Password Strength, Security and Encryption
Greetings everyone. Because I am an IT by profession and because we hear more and more stories of passwords being stolen, cracked, lucky-guessed and so on, I thought it would be a good idea to cover some best practices that the user can use to make his online experience a little more secure. I know nobody asked for my input, but here it is. :p
Topic 1: Password Strength
We get blasted with this all the time. "Make your passwords strong! The stronger the password the better! Change them frequently!" and so on and so forth. But some people aren't sure what that means. And, those of us who are bad at remembering longer passwords have trouble making longer passwords, or when they feel like it'd be a good idea to change their password they can't think of one. I'll tell you how you can not only make a long, secure password, but make it memorable.
So perhaps I should start by defining what it means to have a strong password. A password does not necessarily have to be overly long. Generally 14 characters is long enough (though longer IS better in most cases), and while that might seem like a lot, there's a reason for that, which I shall explain in a moment.
The more variation in a password's character sequence, the harder it is to crack or steal (you still have to worry about shoulder surfing if you type your passwords in public areas, but having a complex password will inhibit people from being able to replicate your keystrokes in those specific situations). Assuming the site you are using the password for has no restriction on what characters you can use, every symbol that you can type on a keyboard or insert using the ALT codes found here are viable options. Generally I stick to the ones I can type easily such as !@# and so on. Shifting between lowercase and capital letters will also allow your passwords to be more complex. Adding numbers adds further complexity.
Now, with all this in mind, it may not be a good idea to simply take a bunch of random symbols, letters and numbers and arrange them in a line. You're likely to forget the sequence (unless you've got a really good memory or they're ordered somehow), so what I do is I create a word-based passphrase for myself and change letters to numbers and symbols.
For example, the following passphrase:
BIGTITTIEDLADY (14 characters)
...becomes a password such as:
61gti77!Edl@D/ (14 characters)
Here, as you can see the B was changed to a 6 (alternatively I could have used "|3" or something), the I's were changed to 1's and !'s, and so on. Be creative. However, please do not just take this password, as it's entirely possible that someone could read this and try to hack someone's account if they think the password is in use.
In creating a password this way, you not only have a point of reference for yourself to remember the password, but the end result doesn't look like anything at all, and you make it so complex that it would take millions of years to hack, even with a supercomputer. And the longer and more complex your password is, the more time it would take for a computer to guess it.
There are other similar means of creating complex passwords, and if something works for you, then by all means do it that way.
That said, if the connection between your computer and the website you are trying to visit does not appear to use encryption (unless I'm mistaken, Fakku's login page does not), there is no way to ensure the security of your password in the first place. Generally I do not waste effort creating complex passwords for websites that do not use encryption. Instead, I use a relatively short, moderately complex password that isn't connected to any other accounts that I wish to keep secure.
Topic 2: Password Security
You might think that this is the same thing as password strength. Nope, this actually deals with keeping your passwords out of the hands of others who might wish to use them. In becoming an IT, I have learned (in some cases, the hard way) that the best way to keep our accounts secure is to secure our passwords.
Never lend your password out to another person. This might seem obvious, but there are people who share accounts. The more people that know your password, the less secure it is. If you have a shared computer, do not stay logged in to websites that you use frequently. While it might seem like a hassle to log into a website and then log out every time you want to use the site for a few minutes, if it's something you care to keep hidden or wouldn't want other people messing with, you should keep it locked down. If there's specific reasons you share accounts that means you MUST share your password, then I won't tell you not to do that; however, it might be worth looking into WHY that is the case and suggesting that there be two separate accounts in which you can access a common set of resources.
Refrain from writing down your passwords if you can help it. Sometimes it helps you remember them or order your thoughts, and that's fine... at least temporarily. The longer the password remains written down, however, the less secure it will be. All it takes is for you to be pulling something out of your pocket, and that paper slips out without you noticing. Someone can pick it up, log into your account, and write a lengthy confession to your boss saying you've been sleeping with his wife. Next thing you know they're having to remove your teeth from your small intestine. Sure, a worst-case scenario, but who knows what they could do with your account? If you write your passwords down, learn them quickly, and destroy the paper as soon as possible.
Never use the same password in more than one location. It might seem safe if both websites are using encryption, but all it takes is for one password to be compromised, and then every website in which you use that password could potentially be compromised as well. Imagine using the same password for dozens of websites and then having to go through and change each one because one website reported that it had been hacked and its password database stolen.
Ah, one last thing on this topic. If you have the option of setting a Display Name on your account that is different from your username, do so. Displaying your username gives a hacker half the information he needs to hack your account. Keep your account as secure as possible.
Topic 3: Encryption
If a website uses encryption, that means that the passwords are significantly more difficult to steal. Despite what you may think, it's not impossible to steal even encrypted passwords. All it takes is a small breach or exploit and a hacker could get EVERYTHING. This is usually mitigated by any number of security features, but the possibility still exists.
Normally, with websites that do not use encryption, the passwords are sent in clear text across the internet, then merely hashed and stored in a database on the server. If a hacker is listening in on the connection (the technical term is actually "sniffing"), the passwords are not secure in transit and could be stolen by anyone who wanted to do so. It might still be illegal to do so according to local, state, or federal law, but since when has the law ever stopped someone from committing a crime?
All encryption is not the same, either. Without getting into a more technical aspect, there are ways to make standard encryption methods more secure. One such method is called "salting" the passwords. I'll let you look that up for yourself if you so choose. Passwords that are salted are much harder to hack due to the way passwords are hashed in a system. A hacker will generally query the password database for common passwords in an attempt to see if those passwords exist in the database. If the passwords are salted, the hashes will very likely be different than what he is attempting to look for and his evil plot will be thwarted! Ha-ha!
I thank you for taking the time to read through this and I hope this helps someone somewhere keep their system just a little bit more secure. Drive safely!
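The salting mechanism that Topic 3 above leaves as homework, as an added example that is not part of the original post: a throwaway Python script with a constructed user table and common-password list (all names and passwords are made up), showing why a precomputed lookup table reverses unsalted hashes in a single step, why a per-user random salt makes that table useless and hides which users share a password, and the caveat the post does not mention, that salting alone does not slow down each individual guess, which is what a deliberately slow function such as PBKDF2 is for.

```python
import hashlib
import os

# Constructed sample data for the demonstration (not real accounts): a short
# "common password" list of the kind an attacker precomputes, and a toy user table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]
USERS = {"alice": "password", "bob": "hunter2", "carol": "letmein", "dave": "password"}


def unsalted_hash(password: str) -> str:
    """Weak scheme: one plain SHA-256 of the password. Every user who picked the
    same password ends up with the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted scheme: a per-user random salt is mixed in, so equal passwords give
    different digests and a table precomputed without the salt no longer applies."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256).
    Salting alone does not make each individual guess slower; this does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(candidates):
    """Attacker's one-time precomputation: hash every common password and index
    the digests, so a stolen unsalted digest is reversed by a dictionary lookup."""
    return {unsalted_hash(p): p for p in candidates}


def crack_by_lookup(stolen, table):
    """Look each stolen digest up in the precomputed table. `stolen` maps
    user -> hex digest (unsalted leak) or user -> (salt, hex digest) (salted leak)."""
    recovered = {}
    for user, record in stolen.items():
        digest = record[1] if isinstance(record, tuple) else record
        if digest in table:
            recovered[user] = table[digest]
    return recovered


def crack_salted(stolen, candidates):
    """With the table useless, the attacker re-hashes every candidate under every
    user's salt: the work is done per user instead of once for the whole leak."""
    recovered, attempts = {}, 0
    for user, (salt, digest) in stolen.items():
        for p in candidates:
            attempts += 1
            if salted_hash(p, salt) == digest:
                recovered[user] = p
                break
    return recovered, attempts


def leak_unsalted():
    """What an unsalted password database looks like when it is stolen."""
    return {u: unsalted_hash(p) for u, p in USERS.items()}


def leak_salted():
    """Salted database: 16 random bytes per user, stored beside the digest.
    The salt is not secret; it only has to be unique per user."""
    leak = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        leak[u] = (salt, salted_hash(p, salt))
    return leak


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    unsalted = leak_unsalted()
    cracked_unsalted = crack_by_lookup(unsalted, table)      # every user, one lookup each
    shared_visible = unsalted["alice"] == unsalted["dave"]   # same password, same digest

    salted = leak_salted()
    salted_by_lookup = crack_by_lookup(salted, table)        # {} : the table is useless
    cracked_salted, attempts = crack_salted(salted, COMMON_PASSWORDS)
    shared_hidden = salted["alice"][1] != salted["dave"][1]  # same password, different digests
    return {
        "unsalted_cracked": cracked_unsalted,
        "unsalted_shared_password_visible": shared_visible,
        "salted_cracked_by_lookup": salted_by_lookup,
        "salted_cracked_by_guessing": cracked_salted,
        "salted_guess_attempts": attempts,
        "salted_shared_password_hidden": shared_hidden,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the two leaks: the unsalted one falls to four dictionary lookups and also reveals that alice and dave share a password; the salted one yields nothing from the table, costs the attacker ten separate hash computations for the same five-word list, and no longer shows who shares a password. Salting stops the attacker from sharing work across users, not from guessing, so it should always be paired with a slow hash such as PBKDF2, bcrypt, scrypt or Argon2 (slow_salted_hash above shows the PBKDF2 form from the standard library).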
I just learn a combination of keystrokes then remember where the fingers are supposed to line up on the keyboard. That means I never really know what my password exactly is, but I still know how to type it out.
mibuchiha wrote...
This had to be done.
44 bits of entropy are completely useless when you can use a simple dictionary attack to crack the password. Most cracks are done locally and the 'plausible' attack is utter nonsense unless he's referring to remote service technology that was around in the mid nineties.
Lal3 wrote...
44 bits of entropy are completely useless when you can use a simple dictionary attack to crack the password. Most cracks are done locally and the 'plausible' attack is utter nonsense unless he's referring to remote service technology that was around in the mid nineties.
This comic actually takes into account a dictionary attack as its weakness, and assumes the attacker knows the password scheme.
11 bits of entropy = a 2048 word dictionary
times 4 for the 4 words = ~44 bits of entropy
if anything this should be bigger, but we don't really care about an order of magnitude, as long as they are not in the comic's favor.
Assuming a brute force method... we would be looking at (27)^28. So while a dictionary attack does MUCH better, it is still not really plausible.
for more: http://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength
Moeiful wrote...
Lal3 wrote...
44 bits of entropy are completely useless when you can use a simple dictionary attack to crack the password. Most cracks are done locally and the 'plausible' attack is utter nonsense unless he's referring to remote service technology that was around in the mid nineties.
This comic actually takes into account a dictionary attack as its weakness, and assumes the attacker knows the password scheme.
11 bits of entropy = a 2048 word dictionary
times 4 for the 4 words = ~44 bits of entropy
if anything this should be bigger, but we don't really care about an order of magnitude, as long as they are not in the comic's favor.
Assuming a brute force method... we would be looking at (27)^28. So while a dictionary attack does MUCH better, it is still not really plausible.
for more: http://www.explainxkcd.com/wiki/index.php?title=936:_Password_Strength
Actually it doesn't take any of that into account. Taken from your very source:
Explanation wrote...
Now, what is not clearly addressed:
Will these passwords have to be entered manually? And if so, how difficult is it, mechanically, to enter each character of the password? On a keyboard it's easy, but on a smartphone or console... not so much.
How easy are these passwords to remember?
How sophisticated are the password attacks?
In other words, will they actually attempt common schemes like "dictionary words separated by spaces", or "a complete sentence with punctuation", or "leet-speak numb3r substitution" as implied by xkcd?
I have seen this comic more than a few times and it simply shouldn't be used, it is not a thorough explanation and it sends a false message. Real crackers do not use simple brute force or dictionary attack algorithms, those are for script kiddies who have no idea what the fuck they're doing. Real CB algorithms use a variety of complex methods to generate possibilities, they do not simply test every single combination they possibly can, that is the last resort, the fallback. Even then, no experienced cracker is going to run a simple brute force algorithm for years just to get someone's password. Any password that's worth spending that much time on is likely going to change by the time it's cracked.
Truly secure passwords should not be easy to remember, passwords that are easily memorized are easily broken. The best way to defeat a strong crack algorithm is to take into account:
- How frequently a symbol is used
- Varying case, special characters, numbers
- Length
Y>,:~w&7%^0{Xu:|&!"r*8)Z is stronger than Dog................................. or correcthorsebatterystaple and will take many times longer for an advanced algorithm to guess. We are not living in the eighties or nineties anymore, stop relying on strength calculations that are eons old.
Lal3 wrote...
Actually it doesn't take any of that into account. Taken from your very source:
The "Now, what is not clearly addressed:" deals with the usability of the password. I will agree that long passwords are difficult to enter on a phone. As for how easy they are to remember, I will digress and say that maybe they are not easy to remember, not my field, but they seem easier to me.
The "How sophisticated are the password attacks?" only seems to make me think that the crackers will go for low-hanging fruit, and you might not even "really" need a password as strong as xkcd is recommending. Or, at least that is my interpretation.
Lal3 wrote...
not a thorough explanation
Very true, though a thorough explanation would not be as funny.
Lal3 wrote...
Truly secure passwords should not be easy to remember, passwords that are easily memorized are easily broken.
Yes, though by that logic it would seem that you would not even be able to remember your own password. That would mean you would probably write it down, or store it on your computer. Or, this is what most people would do. Which a lot of the time is a greater security vulnerability than a weak password.
This comic was just pointing out the ridiculousness of using short passwords with simple number and symbols added.
Lal3 wrote...
How frequently a symbol is used
Varying case, special characters, numbers
Length
Yes, I will agree that those are all good tips.
Lal3 wrote...
Y>,:~w&7%^0{Xu:|&!"r*8)Z is stronger than Dog................................. or correcthorsebatterystaple and will take many times longer for an advanced algorithm to guess. We are not living in the eighties or nineties anymore, stop relying on strength calculations that are eons old.
the o in Dog is supposed to be a 0. Also, "D0g................................." is actually REALLY strong. Of course, if you were expecting this format it would be bad. I would agree that this would probably fail in a real environment. Mainly due to the repeated ....
Y>,:~w&7%^0{Xu:|&!"r*8)Z is an extremely complex password that definitely trumps correcthorsebatterystaple. Though a comparable and "memorable" password could be generated with more words added.
Lal3 wrote...
We are not living in the eighties or nineties anymore, stop relying on strength calculations that are eons old.
I am sorry, I mostly read up on security as a passing interest. Though, I have not seen a movement by experts that rejects these strength calculations.
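The arithmetic behind the schemes argued over in this thread (the leet-substituted phrase from Topic 1 of the first post, the 44-bit four-word passphrase, and the 27^28 brute-force figure), worked through in a Python script added here rather than taken from any post. The eight-word list, the leet substitution table and the guess rate of 10^10 per second are assumptions; the rate stands in for an offline attack on a fast unsalted hash and is there only to turn bits into time, and the 2048-entry phrase list assumed for the leet case is likewise a modelling parameter, not a measured dictionary.

```python
import itertools
import math
import secrets

# Constructed eight-word stand-in for a real passphrase word list; the 2048-word
# figure from the thread is passed in as a number where needed.
WORD_LIST = ["correct", "horse", "battery", "staple", "pony", "orange", "cloud", "river"]

# Assumed per-letter substitutions a rule-based cracker would try, chosen to cover
# the ones used in the thread (B->6, I->1 or !, T->7, A->@, O->0 and so on).
LEET = {"a": "4@", "b": "68", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7+", "l": "1|"}

SECONDS_PER_YEAR = 365 * 24 * 3600


def brute_force_bits(alphabet_size: int, length: int) -> float:
    """Attacker knows only alphabet and length: search space alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Attacker knows the scheme (word_count words drawn uniformly from a
    dictionary_size-word list): search space dictionary_size ** word_count."""
    return word_count * math.log2(dictionary_size)


def char_options(ch: str):
    """Every form one character can take under the rule set: as typed,
    upper-cased (if that differs), or any leet replacement."""
    base = ch.lower()
    options = [base]
    if base.upper() != base:
        options.append(base.upper())
    return options + list(LEET.get(base, ""))


def leet_variant_count(word: str) -> int:
    """Number of distinct strings the rule set derives from one base word."""
    return math.prod(len(char_options(ch)) for ch in word)


def leet_variants(word: str):
    """Lazily enumerate those strings; this is what a rule-based cracker does,
    word by word, instead of brute-forcing characters."""
    for combo in itertools.product(*(char_options(ch) for ch in word)):
        yield "".join(combo)


def leet_word_bits(dictionary_size: int, word: str) -> float:
    """Search space for 'one dictionary entry with optional substitutions' when
    the attacker knows both the list and the rule set."""
    return math.log2(dictionary_size * leet_variant_count(word))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second


def random_passphrase(words, count: int) -> str:
    """Uniform random choice is what makes the entropy arithmetic valid; a phrase
    you thought up yourself is not uniform and gets no such guarantee."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(guesses_per_second: float = 1e10) -> dict:
    """Bits and worst-case years for the schemes argued over in the thread.
    The guess rate is an assumed parameter standing in for an offline attack
    on a fast unsalted hash; change it to match whatever you are modelling."""
    schemes = {
        "4 random words from a 2048-word list (xkcd)": passphrase_bits(2048, 4),
        "28 characters from a 27-symbol alphabet, brute force": brute_force_bits(27, 28),
        "14-letter word + leet, attacker knows a 2048-entry list and the rules": leet_word_bits(2048, "batterystaples"),
        "14 random printable ASCII characters": brute_force_bits(95, 14),
        "24 random printable ASCII characters": brute_force_bits(95, 24),
    }
    return {
        name: (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR)
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{bits:6.1f} bits  {years:12.3g} years  {name}")
    print("example passphrase:", random_passphrase(WORD_LIST, 4))
```

The numbers make the two sides of the argument concrete: four uniformly random words from 2048 give exactly 44 bits, which at the assumed rate is exhausted in about half an hour offline, while 27^28 is about 133 bits. A single dictionary entry with leet substitutions is only the list size times the variant count, so the substitutions in "61gti77!Edl@D/" add roughly 1.7 bits per letter to whatever the base phrase was worth, far short of the 92 bits of 14 truly random printable characters. The figures assume the attacker knows the scheme; what none of them capture is a phrase the user invented, which is neither a dictionary entry nor a uniform random draw, so its real strength is unknowable and usually lower than the arithmetic suggests.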
I have 3 different passwords for everything I use.
My password is so dumb that no-one will ever figure it out.
Flaser
OCD Hentai Collector
Besides all these academics, here's something practical:
http://keepass.info/
It's a password manager, so you can easily generate strong passwords, use a different password for every site you visit and finally only have to remember one strong password or better yet, use a more complex scheme (like a key file) to protect your passwords.
Frankly, expecting users to live up to all the "advice" given by security experts is woefully naive as it puts an inordinate workload on them. Software like this can make you a lot safer.
Yes, it creates a single point of failure, but at the same time, said point can be well protected and strongly defended. IMHO the trade-off is well worth it.
Flaser wrote...
Besides all these academics, here's something practical: http://keepass.info/
It's a password manager, so you can easily generate strong passwords, use a different password for every site you visit and finally only have to remember one strong password or better yet, use a more complex scheme (like a key file) to protect your passwords.
Frankly, expecting users to live up to all the "advice" given by security experts is woefully naive as it puts an inordinate workload on them. Software like this can make you a lot safer.
Yes, it creates a single point of failure, but at the same time, said point can be well protected and strongly defended. IMHO the trade-off is well worth it.
Yeah, I agree completely.
I personally like to put everything in an encrypted keyring, which is either on a USB stick, my encrypted phone, or a machine I can remote into over ssh.