Password complexity vs security, Password managers, and diceware.com — the final solution

The password story continues.. I’m taking security again and its making me redo some things…

Also never use for any service that uses website to store password, always use file. https://www.tbray.org/ongoing/When/201x/2017/07/16/On-Password-Managers , Agilebits the company behind 1Password is trying to transition people from app based to web site.. (*What’s wrong with a Web site? · The problem is that the site has my encrypted data, and at some point, wants me to type in the password. Thus, in principle, they can peek and see my passwords. And hand them over to the NSA. Or to the criminal gang that abducted the CEO’s children. This makes me unhappy. *)

Terminology:

  • password — random & strong generated password, and by strong i mean 256+ bit entropy (usually has to be 40 chars long, generated by macpass)
  • passphrase — 5+ password made up of words only with spaces! (use a 10K plus dictionary when using online generated. Dont use song lyrics since they are published online and people already have it cracked). Doesnt need any alphanumeric or special chars. This would be confusing complexity with security. You can use the diceware wordlist game, which is randomly generate rolling the die 5 times and picking 1 word from this list http://world.std.com/~reinhold/dicewarewordlist.pdf, or you can go with sites that already do this for you https://password.diet/.

Get Secure:
1) Use MacPass/Keepass. File New. Add passwords for sites. File Save > type master passphrase without any alphanumeric special chars nonsense, use 6+ words from diceware game (or use password.diet). MacPass (https://github.com/mstarke/MacPass/releases MacPass-0.6.2-alpha.zip) or keepass (http://keepass.info/download.html).
2) sign up protonmail.com — use strong password and store it in keepass file, don’t provide backup email as this can be a compromise.
3) Sign up for sync.com & use protonmail.com as your email registration user. Again have a 6+ word passphrase should be a different than your master passphrase for your keepass file. Upload your keepass file there.

so in conclusion, all your passwords for sites/banks/fb/google/linkedin should be passwords that are strong and random, except for 2 things
a) keepass file uses master passphrase
b) sync.com uses new protonemail and a different passphrase

How secure should your strong passwords be?
if using “mixed case alpha-numeric with special chars” and “chosen at total random”, so generated by macpass or keepass… then 13 chars is 80bits of entropy.. which is OK for most sites, and 42 chars is > 256 bits entropy which is what you should use for Banking etc.

Links:
www.diceware.com/ — diceware game, the final solution
https://password.diet (automatically does diceware for you)!
http://world.std.com/~reinhold/dicewarewordlist.pdf — the diceware 7776 wordlist itself
https://xkcd.com/936/ — the problem
http://preshing.com/20110811/xkcd-password-generator/ — a solution?
https://www.baekdal.com/insights/password-security-usability
https://www.baekdal.com/insights/the-usability-of-passwords-faq

Memorable & Strong Password Generator

(Optional) Read if youve a 10 minutes more to spare about security & passwords

Point 0)
password.diet — A client-side diceware multi-wordlist password generator with complete source code
Its safe because its source is public on github https://github.com/password-diet or more specifically https://github.com/password-diet/password.diet/blob/master/app/scripts/components/home.js.

Point 1)
The https://www.baekdal.com/insights/password-security-usability link… shows that when you use 3 words from ‘common words dictionary’ itll take 2537 years to crack if youre “cracking” (or testing using dictionary attack) 100 words per second. He doesnt mention but his common dictionary is quite big at 20k (i had to do the math to figure out hes using 20k — “(20k³)/100 seconds to years”, most online are like 10k.

The diceware one which uses 7776 words… At 3 words its not quite 2537 years but 150 years not 1000+ years so its your lifetime which is good but not ‘forever’.
At 4 words is million years! lol But that’s if they crack at 100 words per second which is so slow :p
“These days, hackers could break 5 words using around 1,000 PCs with high-end graphics processors. That’s why in 2014, Reinhold revised his opinion: “Today criminal gangs probably have access to more computing power then the NSA did when this page first appeared. So I am upping my passphrase length advice by one word.” So 6 has become the new average. Go for 7 words, and it goes beyond the average online spy, thief or malicious user. We’re talking government agency-level. Want even more security? Use symbols instead of spaces between your words. It’s simple. And simplicity is why it works.”

Memorable & Strong Password Generator

Point 2)
Also read why https://www.baekdal.com/insights/the-usability-of-passwords-faq Q: If “this is fun” is 10 times more secure, wouldn’t it increase security to write it as “Thi3-Is-5un”? … That would be just as easy to remember.
A: You are kidding right? Yes it would be much more secure, but the whole point of this is to reduce complexity. People do not like being kicked in the groin every morning. There is absolutely no reason for adding that complexity in the first place. It takes 2,537 years to hack “this is fun”

Point 3)
Again from https://www.baekdal.com/insights/the-usability-of-passwords-faq , Q: When I test “this is fun” it shows up as weak in most password testers. A: Yes, this is simply because most password testing tools are completely useless. They measure complexity, not security.One example. If you head over to The Password Meter, they will tell you that “this is fun” only scores 19% = very weak, while “J4fS<2” scores 60% = strong. But, this has nothing to do with security. They specifically look for the presence of uppercase letters, numbers and symbols, which they then give a rank using a completely insane algorithm. These guys are only measuring complexity. It is an utterly useless tool. Mathematically, “this is fun” is 10 times more secure. This is one of the big reasons why I hate when IT people talk about password security. They favor complexity over actual security.

Technology fanatic.