Basic Security 3: Sort Out Your Passwords

Once your software is all updated, the next thing to do is to sort out your passwords. You probably use the same password on more than one site, and your passwords are probably not strong enough.

There are a lot of websites that have user accounts, and they are not all as secure as they might be. If a website gets compromised, an attacker can get hold of their database of user names and passwords. The passwords should be hashed and salted — I will explain this process in a future post, but it means that neither the attacker nor the website itself can see your actual password. However, the website may not be following proper security guidelines, and might store your actual password. And if you use a common password, the attacker can find it even if it’s been properly hashed and salted.

What Makes a Good Password?

Here is a list of 1,000 commonly used passwords. Search that list for any of your passwords, and immediately change anything that’s on the list. Anything that’s widely used is definitely a very bad password.

Short passwords are vulnerable to an attacker just trying every possible password. Suppose your password is all lowercase letters, but you’ve made it properly random, and it’s something like “alzqoa”. There are just over 309 million possible passwords containing six lowercase letters (or six uppercase letters). That sounds like a big number, but an attacker might be able to try 1,000 possible passwords per second, which means it would take on average around 150,000 seconds or less than two days to crack your password.

Now, if you mix it up and include a mixture of uppercase and lowercase, something like “aLZqOa”, things get better. There are nearly 20 billion such passwords, and it would on average take 114 days to crack at 1,000 attempts per second. That’s still not ideal.

So add digits and punctuation characters as well, maybe “aLZ7[a”. If we add 10 digits and 30 punctuation characters into the mix, we have over 600 billion passwords and about five years average time to crack. Which is probably good enough for now, if your password is genuinely random (I’ll talk about randomness in a future post).

But technology keeps getting faster. If an attacker gets hold of a website’s database of hashed passwords, and the website used a fast hash function like MD5, they may be able to make 10 billion attempts per second. And in a couple of years, that may be a trillion attempts per second. The password that would take five years to crack and seemed safe now takes less than a second.

Of course, websites should stop an attacker from trying different passwords for the same user 1,000 times per second, and they should use a slow and computationally expensive hashing algorithm on their passwords, but you have no good way of telling which websites have competent security and which do not. So it’s safest to assume that none of them do.

I therefore recommend that your passwords should contain lowercase letters, uppercase letters, digits and punctuation, and that they should be at least 12 characters long. They should also be reasonably random (“P@ssw0rdP@ssw0rd” satisfies the other requirements, but is a terrible password). And you should use a different password for every website. For passwords that you need to type frequently (especially on a phone keyboard) into software that’s securely designed, a shorter length may be OK, but certainly no fewer than 8 characters.
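The arithmetic behind the crack-time figures above, as an added worked example (not code from the original post): it computes the keyspace and average exhaustive-search time for the post’s three character-set sizes and three guessing rates, and checks a password against the post’s composition rule. The charset sizes and rates are the post’s own; everything else (function names, the table layout) is this example’s choice.

```python
import math
import string

# Character-set sizes from the post: lowercase only; upper and lower case;
# upper and lower case plus 10 digits and 30 punctuation characters.
CHARSET_SIZES = {"lowercase": 26, "mixed case": 52, "mixed case + digits + punctuation": 92}

# Guessing rates from the post, in attempts per second.
RATES = {
    "online, 1,000/s": 1_000,
    "offline MD5, 10 billion/s": 10_000_000_000,
    "offline in a few years, 1 trillion/s": 1_000_000_000_000,
}

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from the set."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength of a *randomly chosen* password in bits; meaningless for a patterned one."""
    return length * math.log2(charset_size)


def average_crack_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing: on average the password is found halfway through."""
    return keyspace(charset_size, length) / 2 / guesses_per_second


def crack_time_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    return average_crack_seconds(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def meets_composition_rules(password: str, min_length: int = 12) -> bool:
    """The post's rule: all four character classes and at least 12 characters.
    This checks composition only; it cannot tell 'P@ssw0rdP@ssw0rd' from a random string."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return len(password) >= min_length and all(any(c in cls for c in password) for cls in classes)


def crack_time_table(length: int) -> dict:
    """Years to crack a random password of `length` for every charset/rate pair in the post."""
    return {(cs_name, rate_name): crack_time_years(cs, length, rate)
            for cs_name, cs in CHARSET_SIZES.items() for rate_name, rate in RATES.items()}


if __name__ == "__main__":
    for length in (6, 8, 12):
        print(f"--- {length} characters, {entropy_bits(92, length):.0f} bits at 92 symbols ---")
        for (cs_name, rate_name), years in crack_time_table(length).items():
            print(f"{cs_name:36s} {rate_name:36s} {years:12.3g} years")
```

Running it shows why the post draws the line at 12 characters: a random 12-character password from the 92-symbol set still takes thousands of years at a trillion guesses per second, while any 6-character one falls in under a second.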

There’s obviously no way anyone can remember a different long random password for every website, so you need a way to avoid remembering them all while still having good passwords. There are two ways to do this.

Password Managers

The first is to use a password manager program. I do this — I use 1Password on my Macs, iPhone and iPad, and have access to all of my passwords all the time. Other good choices include LastPass and KeePass. As well as storing passwords for you, they will generate strong random passwords using criteria that you choose.

(Do not under any circumstances store your passwords in an unencrypted file on your computer, since if an attacker manages to get access to your computer they will then have all of your passwords. I personally would not entrust my passwords to anything that’s not designed as a password store, so I wouldn’t put them in (for example) an encrypted Word document, Excel spreadsheet, or Zip file, but if you must do that then it’s much better than an unencrypted file.)

All three of the programs mentioned above have versions for Windows, OS X, iOS and Android. 1Password costs a few tens of dollars, LastPass is free but charges for premium features, and KeePass is open source software that anyone can download and install freely.

You need to be able to trust a password manager program both to store your passwords safely in a way that doesn’t allow them to be accessed, and not to put in any deliberate backdoors that give the software company access to your passwords. For that reason, I’d recommend sticking with a big and well-established company (or widely used open-source software like KeePass).

You also need to decide whether or not to allow your passwords to sync over the Internet, which is an option for all of the programs I mention above. I do; I sync my passwords between my 1Password installations using DropBox, as I trust both DropBox’s security and 1Password’s encryption, and both of them would have to be breached at once for my passwords to be exposed.

I should mention here that LastPass suffered a security breach in June 2015. Some user data was revealed, but no user password databases were exposed, and their proper use of security best practices reduced much of the impact. They handled the whole thing pretty well, and it wouldn’t put me off using LastPass as a password manager.

When using a password manager, you obviously have to remember the password that you use to access the password manager itself, and it has to be a strong one. I suggest using initial letters of a phrase that has meaning only to you (not a literary quotation), and replacing some letters with digits or punctuation. For example, “KeePass keeps all my passwords safe at all times” could become “KPk@mp5aat”, which is reasonably good.

If you’re using a password manager, your passwords can be even longer, since you’re not remembering or typing them anyway. I have 1Password set to randomly generate 16-character passwords containing three digits and three punctuation characters.

Some websites are badly programmed, as we have already discussed, and they can break password managers in two different ways. First, they may have inadequate rules for their passwords that don’t allow your strong randomly generated password, either because they have a very short maximum password length or because they disallow some (or all) punctuation characters in passwords. There’s no good excuse for either of these, but if you come across them you’ll have to change your password recipe until you get something that you can use.

Second, some websites have the deeply misguided view that it’s more secure if your users can’t paste their passwords into the login screen, and they prevent you from doing this. Their idea is that they don’t want you storing your password on your computer, which is reasonable if it’s not in an encrypted password manager program, but they can’t tell whether or not it is. So they make you use a short and non-random password that you can type easily and remember, which is very bad for their security. If you come across a website like this, I suggest complaining — they might listen to their users if enough of them complain.

Password Schemes

If you don’t want to use a password manager, the alternative is to have a single strong password that you remember, and a way to customise it for each website. At its simplest, just making the last two letters of the password the same as the first two letters of the website name is very much better than nothing.

Use a similar scheme to that suggested above for your master password. “I do not want to use a Password! Manager! program” might become “Idnw2uaP!M!p”, which is a pretty decent password that you should be able to remember (but obviously, don’t use this specific password). Then your Twitter password would be “Idnw2uaP!M!ptw”, your Facebook password would be “Idnw2uaP!M!pfa”, and so on. The occasional duplication between websites that happen to start with the same two letters doesn’t matter much.

Of course, if anyone does get hold of one of your passwords and they’ve read this blog post, they can then reverse-engineer your scheme and easily deduce your passwords for other websites. But the chances of that happening are very small, partly because they’re good passwords that are less likely to be discovered and partly because nearly all password attacks are entirely automated, so no one will ever actually look at your password. If you’re worried about it, you can disguise what you’re doing by mixing the letters up more. But I can’t describe a way to do it in a public article, since the bad guys can read this as well — you’ll have to invent your own way to do it.

Change All Your Passwords

Having either installed a password manager or come up with a good master password and scheme for varying it, you now need to change the passwords on all of your websites. I suggest doing the most critical ones right now — your email, online file storage, financial websites, social media and so on. For other websites, every time you log into a website with a weak password, change it there and then.
