I am often asked for advice on creating good passwords. Usually, as I talk, I get an open-mouthed response as people go into shock.
The short version, for those who cannot be bothered to read the detail below: use machine-generated random passwords of a decent length, different for each and every site you use. Since it is impossible to remember such passwords, use a password management application and service such as lastpass.com (free), which can generate and remember them for you and fill them in when required in your web browser (in place of your web browser’s built-in ability to remember passwords, from which they are easy to steal). You then only need to remember one good password phrase (not a quote from a book, film or website – something unique and memorable to you) to log in to such an application or service and make use of it.
The vast majority of people make fundamental mistakes when they create passwords. The most common of these mistakes are:
- use the same password on several sites
- use their own name or that of someone close to them
- use a word that can be found in pretty much any dictionary somewhere in the world
- use a word that would appear in lists of: pet names, places, famous monuments, etc.
- use a “clever” formula to create different passwords for different sites
- use a browser feature to save their passwords, to save typing them in on each visit
- use a rotation scheme whereby particular passwords get used again and again
There are those who think that swapping a few letters for numbers (e.g. 3 in place of a, 1 in place of i, etc.) or combining words with special characters between them (such as + or – or $) will help. Maybe ever-so-slightly, but not really. Nor does sticking dates on the end.
A lot of passwords can be guessed simply by collecting a bit of information about you from your social network presence (or indeed any other online presence, in forums and the like). There are automated tools that will gather information available across the internet on particular people (the hacker just has to provide a file with any combination of names, links, addresses, etc.). However, mostly hackers are not interested in you personally and are therefore not focusing on you. Things are worse than that…
Who do you trust?
The key weakness in the security of online services is not at your end but at the other end: the party that stores a password to check against when you log in to their site. This means that on computers in their office, data centre or cloud service, they have files holding lists of passwords linked to usernames or email addresses. In many companies and organisations, the people working there, or the people working for their internet host, can get at those files. In addition, if their security is not absolutely brilliant, a hacker can get hold of those files.
Now, if the original keeper of that password file has been dumb enough to keep the information in plain-text (i.e. unencrypted) form, so that you or I could read the passwords directly if we had the file, then your account with that provider is compromised already, with no more work on the part of the dubious individual who managed to get hold of it. Even if the file is encrypted (coded) in some way, unfortunately many encryption schemes are easy to identify by automated analysis of the file and quick to reverse. After a few minutes’ work, the password is in plain-text (unencrypted) form.
So, the bottom line is, do you trust all of the people that you have online accounts with?
Once a hacker has obtained a plain-text version of a password file, every online account on which you used one of the passwords in that file is compromised.
If you have used a simple formula to generate different passwords for different sites, then as soon as a hacker has two or three (or four or five) of them, he may well crack your formula. Hackers share these files widely with each other, by the way.
Brute-force cracking
If the password file held by an online service provider uses strong encryption, then a hacker has more work to do on an illegally obtained password file before your passwords are compromised. It is pretty much all automated though, and they do not even have to use their own computer to do it, as they can rent time (very cheaply) on thousands of home computers connected to the internet that have been compromised by viruses or trojans (or, if they are good at this, they will have compromised the machines themselves). The home users probably do not even know their machines are being used in this way; they just feel irritated that their computers are even slower than usual.
The work the hacker has to do involves running large subsets of the millions of words in those dictionaries and lists I mentioned earlier, including all those little substitutions and combinations, through the same encryption algorithm as was used on the password file in the first place, and seeing whether any result matches one of the encrypted passwords. This is so common that the most popular “passwords” (another list that runs into the millions) have already been run through several such algorithms to produce so-called rainbow tables, so then it is just a quick lookup.
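To make the two storage schemes concrete, here is an added example (mine, not code from the original post or from any product it names). The post calls the stored form "encryption"; strictly it is a one-way hash, and the difference between the weak and strong cases is exactly the precomputation described above. With a fast, unsalted hash (MD5 here), every candidate word can be hashed once in advance and any leaked hash turned back into its word by a dictionary lookup. With a random per-record salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), two users with the same password get different stored values, so no precomputed table applies and each record has to be attacked afresh. The word list is a constructed seven-entry stand-in for the million-entry lists the post mentions.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed stand-in for the million-entry dictionaries and "most popular password"
# lists described in the post; a real list is far larger but the mechanism is identical.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "dragon", "p4ssw0rd", "Summer2012"]


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted digest of the password (MD5 here)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def precompute_table(words) -> dict:
    """The rainbow-table idea in its simplest form: hash every candidate once, up front,
    so that any leaked unsalted hash is reversed by a dictionary lookup, not by work."""
    return {fast_unsalted_hash(w): w for w in words}


def table_lookup(stored_hash: str, table: dict) -> Optional[str]:
    """Return the plain-text word behind a leaked hash, or None if it was never precomputed."""
    return table.get(stored_hash)


def slow_salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """The stronger scheme: random per-record salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as salt$iterations$digest so the verifier can re-derive it later."""
    if salt is None:
        salt = os.urandom(16)  # fresh per record: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    leaked = fast_unsalted_hash("letmein")  # what one leaked unsalted record looks like
    print("unsalted MD5 of 'letmein' reversed by lookup:", table_lookup(leaked, table))
    first = slow_salted_hash("letmein")
    second = slow_salted_hash("letmein")
    print("same password, two salted records, identical?", first == second)  # False
    print("correct password verifies:", verify_salted("letmein", first))  # True
    print("a 12-character random password is in the table?",
          table_lookup(fast_unsalted_hash("Zq7!kP2#vL9m"), table) is not None)  # False
```

Note that the salt does not need to be secret; it only needs to be unique, which is what stops one precomputed table from serving every record in the file. The iteration count is what turns "a few minutes" into something far costlier per guess, and the random 12-character password is absent from the table simply because it is in no list.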
What to do
Firstly, note that there is no such thing as 100% security. Just as is the case for your own home, if someone is determined enough, they can break in. What you have to do is make it harder and, hopefully, not worthwhile.
The Only Secure Password Is the One You Can’t Remember
The key recommendations are:
- use machine randomly generated passwords
- use passwords of at least eight characters – I usually use at least 12
- use more than just numbers and letters in your passwords (at least for the majority of services that allow such passwords)
- use a different password for every site you have an account on (many recommend using a different nickname for each account as well, also randomly generated)
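The four recommendations above are what a password manager's generator does for you; as an added example (mine, not the post's code and not LastPass's), here is the same thing in Python. It draws from the operating system's cryptographic random source via the `secrets` module (never the `random` module, which is predictable), lets you set length and character set, generates a memorable master phrase from a word list, and builds a per-site vault so that no two accounts share a password. The entropy helper shows why the post prefers 12 characters and a wide character set: each extra character multiplies the guesses required. The six-word list is constructed for the example; a real passphrase should come from a list of thousands of words.

```python
import math
import secrets
import string

# Constructed word list for the master-phrase generator; use a large list in practice.
WORDS = ["copper", "lantern", "meadow", "tangent", "violet", "harbour"]

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALNUM_ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 12, alphabet: str = FULL_ALPHABET) -> str:
    """Machine-generated random password: each position is an independent,
    uniformly random pick from `alphabet`, using the OS cryptographic RNG."""
    if length < 8:
        raise ValueError("the post's minimum is eight characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def random_passphrase(words=WORDS, count: int = 5, separator: str = " ") -> str:
    """A memorable master phrase: `count` words drawn at random from a list.
    Randomness comes from the draw, not from the words being obscure."""
    return separator.join(secrets.choice(words) for _ in range(count))


def per_site_vault(sites, length: int = 16, alphabet: str = FULL_ALPHABET) -> dict:
    """One independently generated password per site, so a leak at one provider
    cannot be replayed at another (the reuse problem the post describes)."""
    return {site: random_password(length, alphabet) for site in sites}


def all_distinct(vault: dict) -> bool:
    """Sanity check a vault: no password appears under two sites."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    print("12-char full-alphabet password :", random_password())
    print("  entropy (bits)               :", round(entropy_bits(12, len(FULL_ALPHABET)), 1))
    print("8-char letters+digits password :", random_password(8, ALNUM_ALPHABET))
    print("  entropy (bits)               :", round(entropy_bits(8, len(ALNUM_ALPHABET)), 1))
    print("master phrase                  :", random_passphrase())
    vault = per_site_vault(["bank.example", "mail.example", "shop.example"])
    for site, pw in vault.items():
        print(f"{site:14s} {pw}")
    print("all distinct:", all_distinct(vault))
```

With 94 printable characters, 12 characters gives roughly 79 bits of entropy, against about 48 bits for eight letters and digits; each additional bit doubles the work of the brute-force run described earlier.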
Now, the problem with passwords meeting the above criteria is that they are difficult to remember: pretty much impossible for more than a few, and you will probably have lots.
Saving the passwords on a file on your computer in plain-text form is not an especially smart thing to do for the reasons already described.
Relying on your web browser to save your passwords is similarly foolhardy as their security is very poor – just download another browser and see how easily, with a click of a button, it can read in all your passwords from another browser for “your convenience”.
Applications to help you
So, you either need to keep them off your computer in a secure way (e.g. a good physical safe) – not very convenient – or use very strong encryption to protect the information on your computer.
There are free (and paid, but you really don’t need the paid) packages around that will generate and store your passwords on your computer using very strong encryption. This is encryption that the FBI is yet to crack. The good thing about such packages is that they leave you in control. You do, of course, have to keep the password files synchronised between different computers if you use several.
You can also use free software like Truecrypt to encrypt parts or even all of your computer’s hard disk and your password file(s) can be stored in encrypted folders on your hard disk.
[UPDATE: 2017-03-05. Unfortunately, Truecrypt development was discontinued and the (anonymous) authors decided to pull the product from their website. Whilst the programme is still available from various sources, it is important to ensure that only valid, uncorrupted versions are used, and also to be aware that a number of bugs have subsequently been discovered and published. These bugs could compromise the security.]
My personal choice for managing passwords is the free Lastpass service, an online service that stores all of your passwords very securely using a master password only you know (a really good one, that is a phrase rather than a typical password) – they do NOT keep a copy of your password – and offers browser integration so that, once logged in for a web session, your login details are filled in automatically, just as your browser used to do itself (insecurely).
Some people do not like the idea of using an online service though. For those people, you might like to look at: KeePass,
Lifehacker.com, a great source of technical information, is also a big fan of Lastpass, but in recognition that some people prefer alternatives they wrote an article covering this and you might find another article on the problems explored in this post of interest as well.
Protect your email accounts well
As many sites will send a password reset message to your registered email address, it is worth both ensuring your email accounts are protected with good strong passwords and perhaps looking at using 2-factor authentication if your email provider offers it. Google, for example, with its gmail service, offers an application to run on smartphones (Android and iPhone included) that will generate a special token on request, which you have to enter in addition to your password when you log in (and you can have a printout of a set of one-time tokens to keep in your purse or wallet for those times when your phone is not available; even if someone steals these, they are no use without the password as well, and you can log in and invalidate the stolen tokens). Lots of the decent email services now offer 2-factor authentication. Lastpass also offers a 2-factor authentication option in its free service; in their case you print a grid of codes to pop in your purse or wallet, but it is the same idea.
In addition, Lastpass offers a subscription service (just $1 per month) that provides some additional features, including support for more 2-factor authentication methods, of which my favourite is support for a Yubikey – a hardware-based token authentication device that you plug into a USB port on any computer you are using (well, most Wintel and Apple PCs and laptops anyway) and that provides the second token at the push of a button on the key, instead of your typing in a code from a smartphone app or a printed list.