This post is part of our ongoing Encryption Series that provides in-depth coverage of OpenSSL. To learn more about encryption key generation, management, and use please see the posts in the Encryption category. Our tips and tricks are immediately applicable with examples that you can use right away. If you like this article, you may be interested in the Raspberry Pi crypto key management project as well as Rietta’s Application Security Learning Center, our catalog of video resources on how to succeed with web application security.
Sometimes when someone sees me type my long password to log into my laptop, I get asked why I use such a long password. I always sigh a little. Deep down inside, I reflect on how there is not a concise, easy, actionable answer that will help that person practice better password security. My laptop password is better than most, but even it would potentially be susceptible to long, sustained offline attacks.
If you want to ask how to secure something, you have to first ask secure against what? For me, the primary threat to secure against is the threat that one of the websites that I use will be subject to a data breach involving improperly stored password authentication data.
This has been a bad, bad quarter for passwords with a major breach at Adobe that impacted 38 million users and plain-text disclosure of 48 million accounts on Cupid Media, a network of popular online dating websites.
The password is a terrible security device. The average password is hard for people to remember, easy for computers to guess, and companies have a bad history of not protecting it adequately.
Pass-phrases that involve punctuation are better because they increase the length that is easily remembered, but even those are vulnerable to dictionary attacks. Therefore, even “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1” is not a safe pass-phrase.
The real answer is that passwords are fundamentally broken. But since we all still have to use them everywhere, here is an example of a reasonably okay password:
It’s best to have one like that, unique for each website. You probably will not be able to memorize that (especially when you have many like that), so using software like LastPass or 1Password to remember it for you is a better idea.
In theory, storing passwords in one place is not as secure as remembering a password that is never written down. But in practice, people make up terribly insecure passwords and use the same passwords on multiple websites. That is why these big database breaches are far worse than they may otherwise have been.
I personally use a software password manager now, and I update particularly sensitive websites with new 30+ character random passwords at least every 90 days. At least this way, when one of the websites I use has its account database compromised, my password won’t be cracked by rainbow tables and it won’t give the attacker access to my identity at other sites.
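To put numbers on the two points above (a quoted passphrase falls to a dictionary attack, while a 30+ character random password does not), here is an added example that is not code from the original post and is not the author's generation command: it compares the guess space an offline attacker faces for several password schemes. The dictionary sizes and the guess rate are assumptions, and the generator uses Python's `secrets` module as a stand-in for openssl rand.

```python
import math
import secrets
import string

# Alphabet for a random password: the 94 printable ASCII characters (assumed;
# the author's generator and its exact character set are not shown in the post).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=30):
    """Generate a random password with the OS CSPRNG via `secrets`
    (a stand-in for openssl rand; generate one distinct password per website)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_password_bits(length, alphabet_size=len(ALPHABET)):
    """Guess space of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def passphrase_bits(entries, vocab_size, suffix_choices=1):
    """Guess space of a passphrase as a dictionary attack models it: `entries`
    items drawn from a list of `vocab_size` words or phrases, plus an optional
    suffix drawn from `suffix_choices` options (e.g. 10 for one trailing digit)."""
    return entries * math.log2(vocab_size) + math.log2(suffix_choices)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a fixed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e9  # assumed offline rate against a fast, unsalted hash (guesses/s)
    cases = {
        # The Lovecraft quote is one entry in an (assumed) 10-million-phrase list, plus a digit
        "famous quote + digit": passphrase_bits(1, 10_000_000, 10),
        # Six unrelated words from an (assumed) 100,000-word dictionary, plus a digit
        "6 random words + digit": passphrase_bits(6, 100_000, 10),
        "8 random chars": random_password_bits(8),
        "30 random chars": random_password_bits(30),
    }
    for name, bits in cases.items():
        print(f"{name:24s} {bits:6.1f} bits  {years_to_exhaust(bits, RATE):.3g} years")
    print("example 30-char password:", random_password(30))
```

The quote-plus-digit case sits around 27 bits and is exhausted in well under a second at the assumed rate, which is the sense in which a famous phrase is "in the dictionary"; the 30-character random password is far beyond any rainbow table or brute-force budget.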
By the way, if you wonder how I generated the password used in this post, I did so by running the following in my Terminal (in Mac OS X):
Additional Reading on This Topic
- On December 6, 2013, Hayden Wreyford published a good post called This Is Why Your Account Got Hacked, which covers this topic at a less technical level. This is also a good one to share with your mother who is on Facebook.
- On June 7, 2013, Bruce Schneier published A Really Good Article on How Easy it Is to Crack Passwords, a commentary on the Ars Technica article entitled Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”.