Secure passwords, layman's edition
August 11, 2017 11:42 AM Subscribe
The recent news stories about Bill Burr regretting his earlier advice about strong passwords made me rethink certain of my own passwords, and I hoped to bounce a couple of layman's password questions off of the hive mind's security boffins.
Nothing in this post is an actual password of mine, obviously.
First question:
There are a few password strength testers online. Here's one from Kaspersky. Are the estimates of cracking times on these generally speaking accurate-ish? E.g., I made up some passwords that uses a similar construction as an actual password I use, and I get times to solve ranging from 6 years to 28 centuries. Meanwhile, I type in something like:
Whosewoodstheseare%IthinkIknow1999
and I'm told it takes more than 10000 centuries to break.
My security needs, generally speaking, don't require millennia of uncrackability, but it's somehow sobering to think a 2017 password could be cracked in six years, given that the fake password above is pretty easy to remember.
Actual question: what level of strength should an average person aspire to for their core banking, email, etc., passwords? Assume I practice good password control otherwise (no reused passwords, not writing them on a post it, etc.).
Second question:
Given computing advances (particularly in the decades since the ubiquity of the home computer; I'm not looking to ENIAC), have there been any documented cases where law enforcement have gone back and cracked an previously strong password from a "cold case" using brute force and faster computers?
I'm thinking of the data equivalent to the use of DNA to test crime scene evidence from decades ago.
I'd think most passwords from bygone days (e.g., the early 2000s) were probably pretty weak in the first place, but it would be fascinating to hear some mob accountant's secure hard drive had been cracked 20 years later by a modern supercomputer (slash MacBook Pro) and the whole crime family was busted. Pure fantasy, but is there anything resembling actual fact in that vignette?
Nothing in this post is an actual password of mine, obviously.
First question:
There are a few password strength testers online. Here's one from Kaspersky. Are the estimates of cracking times on these generally speaking accurate-ish? E.g., I made up some passwords that uses a similar construction as an actual password I use, and I get times to solve ranging from 6 years to 28 centuries. Meanwhile, I type in something like:
Whosewoodstheseare%IthinkIknow1999
and I'm told it takes more than 10000 centuries to break.
My security needs, generally speaking, don't require millennia of uncrackability, but it's somehow sobering to think a 2017 password could be cracked in six years, given that the fake password above is pretty easy to remember.
Actual question: what level of strength should an average person aspire to for their core banking, email, etc., passwords? Assume I practice good password control otherwise (no reused passwords, not writing them on a post it, etc.).
Second question:
Given computing advances (particularly in the decades since the ubiquity of the home computer; I'm not looking to ENIAC), have there been any documented cases where law enforcement have gone back and cracked an previously strong password from a "cold case" using brute force and faster computers?
I'm thinking of the data equivalent to the use of DNA to test crime scene evidence from decades ago.
I'd think most passwords from bygone days (e.g., the early 2000s) were probably pretty weak in the first place, but it would be fascinating to hear some mob accountant's secure hard drive had been cracked 20 years later by a modern supercomputer (slash MacBook Pro) and the whole crime family was busted. Pure fantasy, but is there anything resembling actual fact in that vignette?
Response by poster: I already use 1Password, and frequently use it to generate passwords.
I'm more interested in memorable passwords, for what it's worth, like the Frost one above (though I think Burr's advice is random words, like the xkcd comic). How much security should I build in to something like a bank or brokerage password that I might type in daily, e.g.
posted by Admiral Haddock at 12:23 PM on August 11, 2017
I'm more interested in memorable passwords, for what it's worth, like the Frost one above (though I think Burr's advice is random words, like the xkcd comic). How much security should I build in to something like a bank or brokerage password that I might type in daily, e.g.
posted by Admiral Haddock at 12:23 PM on August 11, 2017
I've become rather fatalistic about passwords for security. They just aren't very good on their own.
Yes, battery horse staple correct is still very good advice for passwords - but so many sites have weird restrictions on password length, or character combinations required ("Upper case AND lower case AND special character OR number BUT no more than 11 characters") that it's all sort of pointless.
I feel pretty good about 2-factor requirements, and I've turned that on wherever possible. The canonical access validation is to verify something you know, something you have, and something you are - password and security token and fingerprint, for example - and 2-factor gets 2/3rds of the way there, at least.
But other than that, you're just trusting to the security of herd membership, and picking up the pieces afterwards.
posted by RedOrGreen at 12:41 PM on August 11, 2017 [1 favorite]
Yes, battery horse staple correct is still very good advice for passwords - but so many sites have weird restrictions on password length, or character combinations required ("Upper case AND lower case AND special character OR number BUT no more than 11 characters") that it's all sort of pointless.
I feel pretty good about 2-factor requirements, and I've turned that on wherever possible. The canonical access validation is to verify something you know, something you have, and something you are - password and security token and fingerprint, for example - and 2-factor gets 2/3rds of the way there, at least.
But other than that, you're just trusting to the security of herd membership, and picking up the pieces afterwards.
posted by RedOrGreen at 12:41 PM on August 11, 2017 [1 favorite]
My personal opinion, as someone who has spent some time professionally in information security but is not an expert, is that I don't give a hoot about time to crack my passwords. I have seen a massive number of account compromises of various types over the years. The vast majority come from either phishing or password re-use on multiple sites and one of those sites gets compromised. In a distant third place might be people with knowledge of the specific target guessing the password (e.g. an ex-partner guesses that you've used your pet's name as your password).
In the site compromises, a harder to crack password can help you. But that really only matters in two cases. First, it matters in that the attacker could then use it to access your account on the site they stole the credentials from. I don't worry too much about that; if they've already compromised the site enough to get the account list, they probably don't need to use passwords to login and get your data. Secondly, it matters if you re-use the same password elsewhere. You should never do that.
Therefore, my opinion is that on the list of security things to worry about, this doesn't even rate. As long as it's not going to get picked off by a dictionary attack or a knowledgeable attacker, I think it's good enough. (That said, I do tend to use completely random passwords via 1Password -- the only two passwords I have memorized are my computer password and my 1Password password. Both were generated via DiceWare.)
posted by primethyme at 12:41 PM on August 11, 2017 [2 favorites]
In the site compromises, a harder to crack password can help you. But that really only matters in two cases. First, it matters in that the attacker could then use it to access your account on the site they stole the credentials from. I don't worry too much about that; if they've already compromised the site enough to get the account list, they probably don't need to use passwords to login and get your data. Secondly, it matters if you re-use the same password elsewhere. You should never do that.
Therefore, my opinion is that on the list of security things to worry about, this doesn't even rate. As long as it's not going to get picked off by a dictionary attack or a knowledgeable attacker, I think it's good enough. (That said, I do tend to use completely random passwords via 1Password -- the only two passwords I have memorized are my computer password and my 1Password password. Both were generated via DiceWare.)
posted by primethyme at 12:41 PM on August 11, 2017 [2 favorites]
Really the big risk isn't that your specific password is going to be guessed. Most passwords are compromised because the service/database storing them was stolen and cracked. See Yahoo breaches. If the databases encryption is cracked, they can see all the passwords. Hopefully the service used a salt. That's why you don't reuse passwords so if one of the services you use is comprised, they won't get a common password you use across services.
This video is informative on how much computation is required to bruteforce a password properly encrypted. So I'd say any future encryption break won't be from brute force, but from an unknown flaw in the technology. There's no way to predict that.
I try to use at least 12 character passwords but I've read the minimum you should use is 20. If you're using a password manager, why not go long.
posted by LoveHam at 12:44 PM on August 11, 2017
This video is informative on how much computation is required to bruteforce a password properly encrypted. So I'd say any future encryption break won't be from brute force, but from an unknown flaw in the technology. There's no way to predict that.
I try to use at least 12 character passwords but I've read the minimum you should use is 20. If you're using a password manager, why not go long.
posted by LoveHam at 12:44 PM on August 11, 2017
Any password strength test which does not include scanning a large rainbow table (most don't) is likely to give you some misleading results.
The thing that makes a password secure is randomness.
The thing that makes a password memorable is highly correlated with being non-random.
For most purposes 14 random characters (A-Z+0-9) will be enough.
Heres a table with the entropy worked out.
posted by Lanark at 12:49 PM on August 11, 2017 [1 favorite]
The thing that makes a password secure is randomness.
The thing that makes a password memorable is highly correlated with being non-random.
For most purposes 14 random characters (A-Z+0-9) will be enough.
Heres a table with the entropy worked out.
posted by Lanark at 12:49 PM on August 11, 2017 [1 favorite]
I use phrases that aren't in English but are easy for me to remember and I usually deliberately misspell them. All th password crackers say they're 10,000 years or whatever so that's nice. I have had several accounts be compromised by the account owners management of my password though, linked in etc. So I never use the same password twice. I have a system for generating them that's easy for me to recall and would never make sense to anyone else, ever.
Having said that I know a ridiculous number of other peoples passwords. Mostly because they told me them or because they use the same password for everything. The other day someone I barely know casually mentioned that my office number was the same as their ATM pin. If you searched my office email for "password" all kinds of stuff pops up where people have emailed me login info go all kinds of accounts. My cousin has a job making encryption for banks but he hasn't changed his home network password in 15 years. I'm 99% sure it's his personal laptop password too.
So as long as you change your passwords a lot and don't constantly tell people what they are you're doing pretty good.
posted by fshgrl at 3:04 PM on August 11, 2017 [2 favorites]
Having said that I know a ridiculous number of other peoples passwords. Mostly because they told me them or because they use the same password for everything. The other day someone I barely know casually mentioned that my office number was the same as their ATM pin. If you searched my office email for "password" all kinds of stuff pops up where people have emailed me login info go all kinds of accounts. My cousin has a job making encryption for banks but he hasn't changed his home network password in 15 years. I'm 99% sure it's his personal laptop password too.
So as long as you change your passwords a lot and don't constantly tell people what they are you're doing pretty good.
posted by fshgrl at 3:04 PM on August 11, 2017 [2 favorites]
I cannot think of any examples that you are looking for that are similar to the DNA thing, but it is certainly a possibility. As it stands right now, computing speed and power have slowed recently, but there will likely be more unknown advances that would make a "secure" password more easily crackable in the future.
This doesn't necessarily even matter that much, because if it would take like 100 centuries now, and then we advance so that computing is 1000% easier, it would still take a decade to crack the password. By then we likely will have improved security as well.
Right now the worst risks are a) using a website that doesn't hash, salt, or otherwise encrypt stored passwords, b) sites not using https or encryption for sending the info through the wire c) using the same password or username/email for everything especially if some sites require "security questions" that would then make stealing your identity easier (eg, mother's maiden name or place of birth).
I try to avoid doing security questions whenever possible (who knows what my first grade crush's name was, so I always have to pick something that is likely publicly available) and consider any sign up to an unknown company a security breach. EG random social media site = use throwaway info and a fake name not tied to anything. Not worth the risk.
Your specific password example likely takes so long to crack because it is not random (and most crackers now are trained to randomness), because it is two english phrases that are fairly basic and a year and a special character. It is also quite long. If those interested in hacking passwords change their methods I could see the pw taking much shorter (comparatively) to break but seems like the trend nowadays is more advanced phishing and man in the middle attacks.
I am wary of most two factor authentication because it seems like a really easy way for someone to cut your finger off and steal your phone and gain access to literally all of your accounts all in one nice place. Of course someone could get access to some of my stuff if they did that but it would be less than if i enabled 2 factor for everything. Also major problems if you lose access to your device or computer using most 2 factor mechanisms or password managers today. Example: I hose my personal computer and drop my phone in the toilet while panicking about it.
I don't break stuff a lot but that doesn't seem outside the realm of average experience to me. While these tools are useful they tend to make all your information easily available all in one place by cracking a single password or obtaining a single machine.. thus making me wary.
posted by love2potato at 5:08 PM on August 12, 2017
This doesn't necessarily even matter that much, because if it would take like 100 centuries now, and then we advance so that computing is 1000% easier, it would still take a decade to crack the password. By then we likely will have improved security as well.
Right now the worst risks are a) using a website that doesn't hash, salt, or otherwise encrypt stored passwords, b) sites not using https or encryption for sending the info through the wire c) using the same password or username/email for everything especially if some sites require "security questions" that would then make stealing your identity easier (eg, mother's maiden name or place of birth).
I try to avoid doing security questions whenever possible (who knows what my first grade crush's name was, so I always have to pick something that is likely publicly available) and consider any sign up to an unknown company a security breach. EG random social media site = use throwaway info and a fake name not tied to anything. Not worth the risk.
Your specific password example likely takes so long to crack because it is not random (and most crackers now are trained to randomness), because it is two english phrases that are fairly basic and a year and a special character. It is also quite long. If those interested in hacking passwords change their methods I could see the pw taking much shorter (comparatively) to break but seems like the trend nowadays is more advanced phishing and man in the middle attacks.
I am wary of most two factor authentication because it seems like a really easy way for someone to cut your finger off and steal your phone and gain access to literally all of your accounts all in one nice place. Of course someone could get access to some of my stuff if they did that but it would be less than if i enabled 2 factor for everything. Also major problems if you lose access to your device or computer using most 2 factor mechanisms or password managers today. Example: I hose my personal computer and drop my phone in the toilet while panicking about it.
I don't break stuff a lot but that doesn't seem outside the realm of average experience to me. While these tools are useful they tend to make all your information easily available all in one place by cracking a single password or obtaining a single machine.. thus making me wary.
posted by love2potato at 5:08 PM on August 12, 2017
One of the biggest unconsidered factors in account compromises is that almost everyone uses the same e-mail address everywhere. This is extremely dangerous, as it sets the groundwork for things like the Honan hack. Because so many websites expect you to log in using an e-mail address, this is almost as important as the password. Unfortunately, the large e-mail hosting sites do not make it easy to be clever about this sort of thing, so despite there being an immense amount of namespace available in potential e-mail addresses, you're kinda hosed.
For each organization that I deal with, and often for an individual interaction with that organization, I generate an e-mail address that's specific to that interaction. These addresses are in a domain that by default blows by spam filtering, because if I issued an e-mail address I presumably want their e-mail, and also allows me to specifically block a given address, so that if it is compromised, I can just turn it off, and both the organization and any bad guys who got the address are out of luck.
The average person who hasn't been running Internet mail services for decades may not be able to do this, but at a bare minimum you can set up a few different e-mail addresses, one for true interpersonal e-mail, one for general junk, one for your financial accounts, etc.
The other thing is, don't answer all those account recovery questions with "honest" answers. Create a file folder in your desk drawer at home with a separate sheet for each account you create, and use a fake word generator to make up random answers. If someone is trying to penetrate your account, it isn't hard to discover that your circle of high school friends includes Jack, Bob, and Jill, and Patty, and the answer to "What was your best friend in high school" is likely to be one of them.
posted by jgreco at 1:15 AM on August 13, 2017
For each organization that I deal with, and often for an individual interaction with that organization, I generate an e-mail address that's specific to that interaction. These addresses are in a domain that by default blows by spam filtering, because if I issued an e-mail address I presumably want their e-mail, and also allows me to specifically block a given address, so that if it is compromised, I can just turn it off, and both the organization and any bad guys who got the address are out of luck.
The average person who hasn't been running Internet mail services for decades may not be able to do this, but at a bare minimum you can set up a few different e-mail addresses, one for true interpersonal e-mail, one for general junk, one for your financial accounts, etc.
The other thing is, don't answer all those account recovery questions with "honest" answers. Create a file folder in your desk drawer at home with a separate sheet for each account you create, and use a fake word generator to make up random answers. If someone is trying to penetrate your account, it isn't hard to discover that your circle of high school friends includes Jack, Bob, and Jill, and Patty, and the answer to "What was your best friend in high school" is likely to be one of them.
posted by jgreco at 1:15 AM on August 13, 2017
Passphrases That You Can Memorize — But That Even the NSA Can’t Guess
It turns out, coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. If you use an entirely random sequence of characters it might be very secure, but it’s also agonizing to memorize (and honestly, a waste of brain power). ... But luckily this usability/security trade-off doesn’t have to exist. ...
~~~~~
I use a completely bombproof password generated using this method.
And then I use that bombproof password to access LastPass, which generates insanely difficult and totally random passwords for each account I have.
Also: Two Factor Authentication.
And then it's a done deal. Just a bit painful to set up but once set up it's bombproof.
posted by dancestoblue at 3:55 AM on August 13, 2017 [1 favorite]
It turns out, coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. If you use an entirely random sequence of characters it might be very secure, but it’s also agonizing to memorize (and honestly, a waste of brain power). ... But luckily this usability/security trade-off doesn’t have to exist. ...
~~~~~
I use a completely bombproof password generated using this method.
And then I use that bombproof password to access LastPass, which generates insanely difficult and totally random passwords for each account I have.
Also: Two Factor Authentication.
And then it's a done deal. Just a bit painful to set up but once set up it's bombproof.
posted by dancestoblue at 3:55 AM on August 13, 2017 [1 favorite]
« Older Theory re User Experience's Impact on Human... | Can't contact friend, I'm worried, what to do Newer »
This thread is closed to new comments.
Get a password manager like 1Password. This allows you to always be playing to the site's maximum password strength and not have to remember 500 different passwords. Further, they let you batch change your passwords quickly to thwart any breaches like your email from spreading further.
The combination personal password/security key that's stored somewhere secure locally and airgapped somewhere else (like a safe deposit box) is about as good as you're going to get.
posted by notorious medium at 12:03 PM on August 11, 2017 [1 favorite]