Ever since the Snowden leaks, people seem more conscious than ever about their privacy and how vulnerable they are to spying by ISPs or cybercriminals. When data is leaked online, like with the iCloud leaks, the media is quick to label the perpetrators as hackers. The truth is that iCloud was never hacked. It was a phishing scheme and could have been prevented had victims set up a strong password.
Ryan Collins, 26, from Pennsylvania, was arrested for illegally accessing the email accounts of over 100 individuals, mostly celebrities. He used fake emails and a few tools to trick individuals into handing over their passwords or answers to their “secret questions,” which generally aren’t all that secret.
Thing is, there’s one simple thing standing between an attacker and your data: your password. We’ve discussed what you need to know about cloud security before, but the truth is that behemoth corporations like Apple or Google are usually far more secure than the media would have you think. The weakest link is almost always the user.
Today, we’re going to show you how to set up a strong password and we’ll also discuss best practices for password security. We’ll also be presenting you with two handy tools: one that will help you determine whether your current password is strong enough and, if not, another that will create one for you. First, however, we’re going to look at a few tools that will make your life easier when it comes to passwords.
Every website has different password requirements, often requiring a mix of alphanumeric characters in upper or lower case and at least one symbol. We all have dozens of logins for the various websites we use, and memorizing every password we need is almost impossible, unless you have an eidetic memory.
That’s why you need a password manager. Popular choices for password managers are 1Password, LastPass and KeePassX.
All three are easy to use and work on multiple platforms. The way a password manager works is simple: the software creates a database to store your passwords, which you will encrypt with a lengthy, secure passphrase. A keyfile may be used as well, which is essentially a file of seemingly random gibberish that is used to encrypt or decrypt data.
The downside to secure passwords is that you need to remember them, which is especially tough if you have more than a handful you use regularly. This is why a password manager is highly recommended — you only have to remember one password to open it, with the rest of them stored safely inside the database.
The master password you use to open your password manager should be your strongest password. We’ll go into details below, but remember: your master password is what stands between attackers and the rest of your data. Keep it secret, keep it safe.
Why Use a Keyfile?
Secure authentication is often broken into three categories:
- Something only you know
- Something only you have
- Something only you are
The first one is your master password, in regards to a password manager. You memorized your password and no one else knows it.
The second one is your keyfile. This isn’t something you should share or store in the cloud — it should stay local, on your physical devices. Without your keyfile, a password is not enough to access your encrypted password database.
Two-factor authentication with apps such as Google Authenticator or a device like the YubiKey is also part of this second category. LastPass is the only provider out of the three mentioned here that provides native, easy-to-use two-factor authentication with both software and hardware tools. Note that using a keyfile in addition to a password is often enough.
The third category is essentially biometrics — your fingerprint or your retina, for example. It’s an interesting field but far beyond the scope of this article and not very useful for our purposes considering the state the technology is in right now.
Choosing a Password Manager
1Password and LastPass both create a keyfile, used to encrypt and decrypt your password database. KeePassX provides the option to create a keyfile but does not do so automatically. LastPass is cloud software, requiring no installation, so you can use it across all your devices. They provide mobile apps and browser extensions for all the popular platforms.
If you’re worried about storing your passwords in the cloud, the good news is that LastPass stores the decryption key on your device, rather than their own servers. Your master password is never sent to them, making them a zero-knowledge security service (if this aspect is particularly important to you, we have a list of the best zero-knowledge cloud services for you).
The encryption/decryption process occurs locally, on your device, so the contents of your “vault” are known only to you. You can read more about the technology LastPass uses on their website. 1Password can be accessed on the web or installed locally on your devices. As with LastPass, your credentials never travel over the Internet, and 1Password does not have access to your master password or secret key.
KeePassX is a free, open-source port of the original KeePass software. It’s a cross-platform app designed for “people with extremely high demands on secure personal data management.” As a long-time Linux user and privacy freak, I started using it before services like 1Password and LastPass became popular. It’s less user-friendly than those other tools, but offers greater control over your data.
With KeePassX, you can store your password database with any of our best cloud storage services or a self-hosted solution, allowing you to access your passwords from anywhere. This database is stored in an encrypted format and protected by a passphrase when you create it and, optionally, by a keyfile. I use a keyfile stored on a USB drive, and keep two copies of that keyfile backed up and stored off-site.
What Makes a Strong Password?
With that out of the way, let’s talk a little about actual passwords and how to create one that is both strong and not easily guessed. When signing up for a website, you’ll usually see password requirements like:
- A mix of upper and lowercase letters
- At least one number
- At least one symbol
- Specific length, i.e. 8-15 characters
This has done more harm than good. Security researchers agree that people are terrible at choosing truly random passwords, and cracking techniques have evolved over time. Password guidelines don’t encourage randomness; they encourage predictability. Brute-forcing was once the most common password cracking technique: it worked through a large dictionary, trying different combinations of letters, words, numbers and symbols.
Researchers now train software with the millions of leaked password databases available online. Rather than going through a dictionary list, password crackers run through the most commonly found passwords first, trying various iterations of the passwords found in those leaked databases.
Let’s say you were signing up for Redbox, for example, and had to choose a password with the requirements I listed above. You also want to be able to memorize this password, so many users would choose something like this:
These all seem like secure passwords at first glance. Kaspersky’s online password checker says the last one, R3db0xm0v13$, would take 11 years to crack.
This might be true of brute-forcing and basic wordlists, but let’s say an attacker is targeting Redbox accounts specifically — unlikely, but suitable for this example.
Instead of using a basic dictionary, an attacker could feed in a list with an emphasis on movies and entertainment. Common variants of the word “redbox,” even with numbers and symbols added or in place of letters, would be the first thing to try.
Again, the human element is the weakest link. It’s hard for humans to come up with truly random words. Edward Snowden, the NSA whistleblower, stated it best in his interview with John Oliver: “shift your thinking from passwords to passphrases.” Of course, this only works when the password requirements don’t restrict the size of the password, or when you can generate a phrase using Schneier’s method, which we’ll discuss later in this article.
Creating a strong, secure password can be tricky. There is a great deal of conflicting advice, even amongst experts. An oft-cited example of secure password advice comes from the popular web comic XKCD:
The creator, Randall Munroe, is a physicist and former NASA employee, so it’s safe to say he understands the mathematics behind password entropy. Yet Bruce Schneier, a security expert, disagrees with his advice. Schneier believes Munroe’s method is no longer safe advice, stating “password crackers are on to this trick.”
The essence of creating secure passwords boils down to two things: randomness and length.
The minimum password length for many sites and services is eight characters. According to Richard Boyd, a senior researcher at Georgia Tech Research Institute, this is no longer sufficient. If using only the letters of the alphabet, such a password is cracked in mere minutes. He recommends a minimum of 12 characters.
Security researchers talk about entropy when it comes to passwords. Sparing you the boring mathematical details, the gist is that the strength of your password lies in the length and randomness of the characters.
Even adding a few bits of entropy greatly increases the computing power required to guess a password, making an attack too costly or impractical. Size matters, but only when it’s truly random. The password “qwerty1234” is longer than “qwerty1” but trivial to break, nonetheless — both “qwerty” and “1234” are easily guessable, non-random choices.
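To make the length-versus-randomness point concrete, here is a small added example (not from the original article) that computes password entropy the way the article describes it and estimates how long exhausting that keyspace takes at an assumed guess rate. The 10,000-entry list of common fragments and the rate of one billion guesses per second are assumptions chosen for illustration.

```python
import math


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` symbols.

    This is the naive figure: it assumes every character is truly random.
    """
    return length * math.log2(alphabet_size)


def token_entropy_bits(num_tokens, list_size):
    """Entropy of a password assembled from `num_tokens` picks out of a list.

    Models passwords like "qwerty1234": two predictable fragments glued together.
    The list size is an assumption; the point is that it is far smaller than
    the number of random character strings of the same length.
    """
    return num_tokens * math.log2(list_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a keyspace of the given size."""
    return 2 ** bits / guesses_per_second


def compare(guesses_per_second=1e9):
    """Return the figures behind the article's claims, keyed by case."""
    return {
        # 8 lowercase letters, the minimum many sites allow
        "8 letters": seconds_to_exhaust(entropy_bits(8, 26), guesses_per_second),
        # 12 lowercase letters, Boyd's recommended minimum
        "12 letters": seconds_to_exhaust(entropy_bits(12, 26), guesses_per_second),
        # "qwerty1234" if every character were random (letters + digits)
        "qwerty1234 naive": seconds_to_exhaust(entropy_bits(10, 36), guesses_per_second),
        # "qwerty1234" as two fragments from an assumed 10,000-entry list
        "qwerty1234 real": seconds_to_exhaust(token_entropy_bits(2, 10_000), guesses_per_second),
    }


if __name__ == "__main__":
    for case, seconds in compare().items():
        print(f"{case:18s} {seconds:14.1f} s")
```

The naive figure for “qwerty1234” looks better than 12 random letters, while the fragment model shows it falls in well under a second at the same guess rate.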
The trick is ensuring your password is truly random, and as we said earlier, humans are not good at this. Below we have several ways in which you can generate a secure password, but before we do so, let’s first test out how good your current one is. Below you can find a password strength checking tool Cloudwards.net has put together, especially for this purpose.
How to Generate Passwords
Chances are that entering your current passwords in the tool above was a faintly scary experience for you. This section is all about making your passwords a lot safer. There are several ways to do this; let’s start with the most old-school way we can think of: dice.
Diceware is a method for picking passwords using dice and a special Diceware word list. The Electronic Frontier Foundation also released a list last year with several improvements on the Diceware list, such as eliminating short, three-character words.
To use the Diceware method, all you need is a couple of dice, a way to record the results of your rolls and one of the word lists mentioned above. You’ll have to decide how long you want your passphrase to be. Diceware advises a minimum of six words, and provides further clarification on their site. Each word on the provided lists has five digits to the left of it. You roll the dice until you have enough numbers to match the number of words you want.
Example: A seven word passphrase would require 45 dice rolls, five for each word.
Of course, there are computer programs that offer to simplify this process, but generating truly random numbers on a computer can be tricky. Diceware advises against using a program for this, so keep that in mind.
- Roll the dice and write down the results, five numbers to a row.
- Once you have enough numbers to match your desired password length, match each set of five numbers to the word list and write each word down in order.
- Memorize this new passphrase and either destroy the paper or keep it somewhere very safe.
That’s it — simple and old-school, albeit time consuming. This is an excellent option if you require serious security or you’re performing sensitive work. If you use an air-gapped (not networked) computer, an operating system such as TAILS or need to generate offline encryption keys, you can’t go wrong with the Diceware method.
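As an added example (not part of the original article), the lookup step of the procedure above in code: it takes dice rolls you already made and wrote down, checks that they are valid five-die groups, and looks each group up in the word list. It deliberately does not roll any dice itself, in line with Diceware’s advice; the six-entry word list is a constructed stand-in for the real 7,776-entry list.

```python
import math

# Constructed excerpt of a Diceware-style list: five-digit dice key -> word.
# A real list has 6**5 = 7776 entries; these six are made up for the example.
SAMPLE_WORDLIST = {
    "11111": "abacus", "24356": "kettle", "31415": "marble",
    "45123": "pillow", "52614": "tundra", "63262": "walnut",
}

WORDS_IN_LIST = 6 ** 5  # one entry per possible outcome of five dice


def parse_rolls(recorded):
    """Split recorded rolls into five-digit keys.

    Accepts digits 1-6 separated by any whitespace, as copied from paper.
    """
    digits = "".join(recorded.split())
    if not digits or any(d not in "123456" for d in digits):
        raise ValueError("rolls must contain only the digits 1-6")
    if len(digits) % 5:
        raise ValueError("need a multiple of five rolls: five per word")
    return [digits[i:i + 5] for i in range(0, len(digits), 5)]


def rolls_to_passphrase(recorded, wordlist, min_words=6):
    """Map each five-roll group to its word, in order; enforce the minimum length."""
    keys = parse_rolls(recorded)
    if len(keys) < min_words:
        raise ValueError(f"Diceware advises at least {min_words} words; got {len(keys)}")
    missing = [k for k in keys if k not in wordlist]
    if missing:
        raise ValueError(f"no word for roll(s): {', '.join(missing)}")
    return " ".join(wordlist[k] for k in keys)


def passphrase_entropy_bits(num_words, list_size=WORDS_IN_LIST):
    """Each uniformly chosen word adds log2(list_size) bits, about 12.9 for 7776."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    # Constructed rolls, written down five to a row as the procedure says.
    rolls = "11111\n24356\n31415\n45123\n52614\n63262"
    print(rolls_to_passphrase(rolls, SAMPLE_WORDLIST))
    print(f"{passphrase_entropy_bits(6):.1f} bits")
```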
The Diceware method is essentially what was illustrated in the XKCD comic and it generates secure passwords, but Schneier has an excellent alternative method. Schneier first described it back in 2008, in an article on his blog. It’s straightforward and easy to use, allowing you to generate a seemingly random password from a sentence.
“So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m.” That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.”
This is an excellent method to use if you have to create a password with a size limit, say 10 or 12 characters. That’s too short for a passphrase, but stripping a phrase down into a password is manageable.
Ideally, it’s something personal that only you know. Depending on your threat model, adversaries targeting you specifically would use all the information known about you, like birthplace or your dog’s name. While Schneier’s method works and can produce secure passwords, I’m not a fan. The mathematics behind Diceware and password entropy are strong and I suggest using it before Schneier’s method.
Generate Passwords Securely and Automatically
Putting together a good password is, as you can see, not the easiest task in the world, which is why we here at Cloudwards.net put together a secure password generator. This handy little tool will not only allow you to experiment with different password lengths, but also with what kind of characters you can throw in there. Feel free to play around with it for a while and see what’s possible.
By James Crace | Cloudwards