
Secure Passwords & Passphrases

{% render_partial _includes/series/encryption.md %}

Sometimes when someone sees me type my long password to log into my laptop, I get asked about why I use such a long password. I always sigh a little. Deep down inside, I reflect on how there is not a concise, easy, actionable answer that will help that person practice better password security. My laptop password is better than most, but even it would be potentially susceptible to long, sustained offline attacks.

If you want to ask how to secure something, you have to first ask secure against what? For me, the primary threat to secure against is the threat that one of the websites that I use will be subject to a data breach involving improperly stored password authentication data.

This has been a bad, bad quarter for passwords with a major breach at Adobe that impacted 38 million users and plain-text disclosure of 48 million accounts on Cupid Media, a network of popular online dating websites.

The password is a terrible security device. The average password is hard for people to remember, easy for computers to guess, and companies have a bad history of not protecting it adequately.

Pass-phrases that involve punctuation are better because they increase the length that is easily remembered, but even those are vulnerable to dictionary attacks. Therefore, even “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1” is not a safe pass-phrase.

The real answer is that passwords are fundamentally broken. But since we all still have to use them everywhere, here is an example of a reasonably okay password:

  7nQrp4wzIeFMh1g9N5e8+JrrYfwxvM+hUyhbUPCSrjCFQPF6j5hnOgIxAPhfGyVB0WkcKlhCqEIk7Jfb1p+sfg

It’s best to have one like that, unique for each website. You probably will not be able to memorize that (especially when you have many like that), so rather than trying to remember it, using software like LastPass or 1Password is a better idea.

In theory, storing passwords in one place is not as secure as remembering a password that is never written down. But in practice, people make up terribly insecure passwords and use the same passwords on multiple websites. That is why these big database breaches are far worse than they may otherwise have been.

I personally use a software password manager now, and I update particularly sensitive websites with new 30+ character random passwords at least every 90 days. At least with this, when one of the websites that I use has its account database compromised, my password won’t be cracked by rainbow tables and it won’t give the attacker access to my identity at other sites.

By the way, if you wonder how I generated the password used in this post, I did so by running the following in my Terminal (in Mac OS X):

  head -c 64 /dev/urandom | openssl base64 -A | cut -d = -f 1
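The following is an added example, not part of the original post, that reproduces the Terminal command above in Python and also puts numbers on the earlier point about pass-phrases versus random passwords. The guess-space sizes it uses (a dictionary of famous quotations of one million entries, one appended digit, 95 printable ASCII characters) are constructed assumptions for illustration, not figures from the post.

```python
import base64
import math
import secrets


def random_password(num_bytes: int = 64) -> str:
    """Equivalent of `head -c 64 /dev/urandom | openssl base64 -A | cut -d = -f 1`:
    base64-encode random bytes and drop the trailing '=' padding."""
    raw = secrets.token_bytes(num_bytes)          # CSPRNG, same role as /dev/urandom
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def unpadded_base64_len(num_bytes: int) -> int:
    """Length of the password for a given byte count: ceil(4 * n / 3)."""
    return -(-4 * num_bytes // 3)


def random_password_bits(num_bytes: int) -> int:
    """Entropy of the generated password: every random byte contributes 8 bits,
    whatever encoding wraps it (base64 only changes the alphabet, not the entropy)."""
    return num_bytes * 8


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Naive strength estimate: what an attacker with no knowledge of the
    structure would face, length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def guess_space_bits(num_candidates: int) -> float:
    """Real strength when the attacker knows the structure: log2 of the number
    of candidates the attacker actually has to try."""
    return math.log2(num_candidates)


def compare_passphrase_to_random(passphrase: str, num_bytes: int = 64) -> dict:
    # Constructed assumptions: the phrase is a well-known quotation drawn from a
    # list of one million quotations, followed by a single digit (10 choices).
    QUOTE_DICTIONARY_SIZE = 1_000_000
    DIGIT_SUFFIX_CHOICES = 10
    PRINTABLE_ASCII = 95

    return {
        "passphrase_length": len(passphrase),
        # What the length alone suggests ...
        "passphrase_naive_bits": brute_force_bits(len(passphrase), PRINTABLE_ASCII),
        # ... versus what a dictionary attack on quotations actually faces.
        "passphrase_dictionary_bits": guess_space_bits(
            QUOTE_DICTIONARY_SIZE * DIGIT_SUFFIX_CHOICES
        ),
        "random_password_length": unpadded_base64_len(num_bytes),
        "random_password_bits": random_password_bits(num_bytes),
    }


if __name__ == "__main__":
    print(random_password())
    # Straight apostrophes used here; the post's curly ones give the same length.
    for k, v in compare_passphrase_to_random(
        "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1"
    ).items():
        print(f"{k}: {v:.1f}" if isinstance(v, float) else f"{k}: {v}")
```

The point of the comparison is that a 51-character quotation looks like roughly 335 bits of brute-force work, but an attacker who tries famous quotations with a digit appended faces about 23 bits, which is why the post calls it unsafe. The 64 random bytes, by contrast, carry 512 bits no matter what the attacker knows about how they were generated.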

The password management applications will be able to generate a good one for you for each and every site you use. Check out 1Password and LastPass and pick the one you like the best.

Additional Reading on This Topic