Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 02-10-2016, 01:52 PM   #21
Hack&Lube
Atomic Nerd
Join Date: Jul 2004
Location: Calgary

Quote:
Originally Posted by darklord700
Many good suggestions thanks.

Question to the expert: would a password like "applecore2015" or "2015applecore" be easier to brute force crack than one like "a2pp0lec1or5e"?
With dictionary/rainbow tables yes, but the other one isn't tough to break either. Anything short of 15 characters is crackable with consumer hardware you can buy at memory express (strap a few GPUs together). As I mentioned in the last post, length is everything.
Old 02-10-2016, 01:53 PM   #22
Krovikan
Powerplay Quarterback
Join Date: Jan 2010

To generate a long password that is easy to type on most devices, I like to use the method of building a random phrase that is easy to remember; however hard to guess for example:

"remaining extreme discovery settled"

Makes no sense; is hard for a computer or human to guess however easy for a human to remember, xkcd did an excellent comic on this method: https://xkcd.com/936/ (just noticed this was already linked)

Looking for random text, there is a site for that: http://randomtextgenerator.com/

Old 02-10-2016, 01:55 PM   #23
DoubleF
Franchise Player
Join Date: Apr 2014

Quote:
Originally Posted by darklord700
Many good suggestions thanks.

Question to the expert: would a password like "applecore2015" or "2015applecore" be easier to brute force crack than one like "a2pp0lec1or5e"?
I'm under the perception most websites have brute force prevention built in. Bruteforce also puts in all sorts of random gibberish anyways. Even a crazy awesome password can be bypassed easily via keylogger or phishing scam if you're being silly. You merely need to choose a reasonable password that isn't mass used by many/easily guessed that you won't forget.

I mean, "applecore2015" or "a2pp0lec1or5e" won't matter if it's gift wrapped to the hacker via keylogger or entered into their legit looking web page. One is way easier to forget than the other though. IMO, your "difficulty" may increase by putting appl instead of apple perhaps to get around the dictionary method discussed below, but if someone wants to target you specifically... I think you'll be hacked regardless.

You're more likely to be social "hacked" or keylogged/phished than password guessed/brute forced IMO.

Old 02-10-2016, 01:59 PM   #24
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Quote:
Originally Posted by Hack&Lube
Length is everything.

https://xkcd.com/936/

Quote:
Originally Posted by Krovikan
To generate a long password that is easy to type on most devices, I like to use the method of building a random phrase that is easy to remember; however hard to guess for example:

"remaining extreme discovery settled"

Makes no sense; is hard for a computer or human to guess however easy for a human to remember, xkcd did an excellent comic on this method: https://xkcd.com/936/

Looking for random text, there is a site for that: http://randomtextgenerator.com/
Except these methods fail to account for dictionary attacks which merge words together, which is the first thing any brute force attack would try.

From https://www.schneier.com/blog/archiv..._secure_1.html

Quote:
Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: "$" for "s", "@" for "a," "1" for "l" and so on. This guessing strategy quickly breaks about two-thirds of all passwords.

Modern password crackers combine different words from their dictionaries:

What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."

This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.
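The disagreement above (length versus dictionary attacks) comes down to how big the search space is under each attacker model. This is an added illustration, not code from the thread: it sizes the exhaustive search over an alphabet against a word-combining attack of the kind the Schneier excerpt describes, using the thread's own sample passwords. The 100,000-word dictionary, the appendage and separator counts, and the 10^11 guesses-per-second rate are assumptions chosen to make the comparison concrete, not measurements.

```python
import math

# Added illustration for the thread, not code from it. The attacker models and
# the guess rate below are assumptions, not measurements.

GUESSES_PER_SECOND = 1e11   # assumed multi-GPU rate against a fast, unsalted hash


def alphabet_size(password: str) -> int:
    """Smallest standard alphabet an exhaustive (mask) search must enumerate to
    cover every character class actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33          # printable ASCII symbols, space included
    return size


def brute_force_candidates(password: str) -> int:
    """Every string up to this length drawn from that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def combinator_candidates(num_words: int, dictionary_size: int,
                          separator_choices: int = 1,
                          appendage_choices: int = 1) -> int:
    """Dictionary attack that glues words together: every ordered choice of
    words, times the separators tried between them, times the digit/date/symbol
    appendages tried on the end."""
    return (dictionary_size ** num_words
            * separator_choices ** max(num_words - 1, 0)
            * appendage_choices)


def bits(candidates: int) -> float:
    """Search space expressed as bits of attacker work."""
    return math.log2(candidates)


def expected_seconds(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to a hit: half the space at the assumed guess rate."""
    return candidates / 2 / rate


def describe(label: str, candidates: int) -> str:
    years = expected_seconds(candidates) / (365.25 * 24 * 3600)
    return f"{label:<52} {bits(candidates):6.1f} bits  ~{years:,.2g} years"


if __name__ == "__main__":
    for pw in ("applecore2015", "a2pp0lec1or5e"):
        print(describe(f"{pw}: exhaustive, {alphabet_size(pw)}-char alphabet, len {len(pw)}",
                       brute_force_candidates(pw)))
    # Same password modelled as 2 words from a 100k list plus a 4-digit year.
    print(describe("applecore2015: 2 words x 100k dict + 4-digit appendage",
                   combinator_candidates(2, 100_000, appendage_choices=10_000)))
    phrase = "remaining extreme discovery settled"
    print(describe(f"4-word phrase: exhaustive, {alphabet_size(phrase)}-char alphabet, len {len(phrase)}",
                   brute_force_candidates(phrase)))
    print(describe("4-word phrase: 4 words x 100k dict, space-or-nothing separator",
                   combinator_candidates(4, 100_000, separator_choices=2)))
```

Run as a script, the table shows why both sides of the argument are right: treating "applecore2015" as two dictionary words plus a year cuts the search from roughly 67 bits to about 46, while a four-word phrase stays near 69 bits even against an attacker who knows it is made of words, because the dictionary exponent grows with the word count.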
Old 02-10-2016, 02:05 PM   #25
Matata
Lifetime Suspension
Join Date: Jul 2007

To keep things organized, I keep a list of the mnemonic devices I use to remember the password (so I don't write the actual password anywhere).

i.e. "calgarypuck.com = stupid kid x4" This reminds me that I use a password I came up with as a stupid kid for CP, and the "x4" reminds me which variation of the password I'm using.
Old 02-10-2016, 02:05 PM   #26
Hack&Lube
Atomic Nerd
Join Date: Jul 2004
Location: Calgary

Quote:
Originally Posted by Rathji
Except these methods fail to account for dictionary attacks which merge words together, which is the first thing any brute force attack would try.

From https://www.schneier.com/blog/archiv..._secure_1.html
Yes, I agree as alluded to in my other post about dictionary and rainbow table attacks. Character substitution or punctuation addition also doesn't work that well.

Personally, I don't have any trouble remembering a few long strings of random characters. Psychological theory shows that people are able to remember things in blocks so breaking down long things into small blocks makes it manageable. That's why you can remember a 7 digit phone number easily.

Over the years, I've memorized a few different strings of completely random characters that I've gotten from various places and mix them up along with personal word associations and I have some 32 character passwords that I would never forget.
Old 02-10-2016, 02:13 PM   #27
PeteMoss
Franchise Player
Join Date: Jun 2004
Location: SW Ontario

Unless you're hiding some kind of crazy secrets or have something of big value - it would seem wildly unlikely that someone is going to spend hours trying to crack your password.

Obviously you don't want to use password123 or 1234567 but as long as you keep your main password somewhat complex and use two factor authorization if possible for important accounts that could be used to get other passwords (email, facebook, etc), you're likely more protected than you'll need to be.
Old 02-10-2016, 02:22 PM   #28
Krovikan
Powerplay Quarterback
Join Date: Jan 2010

Quote:
Originally Posted by Rathji
Except these methods fail to account for dictionary attacks which merge words together, which is the first thing any brute force attack would try.

From https://www.schneier.com/blog/archiv..._secure_1.html
There are several problems with that article, one of the big ones was at the end though where the author suggests "tlpWENT2m" as a good password. Using a cuda cracker in brute force mode, that would take two weeks to crack an encrypted string or hash containing that value with my video card, let alone a system actually built to crack encrypted strings.

To crack the password I suggested you will have to use a full dictionary attack and the ability to guess the number of words, plus guess the format of those words. As you may have noted I did not use the same format as the xkcd article, something as simple as adding spaces really affects the ability of an attack utilizing a dictionary or similar methods.

That said, you should also use two factor authentication on all password vaults, as well as a long password.

Old 02-10-2016, 02:24 PM   #29
DoubleF
Franchise Player
Join Date: Apr 2014

Quote:
Originally Posted by Hack&Lube
Yes, I agree as alluded to in my other post about dictionary and rainbow table attacks. Character substitution or punctuation addition also doesn't work that well.

Personally, I don't have any trouble remembering a few long strings of random characters. Psychological theory shows that people are able to remember things in blocks so breaking down long things into small blocks makes it manageable. That's why you can remember a 7 digit phone number easily.

Over the years, I've memorized a few different strings of completely random characters that I've gotten from various places and mix them up along with personal word associations and I have some 32 character passwords that I would never forget.
Heh. It annoys some friends/family members to no end that my "easy password" to several semi communal computers and shared (with no payment data) accounts is a 10 digit student ID from Jr High (i.e. Spotify and Netflix). Friends' routers with hexadecimal passwords drive me up the wall. No one can ever find the damn key which creates a huge headache setting up something to connect to wifi for them when they can't get in themselves without a phone call to some service rep somewhere or waiting for my mom for instance to look up a ridiculously overcomplicated password she penned down in a notebook somewhere (which she cannot find).

Curious question for some password gurus. I've on occasion helped individuals set their wifi passwords to a home phone number or cell number preferably unaffiliated with the internet plan. I've always believed it to be safe enough from general misuse (if someone war drives you, you're kinda screwed whether you know your own password or not) without being so complicated that average users don't always call me up and say "it's broken because I can't get it to work". Is this adequate or no?

Agree with PeteMoss though. As long as it's good enough and practical and you're being prudent, IMO that's all you really need. Anything more is pretty much overkill.
Old 02-10-2016, 07:36 PM   #30
#-3
#1 Goaltender
Join Date: Mar 2008

The password thing has gotten out of control. Having people use P4s5w0rd! as their password does not make it any more secure, and having the formula so complicated that people either need to save the password to their device, write it down or use the forgot password button every time they need to log in must actually lower overall security.

To me the best solution would be if networks could set up rules that would limit passwords to 1 occurrence / 500,000 users or something. Then people could use whatever the hell they want, would have an easier time just knowing the password, and it would eliminate the people of extremely concerned man passwords, which is 90% of the battle.
Old 02-10-2016, 08:48 PM   #31
Azure
Had an idea!
Join Date: Oct 2005

Like it has been suggested use a random phrase you'll remember, and add random numbers and symbols. Then use two-factor authentication. If you use LastPass, there are different methods of two-factor you can use.
Old 02-10-2016, 09:50 PM   #32
DownhillGoat
Franchise Player
Join Date: Jan 2010

Quote:
Originally Posted by photon
If the app supports a fingerprint sensor then that can help.
My concern with fingerprint sensors (for 1password, or on a phone in general) is it's really easy to get access if you're a) passed out drunk, or b) drugged at a bar/club. Not saying that's a concern for everyone, but I know more than one person who's been burned that way.
Old 02-10-2016, 09:53 PM   #33
gottabekd
Powerplay Quarterback
Join Date: Mar 2006

I use the following:
  • Keepass2 password database protected with a decent passphrase (should really add a second factor...)
  • ...saved to Dropbox
  • with an app Keepass2Android on my phone
  • and an extension called CKP - KeePass integration for Chrome

The end result is on any device I can access any of my passwords quickly, including a hot-key to have Chrome fill in my passwords, the password database is naturally distributed (for redundancy/backup), and it doesn't rely on an online service as a single point of failure. This means I have no qualms about using an insane generated password for signing up on a website, and can use a different password for each thing I sign up for.

One thing to keep in mind is that the greatest attack vector is not someone trying to brute force your password, or break into your home and find your post-it with it written down, it's the danger of using the same email/password combo everywhere. If you use the same email/password on 50 websites, it just takes one getting compromised to reveal your credentials to all those other 49 sites. It doesn't matter how long or how many special characters you have, or how securely salted and hashed your password data is maintained on those other 49 sites, it just takes one lazy or compromised site to open up your access to the other sites. Naturally, someone getting a hold of your email/password combo won't know what other sites you used it on, but you can bet Facebook, Twitter, Gmail will all be tried.
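The point that strong hashing at the other 49 sites does nothing for you once one site leaks a reused password can be shown in a few lines. This is an added example, not code from the thread or from KeePass: four constructed services for one email address each store a random per-user salt and an iterated PBKDF2-SHA256 digest; the last one ("forum") is the careless site whose plaintext password gets out. The site names, the email, the passwords and the iteration count are all made up for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration for the thread, not code from it. Site names, the email,
# the passwords and the work factor are constructed values.

ITERATIONS = 100_000   # assumed PBKDF2 work factor; production should use more


class Site:
    """A service that keeps only a per-user random salt and an iterated hash,
    i.e. the "securely salted and hashed" storage the post refers to."""

    def __init__(self, name: str):
        self.name = name
        self._users = {}   # email -> (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, self._digest(password, salt))

    def login(self, email: str, password: str) -> bool:
        record = self._users.get(email)
        if record is None:
            return False
        salt, stored = record
        # constant-time comparison so the check itself leaks nothing
        return hmac.compare_digest(self._digest(password, salt), stored)


def build_scenario(reuse_password: bool):
    """Four constructed accounts for one email. The last site, 'forum', is the
    careless one whose plaintext password leaks; that value is returned."""
    sites = [Site(n) for n in ("mail", "social", "shop", "forum")]
    email = "user@example.invalid"
    shared = "applecore2015"                   # the thread's running example
    leaked = None
    for site in sites:
        # A manager-generated unique password when reuse is off.
        pw = shared if reuse_password else secrets.token_urlsafe(24)
        site.register(email, pw)
        leaked = pw                            # 'forum' is last, so this is its password
    return sites, email, leaked


def accounts_exposed(sites, email: str, leaked_password: str) -> list:
    """Blast radius of one leak: every site where the leaked pair still logs in.
    The other sites' hashing is irrelevant because the attacker already holds
    the plaintext and simply submits it."""
    return [s.name for s in sites if s.login(email, leaked_password)]


if __name__ == "__main__":
    for reuse in (True, False):
        sites, email, leaked = build_scenario(reuse)
        print("reused password " if reuse else "unique passwords",
              "-> exposed:", accounts_exposed(sites, email, leaked))
```

With the password reused, all four accounts fall to the one leak; with a unique password per site, only the careless site itself is affected. The same structure is why a site-side defense against this is rate limiting and breach-password checks on login, not a stronger hash.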
Old 02-11-2016, 08:18 AM   #34
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Quote:
Originally Posted by Krovikan
There are several problems with that article, one of the big ones was at the end though where the author suggests "tlpWENT2m" as a good password. Using a cuda cracker in brute force mode, that would take two weeks to crack an encrypted string or hash containing that value with my video card, let alone a system actually built to crack encrypted strings.

To crack the password I suggested you will have to use a full dictionary attack and the ability to guess the number of words, plus guess the format of those words. As you may have noted I did not use the same format as the xkcd article, something as simple as adding spaces really affects the ability of an attack utilizing a dictionary or similar methods.

That said, you should also use two factor authentication on all password vaults, as well as a long password.
Thanks, I didn't notice the slight difference in your method, which makes it slightly better than the XKCD method. I still wouldn't use it personally for my master LastPass password.

About 5 of my passwords I actually know, the rest are 16-24 character gibberish.
Old 02-11-2016, 08:56 AM   #35
Flames89
First Line Centre
Join Date: Aug 2003
Location: Toronto, ON

Quote:
Originally Posted by Rathji
Except these methods fail to account for dictionary attacks which merge words together, which is the first thing any brute force attack would try.

From https://www.schneier.com/blog/archiv..._secure_1.html
Interestingly, all the geeks that replied to this blog posting refuted his argument against the XKCD. So I am sticking with that.
Old 02-11-2016, 01:11 PM   #36
Krovikan
Powerplay Quarterback
Join Date: Jan 2010

Quote:
Originally Posted by DoubleF
Curious question for some password gurus. I've on occasion helped individuals set their wifi passwords to a home phone number or cell number preferably unaffiliated with the internet plan. I've always believed it to be safe enough from general misuse (if someone war drives you, you're kinda screwed whether you know your own password or not) without being so complicated that average users don't always call me up and say "it's broken because I can't get it to work". Is this adequate or no?
The problem with WiFi is not the passphrase, it's the technology, WEP and WPA2 are relatively easily cracked. And it's next to impossible to build a true security protocol that would be secure due to the nature of WiFi. This is why Shaw, Telus, etc. have moved to captive portal technology instead of AP based security.

Your security for WiFi should be via a secondary method, for example having all WiFi connections segregated from your network. For average users I would ideally want to setup a password that only friends of the user could easily remember. For example, I like using video games and important dates for my WiFi password. That way my neighbor and/or random person can't look up the information easily; however when I give it to my friends they can easily identify it with me. For example "WorldofWarcraft2000".

Also for WiFi turn on user isolation at all times, I love connecting to a friend's WiFi, turning on a packet sniffer and reading their unencrypted communication back to them as they type it.
Old 02-11-2016, 02:22 PM   #37
devel
Backup Goalie
Join Date: Oct 2002

When creating a password that I want to be extra secure like a master password, I usually add an ascii character(s) in there somewhere. Beginning, end, in place of a word, maybe instead of spaces in a short phrase I will use ♥ (alt+3), ♂ (alt+11), ♫ (alt+14), etc.

For example you could take the common phrase, "What happens in Vegas, stays in Vegas" and turn it into: "WhIv,SiV♥♦♣♠". Song lyrics into: "♫♫ Happy Birthday 2 Me!"

The best is to come up with something that you don't have to write down. But if you do have to write something down then maybe just a clue that would trigger your memory like "Las Vegas" or "Feb 11th" (whatever your birthday is) for the above two passwords in a more common place? Then the real password in a safety deposit box, parents safe or something.

For the record I have never used those passwords. And of course you need a full keyboard to type it, so not suitable for all devices. It's just something I've done forever. I don't know if password crackers generally check for ascii symbols or not but I don't think ascii is commonly used.
Old 02-11-2016, 05:26 PM   #38
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

Quote:
Originally Posted by #-3
To me the best solution would be if networks could set up rulers that would limit passwords to 1 occurrence / 500,000 users or something. Then people could use whatever the hell they want, would have an easier time just knowing the password, and it would eliminate the people of extremely concerned man passwords, which is 90% of the battle.
Not really, the real risk from poor passwords isn't someone randomly guessing your password because so many people use 123456, it's someone stealing a poorly secured and poorly implemented database of passwords and being able to do billions of guesses per second and coming up with passwords related to millions of email addresses in one shot, a big chunk of which are also the passwords to those email addresses themselves, opening up everything else.

Plus no one can EVER agree on a standard way to do things, so it'd be impossible.

One good thing would be if all websites had to meet certain standards of password storage or something (if every site used a hashing algorithm that would take .5 seconds to guess a password mass hacking of password databases would cease instantly). But the XKCD comic applies to this too.

A better solution is to not have passwords at all. To gain access to a site, the site emails you a link with a token in it that lets you in. Until it doesn't (it expires, you change browsers, whatever), then you click the link and it emails you another token. This depends on your email being secured of course, but that's one thing instead of hundreds.
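The emailed-link login described in the post is simple enough to show end to end. This is an added example, not code from the thread or from any particular site: the server mints a random token for the link, stores only a hash of it alongside the email and an expiry, and accepts each token exactly once. The 15-minute lifetime, the injectable clock and the example address are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

# Added illustration of the emailed-link login discussed above; not code from
# the thread or from any real site. The lifetime and addresses are assumptions.

TOKEN_TTL_SECONDS = 15 * 60   # assumed: a link is good for 15 minutes


class MagicLinkStore:
    """Server side of a passwordless login: mint a random token for the link,
    remember only its hash, and accept it once before it expires."""

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be exercised in tests
        self._pending = {}          # sha256(token) -> (email, expires_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store a hash rather than the token itself: a leaked pending-login
        # table then holds nothing that can be pasted into a URL.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)     # 256 random bits; not guessable
        self._pending[self._fingerprint(token)] = (email, self.clock() + self.ttl)
        return token                          # goes into the emailed link only

    def redeem(self, token: str):
        """Return the email this link signs in, or None if the token is
        unknown, already used, or expired."""
        entry = self._pending.pop(self._fingerprint(token), None)  # pop: single use
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        return email

    def purge_expired(self) -> int:
        """Housekeeping so unclicked links do not accumulate; returns count removed."""
        now = self.clock()
        stale = [fp for fp, (_, exp) in self._pending.items() if now > exp]
        for fp in stale:
            del self._pending[fp]
        return len(stale)


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("reader@example.invalid")
    print("emailed link: https://example.invalid/login?token=" + link_token)
    print("first click :", store.redeem(link_token))   # the email address
    print("second click:", store.redeem(link_token))   # None: already used
```

Because a replayed or guessed link is rejected and an expired one is dropped, the only thing left to protect is the mailbox that receives the link, which is the "one thing instead of hundreds" trade-off the post describes.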
Old 02-11-2016, 05:32 PM   #39
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

Quote:
Originally Posted by Krovikan
That said, you should also use two factor authentication on all password vaults, as well as a long password.
Good point, I'd also say 2 factor authentication on email is almost more important.
Old 02-11-2016, 07:29 PM   #40
sun
#1 Goaltender
Join Date: Aug 2011
Location: Not cheering for losses

I follow the xkcd method as well. Easy to remember if you visualize it.

I always see those gfycat urls and think they would make good passwords:

UnsteadyHandmadeBlackfly
PerfectTenderBug
GrouchyElegantArmadillo
SillyImpeccableJaeger

and so on. Mix and match as needed.