Wednesday, August 30, 2017

How strong is your password?

Peter emails to point out a broken link in an old post of mine that talked about how to make a strong password.  His company has a very good page that covers this better than I did.

They also have a password strength checker.  I didn't use any real passwords, but did use made-up ones of similar form to my real ones.  The checker seems to give reasonable results.  They say that they don't record passwords entered; even so, the safe habit is never to type a real password into any web form other than the site it belongs to.

There's also the required XKCD comic.

There are two changes I'd offer to their excellent advice about passwords:

1. I actually write down my wifi password (and the login information for the wifi router) and tape it to the wifi router.  I figure that anyone who gets physical access to my wifi device can do a factory reset on it and get in anyway, so the written note adds essentially no risk.

2. I actually do not like to change passwords, and think that this is an area where security people have given bad advice.  By making people change passwords all the time, we've made security more of a nuisance, and so people work around the protections (a digit incremented at each change, the new one on a sticky note); overall, this makes things worse.  The 2017 revision of NIST's guidance (SP 800-63B) dropped mandatory periodic changes for the same reason.  Instead, I choose very strong passwords, which means easy to remember but long (more than 12 characters, and I'll probably move to 15 soon).  Every added character multiplies the work a cracker has to do, so a long password is extremely difficult to crack and it really doesn't matter that it is more than 90 days old.  The one time a password does need changing is when it may have leaked, say from a breach of a site where it was used, which is why each site should get its own.

But other than that, the page has excellent password advice.
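As an added example that is not part of the original post or of the linked page, here is a short Python script that puts numbers on the length-versus-complexity argument: it computes the entropy of a password drawn uniformly from an alphabet of a given size and the expected time an offline cracker would need at an assumed guess rate (the 1e11 guesses per second is a constructed figure, as is the tiny word list; both are labelled as such in the code). It also generates random passwords and diceware-style passphrases with Python's `secrets` module. The math holds only for passwords chosen at random: a password built from a name, a number and a punctuation mark is far weaker than its length and character classes suggest, because crackers guess such patterns directly.

```python
"""Added example (not from the original post): entropy and brute-force cost of
the password policies discussed above, plus random password/passphrase generation.

Assumptions, all constructed for illustration:
  - the attacker holds an offline copy of the hash and tries GUESSES_PER_SECOND
    guesses per second (a fast unsalted hash on GPU hardware is in this range);
  - the word list below is a stand-in for a real diceware list of 7776 words;
  - every figure assumes UNIFORMLY RANDOM choice; it says nothing about
    human-chosen strings such as a name plus digits and a symbol.
"""
import math
import secrets
import string

# Constructed assumption: offline guess rate against a fast hash.
GUESSES_PER_SECOND = 1e11

ALPHABETS = {
    "lower": string.ascii_lowercase,                                     # 26 symbols
    "lower+digits": string.ascii_lowercase + string.digits,              # 36 symbols
    "mixed": string.ascii_letters + string.digits,                       # 62 symbols
    "full": string.ascii_letters + string.digits + string.punctuation,   # 94 symbols
}

# Constructed stand-in word list; a real diceware list has 7776 entries.
WORDS = ["correct", "horse", "battery", "staple", "anvil", "mirror", "pebble", "garden"]

SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly random secret: on average half the keyspace must be tried."""
    return (2 ** bits) / 2 / rate


def random_password(length: int, alphabet: str = ALPHABETS["full"]) -> str:
    """Generate a password with the CSPRNG-backed `secrets` module (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is one uniform draw from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_policies() -> dict:
    """Return {policy label: (entropy bits, expected crack time in years)} for the
    policies argued about on this page: short-but-complex versus long-but-simple."""
    policies = {
        "8 chars, full 94-symbol set (high complexity, short)": (94, 8),
        "12 chars, lowercase only": (26, 12),
        "15 chars, lowercase only": (26, 15),
        "15 chars, letters+digits": (62, 15),
        "20 chars, full set (password-manager style)": (94, 20),
        "6 words from a 7776-word diceware list": (7776, 6),
    }
    results = {}
    for label, (alphabet_size, length) in policies.items():
        bits = entropy_bits(alphabet_size, length)
        results[label] = (bits, expected_crack_seconds(bits) / SECONDS_PER_YEAR)
    return results


if __name__ == "__main__":
    for label, (bits, years) in compare_policies().items():
        print(f"{label:55s} {bits:6.1f} bits   ~{years:.3g} years")
    print("random 16-char password:", random_password(16))
    print("4-word passphrase:      ", random_passphrase(4))
```

Run it and the line to notice is that 15 lowercase letters (about 70 bits) beats 8 characters from the full 94-symbol keyboard set (about 52 bits), which is also Matt W's point in the comments below; the 8-character "complex" password falls in hours at the assumed rate, the 15-character lowercase one in centuries.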


Matt W said...

Preaching to the choir! I'm also of the opinion that having policies like password changes every 90 days do more harm than good.

I also think that too many companies enforce high complexity requirements, while still allowing relatively short passwords (like 6-8 characters).

I would much rather see policies requiring passwords of 15 characters or more but ease up on some of the complexity requirements.

Divemedic said...

I use an app that is a password wallet. It's called LastPass. The only password you need to remember is the master. The passwords are stored as an encrypted file on the cloud, and shareable between all of your devices. This enables me to generate a long random password for each website. I am using 15-20 characters.

There are 2 obvious (to me) weak points: Your master password, and the strength of the encrypted file. I am not sure about the second. What is your opinion?

Aaron de Bruyn said...

Use linux. Run 'pwgen 16'. Open up your favorite editor, and type the characters given from the pwgen command repeatedly until you can do it from muscle memory. Wait a few hours and type the characters again until you are certain you have the muscle memory down. Change your password. I do this every ~6 months. For higher-security uses I join a few of the 16-character passwords I've memorized over the last few years into 24 or 32-character passwords. Bonus: Helps keep your memory fresh and elastic. ;) (My GPG passphrase is about 80 characters of random garbage long)

burt said...

Use pass *phrases*: several words strung together that have no meaning except for being able to remember, replace vowels with numbers, insert upper case characters at strange locations, and embed special characters.

Almost completely unguessable, passes all kinds of dictionary checks, and very VERY long (mine are always at least 18 characters long).

A phrase with random extra characters works really well too.

LastPass is a good tool... but remember to change your master password regularly and to keep a local copy of your database, just in case. I print mine out, stick it in a file folder, and delete/scrub the file from the system.

ProudHillbilly said...

Oh gawd. I'm old. I can't remember things. And this system and that system want me to change passwords every whip-stitch? I've been reduced to things like I*Hate*Passwords. Except then I had to change that one and I can't remember what I changed it to.

Chris said...

Gibson Research has several tools to check on and help you with security issues.

New Jovian Thunderbolt said...

My password is: I<3Borepatch69!

Been that way for years. I'll never forget that one.

Richard said...

Do passwords really matter? Why bother cracking into an individual account when you can hack Target or Anthem and get millions. I can see them for a system administrator but for a private account? Plus a lot of things that need passwords are things that I don't really care who knows like my medical records. I do care about anything connected to banking but the vulnerability seems to be on the other end. Increasingly, the whole thing seems like security theater.

Borepatch said...

T-Bolt, that's slightly terrifying. ;-)

Richard, the problem with Target and Anthem was not that the bad guys got passwords, but rather got credit card numbers. We don't have control over that, but we do have control over our accounts. No need to make it easier than it is.

New Jovian Thunderbolt said...

What? It's a STRONG password. 15 characters, upper and lower, number, and special characters.