longitude and I do not click on the most obvious place at the location.

For Example:

If I want to use the Eiffel Tower for my password at 48.8583N, 02.2945E my password would be similar to this.  I never capitalize the first letter but some letter in the middle.  I also replace some of the letters with leet speak.  Now if I need my password before I memorize it I can just think of the Eiffel Tower and then use that to remember my master passwords.

3iff3lt0W3r488583N022945E

GRC rates the above password 2.09 trillion trillion centuries to break.

-Dukejer
hero member
Activity: 812
Merit: 1001
-
2. If you can remember your password, it is probably weak.
This actually isn't true, though one might think so. See new research by Steve Gibson: https://www.grc.com/haystack.htm

"research"? That is more like a very weak and naive claim. Old man seems to be getting way behind the curve.

With all due respect to Steve Gibson and his cute idea of easy-to-remember passwords, I am going to have to disagree with him on this. He claims that 'D0g.....................' is a stronger password than 'PrXyc.N(n4k77#L!eVdAfp9'. He should know better.

It might be the case when stupid brute force is employed, but these days attackers use much, much more effective ways to reduce the key space than simply iterating over all permutations, as Steve seems to believe. These include permutations of dictionary words with common replacements of letters by numbers, with various uppercase/lowercase scenarios, in combination with sets of the same symbols repeating, as well as other methods of reducing keyspace by emulating various patterns people use to create passwords they can remember. These techniques often reduce keyspace by many orders of magnitude.


