Password "security" ?
 

A question for the IT wizards out there: I tend to use a small number of passwords for multiple IT systems and sites (yes, I know :rolleyes:, but my aging memory doesn't allow for dozens of unique passwords). What gets me is that different IT systems use different rules for what are supposedly "secure" passwords. Must be x characters long; must contain at least one upper case letter; must contain at least one number, etc. No two seem to have the same set of rules :mad:.

To make things worse, some systems force you to change passwords every three months, six months, or whenever the IT person's genitals itch.

So my normal workaround is to use a proper noun that means something to me, followed by a number. When I'm forced to change I simply increment the number by one. On one system I'm up to 14. More recently I ran across a new one: the password had to contain a "special" character such as ?!#*, etc. :mad::mad::mad:

Now the question: does all this horse manure *really* make things more secure, or is it just window dressing to make the IT geeks look like they're doing something useful???

First, it's equally important to use different usernames.

Second, you are doing better than most based on what you already said but there's always room for improvement.

See this article for greater insight:
‘Password’ and ‘123456’ Once Again Top Most Popular Password List for 2015 (So Please Change Yours)Above appeared in FBT, where I serve as EdDir.

Yes, I saw that article, which is what started me thinking about it. It's one thing to be just plain dumb about passwords, and another to use rules and passwords that actually improve security. That's my point.

If we want to really improve security, we would get rid of passwords and use something more secure such as biometrics.

Remember what Henry Ford is supposed to have said: "If I had asked people what they wanted, they would have said faster horses."

The problem is that simple passwords are easy to break via so-called "dictionary searches". The horse manure is supposed to address that. But the problem is that "password" and "password1" and "passw0rd" are in the bad guy dictionary. And all of those are short, and thus easier to break than longer passwords.

The most secure approach requires two (or more) forms of authentication, like a password and a fingerprint, or a password and a code sent to your cell phone.

But getting back to how you generate passwords: you should use a better scheme that's easier to memorize. Here's a well explained venerable approach in cartoon form.

I just use a password database program; my passphrase for that is a long sentence I'm unlikely to ever forget (not mine, and a little shorter, but think of "A long time ago in a galaxy far, far away...")

Passwords for important stuff are unique, randomized, and completely unmemorable -- I keep meaning to see if my most secure ones will let me use non-roman characters, to really randomize it. 20-randomly selected printable unicode glyphs is even more entropy.

A few sites where I need to be able to sign in without copy and paste got randomized sentences.

One problem with phrases/sentences is that while from a number-of-characters perspective they're very good, as people use them more they're actually pretty predictable given how standardized languages are... so if you know they're using a passphrase of english words separated by spaces, generating random multiword phrases/sentences is much quicker than generating meaningless strings of characters in between.

I use 1Password on my Macbook, it creates very random passwords for you and stores logons, all encrypted. Just have to use a single memorable passphrase to unlock the 1Password menu, you can also store other sensetive stuff in there and I've had no problems with it so far.

I use a password manager on my iPhone (I use Codebook, by Zetetic), and it allows me to hold numerous passwords/logins/emails/PINs/account numbers (sorted under categories of my choosing, like "travel", "work", "financial") - all under a single password. THAT password is a weird one like it's supposed to be, with a few lower case, a few upper case, a few numbers, and a few symbols (and not a word in any language). That way I can look up different passwords or PIN numbers as I need them.

The program can even generate random passwords if you want it to -- I don't. I use variations of a theme for most everyday passwords (like shopping sites or frequent-user cards), but I know I can easily change a password any time I want or need to, and I can always look up the new one on my iPhone if I forget it. It's particularly helpful for the ones I don't want to use that variation on a theme (like banking), and for passwords I use rarely.

I used to do the same thing, sopwith, and did still at my most recent job where we had to change our passwords every 3 months. But for the last several years I've just used a password manager that generates a unique long random password for me, remembers it, and auto-fills it on the web page for the site in question. There are a bunch out there - 1Password, KeepPass, and LastPass come to mind.

I use LastPass because it syncs online across all my devices and is easy to use. It also encrypts all your passwords on your computer and only passes the encrypted file over the internet. The company has been very open about how their software works, and the security reviews of it I've read all say it seems in order. It's free on on one device and I think $12/year if you want it on multiple devices. The iPhone app is easy to use.

But to answer your question more directly, having a password that includes various character types (letters, numbers, punctuation) and is over 8 or 9 characters in length greatly increases the likelihood that the password won't be vulnerable to a dictionary attack.

I am with Dave on this ^

It does make a difference to security as most folks use a simple word etc. BTW, if any site of yours got compromised and your password was spotted to be "Labrador 8" or some such, you can guess that they would try Labrador 9, 10, 11 etc on that and other sites where you might operate!

Having used LastPass for a few years now I am a happy customer. You are not too old to learn, but learning how to do things efficiently is the most important lesson ;)

For a few dollars a year it makes life very simple for me on a laptop, desktop, ipad and phone.

You can have it set up to change passwords automatically at intervals so that is one less think to have to worry about. You can set the standard "offered" password for new sites to be any combination of letters numbers and symbols, also adjust it for each site. It really is easy. You can, for example, set a standard 15 characters letter/number/symbol combination for each different site that you could never remember and when you are revisiting a site and logged in to LastPass it automatically populates the webpage and logs you in.

My white haired old head is very content with this as I now have a devilishly difficult different password for every site that I use now that no brute force cracking attack is going to get near anytime before I am pushing up daisies!

Bump +1 for 1Password.

I prefer over LastPass because it doesn't sync over cloud. But you can manually sync across various devices regularly....yes, it's a pain in the bxxx but LastPass did get hacked last year!

Everyone gets hacked - and "hacked" is a term that can mean different things. Did the attackers gain access to a database? A thermostat? The TV in the lounge? If they got into a database, did it have sensitive information on it? If it contained user passwords, did they get the data? In what format?

LastPass's response to that particular breach was stellar. They said what happened, they said what they did to strengthen defenses, and they were transparent about it. Even if people got my entire encrypted password store from LastPass, there's very little they can do with it since I use a strong master password.

So I'm not worried, and I like the seamless online transfer and update of my passwords to and from my various devices.

LastPass is great on mobile devices that have fingerprint recognition. No need to enter your long password, just authenticate using your fingerprint, and the passwords autofill.

Principles of mathematics explain the rules of password security pretty well--since they're used both by security personnel and hackers--so that you can understand the rationale for your IT department's rules. Ignoring for the moment the likelihood of use of a popular password--such as "password"--the limit of password possibilities is established by the number of available characters with the number of characters in the password indicating the number of times I multiply the number of available characters against itself. The keyboard I'm using for this post has 92 different possible characters, counting each letter twice for uppercase and lowercase (thus, the rationale for some IT departments requiring at least one uppercase letter in a password).

For the purposes of an example, I'll also ignore normal minimum password length rules for a moment (although the example illustrates the reason for the rule). If my password is 2 characters long and the password contains all characters--no spaces and no nulls, there are 8464 possible passwords. Give me reasonable access to a computer (a weekend) and no lockout program, and I don't need to use a software program to figure out the password--I'll just keep entering character combinations until I happen on the right one. Now, add in insight to the human probability of using something standard, such as the words "an," "on," "at," or even "pm" or "TD" or the number "10," and I may not need a whole weekend to figure out a password. As you can imagine, a hacker using a computer program can figure out that password in much less than a second.

Now you can see why many password security protocols require at least eight characters for a password as well as numbers, uppercase letters, and symbols (since that uses the full character keyboard rather than just the subset of lowercase letters, which yields only 676 possible two-letter password combinations). Under the same assumptions as above, there are now over 5 quadrillion password possibilities (92 to the eighth power as opposed to 92 squared). You've completely taken human interaction to solve a password out of the equation, but computers can still figure this out within an hour. And now, more sophisticated probability programming (lazy users are more likely to use a word than nonsense thus the dictionary attack gfunkdave references and hackers also eventually figure out that folks will substitute a "1" or "!" for "i" or "I") can shortcut the search by promoting certain more likely combinations instead of pursuing a brute force attack--which makes sense because the longer the password, the more complex the password so a more sophisticated method of attack must be employed.

Finally, the requirement for changing passwords recognizes that with enough time to search, there is no secure password, no matter how long or confusing you've made it. Now, most confusing passwords will withstand attack for a very long time, but as an extra layer of security, IT departments, such as my employer's, have made it a requirement that you change your password every 90 days. The random password generators out there take this principle to its logical conclusion: if your password constantly changes, there is an even lower likelihood that it'll ever be cracked.

So yes, this stuff works, but it's just like putting lighting up around your house, installing locks, getting a guard dog, and buying a security service to monitor your home. The principle in both situations is to decrease the likelihood of something bad happening, but there's no way to eliminate the possibility.

From my perspective, my accommodation to these necessary levels of security is to use an organizing principle to generate my passwords while trying to exceed the minimum security rules--in effect, a more sophisticated application of the use of a familiar name, such as your kid's or your dog's, to create a password. I tend to use my personal interests--golf and travel--to generate passwords that are easy to remember while somewhat more difficult to crack. And I try to consider less used characters (I think we know "1", "!", "@," and "3" are pretty well trod) but in a place where I'd expect them to be.

As a result, last fall, I went to the Outer Banks of North Carolina for a week. My password at work leading up to that trip was "OBX--October." Not impossible to crack, but a lot harder than "OBX". I've also used "I loved playing Pebble!" since the security protocol at work allows spaces between words--not all do. Even something as simple as my hometown, "Norfolk, Virginia" becomes a relatively difficult password to crack because I've used a comma and spacing--still two things that aren't as likely to be used in passwords. This is still an easy password (and organizing principle) to remember while creating something harder to crack than "password1." Since I generally have some trip upcoming, I can also change the password more frequently than every 90 days to account for my next trip.

I realize this post was a bit long, but I think it helps to understand the reasons your IT department pushes the rules they do.

What does everyone here think of Keychain?

My biggest problem with the sites that use more obscure rules and force you to change the password frequently is that I'm not convinced it's really making things more secure because I find the harder it is for someone to remember their password, the far more likely it is that they'll write the password down somewhere, and frequently that somewhere will be easily located from where the computer is. This is something that I frequently have to harass my users about (among other things, we had a security audit a number of years ago, and this is one thing they specifically were looking for in the building). I have a few users that have pages of notes of sites and passwords sitting next to their computers. Thankfully, they're not generally the same faculty members that leave their office door wide open and wander off for hours at a time (in a building that has had occasional thefts occur in it). We do have one annoying piece of software in our department that makes you change the password every 6 months, and with the last update we had, they went from remembering the last 10 passwords to the last 50 (and I'd consider the last 10 to be excessive).

I was pretty resistant to it myself for a long time, but I've ultimately gone to using lastpass for things. I'm still kinda transitioning to it, but so far it's been pretty reasonable for me. We've also used keepass for stuff that we didn't really want stored online (although note, if you store the file for that on a network drive, when you can't access said network drive it becomes very difficult to retrieve the passwords you need from it in an emergency :) ).

Sadly, my employer blocks the use of password managers like lastpass. The also require an extremely long & complicated passphrase with multiple numbers, symbols and capitalized letters. It means that everyone just has a post-it with their password affixed to their monitor.

So use a local password manager like Keepass on your personal phone, and just copy it over from there.

So why not use a password manager on your phone, and use that to access your password? Certainly more secure than a Post-It beside your monitor!

Good for you!

^^

http://arstechnica.com/security/2013...our-passwords/

For less than $5US, it is possible to purchase a GPU rig that can do ~80 Billion guesses per second. Hint: Right now, a guaranteed-good (stolen) credit card can be purchased for $4.80US.

Password "security"
 

Great answers so far, great question, great thread.

First I'll comment on "does all this junk I'm asked to do really make a difference." Let's look at how to make a hard-to-guess password, and start with some EASY math.

If you could only use digits 0-9 for a password, the number of different passwords for a given password length is (10^3) -- OK stop stop stop, math is scary. No, let's say you could only have 3 digits -- 10 to the 3rd power, or 10 * 10 * 10 - picture this -- 0-9 (10) TIMES 0-9 (10) TIMES 0-9 (10). 1000 combinations.

If you make that more complicated and have 0-9 plus a-z plus A-Z, you have 10 + 26 + 26 = 62 different characters, to the power of whatever the length is.

Obviously, however complicated (what characters are allowed) and the length of the password both factor in here. (OK, giggle ladies, length is important ha ha)

What's not obvious is that length is more important than variety; 10^5 (100,000) is bigger than 5^10 (9,765,625; that's 97 TIMES more complex, get a calculator out and check).

So ... making people use crazy letters and symbols is basically stupid. Using a "passphrase" is basically really smart. In other words "Oy, my aching left foot" is way better than "#4fTTg6Q$%" and it's a lot easier to remember.

Here's another thing that may make IT people mad. Forcing you to change your password is STUPID. The only "attack" that helps against is if someone steals the password file. They should KNOW if the system was compromised, then force everyone to change their password. Unless someone gets the password file and cracks it, your 14 year old password is just as secure as it was when you created it. It's math.

What does this all mean?

Use a password generator anyway, and if your employer blocks things like 1Password and Lastpass (I prefer lastpass), they're stupid and oh well, find a way to work around it, like copying and pasting on your phone, or using Pushbullet, or some of the other GREAT ideas people have shared.

Now go make your passwords LONGER and easier to remember, or use a tool to make them equally long and impossible to remember. :)

Yes, my password life revolves around variations of passphrases (plus my user names are different and unique to a specific site.

The passphrase I use is a variation of "ourcomputernevercrashesdoesit" and for ..... and giggles I insert a few random numbers in, such as "our1computer2never3crashes4does5it" . This is just an example and don't try to log into my FT account with it please.

I cosign the greatness of 1Password and 1PasswordAnywhere lets you log in via browser after you've set it up. But you can also just have the app on your phone and then type in the password as others have said.

Listen to Edward Snowden's suggestions on better passwords: http://www.cnet.com/news/margaret-th...o-john-oliver/.

Makes sense....

Whilst Mr Snowden's advice is good, the need is usually for different passwords for multiple sites and remembering that is hard. But other ways can also significantly alter a 'known' word, such as adding punctuation - so Flyertalk (9 chars) becomes F.l.y.e.r.t.a.l.k. (18 chars) or Flyer;;;;;talk (14 chars). Unguessable and not going to work as a brute force attack anytime this century. This Steve Gibson explanation of needles in haystacks is fun:
https://www.grc.com/haystack.htm

Whilst handy for extending and complicating an easy password it only gives you one example and if a site gets compromised and you have used that password elsewhere you have a problem. Many sites store your email address and password and it is if that single site is compromised that causes problems as you probably use the same email address for all your logins - hence why different passwords for each site are important.

But the password manager advantage is that it will give you a randomised 20 character password that is different for each site. If one site ever got compromised the email address and that password does not help the hacker get in anywhere else.

Even if you keep those passwords encrypted on your phone and have to manually input it to keep an employer happy it is way better than the post-it beside the monitor!

The New York Times had an article on password managers today, http://www.nytimes.com/2016/01/21/te...an-region&_r=0. Not necessarily endorsing the conclusions but adding this here because of its timely relevance to this thread.

All the gimmicks mentioned for passphrases, are already used by crackers, and for which hashcat rule sets already exist.

Use long, random machine generated passwords ... Kinda like my username. Use Nothing from a dictionary. Among the passwords I have cracked using hashcat, my favorite stupid password: You w!ll n3v3r b3 abl3 t0 brut3 f0rc3 th!$ l3ngthy passw0rd!

Hashcat cracked it in the first 24 hours using an 8-GPU rig, street price: $4.80US

And thus the rationale for frequently changing passwords (and although not always emphasized, usernames as well) and not reusing passwords. Your suggestions certainly increase the security of a password, but given enough time, any encoded information can be deciphered. There is no 100% safe solution--only best practices.

Your post, though, does demonstrate that the tools for decryption continue to evolve, and the best practices from five years ago or 2013 or even last year may no longer be safe.

Sites are dumb if they allow brute force attacks. It's easy to allow only 3 attempts and then block further attempts for 5 minutes. Then a billion attempts would take over 3000 years!

True and that mostly doesn't happen. The bigger issue is a data security breach where the bad guys get hold of tons of encrypted information in one fell swoop. Now, you can take advantage of time and programs like Hashcat to decrypt at relative leisure. And since most people use the same username and password at multiple sites, all that's necessary is a good program to ramble around the internet randomly entering usernames and passwords at banking and retail sites until--boom!

Sophisticated hackers are like good burglars and robbers. If they get your credit card information, they may not directly use your credit card but instead use the information they obtain to open another account that you're not aware you have--until you get the first month's bill for $10,000.

This doesn't resolve OP question but for everyone else, recommend enabling two tier authorization whenever available. In theory, the only way to access/login, even if pw cracked is to steal your phone.

The particular example he's giving is of recovering a password from a file, where the password is hashed into something like an encryption key using a standard algorithm. If you've stolen the file, you can then recover the passwords using various mechanisms.

There are various levels there, but the speed of brute-force lookup you can do on a file of password hashes exceeds the theoretical network rates -- it's not simply a matter of slowing things down, even a site with no blocking mechanism is going to only be able to do a few tens of thousands of login attempts per second on a single account, and as you say, adding some kind of throttling and lockout is pretty easy.

By contrast, if you've got the file locally, you can try depending on the example, up to nearly a trillion and a half possible passwords per second. The encryption type matters a lot, though -- the best algorithms are about 1,000 times slower to test per http://hashcat.net/oclhashcat/ and there are other techniques that can slow down the test rate by a roughly equal amount.

That's still at least a million tests per second locally, something that's virtually impossible against any kind of individual public network endpoint unless you've got an entire botnet at your disposal (and maybe not then -- and a million failed logins in that time frame are going to register on someone's console even at a site like Facebook or Google.)

the only protection is being inconvenienced and building VERY large passwords with mixed characters, and the only way to manage this is with Keepass or Lastpass and with a long passphrase and make sure you don't have malware on your computer such as keyloggers.

Two tier authorization is nice for some apps, but for Google I tried it and it was so onerous that I had to turn it off.

You misunderstand how passwords are cracked. Professionals crack passwords off-line, not on-line.

> GRC Password Haystacks ...

The tools that estimate password strength are ... crap.

According to one popular password strength meter, BandGeek2014 should
take 74+ centuries to crack; another estimated six [6] years. Big spread, eh?

Reality: Hashcat cracked it in less than 90 minutes.

12 characters and no symbols. Still better than "starwars" or "password" though :D. How fast does Hashcat do 20 random multi symbol types? Just for my personal interest ;)

... and how does it know it has cracked it, if it reads gibberish on every iteration?

Google is probably one that I would use the two tier system. For 'trusted' devices, once you do it the initial log-in, usually don't ask again unless you clear cache/history/cookies. And there's always the authenticator app as backup to getting a text message to smartphone.

Other sites I use include amazon, eBay, PayPal, iCloud. POV ;)

Cracking passwords, in that sense, works backwards.

You have a hash (examples here) and try different passwords until you generate the matching hash value.

Of course, you need a dump of passwords first.

If it's going to be single-factor authentication, more complex passwords are more difficult to circumvent than biometric passcodes.

Biometric passcode locks are not all that difficult to circumvent, even as it would tend to localize the password circumvention at first. For example, there are people who have used their sleeping/hung-over roommates' fingers to access the data of phones that get unlocked by a fingerprint. And there have been examples of people using photos -- even of fingerprints -- to access devices locked with biometric passcode.