Password tips

What the risks are

To access your account on an email system, or on a social website, there are about three ways an attacker can try.

The hardest way is brute force guessing from the “front door” – repeatedly browsing to the web site and trying different passwords until they get in.  This can take weeks or years, and as long as you’re not using a very short password, they’re unlikely to succeed.

The second method is more targeted guessing with a dictionary.  In this sense, a dictionary is merely a word list without definitions.  It may contain lists of common words, password lists from hacks that have been published on the Internet, or the names of kids or pets that you have made public.  The attacker is still slowed down by whatever defenses the site has put on its “front door,” but if you used a common password or a word that someone might associate with you, it’s much faster than a brute force attack.

The most dangerous method is when hackers manage to download the encrypted list of users and passwords from a service.  The encryption, if done well, protects the passwords for a short time; but the hacker is no longer slowed down by the “front door” defenses and can try millions of guesses per second, presuming a modest investment in computer hardware.  You have to have a very long, random password for it to last under this kind of attack.

Even very long passwords are not supposed to resist this kind of attack indefinitely.  The purpose of a very long password is to give you time to change the password after you’ve been notified that the service provider was compromised.  Once you’ve changed the password, what the hacker eventually discovers is a useless old password.

This is also why you should use different passwords for each account.  A hacker who gets your Facebook password shouldn’t automatically get your online banking password as a bonus.

There are things that no longer work.  Real words in any language already appear in dictionaries (word list files) and will be quickly guessed.  Putting a few numbers behind the word will not help either.

Multifactor Authentication

You will often hear about Two-Factor Authentication or Multifactor Authentication.  These are promising technologies, but they can be expensive to implement.  Some implementations are better than others.

If your bank offers multifactor authentication, by all means take advantage of it -- have a code sent to your phone, for example.  Just realize that it will be a long time before we're all carrying key fobs that work on all devices and accounts -- there's a lot of infrastructure work ahead of us.

Strong passwords made easy

Best practices

You want a password that’s long – the longer the better.  Changing an eight character alphabet-only password to a nine character alphabet-only password makes it harder to crack than changing an eight-character alphabet-only password to an eight-character mix of letters, numbers and symbols.  But of course, you should still mix letters, numbers and symbols.

Hashing a Phrase

Here’s how to make an alphabet-soup password you can remember.  Hashing is the process of transforming something you can easily remember into something that looks like completely random garbage.  It makes passwords that are much harder to crack, because they aren't dictionary words.  This particular hash process is something presented by Mat Neufield at a SANS conference, probably over ten years ago:

  • Pick a phrase, such as "This is a demo which I shouldn't really use"
  • Eliminate spaces, and all but the first and last letters of the words:  "This is a demo which I shouldn't really use" becomes "TsisadowhIstryue"
  • Do some substitutions.  Pick any substitutions that you can remember, and BE CONSISTENT, so that you do remember.  For example only:  "T515@d0whI5tryu3" -- this substitutes 5 for s, 1 for lower case i, @ for a, 0 for lower case o, and 3 for lower case e.  You could also preserve the apostrophe if you wanted, and if you would remember it later.
  • Place a before-and-after character around the phrase.  In the presentation, I have sometimes used ! and sometimes #.  It can be almost anything, and is a good opportunity to put punctuation in a password that might not otherwise have it.  Example:  ~T515@d0whI5tryu3~
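The four steps above, written out as a small Python script so you can see each stage of the transformation.  This is an added example, not part of the original presentation; the substitution table (s, i, a, o, e) and the ~ wrapper are taken from the page's own example, and you would of course pick your own.

```python
# Substitutions from the page's example: 5 for s, 1 for i, @ for a, 0 for o, 3 for e.
# Only lower-case letters are substituted, matching the example (the capital I stays I).
DEFAULT_SUBS = {"s": "5", "i": "1", "a": "@", "o": "0", "e": "3"}


def condense(phrase):
    """Step 2: drop spaces and keep only the first and last letter of each word.
    One-letter words ('a', 'I') contribute that single letter.  Non-letters inside
    a word are ignored, so "shouldn't" becomes "st" as on the page."""
    pieces = []
    for word in phrase.split():
        letters = [c for c in word if c.isalpha()]
        if not letters:
            continue
        if len(letters) == 1:
            pieces.append(letters[0])
        else:
            pieces.append(letters[0] + letters[-1])
    return "".join(pieces)


def substitute(text, subs=DEFAULT_SUBS):
    """Step 3: apply the chosen substitutions consistently to every character."""
    return "".join(subs.get(c, c) for c in text)


def hash_phrase(phrase, wrap="~", subs=DEFAULT_SUBS):
    """Steps 2-4 together: condense, substitute, then wrap with the chosen symbol."""
    return wrap + substitute(condense(phrase), subs) + wrap


def character_classes(password):
    """Report which classes the result mixes (best practice: letters, numbers, symbols)."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    phrase = "This is a demo which I shouldn't really use"  # the page's own sample phrase
    print(condense(phrase))          # TsisadowhIstryue
    print(hash_phrase(phrase))       # ~T515@d0whI5tryu3~
    print(sorted(character_classes(hash_phrase(phrase))))
```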

Remember that you can pick your own substitutions, your own before-and-after symbol, your own process -- this is provided solely as an example of hashing. It will take some practice to get used to, but once you have the hang of it, your protection gets a lot better. Jumbled hashes are stronger than passwords!

Bonus -- a short discussion for kids on strong passwords from Ed Skoudis of the SANS Institute.

Password managers

Even with your hashed passphrase, you may have too many different accounts to remember unique passwords for each.  Your author has about sixty different accounts to keep track of, and most certainly doesn’t remember them all.

Consider the use of a password manager.  These come in two flavors:  cloud-based, and portable on a thumb drive.  The advantages and disadvantages are similar to those listed for backups; for most people, the balance of risk is going to favor a cloud service.

Here are some password managers to consider.  There are other good ones as well; this list is just a starting point.

  • LastPass - This is the one that's online, backed up for you, but you have to have Internet access to use it
  • KeePass - This is the one you keep on a thumb drive and have to religiously back up
  • DataVault (for smart phones)

InfoWorld did a review of password managers in 2012.