Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

Secure Passwords & Passphrases


This post is part of our ongoing Encryption Series that provides in-depth coverage of OpenSSL. To learn more about encryption key generation, management, and use please see the posts in the Encryption category. Our tips and tricks are immediately applicable with examples that you can use right away. If you like this article, you may be interested in the Raspberry Pi crypto key management project as well as Rietta’s Application Security Learning Center, our catalog of video resources on how to succeed with web application security.

Sometimes when someone sees me type my long password to log into my laptop, I get asked about why I use such a long password. I always sigh a little. Deep down inside, I reflect on how there is not a concise, easy, actionable answer that will help that person practice better password security. My laptop password is better than most, but even it would be potentially susceptible to long, sustained offline attacks.

If you want to ask how to secure something, you have to first ask secure against what? For me, the primary threat to secure against is the threat that one of the websites that I use will be subject to a data breach involving improperly stored password authentication data.

This has been a bad, bad quarter for passwords with a major breach at Adobe that impacted 38 million users and plain-text disclosure of 48 million accounts on Cupid Media, a network of popular online dating websites.

The password is a terrible security device. The average password is hard for people to remember, easy for computers to guess, and companies have a bad history of not protecting it adequately.

Pass-phrases that include punctuation are better because they make a longer secret easy to remember, but even those are vulnerable to dictionary attacks: a phrase that already exists in print is on an attacker's word list, so its length buys nothing. Therefore, even “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1” is not a safe pass-phrase.

The real answer is that passwords are fundamentally broken. But since we all still have to use them everywhere, here is an example of a reasonably okay password:


It’s best to have a unique password like that for each website. You probably will not be able to memorize it (especially once you have many like that), so using a password manager such as LastPass or 1Password is a better idea.

In theory, storing passwords in one place is not as secure as remembering a password that is never written down. But in practice, people make up terribly insecure passwords and use the same passwords on multiple websites. That is why these big database breaches are far worse than they may otherwise have been.

I personally use a software password manager now, and I update particularly sensitive websites with new 30+ character random passwords at least every 90 days. At least with this, when one of the websites I use has its account database compromised, my password won’t be cracked by rainbow tables or dictionary attacks, and it won’t give the attacker access to my identity at other sites.

By the way, if you wonder how I generated the password used in this post, I did so by running the following in my Terminal (in Mac OS X):

  # 64 random bytes -> base64 on a single line (-A) -> drop the trailing "=" padding
  head -c 64 /dev/urandom  | openssl base64  -A | cut -d = -f 1
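To put numbers behind the two claims above (that a memorable pass-phrase falls to a dictionary attack no matter how long it is, while the output of the pipeline above does not), here is an added example that is not part of the original post. It re-creates the pipeline in Python and compares the work an offline attacker faces in each case. The guess rate of 10^10 per second and the one-million-entry phrase list are assumptions chosen for illustration, not figures from the post.

```python
"""Added example (not from the original post): entropy of a random password
versus a pass-phrase under dictionary attack.  Guess rate and list sizes
are assumptions."""
import base64
import math
import secrets


def generate_password(nbytes: int = 64) -> str:
    """Python rendering of the post's shell pipeline:
        head -c 64 /dev/urandom | openssl base64 -A | cut -d = -f 1
    Random bytes are base64-encoded on one line and the '=' padding is dropped
    (base64 only uses '=' as padding, so rstrip is equivalent to the cut)."""
    raw = secrets.token_bytes(nbytes)
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def random_bits(nbytes: int) -> float:
    """Entropy of nbytes of CSPRNG output.  Base64 is a reversible encoding,
    so it neither adds nor removes entropy."""
    return 8.0 * nbytes


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Entropy when the attacker must try every string of this length over
    this alphabet (the best case for a human-chosen password)."""
    return length * math.log2(alphabet_size)


def dictionary_bits(candidates: int) -> float:
    """Entropy when the secret is one of `candidates` entries on the attacker's
    list.  The character length of the entry is irrelevant; only the list
    size matters.  This is why a famous quote is not a safe pass-phrase."""
    return math.log2(candidates)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every candidate."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


GUESS_RATE = 1e10  # assumed offline guess rate against a fast, unsalted hash

# Constructed comparison: three kinds of secret under the same attacker.
CASES = {
    "8 lowercase letters":                 brute_force_bits(8, 26),
    "Lovecraft quote on a 1M-phrase list": dictionary_bits(1_000_000),
    "post's pipeline, 64 random bytes":    random_bits(64),
}

if __name__ == "__main__":
    pw = generate_password()
    print(f"sample password ({len(pw)} chars): {pw}")
    for label, bits in CASES.items():
        years = years_to_exhaust(bits, GUESS_RATE)
        print(f"{label:38s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The pass-phrase line is the one to notice: at around 20 bits it is weaker than an eight-letter lowercase password, because the attacker's list, not the phrase's length, sets the search space. The 64 random bytes give 512 bits, which stays out of reach of any offline attack regardless of how badly the website stored it.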

The password management applications can generate a good one for each and every site you use. Check out 1Password and LastPass and pick the one you like best.


About Frank Rietta


Frank Rietta is a web application security consultant, software developer, author, and speaker. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.