Security Resources

Password Strategies for an Internet Minefield

So much has been written about how to choose passwords, and yet here we find ourselves decades after the masses began going “online,” with poor standards, security implementations, and user behavior. What to do? Well, unfortunately, most of us can do little more than follow best practices and hope for the best – Rome wasn’t built in a day, and people won’t stop using “password” or “123456” anytime soon. Password criteria and real-time “strength meters” are a step in the right direction, but of course, we need only to look at a few recent lapses in website security to observe that even when good passwords are chosen, the mechanisms that store and verify them may be flawed. A few incidents worth reading about include: LinkedIn password leak, UPEK fingerprint software weakness, and the Mat Honan hack.

I’ve been a casual student of cryptography and data security for years, and I am often asked about how I manage the problem of selecting and organizing strong passwords.

For starters, there are a few bad habits that you must break yourself of before anything else:

  • Using the same password for more than one site
  • Using some “creative” combination of your initials, family/pet names, birthdates, etc… Most of these patterns are well known to crackers and their software tools.
  • Using short passwords and/or those based on typical words (even spelled backwards or with @ instead of an “a”)

Once you accept the above, then it’s surprisingly easy to get started with strong passwords. Here is my approach:

* Select a password manager. My preference is KeePass. It is free, open-source, cross-platform, and fast. Since KeePass runs as a traditional application, other options, like LastPass, are worth investigating if you desire a cloud-based service or tight integration with your browser. Even though KeePass has a number of plug-ins that add integration, I prefer to keep it completely stand-alone to reduce the number of ways my database could be compromised by a creative hacker or bad plug-in code. Choose your solution carefully – you will be trusting it with the “keys to the castle.” In addition to the backups (plural) you will want to have of the program database, consider exporting the contents to a text file that you either print and file under lock and key every so often, or store as a digital copy in a secure way – NOT on your PC or on any drive/media attached to your PC! One of the primary reasons to use a password manager is to keep your information secure – and all of that value goes away if “Password Backup.txt” is sitting on your desktop.

* Use your password manager to store all of your online identities as separate records. You can typically store notes and other types of records as well – which can be very helpful for all of those software unlock keys, garage door codes, and similarly sensitive data you might have lying around on sticky notes right now.

* When it is time to sign up at a new site or change a password, use a unique, secure password generated by your password manager – or if you prefer, follow another secure procedure for creating strong passwords. Here is an excellent online generation tool and tutorial on writing your own.

* Don’t forget the “little things” either. Before you embark on upgrading your passwords, be sure that your email accounts are well-protected. Some would advise using a dedicated email address for each online service – or at least the most sensitive ones. That way, if someone hacks into your primary email account and attempts to reset your password on – say – your banking site, the confirmation email will go to an account they (hopefully) don’t control. Be careful with security questions, too. For extra security, I will sometimes create dummy answers to the identity verification questions, and store them in the KeePass record for that site. That way, even someone who knows (or can find out) my mother’s maiden name, or the make of my first car, will be out of luck.
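The "unique, secure password generated by your password manager" step, as an added Python example (written for this page; it is not the author's code and not taken from KeePass or any other manager). It draws characters from the operating system's cryptographic random source via the `secrets` module, re-draws until every character class is present, and estimates how long exhaustive guessing would take at an assumed guess rate. The symbol set and the guess rate used in the demo are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes the generator draws from. The symbol set is an assumption
# for this example; trim it if a site rejects some of these characters.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Return `length` characters chosen uniformly with the `secrets` CSPRNG,
    re-drawing until every character class appears at least once."""
    if length < 12:
        raise ValueError("generate at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string, in bits: length * log2(alphabet).
    Requiring every class removes a negligible fraction of candidates, so this
    figure is very slightly optimistic."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every string of the given entropy at a constant
    guess rate. The rate is a hypothetical input, not a measurement."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw))
    print(pw)
    # 1e11 guesses/s is an assumed rate for illustration only.
    print(f"{bits:.1f} bits; {years_to_exhaust(bits, 1e11):.2e} years "
          "to exhaust at 10^11 guesses/s")
```

The re-draw loop is simpler than picking one character per class and shuffling, and it keeps the distribution uniform over the strings that satisfy the rule. Compare the 20-character output (about 130 bits) with an 8-character password from the same alphabet (about 52 bits), which is within reach of the GPU rigs discussed later on this page.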

Finally, a few things to watch out for. This is not an exhaustive list, but several characteristics of bad security implementations are worth recognizing. I’m not suggesting you avoid such sites, but I would be cautious about what information I provide them. In no particular order, and assuming no other ID method (e.g. two-factor authentication, etc…) exists:

  • Limiting passwords to a fixed length (not a maximum length – but a specific length).
  • Requiring passwords to be unusually short. There is no perfect number here, but anything below 12 characters, in my opinion, is asking for trouble.
  • Not allowing mixed case, numbers, and/or special characters.
  • Any service that can send you your actual password (in plaintext) if you forget it.

The reasons for the above are beyond the scope of this article – but they mostly have to do with proper hashing and storage of the passwords. It is also important to note (again) that even when security measures appear strong, there is usually no way to be sure. Unfortunately, it often takes a hack or other public incident to get companies to address security issues…

Hopefully you’re already doing these things – and more – to protect yourself online. If not – best to start today!


— EDIT November 4th, 2012 —

I thought I would add a list of the most common passwords, compiled (by others) from an analysis of cracked password databases. It is hard to believe that “password” and “123456” are still so common, but Mark Burnett analyzed six million passwords, and found that 91% of users had used one of the top 1000 most common passwords. Considering that a brute force password cracking program can run through those top 1000 in well under a second, there is virtually no protection afforded by any of them.

Here is the list:

Rank Password
1 password
2 123456
3 12345678
4 abc123
5 qwerty
6 monkey
7 letmein
8 dragon
9 111111
10 baseball
11 iloveyou
12 trustno1
13 1234567
14 sunshine
15 master
16 123123
17 welcome
18 shadow
19 ashley
20 football
21 jesus
22 michael
23 ninja
24 mustang
25 password1
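An added Python example, not the author's code, that ties the list above to the criteria earlier on the page: it rejects anything on the common-password list, including the “@ instead of an a” style substitutions and trailing-digit suffixes mentioned earlier, and requires at least 12 characters and a mix of character classes. The 25 entries embedded below are the page's own list; the substitution table and the three-class rule are assumptions chosen for the example, and a real deployment would load a far larger list.

```python
import string

# The 25 entries from the list on this page. A real deployment would load a
# much larger file (the full top-10,000 or a breach corpus).
COMMON_PASSWORDS = frozenset("""
password 123456 12345678 abc123 qwerty monkey letmein dragon 111111 baseball
iloveyou trustno1 1234567 sunshine master 123123 welcome shadow ashley football
jesus michael ninja mustang password1
""".split())

# Substitutions that cracking tools apply automatically ("@" for "a", "0" for
# "o", ...). Undoing them lets the check catch "P@ssw0rd" as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def normalize(password: str) -> str:
    """Case and surrounding whitespace carry almost no entropy; ignore them."""
    return password.strip().lower()


def is_common(password: str) -> bool:
    """True if the password, its de-substituted form, or the password with a
    trailing run of digits removed ("monkey123456") is on the list."""
    base = normalize(password)
    variants = {base, base.translate(LEET), base.rstrip(string.digits)}
    return any(v in COMMON_PASSWORDS for v in variants)


def check_password(password: str, min_length: int = 12) -> list:
    """Return the list of policy problems; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = sum(any(ch in cls for ch in password)
                  for cls in CHARACTER_CLASSES)
    if present < 3:
        problems.append("uses fewer than three character classes")
    if is_common(password):
        problems.append("appears on the common-password list")
    return problems


if __name__ == "__main__":
    # Constructed samples: each line is a candidate and its verdict.
    for sample in ("123456", "P@ssw0rd", "Monkey123456", "xK9#mQ2$pL7&vB4!"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
```

The list check runs before any hashing, at sign-up and at password change, which is the one moment the service sees the plaintext anyway. Keep the denylist lookup cheap (a set, or a Bloom filter for a large list) so it can be applied on every request without becoming a denial-of-service lever.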


— EDIT December 11, 2012 —

An article not to be missed about the advancements in password hash brute-forcing using multiple GPUs.
The Security Ledger: GPU Monster Shreds Password Hashes

Here is a look at the relative simplicity of the architecture. Those are graphics cards being leveraged for their extremely fast processing capabilities.

