With ‘cloud’ services meaning that so much of our critical data resides with offsite managed systems these days, password security has taken a leap into being one of the most critical arenas of personal information security. Your email address is public, so your password is the only thing that stops attackers from helping themselves to your email, address book, calendar, social networks, cloud storage accounts, and so on.
Password security is harder than it used to be
With cloud services having such huge uptake, an issue that used to be of lesser importance has suddenly been promoted. Of course, the construction of your password (and as such, its resistance to guessing) is important, but you also need to consider password inference.
The thing is that cloud services are such juicy targets for attackers that they will be compromised. The worst-case scenario for a situation like that is one where the attacker is able to get a copy of the email/password pairs, either in plain text or encrypted form. Ideally, the passwords that are stolen are salted and hashed – this shouldn’t give you the impression that your password is safe, though. All that salted and hashed data gives you is time to change your password.
Now, assume that the attacker has either stolen your passwords in plaintext, or cracked the salted hash – something that gets easier every day. If you haven’t changed your password, that attacker now has access to your data on that one single service.
What you’ll generally find, however, is that once a list of email addresses and passwords has been cracked, the primary target is your email account. If you use the same password, the attacker now has access to the Holy Grail of your Internet presence.
Your email account is the most important account you have
Someone else having access to your email account is a disaster. It’s potentially even more of a threat than someone getting access to your online banking account. Why? Password resets.
If you forget your password, which happens more often than you might think, sites need an automated way to ensure that only the account owner can reset it. The traditional way to do this is by email – you enter your username or email address into the site, and if it can associate a valid account with the email address provided then a unique reset link is sent out to that email address. This means that attackers could issue a password reset for anyone, but wouldn’t have access to the unique reset URL in the email.
That is, unless they have access to your email account.
It doesn’t stop there, either. Many webmail services provide easy setup for mail forwarding. While this is very useful, an attacker could (and they do – I have personally dealt with a situation like this) set up a rule to forward a copy of every single future email sent or received to an anonymous account that they can keep an eye on.
There are a huge number of sites that send your username and password to you after you sign up. This is terrible practice, but it is common. If a forwarder is in place, every time you sign up to a site that does this, the attacker gets a copy of your login details.
Individual password security
Let’s start at the natural beginning – choosing a good password in the first place. I’m sure that you’ve seen the traditional rules a thousand times. Use lowercase, uppercase, punctuation symbols, and numbers, and make it a long password.
It’s more complicated than that.
The use of l33t – the replacement of letters with similar-looking numbers, like ’4′ for ‘A’ and ’3′ for ‘E’ – has become so common that password crackers check for it. A good cracker doesn’t just work in alphabetical order, it uses real-world observations about peoples’ password habits to make the most likely guesses first and reduce the time required to crack. A good first pass for a password cracker will be a list of words, then the same list of words with l33t substitutions, then the same list of words with a single character of punctuation at various places. It will then combine each word with each other word, and run the same check of a single character of punctuation with the combined words.
That process is a massive oversimplification, too. A huge number of passwords have been compromised over the years, and the designers behind password cracking tools have analysed peoples’ habits. Your best defence to defeat this is something called entropy.
Entropy is the only thing that matters
Entropy is a measure of randomness. To optimise password entropy, you need a password that can contain (note: not “does contain”, because that rule would decrease the entropy simply because it is a rule) an indeterminate amount of characters from the full set of typable characters.
This is great, but it does end up making passwords that humans can’t memorise. If you use a password manager – something I recommend and will talk about later – this isn’t a problem. However, if you’re keeping it in your head, the ideal password is one that optimises for the perfect balance between entropy and ease of memorisation.
This was covered by xkcd a while ago -
xkcd: “Password Strength”
The ‘correct horse battery staple’ method shown above is actually pretty good when optimising for both memorability and security. Dumb brute force cracking would take a very long time, because while you lose out on character variability you gain in password length. It’s not as good as a password of that length made up of entirely randomly selected characters, but that’s a consequence of also optimising for memorability.
It’s worth bearing in mind that replicating this scheme exactly is probably a bad idea – I can guarantee you that hash crackers will add ‘four concatenated words’ as a cracking scheme if they haven’t already – but I’m sure you’re capable of coming up with something similar.
The xkcd comic also brings another point to mind: “password” is a misnomer. The correct term should be “passphrase” – a memorable phrase that is meaningful to you but meaningless to others (and can’t be inferred by others) makes a good password simply because of its length. Unfortunately, some less enlightened services cap your password length, sometimes even as low as 8 characters. There’s not a lot that you can do about that, other than not using the service. In the situation of being capped at 8 or so characters, you’re better off forgetting about optimising for memorability and just going for security if you can.
Stay aware of breaches
There’s no way to know about every breach out there, but usually when a significant number of account usernames and passwords are compromised they end up getting posted online as proof. A few services have appeared to take advantage of this – ShouldIChangeMyPassword will email registered users if their email address shows up in any publicised breaches, and PwnedList will do the same. It probably makes sense to sign up for both.
LastPass (which I’ll cover later) users benefit from their partnership with PwnedList in the form of the enabled-by-default LastPass Sentry. If any of the usernames you have saved in LastPass appear in publicised breaches, you’ll get an email.
One way of beefing up security is the use of two-factor authentication. Traditionally, this means that to gain access you have to verify something you know (a passphrase) and something you have (a device, usually generating a code that changes over time). While there exist dedicated hardware tokens for this purpose, the easiest way to achieve it is by making your mobile the thing that you have.
This is the approach taken by Google in its Google Authenticator mobile app, which has an interface that allows it to be used by other applications such as LastPass (more on that later) and Dropbox. Google Authenticator also supports sending codes by SMS for those without smartphones. Microsoft eschews a mobile app and uses SMS codes to verify certain sensitive activities on your account. Blizzard’s Battle.net Authenticator also uses time-based keying in a mobile app, as does the well-hidden Facebook Code Generator which also offers SMS codes. If a service offers two-factor authentication, it’s usually a very good idea to take advantage of it.
The best password is often one that you can’t remember
Remember when I said that if we want to optimise for entropy, we need a truly random password of significant length? These passwords are pretty much impossible to remember, with the possible exceptions of the ones that you use multiple times a day. Using a password manager to generate unique, random passwords for each service you use means that breaches are contained to the site they occur on as there’s no sharing of passwords, and the time you have to get the password changed before it’s cracked is as lengthy as possible.
I consider there to be four good options as far as password managers are concerned.
My personal favourite, LastPass is itself cloud-based. Alarm bells are ringing at this stage, I’m sure, but they don’t skimp on security. With a custom number of rounds of PBKDF2 brute-force protection running on a passphrase of unlimited length to protect the encryption key, Google Authenticator support alongside other methods of two-factor authentication (including a paper-based one), inbuilt integration with PwnedList called ‘LastPass Sentry‘ to notify you if your passwords are breached, incredible browser integration, and fantastic mobile apps, it’s an outstanding solution. There’s even a ‘security checker’ to warn you about which passwords are strong and which are weak, and it’ll even warn you if you use the same password twice.
The basic product is free, and for all features, the premium version is only $12 per year. Strongly recommended.
1Password has been on the market for a long while now. Originally for Mac OS X only, it has fairly recently been replicated for Windows and iOS. Android has a read-only app, but it’s not great, so if you’re not a fan of the Apple ecosystem then it might be one to avoid.
If you don’t want to use LastPass because you don’t trust its cloud storage aspect, but you want a nice user interface and good browser integration,1Password is a good choice.
PasswordMaker is the odd one out of the bunch. Instead of storing your passwords, it uses the URL of the site that you’re visiting (or any custom text, if you want to use it for non-Web resources) along with a passphrase and set of parameters to generate a password.
The idea is that every time you visit the same site, you’ll generate the same password, so there’s no need to save it. There are concerns about entropy here, but it can generate some seriously strong passwords as long as your master password is strong and kept private.
By the fact that it uses the real domain name of the site you’re visiting, there’s some inbuilt protection against some forms of phishing – if a site other than the one you expect asks you to log in, you’ll end up generating a completely different password.
It’s very lightweight, runs on pretty much every platform out there, and is free.
KeePass and KeePassX
An open-source contender, KeePass and its multiplatform counterpart KeePassX (which I’ll refer to jointly as KeePass from now on) work with a ‘container file’ that you can do what you want with. It’s strongly encrypted, so it’s feasible to keep it on some form of shared cloud storage.
Unfortunately, usability and browser integration suffer with KeePass, especially on platforms other than Windows. Still, it’s got a large degree of uptake, so it’s an option worth trying out.
It’s open-source, so both the code and price are free.
That’s about it
If you follow even some of the tips I’ve outlined above, you’ll be leaps and bounds ahead of most users in terms of password security. I’d love to know if you have any suggestions, tips, or tricks yourself – let me know in the comments if you do.