Moopler
Razz

Discussion Good practices for passwords


Dear Mooplers,

As there have been quite some rumors about keyloggers, old database leaks, new database breaches and other password-hacking related issues, I decided to write a small guide containing a few good practices for picking, using and disposing of passwords.

Good Practice I - Password Strength

There's quite some controversy on what is a good password. Some websites or services require you to use an uppercase letter, a symbol and a number while other services don't force you to use anything.


Security 'experts' often argue that a password needs to be complex, as in: having at least one uppercase letter, a symbol, a number, and a length of at least 8 characters. Other experts argue that the only thing that matters is the length of the password, as this determines the number of possible passwords. The word commonly used to describe these statements is 'entropy':

Quote: "A measure of the disorder or randomness in a closed system."

Bruce Schneier is a popular security expert who blogs a lot about security issues and security-related topics. In this blog post he talks about his vision on secure passwords and explains how passwords are being cracked: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

The scheme he describes is without doubt secure, but only slightly easier to remember than a pseudorandom password like the default ones on your router. Imagine taking Bruce's advice to heart about using the same password for multiple services, or rather not doing that: you would end up with at least 15 passwords that all look like the following:

  • uTVM,TPw55:utvm,tpwstillsecure

Aside from the amount of work it requires to fill this in on mobile devices, it becomes extremely hard to remember those. That's why I would like to introduce an extension of the (in)famous xkcd scheme:

[image: password_strength.png, the xkcd password strength comic]

Bruce rightfully mentioned that password cracking solutions don't necessarily lag behind anymore on passphrases or multi-word passwords. A combination of both schemes could work like this:

  • a base word to start your password with, it can be something simple such as an animal or car brand;
  • one or more words to describe the service the password is being used for. In Netflix's case it could be movies;
  • a symbol that will separate the 'dictionary' part of your password from the pseudorandom gibberish;
  • a 'random' sequence of letters, numbers or characters that have some meaning to you.

Your password might look like this at this point: gazelletvshows#marvel16.

Other examples might be:

  • dieselenginebank{trump45
  • jetfuelcantmelt!st33lbeams

Please do note that this doesn't stop the password crackers from deciphering your password(s), as they will eventually get the right combination of dictionary words and 'pseudorandom' input. However, due to the addition of special characters, numbers or uppercase letters, the password cracker will have to adapt to this formatting, implying an exponential growth in possibilities. Please do also note that I'm no expert on password entropy, which is why this information might be incorrect or inaccurate.
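To make the entropy argument above concrete, here is an added example (not part of the original post) that works out the size of the search space for a few of the schemes discussed: short random passwords with and without extra character classes, a four-word xkcd passphrase, and the combined "word + word + symbol + random tail" scheme. The dictionary sizes and the guess rate are assumptions chosen for illustration, and the combined scheme is deliberately scored under the pessimistic assumption that the cracker already knows the layout, which is the case the post warns about.

```python
"""Rough search-space arithmetic for the password schemes discussed above.

Added example, not part of the original post. The dictionary sizes below are
assumptions chosen to make the comparison concrete; real cracking word lists
and rule sets vary widely.
"""
import math
import string

# Assumed attacker dictionary sizes (constructed for this example).
COMMON_WORDS = 10_000   # words a cracker tries first (animals, brands, "movies", ...)
RARE_WORDS = 200_000    # a much larger list, e.g. a full native-language word list


def entropy_bits(combinations: float) -> float:
    """Bits of entropy for a password chosen uniformly among `combinations`."""
    return math.log2(combinations)


def random_password_bits(length: int, alphabet: str) -> float:
    """Entropy of a pseudorandom password of `length` drawn from `alphabet`."""
    return entropy_bits(len(alphabet) ** length)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of an xkcd-style passphrase: words picked uniformly from one dictionary."""
    return entropy_bits(dictionary_size ** word_count)


def combined_scheme_bits(base_words: int, service_words: int, dictionary_size: int,
                         tail_length: int, tail_alphabet: str,
                         separator_choices: int) -> float:
    """Entropy of the post's combined scheme: dictionary words, a separator, then a tail.

    Assumes the attacker already knows the format (words + symbol + tail), so only
    the choices within each slot count. The tail is modelled as uniformly random,
    which is optimistic if it is a memorable string rather than real gibberish.
    """
    words = dictionary_size ** (base_words + service_words)
    tail = len(tail_alphabet) ** tail_length
    return entropy_bits(words * separator_choices * tail)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password in a space of `bits` entropy at a given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    """Entropy (bits) of several schemes under the assumptions above."""
    lower = string.ascii_lowercase
    full = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    tail_alphabet = lower + string.digits
    symbols = len(string.punctuation)
    return {
        "8 chars, lowercase only": random_password_bits(8, lower),
        "8 chars, full printable ASCII": random_password_bits(8, full),
        "12 chars, lowercase only": random_password_bits(12, lower),
        "4 common words (xkcd)": passphrase_bits(4, COMMON_WORDS),
        # "gazelle" + "tvshows" + "#" + "marvel16" style, layout known to the attacker
        "2 common words + symbol + 8-char tail": combined_scheme_bits(
            1, 1, COMMON_WORDS, 8, tail_alphabet, symbols),
        "2 rare words + symbol + 8-char tail": combined_scheme_bits(
            1, 1, RARE_WORDS, 8, tail_alphabet, symbols),
    }


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash, guesses per second
    for name, bits in compare().items():
        print(f"{name:40s} {bits:6.1f} bits  "
              f"~{years_to_exhaust(bits, rate):.2e} years to exhaust at {rate:.0e}/s")
```

Two things stand out when you run it. Twelve lowercase letters beat eight characters drawn from the full printable set, which is the "length matters most" position. And the combined scheme only stays well ahead of a plain four-word passphrase because of the random tail: the dictionary words themselves contribute little once the attacker has a good word list, exactly the caveat the post makes.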

TL;DR: Find your own balance between nearly impossible to guess or deduct passwords and passwords that can be remembered.

Good Practice II - Classifying services

Not every service on the internet requires a unique, hard to guess password. Your bank has a higher priority than some local newspaper you're subscribed to. I personally differentiate between the following classification 'ranks':

  • High (Unique, less commonly used words, possibly native tongue instead of English)
    Services that involve money, widespread reputation, my personal life, government or employment, and owned websites;
  • Medium (Unique 'clusters' of passwords, commonly used words)
    Services that involve (partly) anonymized social aspects, free services, games (NOT services like Origin and Steam);
  • Low (Easier to crack passwords)
    Services which I intend to use once or don't trust, services that offer no features that could harm me or others.

There are only a few services that are classified as Low. One example: I used to own a blogspot/blogger account, but stopped using it and never bothered to upgrade my password.

Good Practice III - Password managers

I don't have much experience with them, but it might be useful to you. Some examples of password managers:

Good Practice IV - E-mail

Hackers are often relatively inventive people, so instead of cracking all your passwords it would probably be easier to crack the password of your e-mail and then reset all passwords for accounts linked to that e-mail address. This is the reason why your e-mail address must be secured by an exceptionally strong password and preferably some sort of two-factor authentication.

Good Practice V - Reducing your online footprint

You've probably signed up to a lot of websites and services using easy to remember passwords. All these services could fuck up the secure storage of your password and leak it to the outside world. Now people know a password you might use for one or more services, and your security might be compromised as a consequence. Keeping track of your online footprint and requesting deletion of your account on websites and services you no longer use reduces the chance of your password leaking. Aside from the password story, this also enhances your privacy, as there's less personal information to be found on the internet.

I hope you found this information useful. If you have any constructive criticism feel free to reply.
