Tuesday, January 20, 2015

Words on Password Security

[Image: a locked blue padlock on a blue circuit-board background. Image by geralt, License: CC0]
UPDATED March 18, 2017 - LastPass has changed their business model and the mobile app does not require a subscription. I have also become aware of the Diceware passphrase generation technique. This post has been updated to reflect that.

Two years ago I wrote an article about an Offline Password Creator inspired by the xkcd comic "Password Strength". Many things have changed in those two years. Most notable are the password-cracking tools that now take this xkcd comic into account.

In early 2014, Bruce Schneier wrote an article on choosing secure passwords and specifically stated that the xkcd correcthorsebatterystaple method of generating passwords is no longer good advice.

Skip forward to present day, 2015. A friend of mine on Facebook discovered the aforementioned xkcd comic and other friends thought this advice useful. As someone with a bit of security knowledge through a university course and an enjoyment of reading security blogs, I felt I should help inform them. After typing a couple of hundred words in a Facebook comment, I realized I should write a new blog post to update you, my readers.

Below I will give my recommendations on maintaining a reasonable amount of security with your passwords.

Use a Password Manager
As I've mentioned before, I recommend that everyone use a password manager.

A password manager typically requires you to create a "master password" that will be used to encrypt the password vault where all your passwords are stored. The manager often integrates with your web browser, making it very convenient to have a secure (long, random, unique, and a mix of character types) password for every website/application you use.

Choosing a Password Manager
So you want to use a password manager, great! Now you may find the task of choosing one a bit daunting, so I will briefly outline the options I recommend below:

1Password - Cost: Paid (Free Trial) ~$50 (on Mac/PC ~$40 for students) - Platforms: Mac, Win, iOS, Android

1Password was the first password manager I used. It has a good user interface, is fairly straightforward to use, and has a browser extension. The browser extension is important to most people because it (most of the time) allows for a single click to fill in your username and password.
The password vault can be synced across platforms with Dropbox. The password vault is encrypted so this is fairly secure (always be mindful this is a relative term) but if you don't trust Dropbox I would not use this option.

Depending on how many platforms you use it can get a bit pricey. I paid for a student license for my Windows desktop and found it well worthwhile! However, I also use Linux (for which 1Password is currently unavailable), and the Android client (at the time) was unable to add new entries.

If your use case is only on one or two platforms it's definitely worthwhile and is a friendly way to begin using a password manager.

Keepass 2 Professional Edition - Cost: Free (despite its name) - Platforms: Windows, Mono (Linux, Mac, BSD, etc). Unofficially on: iOS, Windows Phone, Android, Blackberry

Keepass is my current password manager. I wanted a free alternative to 1Password that I could use to create new passwords on my phone (Android) and on Linux. I use Dropbox to sync my password vault. The user interface looks okay, and functions well. There is a browser extension which is quite useful.

On Android Keepass (via Keepass2Android Password Safe) I highly recommend using the Keepass2Android keyboard to enter passwords. The keyboard simply has a "user" button and a "Password" button. This is safer than the copy/paste method because any application can read from the clipboard (where the copied password gets saved) without asking for permissions.

Keepass is also open source, which is something I value.

This combination of cross-platform use, open source, and free helped make this my current password manager. If you don't mind taking the time to set it up (plugins required for the browser extension for instance) then it's well worth it!

(The following info on LastPass has been modified as of March 18, 2017)
LastPass - Cost: Free or Subscription ($12 USD/year) - Platforms: Windows, Mac, Linux, iOS, Android, Windows Phone, BlackBerry, Firefox OS, Surface RT

I haven't actually used LastPass, but I've heard very good things about it from my peers and would recommend it based on their recommendations and from my readings on it. During the Heartbleed incident LastPass was able to inform you of what passwords to reset. It also will rank your passwords and tell you which ones are weak. The subscription adds a few features (noted on the website) including a shared family folder.

Know Two Passwords
My recommendation is to know two passwords.

1) You need to know the password for your password manager, otherwise you can't access it. So this one is very important. In the event someone steals your computer or hacks your Dropbox (or wherever the password vault lives), you want it to be very, very difficult for an attacker to crack your master password.

2) In the rare event of your password manager breaking, the loss of your password vault (Dropbox has lost files after all), or another catastrophic event that results in losing access to your passwords, you need some way to recover them.

First of all: You should always make backups of files. Preferably following the 3-2-1 rule, but most of the time a simple external hard drive will suffice. But that's a topic for another post.

Second: If you still can't access your passwords even with a backup, you want to be able to reset them. That's why the second password you should know is your email password. Almost all services let you reset your password via email, so this one is crucial.

Now that you know why you need to know these two passwords, how will you remember them and how will you keep them secure?

You could:
  1. Create a Diceware password with a simple six-sided die (aka D6)
  2. Use a password manager to generate these two passwords
  3. Use something like the "Schneier scheme"

For a Diceware passphrase, roll a die 6 times and enter the numbers on this site, which will turn them into a word from a list. Do this for 6 or more words to create a strong passphrase. Alternatively, click the "6 Words" button.
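To make "make them long" concrete, here is an added example (not from the original post) that works out the entropy of the three approaches above: a four-word xkcd-style passphrase, a six-word Diceware passphrase, and a manager-generated random password. The 7776-word Diceware list size and the comic's 2048-word list are well-known facts; the guess rate is an assumption chosen for illustration.

```python
import math
import secrets
import string

# Standard Diceware list: 6**5 = 7776 words. The xkcd comic assumed ~2048 common words.
# Neither number appears in the post; both are properties of those schemes.
DICEWARE_LIST_SIZE = 6 ** 5
XKCD_LIST_SIZE = 2048
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly (fair die or CSPRNG) from a list of list_size words."""
    return n_words * math.log2(list_size)


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a manager-generated password: length symbols from an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who knows the scheme to try every possibility."""
    return 2.0 ** bits / guesses_per_second


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """What a password manager's generator does: draw from the OS CSPRNG, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def roll_d6() -> int:
    """Software stand-in for the physical die; secrets.randbelow is uniform, with no modulo bias."""
    return secrets.randbelow(6) + 1


if __name__ == "__main__":
    rate = 1e10  # assumption: offline guesses/second against a fast, unsalted hash
    year = 365.25 * 24 * 3600
    for label, bits in [
        ("xkcd, 4 words from 2048", passphrase_bits(XKCD_LIST_SIZE, 4)),
        ("Diceware, 6 words from 7776", passphrase_bits(DICEWARE_LIST_SIZE, 6)),
        ("manager, 20 random printable", password_bits(len(PRINTABLE), 20)),
    ]:
        years = seconds_to_exhaust(bits, rate) / year
        print(f"{label:30s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    print("sample generated password:", generate_password(20))
```

Scheme-aware cracking is exactly why the 44-bit xkcd passphrase no longer holds up, while six Diceware words land near 77 bits and the manager's 20-character password above 130.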

Make them long, make them secure. Keep them secret, keep them safe. Bruce Schneier has suggested writing down your passwords and keeping them in your wallet, with your other small valuable pieces of paper (bills).

With these precautions, you now have two secure passwords in case anything goes wrong, and your password manager makes sure you have a strong, unique password for every website and app you make an account for.

