Have you thought lately about whether your password habits are in excellent condition for the dozens of websites and services you use?
Do you actually have no password that is the same as another one?
This video was kind of a revelation for me on how passwords can be cracked out of leaked hashes (even though they were only MD5). The video is well made, short and to-the-point. Also this and this were good.
It’s interesting to see how easily quite long and relatively strong passwords get dug up.
As mentioned in this great article and elsewhere, the recommended habits nowadays are:
- To not use the same password in more than one place
- Turn on 2-step Verification wherever possible, especially for e-mail
- To use a password manager for storing most of the passwords
Nnngh, that takes effort :(
It can be hard to find motivation for truly changing one’s password habits. For some people these facts might help with that:
1. Your usernames, passwords and/or other information might be already leaked. You can check that with the service mentioned in that article. (If one wants to immediately know when new security breaches happen, Twitter mobile notifications can be set up.)
2. It might come as a surprise that a password manager can actually be less effort to maintain than the method you’re currently using. At least it was for me.
3. Crackers have never been stronger. They have vast amounts of plain-text passwords from previous leaks to analyze and add to their dictionaries. RockYou’s password leak alone had 32 million of them.
4. Many people use the browser’s password-remembering feature for easy access to forums and services. However, opinions differ on whether that feature should be used at all, and it can be surprising how insecure it actually is. I tested in Chrome on Linux that all of my saved passwords can easily be checked in plain text straight from Chrome’s settings: Settings > Show advanced settings… > Passwords and forms > Manage passwords. This means that any outsider who could sit down even briefly at my unsupervised, unlocked computer could access all the passwords saved in the browser in seconds. On Windows it at least asks for your Windows user password to do that — and in Firefox a master password can be set up.
Anyway, in some public environments, locking your computer (Win-key + L on Windows) even just to get a cup of coffee is a recommended habit.
“If you CAN remember all your passwords, you’re doing it wrong.” *
How do they work?
In general, you build up a password database (in KeePass a locally stored .kdbx file) that mostly consists of titles, usernames and very secure, long gibberish passwords that you don’t need to remember.
That database is heavily encrypted and is opened with a strong master password that you need to remember (in KeePass optionally also with a separate key file on top of that).
As an example, when one wants to sign in to a web forum by using KeePass:
- The password manager is opened
- The password manager’s master password is entered
- The forum’s password is copy-pasted from the password database into the forum login prompt (the password is kept in the clipboard for 10 seconds)
- The password manager is closed
In some cases it’s acceptable to let the browser remember this password, but be very careful, like mentioned above.
If you use the database on multiple computers, remember to save it right after adding anything to it, so that a copy from another computer doesn’t overwrite what you added.
I chose KeePassX because it’s open-source and compatible with Windows, Mac OS X and Linux, all of which I use in my everyday life. There are applications for this also for iPhone, for example. Hopefully they’re trustworthy.
Also, putting your database into Google Drive or Dropbox, for example, can be very beneficial — but it is worth getting educated about the downsides of keeping a password database in an online service. At the very least use 2-step Verification on those services. Other ways of syncing the database to other computers could be ownCloud, Syncthing or Resilio Sync, for example. Or just good old SFTP (plain FTP is not recommended).
As a side note, it’s recommended to increase the Transform rounds setting in KeePassX to increase security a bit.
Also, with any local password manager, and KeePass especially, using it on untrusted or public computers can be very insecure. See the section Threats below for more information.
Long and strong gibberish passwords
To generate the gibberish passwords that you don’t need to remember, you can use the generator built into the password manager, a generator on the internet, or simply whack the keyboard like so (nowadays spaces are also allowed in passwords):
*Ö ‘ÖAJKf’efi38RH)#h9873(#=Y9+3+ päk39qjg0j=⁾ J#(=#RH3'ä-2'2-tä4'*
Then simply go and change all the weak passwords on the different services you use to strong gibberish ones, and keep them safe in the password manager.
However, I prefer not to put my e-mail’s password into the manager since it’s the key place to go to reset all the other passwords if for some reason I lose, corrupt or lock the KeePassX file and can’t access it anymore — so, the e-mail’s password needs to be a rememberable one. Same goes for the computer’s login/administrator password.
Master password / Strong password
Using the password manager requires coming up with a strong and secure master password that you can remember.
Often a password is thought up while creating a new account for a service, when one just wants to get in fast and use it. Creating and memorizing a long and secure password is not a priority at that moment.
It makes sense to really dedicate some time to designing your password manager’s master password and practicing it over and over until you remember it. It’s the key that holds all the other passwords, after all.
Creating a strong password
Here are some popular methods for creating a strong and easy-to-remember master password:
- Bruce Schneier’s / Mnemonic Method (Film, Other Film)
- Xkcd style Passphrase Method (The comic, Film)
- PAO style Passphrase Method (go here, search for PAO)
- Combination of these
1. Mnemonic method
In this method you make up a story, a modified movie line or a poem and take the first letter of each word to form a password at least 12 characters long, like so *:
When I was seven, my sister threw my stuffed rabbit in the toilet → WIw7,mstmsritt…
During winter, she would hope for snow and be bitterly disappointed (1984) → DWswh4s&BBD84
Where oh where is my pear? Oh, there. → W?ow?imp::ohth3r
Or one classic example:
3 dollar Seville oranges eat 9 bananas in Tahoe → 3$Soe9biTahoe
- L33tspe@k-style character substitutions are encouraged in the mnemonic method, because the end result is gibberish anyway
2. Passphrase method
Xkcd popularized another good way to form a strong password: just make up 4 or more random words and that’s it. However, the words must be truly random for the passphrase to be secure against dictionary attacks that check basic sentence structures.
Random words like:
shoes pocket simply stored
featured plants above baltic
But some people claim that Xkcd-type passphrases are still not overly secure. It’s stated here that automatic “password cracker” programs now also check for complete dictionary words in a row, separated by spaces or not. So it’s a good habit to always modify any dictionary words used in the passphrase, as mentioned below. Here is also some criticism (and this) of using full words in a password.
- It’s recommended to mix several different languages when making a passphrase
- Special-character injections that break up the words, like ho£rse, are absolutely great. It’s computationally easy to check prepends and appends to a word, but still hard to check every possible position inside it. So one recommended way is to change every Nth letter to a special character, like so:
corr<ct hors< batt<ry stap<e
Ways to come up with words or sentences
- One way could be to go to Wikipedia and keep hitting Shift+Alt+X to get a random article, for inspiration about different words or sentences
- Or maybe use the Urban Dictionary’s Random Word button and pick and combine interesting-sounding words or phrases out of them
- Other ways could be to use Random Word Machine or a Passphrase generator (which also has other good password-security information) to pick out some words, and perhaps to find synonyms for them via a thesaurus
But then again, all the words on those sites might eventually also be included in the dictionaries used for password cracking, which is why breaking up the words is essential.
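As an added example (not code from the article), here are small Python helpers for the three password styles described above: the keyboard-whacking gibberish password, the mnemonic first-letter method and the random passphrase with every Nth letter replaced by a special character, plus an entropy estimate for the two random styles. The word list is constructed and tiny, and the function names are mine.

```python
# Added example (not from the article): helpers for the password styles the
# article describes, plus a rough entropy estimate for the random ones.
import math
import re
import secrets
import string

# Constructed mini word list; a real list (e.g. Diceware) has thousands of words.
WORDLIST = ["shoes", "pocket", "simply", "stored", "featured", "plants",
            "above", "baltic", "correct", "horse", "battery", "staple"]
GIBBERISH_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
# Words the mnemonic helper turns into a digit or symbol instead of a letter.
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9",
                "for": "4", "and": "&"}

def gibberish_password(length=24, alphabet=GIBBERISH_ALPHABET):
    """'Whack the keyboard' style password drawn from the OS CSPRNG (spaces allowed)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(words=4, wordlist=WORDLIST):
    """Xkcd-style passphrase: independent random picks, never a sensible sentence."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

def inject_special(phrase, n=5, char="<"):
    """Replace the n-th letter of every word that is long enough with `char`,
    e.g. 'correct horse battery staple' -> 'corr<ct hors< batt<ry stap<e'."""
    return " ".join(w[:n - 1] + char + w[n:] if len(w) >= n else w
                    for w in phrase.split(" "))

def mnemonic(sentence):
    """First letter of every word; number words, 'for' and 'and' become a digit
    or symbol; digits and punctuation are kept as they are.
    'Seven dogs, 3 cats and a bird!' -> '7d,3c&ab!'"""
    out = []
    for token in re.findall(r"[^\W\d_]+|\d+|[^\s\w]", sentence):
        out.append(NUMBER_WORDS.get(token.lower(), token[0]) if token.isalpha() else token)
    return "".join(out)

def entropy_bits(choices, picks):
    """Bits of entropy for `picks` independent uniform choices out of `choices` options,
    e.g. a 24-character gibberish password from 95 symbols is about 157.7 bits and a
    4-word passphrase from a 7776-word list about 51.7 bits."""
    return picks * math.log2(choices)
```

The entropy numbers only hold for passwords actually drawn at random; a sentence you made up yourself is not uniform, so the mnemonic helper gets no estimate.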
Draw it or write it down
If it’s still hard to remember the password, a good way is to draw a picture of the password and keep it in the wallet, for example. Also a good password written down and stored in a secure location is much better than a bad password memorized. Just don’t make it too obvious that it is a password and what it is for. *
- Normal words found in any dictionary are an obvious target for a dictionary attack. So are names. Non-English words and names are a tiny bit better. Brands are also a bit better, especially lesser-known and foreign brands
- Use of lyrics, poems, movie lines, etc. can be beneficial, but overly famous examples are most probably already in the crackers’ dictionaries.
A long time ago in a galaxy far, far away → Altaiagf,fa or Alotiaginagafa,faaw
Most probably these are already in some cracker’s dictionary.
But this kind of modification of the phrase probably is not *:
Long time ago in a galaxy not far away at all:
However, all the examples found in this or any other password guide are surely included in a dictionary somewhere.
- When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. *
- More examples of weak passwords
- Capital at the beginning, digits at the end, all lowercase in the middle. It’s a pattern that can be programmed into an attack. It doesn’t get much better if a $ gets thrown on the end of it.
- l33tspe@k. Character substitutions with @ , ( , $ , etc. are very predictable patterns. Be aware that automatic password cracker programs check for common symbol substitutions in words, such as zero for “o” and “$” for “s”. *
“The password myth that annoys me the most concerns Leetspeak,” Chester said in the password podcast. “They pick a nice word, and they say, ‘Well, it’s not a dictionary word. I added zero instead of o.’ But most password-cracking apps try that right off the bat, because they know how much people rely on this false sense of security from complicating their password.” *
- Repetition. Pattern — weak:
- Keyboardwalk. Pattern — weak:
“Hackers use keyword walk generators to emulate millions of keyboard patterns.” *
- Also the classic Xkcd “correct horse battery staple” example is a common pattern. It can be relatively good if it’s not a sensible sentence and the words are more unusual — but it’s still a pattern (four random words in a row could fall victim to a dictionary attack)
- If you’re reading instructions on how to form a good password, chances are those exact methods are already being utilized for password cracking as well. So, the more you try to invent even better and more clever new methods you haven’t seen elsewhere, the better off you might be. Like an orgy of smilies, why not.
Avoid Predictable Password Formulas
From this article.
- Use a name, place, or common word as the seed, e.g., “fido” (Women tend to use personal names and men tend to use hobbies)
- Capitalize the first letter: “Fido”
- Add a number, most likely 1 or 2, at the end: “Fido1”
- Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end: “Fido1!”
“Not only are these patterns obvious to professional password guessers, even substituting vowels for numbers (“F1d01!”) or appending another word (“G00dF1d01!”) wouldn’t help much, since hackers are using the patterns against us and appending words from the master crack lists together.”
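As an added example (not code from the article or the quoted one), here is a small Python checker that flags the predictable formulas listed above in a candidate password: the capitalized word with digits and a symbol at the end, dictionary words hidden behind leetspeak, repetition and keyboard walks. The dictionary and keyboard rows are constructed and deliberately tiny; the function names are mine.

```python
# Added example (not from the article): flag the predictable password formulas
# described above. Passing this check does not prove a password is strong.
import re

# Constructed mini dictionary; a real checker would load a large word list.
DICTIONARY = {"fido", "good", "password", "horse", "summer", "seville"}
# Common leetspeak substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
# Row walks only; vertical (column) walks are left out for brevity.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def unleet(pw):
    """'G00dF1d01!' -> 'goodfidoi!'"""
    return pw.translate(LEET).lower()

def dictionary_words(pw):
    """Dictionary words hidden in the password once leetspeak is undone."""
    plain = unleet(pw)
    return sorted(w for w in DICTIONARY if w in plain)

def keyboard_walk(pw, run=4):
    """Return the first `run`-long row walk (forward or backward) found, else None."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - run + 1):
                if r[i:i + run] in low:
                    return r[i:i + run]
    return None

def check_patterns(pw):
    """Names of the predictable patterns found in pw; an empty list means none found."""
    issues = []
    # Seed word, capital first letter, lowercase middle, digits and/or symbol at the end
    if re.fullmatch(r"[A-Z][a-z]+\d*[~!@#$%&?]*", pw):
        issues.append("formula: Capitalized word + digits + symbol at the end")
    words = dictionary_words(pw)
    if words:
        issues.append("dictionary words (after undoing leetspeak): " + ", ".join(words))
    # A chunk of 2+ characters repeated, or one character three or more times in a row
    if re.search(r"(.{2,}?)\1+|(.)\2{2,}", pw):
        issues.append("repetition")
    walk = keyboard_walk(pw)
    if walk:
        issues.append("keyboard walk: " + walk)
    return issues
```

An empty result only means none of these particular patterns were found, not that the password is strong.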
A password manager and a strong master password aren’t enough on their own.
This means it’s essential to keep your computer clean and protect it from malware.
From the first article:
“The Citadel configuration files found by the IBM researchers commanded the malware to begin keylogging whenever Password Safe or KeePass started running.”
“Despite the attack, password managers are still better than just using a few passwords, or worse, a single password, she said.”
“But it is important to keep in mind that these solutions are not sufficient in and of themselves — they have to be accessed from a clean machine.”
Something other than a password manager
Instead of using a password manager, there’s another similar method I have heard of. A friend of mine uses a password-protected, AES-256 encrypted Mac .DMG disk image file stored locally that contains (when mounted) a text file with all the long gibberish passwords in it. From time to time he backs it up to a remote computer.
One way would be to have it with you all the time on an encrypted USB stick as well.
Other ways, off the top of my head, could be to make a text file and encrypt it inside Notepad++, for example.
On the other hand, storing that text file in an encrypted .zip might leave copies of the text file (all your passwords in plain text) in temp/cache folders whenever you edit the contents of the .zip, so that is probably not worth trying. It would also be quite cumbersome.
News about attacks against password managers to get at master passwords, as mentioned above, makes these simpler methods more tempting.
That’s all, folks.
I hope you’ve enjoyed the article and please comment below if you have anything on your mind about this :)
The main point of this article hopefully is to inspire people to consider starting to create and use long and secure gibberish passwords for their internet accounts and to use a password manager or a similar method for storing them securely.
The passwords mentioned in this article are NOT meant for use. They’re only examples.
“Having excellent passwords easily” is an article of the common general advice about password habits, collected from articles around Internet.
Constructive criticism and all kinds of feedback about this article are wholeheartedly encouraged. ❤