Let's talk passwords

I began this post weeks ago, but with the recent Heartbleed problems, it's even more timely and I feel like I need to finish this and get it out there.

Passwords have been an issue for some time, and they will continue to be more and more of an issue. There have now been a few large scale compromises--that we know about--and there will only be more as time goes by. I thought I'd bring this blog (at least briefly) out of retirement to talk about them.  I'm going to knock down some password myths, discuss how to build good ones, and give you some best practices, some good practices if you don't follow the best ones, and some okay practices.

First of all, passwords are terrible.  They're just an awful concept, but we use them because they're approximately the least-worst of several bad options.  Passwords are naturally easy to guess, and hard-to-guess passwords are necessarily hard to remember.  For good security, you need to use a different password everywhere, but the human mind doesn't work that way.  Passwords are a way that vendors, developers, and admins push the responsibility for security onto their users, because passwords are easier and cheaper to implement than actual, functional security measures.  One day, if it hasn't yet happened (it probably has, but you may not know), a password of yours is going to be compromised; know that when it happens, it is not your fault, but rather that the way the world is currently set up guarantees it over a long enough time window.  The best you can do is minimize the frequency and the impact of a compromised password.  This means using passwords that are:

  1. Hard to crack, but more importantly,
  2. Unique to the service you're using them on

If you don't read any further into this article, the best way for a layperson to do this is to use password management software. Password managers have their issues, but they are far better than your other options.  I personally use and love LastPass, and know other people who swear by 1Password and KeePass, but the fact of using a password manager is more important than which you use.  Note that those are direct links, and there's no kickback involved for me in this (although I don't control the ads that show up on this site in the sidebar).

The reason to use a password manager is that it takes out of your hands the need to come up with a new password for each web site, something people are terrible at doing and so generally won't do.  Come up with a very strong password for the manager (we'll discuss those later), and then import almost all of your passwords into the password manager.  The exception is this: do not use the password manager to hold your primary email password. Come up with a separate (and again, strong) password for this service.  You'll be required to manage two passwords, but this means that an attacker that compromises your password manager doesn't have access to your email, and most services will allow you to reset or retrieve your password using your primary email address.  Likewise, someone who compromises your primary email password doesn't immediately get access to all of your other services, although you'll need to establish a new email address ASAP and start moving things.  What to do when a password is compromised will have to wait for another article, as this one is going to be long enough.

Going forward, you'll want to use the password manager to generate randomized passwords for everything you log into.  Your existing services will take some time, but for any new service, always use the manager rather than coming up with something manually.  Try to be disciplined about this: whenever you log into something, immediately change the password to something randomized if you haven't already.  The benefit of this is that when one of these services is compromised (as one of them will be), the attacker only gains access to that service.  When you reuse passwords, if someone compromises that password in one place they gain access to every place that you use it.

Now, some people are not going to use password managers, for various reasons.  Distrust of third parties, self-reliance, inability to install software on their work computers, all valid things.  In addition, some services can't be used with your manager, and you may not have access in the office.  Many people will require passwords that have not been generated via software.  We're going to go through a few things for you, and for those passwords that simply can't be stored in a password manager.

This is my personal method for coming up with a strong but memorable password.  I'm going to give you an example. DO NOT USE THE EXAMPLE PASSWORD. The example password is also not a password that I have used anywhere, but I encourage you to try it.

Step 1: come up with a nonsense word or phrase.  Not something random, like jkasdgkjashg.  We're going to use the brain's language capabilities to give us something both unique and memorable.  Phrases are particularly good, because they include punctuation and spaces.  Let's use "aggle mibble" (we'll be omitting the quotation marks).

See how easy that is to memorize? You've probably already got it down.  It's also not crackable using dictionary methods, because those aren't English words (if you google them, you'll find one is a Gaelic word and one is a name for a code library, but coming up with entirely unique nonsense words is not worth the time for this exercise).  It includes a space already, which means that to crack it with brute force will take orders of magnitude longer (check it against GRC's password haystacks, and you'll see the single space takes the "massive cracking array scenario" from around 39 seconds to around 7 months).

Step 2: Strengthen your nonsense phrase with some capital letters, numbers and/or symbols. Using the old "change a letter to a number" chestnut, and starting with a cap, gives us Aggle Mibbl3.  Try this against the above cracker, and you'll see that our offline attack scenario is now in the centuries.  Now, look back at that password.  Isn't that much, much easier than the sorts of passwords you'd expect to be that strong?  We've used your brain's ability to handle language to reverse the normal scenario; this password is now very easy to remember and very hard to crack.

Optional step 3: Remember what I said about unique passwords?  Well, even if you're generating passwords with your own mind and not with a software tool, it's still possible to remember a unique password for every site and service.  I'll show you how.

Imagine you log on to yourbank.com, and are asked to create a strong password. You've already followed the process above, and now you'll remember Aggle Mibbl3 for the rest of your life.  Now, to make a unique password for this site is as simple as embedding the site itself somewhere in the password.  We could go with:

yourbank Aggle Mibbl3

or even better:

yourbank.com Aggle Mibbl3

But better still is:

Aggle yourbank.com Mibbl3

Now you have a phenomenally strong, easy to remember password that is impossible to crack with a dictionary and virtually impossible with brute force.  It is also unique to this site, and therefore if compromised it won't automatically compromise everything else you log into.
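
An added example, not part of the original post: the brute-force arithmetic behind a haystack-style calculator, applied to the passwords built in steps 1 to 3. The character-class sizes and the three guess rates are assumptions, and the model covers exhaustive search only, not dictionary or pattern-based guessing.

```python
import string

# Printable-ASCII character classes and their sizes; the symbol class is the
# 32 punctuation characters plus the space (33 total). Assumed model.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation) | {" "}, 33),
]

# Assumed guesses per second for each attack scenario (not stated in the post).
RATES = {"online": 1e3, "offline_fast": 1e11, "massive_array": 1e14}


def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    known = set().union(*(chars for chars, _ in CLASSES))
    stray = set(password) - known
    if stray:
        raise ValueError(f"outside the modelled alphabet: {sorted(stray)}")
    return sum(size for chars, size in CLASSES if chars & set(password))


def search_space(password):
    """Count every candidate of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, scenario):
    """Worst-case time to try the whole search space at the scenario's rate."""
    return search_space(password) / RATES[scenario]


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("centuries", 3155760000), ("years", 31557600),
                       ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("agglemibble", "aggle mibble", "Aggle Mibbl3",
               "Aggle yourbank.com Mibbl3"):
        worst = humanize(seconds_to_exhaust(pw, "massive_array"))
        print(f"{pw!r:30} alphabet={alphabet_size(pw):3}  massive_array={worst}")
```

The jump between the first two rows comes from both the extra character and the alphabet growing from 26 to 59 once a symbol is present.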


 - Obviously, if this password is compromised, and a human looks at it, they'll probably recognize the pattern.  If that happens, they can attempt to use it against other sites, so if this is compromised you should still go through the process of resetting passwords anywhere you've used the same pattern.  However, if this is compromised programmatically, it is unlikely that an automatic password cracking implementation can recognize the pattern and reuse it, and that's the greatest danger.  Of course, if similar patterns become popular, they will begin to do so.

 - Some sites limit your password length.  These sites are very poorly implemented, but they likely include places you'll be absolutely required to log into, such as your bank.  There is nothing to be done here, and for these I highly recommend the password managers described above.

 - Similarly, some other poor site implementations omit certain symbols, like the spaces we used.  You can replace them with dashes, or dots, or anything else that you feel you can remember, but the fragmentation of password requirements is going to cause you problems.

Ultimately, the real fixes for this need to be on the industry side, but it will probably require a few more high-profile, internet-wide breakages before anything is done on a large scale.  The best you'll be able to do in the meantime is to protect yourself, and fixing your password usage is the first and most important step to doing so.

Happy internetting. I'm sure the more tech savvy of you are already poking holes in my reasoning, so feel free to do so in the comments.