Password Security Best Practices: How To Secure Your Passwords

How To Choose High Entropy Passwords

When we think of securing our data online, the first thing that comes to mind is passwords. We have passwords for our online merchants, our online banking, for unlocking our devices, and even passwords that protect our other passwords. Choosing a high-entropy (genuinely hard to guess) password is difficult, and there is an ongoing arms race between the people who build password-cracking tools and the security community that advises users on how to pick passwords those tools cannot find.

We are always told that choosing simple passwords is bad, and that is true, but password cracking has moved far beyond guessing the obvious, so the rules for choosing a password have to move with it. The rules below are written for this decade's crackers, not last decade's.

Rules For Picking Strong Passwords In 2015

  1. Quality and length are both required, not length alone. The password “aaabbbcccdddeeefffggg” is long but not complex: cracking tools specifically look for repeated and sequential characters and will find a password like this in short order. Security comes from length and unpredictability together.
  2. Do not use dictionary words, alone or in combination. Full words are trivial for computers to guess. Against a fast, unsalted hash such as MD5 or NTLM, a modern GPU-based cracker can try the entire English dictionary, with capitalization variants, short phrases and lists of proper names, in minutes; a slow hash such as bcrypt raises the cost per guess but only delays the recovery of a dictionary word, it does not prevent it.
  3. Password crackers know about “leetspeak” and other common letter substitutions, and apply them automatically as mangling rules on top of every dictionary word. P4$$w0rd is not safe, and neither is any other simple word with common substitutions.
  4. Common phrases from TV, movies, songs and literature are also out. “i’mrickjamesbitch” is on the phrase lists and is going to be found in short order.
  5. Be wary of letting an app or algorithm select passwords for you unless it is known to draw from a cryptographically secure random number generator. A generator built on a predictable source produces passwords with patterns an attacker can reproduce, and nothing about the output reveals this to the naked eye.
  6. Be aware of heuristic-based (targeted) attacks. Assume that your attacker knows everything about your hobbies, your musical preferences, the city you live in, and your pets' names. In the age of social media the general public has unprecedented access to exactly the information people build passwords from.
  7. Be aware of attacks based on human behavior. Crackers model how people respond to a site's password policy: if the site requires a capital letter, a number and a symbol, the cracker assumes you capitalized the first letter and appended the number and symbol to the end, and its rules try precisely those transformations. Knowing this, “Password1!” is not meaningfully more secure than “password” to a cracker.
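To make rules 2, 3 and 7 concrete, here is a small rule-based guess generator of the kind a cracker runs, written for this article as an added example rather than taken from any real cracking tool. The word list, the substitution tables and the target hashes are all constructed for the demonstration, and it uses unsalted SHA-256 as a stand-in for whatever fast hash the target system stores.

```python
import hashlib

# Constructed stand-in for a real word list (assumption: a real cracker
# loads millions of words, names, phrases and previously leaked passwords).
WORDLIST = ["password", "chicago", "wasabi", "sister", "fluffy", "summer"]

# Substitution tables a cracker applies as mangling rules. The empty table
# keeps the word as typed; the others are common "leetspeak" spellings.
LEET_TABLES = [
    {},
    {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"},
    {"a": "@", "e": "3", "i": "!", "o": "0", "s": "5"},
]

# Suffixes that satisfy typical "add a digit and a symbol" policies:
# nothing, 0-99, one symbol, or a number followed by a symbol.
SUFFIXES = ([""] + [str(n) for n in range(100)] + list("!@#$")
            + [f"{n}{sym}" for n in range(100) for sym in "!@"])


def leet_variants(word):
    """Yield the word with each substitution table applied in full."""
    for table in LEET_TABLES:
        yield "".join(table.get(ch, ch) for ch in word)


def case_variants(word):
    """lowercase, Capitalized and UPPERCASE forms, without duplicates."""
    seen = set()
    for form in (word.lower(), word.capitalize(), word.upper()):
        if form not in seen:
            seen.add(form)
            yield form


def candidates():
    """Stream guesses roughly in the order a rule-based cracker tries them:
    cheap transformations of common words before anything exotic."""
    for word in WORDLIST:
        for leet in leet_variants(word):
            for cased in case_variants(leet):
                for suffix in SUFFIXES:
                    yield cased + suffix


def sha256_hex(text):
    """Unsalted SHA-256, standing in for the target's (fast) password hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes):
    """Run the guess stream against a set of hashes.
    Returns ({hash: recovered_password}, number_of_guesses_tried)."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for guess in candidates():
        tried += 1
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
            if not remaining:
                break
    return found, tried


if __name__ == "__main__":
    # Constructed targets: three policy-compliant "strong looking" passwords
    # and the article's sentence-derived one.
    targets = ["Password1!", "P4$$w0rd", "Fluffy99!", "MswliClte@W!30tpw!"]
    found, tried = crack({sha256_hex(t) for t in targets})
    for t in targets:
        status = "CRACKED" if sha256_hex(t) in found else "survived"
        print(f"{t:22} {status}")
    print(f"{tried} guesses")
```

The point of the stream is that “Password1!”, “P4$$w0rd” and “Fluffy99!” fall out of the first few thousand guesses because the cracker expects exactly those transformations, while the sentence-derived password matches no rule and survives the whole stream. In a real attack the word list runs to millions of entries and the guess rate against a fast hash is in the billions per second, so the only thing that moves a password out of reach is having no dictionary structure at all.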

So, knowing all of this about the advances in cracking techniques, what is a hard and fast rule for creating hard-to-crack passwords?

We like the technique popularized by cryptographer Bruce Schneier. You take a sentence that means something to you, spice it up, and you get a very hard to guess password.

“My sister who lives in Chicago loves to eat at Wasabi 30 times per week.” is easy to memorize.

We can take the first letter of every word, keep the number, and insert some symbols to make a very difficult password.

“MswliClte@W!30tpw!” To anyone but you this password is gibberish: it matches no dictionary word, phrase or substitution rule, so a cracker is reduced to brute force, and an 18-character password drawn from upper- and lower-case letters, digits and symbols (roughly 95^18 possibilities) is out of reach of brute force even for a large GPU cluster. The strength rests on the sentence being your own; a song lyric or famous quotation encoded this way is on the cracker's phrase list too. You can lengthen the password further by incorporating more phrases or simple made-up rules. Maybe we throw in a dollar sign after every capital letter, and add the phrase “but she also loves Reno’s Pizza!”

This gives us “M$swliC$lte@W$!30tpw!bsalR$P$!” As you can see, toying with these rules gives you substantial control over the strength of your passwords and makes them extremely hard to guess, while they stay easy for you to remember because you came up with the phrases.
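The two transformations above, written out as code so the rules can be checked and reused: an added example for this article, not code from Schneier or from the original page. The word substitutions (“at” becomes “@”, “Wasabi” becomes “W!”) and the trailing “!” are read off the article's own result; the guess rate used for the time estimate is an assumption.

```python
import math
import string


def initials(sentence, word_map=None):
    """First letter of each word, keeping whole numbers and replacing any
    word listed in word_map by its token. Punctuation around a word is
    ignored, so "Pizza!" contributes "P" and "week." contributes "w"."""
    word_map = word_map or {}
    out = []
    for word in sentence.split():
        bare = word.strip(string.punctuation)
        if not bare:
            continue
        if bare in word_map:
            out.append(word_map[bare])
        elif bare.isdigit():
            out.append(bare)
        else:
            out.append(bare[0])
    return "".join(out)


def marker_after_capitals(text, marker="$"):
    """The article's made-up rule: put a marker after every capital letter."""
    return "".join(ch + marker if ch.isupper() else ch for ch in text)


def mnemonic_password(sentences, word_map=None, terminal="!", rules=()):
    """Encode each sentence as initials plus a terminal symbol, join them,
    then apply any extra made-up rules to the whole string."""
    password = "".join(initials(s, word_map) + terminal for s in sentences)
    for rule in rules:
        password = rule(password)
    return password


def brute_force_bits(password):
    """Naive upper bound on strength: log2(alphabet ** length), where the
    alphabet is the union of the character classes present. It assumes the
    attacker knows nothing about the sentence; once the sentence leaks or
    is a famous quotation, this number is meaningless."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return len(password) * math.log2(size)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Time to try every password in the space at an assumed guess rate
    (1e12/s is a generous figure for a GPU cluster against a fast hash)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# Constructed inputs taken from the article's own example.
WORD_MAP = {"at": "@", "Wasabi": "W!"}
SENTENCE_1 = "My sister who lives in Chicago loves to eat at Wasabi 30 times per week."
SENTENCE_2 = "but she also loves Reno's Pizza!"

if __name__ == "__main__":
    short = mnemonic_password([SENTENCE_1], WORD_MAP)
    longer = mnemonic_password([SENTENCE_1, SENTENCE_2], WORD_MAP,
                               rules=[marker_after_capitals])
    for pw in (short, longer):
        bits = brute_force_bits(pw)
        print(f"{pw}  ({len(pw)} chars, ~{bits:.0f} bits, "
              f"{years_to_exhaust(bits):.2e} years at 1e12 guesses/s)")
```

The bit estimate is the brute-force bound only. It is the right number for an attacker who has nothing but the hash; it says nothing about an attacker who knows the sentence, which is why the sentence must be yours and must stay private.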

So we now know some tips for creating high-entropy passwords. What other password rules should we follow? Are any of the common techniques a waste of time? Is there any controversy surrounding some of them?

Should I Change My Password Frequently?

This one is disputed in the security community. Forcing users to change passwords frequently does not by itself enhance security: a high-entropy password stays safe for as long as it is used, provided it is never disclosed to anyone. The key is keeping passwords secret. The advice to rotate passwords rests on the worry that they may not have stayed secret, and a password should certainly be changed the moment there is any sign it was exposed, for instance when a service announces a breach. But forced, rapid rotation without a password manager pushes people toward predictable changes (Summer2015 becomes Fall2015), toward writing passwords down, or toward storing them somewhere insecure, which is a far bigger problem than the age of a strong, secret password.

Should I Use A Password Manager?

Password managers are useful tools. They generate pseudorandom passwords and store the passwords for many sites and services in one place, which is what makes a unique password for every site practical. However, you need to be aware that these services are very juicy targets. Your “master password” unlocks everything in your life, so you have to trust that the manager keeps the master password secure and that the manager (and the company behind it) cannot read your stored passwords without your master password being entered. Lastpass is one of the most popular such services online.

Be careful with built-in password generators. A generated password is only as unpredictable as the random number source behind it, and a weak generator leaves patterns that give no outward sign that your passwords are vulnerable to attack. A generator that draws from the operating system's cryptographically secure random number generator is fine; one whose randomness source you cannot verify is the risk.

Lastly, when you log in to a web-based manager such as Lastpass, you need to check which site you are actually on, not merely that the padlock is present. A phishing site can obtain a perfectly valid certificate for its own lookalike domain and copy the real login page pixel for pixel, so the padlock proves nothing about who you are talking to; what matters is the exact domain in the address bar. A manager integrated into the browser helps here, because it only autofills a stored password on the exact site it was saved for and stays silent on a lookalike.
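Two things a trustworthy manager does that the paragraphs above ask you to check, written here as an added example (not Lastpass's code or any other product's): draw generated passwords from the operating system's cryptographically secure random source, and fill a stored password only on the exact site it was saved for. The vault URL and the phishing URLs are made up; `predictable_password` exists only to show what a bad generator looks like.

```python
import math
import random
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length=20, alphabet=ALPHABET):
    """Every character drawn from the OS CSPRNG via the secrets module,
    which is what a trustworthy generator should do."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generated_bits(length=20, alphabet=ALPHABET):
    """Entropy of a uniformly generated password: length * log2(|alphabet|).
    Unlike a human-chosen password this figure is exact, not an estimate."""
    return length * math.log2(len(alphabet))


def predictable_password(seed, length=20, alphabet=ALPHABET):
    """What a BAD generator looks like: a general-purpose PRNG seeded from
    something guessable such as the clock. Whoever guesses the seed gets the
    same password. Included only to demonstrate the failure mode."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def normalize_origin(url):
    """Reduce a URL to scheme://host:port for comparison. Requires https,
    lowercases the host and IDNA-encodes it so a Unicode lookalike domain
    cannot compare equal to the ASCII one. Returns None if unusable."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None                      # never fill credentials over http
    try:
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port or 443
    except (UnicodeError, ValueError):
        return None
    return f"https://{host}:{port}"


def should_autofill(stored_url, current_url):
    """Fill only on an exact origin match. Subdomain tricks
    (vault.example.com.evil.test), userinfo tricks
    (https://vault.example.com@evil.test) and http downgrades all fail."""
    stored = normalize_origin(stored_url)
    current = normalize_origin(current_url)
    return stored is not None and stored == current


if __name__ == "__main__":
    print(generate_password(), f"~{generated_bits():.0f} bits")
    print("seed 1234 twice:", predictable_password(1234) == predictable_password(1234))
    vault = "https://vault.example.com/login"     # constructed stored entry
    for url in ["https://VAULT.example.com/",
                "https://vault.example.com.evil.test/login",
                "https://vault.example.com@evil.test/login",
                "http://vault.example.com/login"]:
        print(f"{url:45} autofill={should_autofill(vault, url)}")
```

The origin check is deliberately strict: a different port, a plain-http page or any host other than the one the password was saved for gets nothing, which is exactly the behaviour that protects you when a phishing page has copied the real one perfectly.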

Never Reuse Passwords

The only thing worse than a weak password is a reused password. You are at the mercy of the companies holding your data to keep both it and your password secure. Sometimes these companies get it wrong and your password is exposed, and attackers routinely take the credentials from one breach and try them against every other popular service (credential stuffing). When this happens, you need to be sure that the damage is isolated to that one company and not everything you use. Do not reuse passwords, especially for accounts that hold sensitive data or can reset your other accounts, such as your email.

Two Factor Authentication

Another method to enhance your security is to use two-factor authentication when it is available.

Two-factor authentication requires two separate ways of proving who you are, and both must be accepted before access is granted. The usual combination is something you know and something you have. The “something you know” is almost always a password; the mechanisms sites offer for the second factor include:

  1. Temporary codes sent via automated phone call or text message to your personal phone
  2. Physical USB keys (also known as security tokens)
  3. Biometrics such as fingerprint, retina or facial recognition (strictly speaking, something you are rather than something you have)
  4. Email verification (a code or link sent to your registered email address, which is only as strong as that mailbox's own login)
  5. Security questions (when sites and services ask you things like your mother's maiden name, or the street you grew up on)

Note that security questions are not a second factor at all: they are another something you know, and the answers are often discoverable from social media or public records, which is exactly the heuristic attack described above. Treat them as a weak password-reset mechanism, not as two-factor authentication.

Many popular sites and services now offer two-factor authentication, but it is disabled by default and you have to turn it on in your account settings.
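The server side of a “temporary code sent to your phone” factor, as an added example for this section (not any site's real implementation): the code is random, short-lived, single use and locked after a few wrong tries, and the code check only runs once the password check has passed, so both factors must be accepted. Delivery to the phone is stubbed out as a return value; the lifetime and attempt limit are assumed policy values.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_LIFETIME = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5         # wrong guesses before the code is discarded (assumed)


class OtpIssuer:
    """Issues and verifies one-time codes of the kind delivered by SMS or
    automated phone call. Keeps one pending code per user."""

    def __init__(self):
        self._pending = {}   # user -> [code, issued_at, wrong_attempts]

    def issue(self, user, now=None):
        """Create a fresh code for the user. Returns the code, which a real
        deployment would hand to an SMS/voice gateway instead of the caller."""
        now = time.time() if now is None else now
        # secrets.randbelow is CSPRNG-backed; zero-pad to a fixed width so
        # a code like 004217 is as likely as any other.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, now, 0]
        return code

    def verify(self, user, submitted, now=None):
        """True exactly once per issued code, and only while it is fresh
        and has not been guessed at too often."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False                 # nothing issued, or already used
        code, issued_at, attempts = entry
        if now - issued_at > CODE_LIFETIME or attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # expired or under brute force
            return False
        # Constant-time comparison so response timing leaks nothing.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user]      # single use
            return True
        entry[2] += 1
        return False


def two_factor_login(password_ok, issuer, user, code, now=None):
    """Both factors must be accepted. password_ok is the outcome of the
    site's normal password check (assumed to be done elsewhere); the code
    is only consulted after it passes, which is also when a site issues it."""
    if not password_ok:
        return False
    return issuer.verify(user, code, now)


if __name__ == "__main__":
    issuer = OtpIssuer()
    code = issuer.issue("alice", now=1000)          # "sent" to alice's phone
    print("wrong code:", two_factor_login(True, issuer, "alice", "000000", now=1001))
    print("right code:", two_factor_login(True, issuer, "alice", code, now=1002))
    print("replayed:  ", two_factor_login(True, issuer, "alice", code, now=1003))
```

A six-digit code has only a million possibilities, so the attempt limit and the short lifetime are not optional extras: without them the code can simply be guessed online, and the second factor adds nothing.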

Caveats On Two Factor Authentication

With two-factor authentication you also have to consider the privacy policy of the company, because you are often handing it additional personal information such as your phone number. For example, both Facebook and Google offer two-factor authentication in the form of a text-messaged code. However, both companies are known for mass data collection on their users (this is how they make money), and you may not want to give them additional personal data if their privacy policies allow them to share it with others.

Multi-factor authentication is also not a cure-all. For example, a code delivered by automated phone call can land in voicemail, and voicemail systems have been accessed by attackers spoofing the caller ID of the account holder's own phone; codes sent by text message can be intercepted by an attacker who convinces the carrier to move your number to a SIM they control (a “SIM swap”). If you use multi-factor authentication, it is crucial that you also practice the good password hygiene described above.