Passwords From a User’s Perspective

With Gawker’s hack hot in the news (google), I want to remind folks regarding some password best practices.

  1. USE long passwords
    Passwords should be at least 8 characters. Passwords shorter than that are typically easier to guess than longer ones. There are huge caveats to that statement as listed below.
  2. DO NOT USE full words in your password
    If the word can be found the dictionary, then its probably one of the 10,000 most common words in the English language. If this is true, then it probably exists in a rainbow table making it easy to guess. Websites typically “hash” passwords so as to not store passwords in cleartext. To work around this, malicious hackers established tables of the most popular words (and passwords) and their equivalent popular hashes. If a hacker gets your hashed password and can look it up in a rainbow table, they know your password.
  3. DO NOT USE the same password for all web sites
    If a website is poorly architected, like Gawker, then a password can be recovered, linked to your username, and tested at all of the popular banks, social media sites, and email systems quickly and easily. If a website gets hacked, you just lost one website, don’t lose your entire online identity because you used one password for the entire web.
  4. USE letters, numbers, and special characters
    Use all three sets of characters to make your password strong. Also, don’t think you’re being crafty by “randomly” typing keys. Humans are not random. Dice are random. Flipped coins are random. The Random Number Generator in Excel is not random (its pseudo-random, but for purposes of this, its good enough).
  5. DO NOT USE common passwords
    Thanks to errors like Gawker’s, we can determine common passwords. Do not use these passwords, even as starting points for adding complexity. Here is a list.
  6. You MAY Store your passwords*
    You can store your passwords by writing them down. However, treat them like they were a gold brick from Fort Knox. If some one broke into your home, you’d expect them to try and find your gold brick and take it. You’d put it in a safe place, like a fire-proof safe. Same thing with your password. Your refrigerator is not a safe place. A sticky note on your monitor is not a safe place. Your document box in your gun safe is a good start. Also consider safe deposit boxes at a local bank. Consider also storing a list of all the places you have a password, like your bank, your email, social media, the IRS, etc. That way you know where to go to update passwords if you do get hacked.
    Another way to store passwords is electronically in a password manager. Only use a password manager that uses VERY STRONG encryption. A good example is passsafe by Bruce Schneier.
  7. Consider using OpenID for low priority systems
    Consider using your Facebook account or other openID account to log into other low priority systems like blogs, etc. This mildly violates the “Use unique passwords”, but does so in a way that should prevent security breaches from being too painful for you.

My recommendations for passwords:

Pick a word at random. Use diceware to pick a word. Then, use diceware to pick a letter and replace it with a random number. Then use diceware to pick a letter and replace it with a random special character. This is your base password. To create a ~unique password for each site, “seed,” or append, it with an abbreviation of the specific website. For example, use “fcbk” for Facebook or “gm@1l” for GMail. An example password could be:

druidlarkin >> dru7dla$kin >> dru7dla$kinfcbk

That is a highly secure, random, unique, password. It was two random words from diceware chosen by dice with a number and a special character with a facebook seed added. Even with the advanced knowledge that we used diceware, that starts with 244,140,625 combinations. By the time we add in special characters and a seed, the ability to crack it becomes more costly the the gains of having your facebook password (is it really that important I tarnish your facebook account temporarily?).

Update:  I found a writeup discussing password strength and rainbow tables. Another good reason to use special characters and numbers and upper and lower case letters.

Leave a Reply

Your email address will not be published. Required fields are marked *