Ask HN: Password best practices?
My password practices are an unsystematic mess. I keep different passwords of varying strength across all of my accounts.
I'm ready for a total overhaul with best practices in mind.
How should I go about this?
I'm ready for a total overhaul with best practices in mind.
How should I go about this?
75 comments
[ 3.1 ms ] story [ 140 ms ] thread1. https://lastpass.com/ 2. https://agilebits.com/onepassword 3. http://keepass.info/
I started to use 1Password (for my Mac) about two years ago, and it probably sat, unused, for the first six months. I knew that I was doing the wrong thing by not using 1Password, but I was also frustrated by the thought that every time I went to a Web site, I would need to click a few more times, instead of letting my browser fill things in.
At a certain point, I realized that the only way to use good passwords was to embrace the 1Password way of doing things. I slowly but surely changed all of my passwords, and I feel much, much more secure nowadays. Each site has a different, long, impossible-to-remember password -- but that's OK, because the whole point is that the password shouldn't be possible to remember.
It takes time to use such systems, but they're incredibly worthwhile. And after a while, their use becomes quite painless and natural.
[0]= https://news.ycombinator.com/item?id=6944929
Each password for a service is then randomly generated and stored in the archive; you don't need to remember them, you just need to access the archive.
For default, I have chosen 60-character password length, upper-lower-numbers-spaces-special characters mix (as a rule of thumb, a longer password is preferable to a more complex password).
For whatever reasons, some services refuse this combination - and that's a huge red flag: if the service at least hashes the password, it should get a uniform, eminently storable string out. If they care what characters go in ... well I ain't saying they're storing the plaintext, but it's close enough to arouse suspicion. One of the worst offenders seems to be Skype, with its "maximum password length: 20 characters, no weird characters allowed." If that happens, well, you can override the default and generate a weaker password for that one service, or vote with your feet and not provide your account details to such a suspicious contraption.
I ask because I wonder if I should go more complex with that one password I remember. Mine is about as complex as the example I gave.
There are WAY too many services that don't allow for 60 character passwords though. I use much shorter passwords by default (24 characters or so, I'm not even sure of the exact length) but it's not uncommon for a service to not accept my generated (by KeePass) password due to its length.
One more vote from me for KeepassX with both a long, unique passphrase and a keyfile. Once you start using a password manager it's impossible to go back to trying to memorize individual passwords (which is a good thing) and you'll be hooked for life at the convenience.
One tip: make sure to increase the number of rounds of key derivation for the master password (should be under "Database settings"). The default is relatively low. There's a handy button with a clock on it that will perf test your computer and pick a number of rounds that is approximately 2 seconds of CPU time.
> For default, I have chosen 60-character password length, upper-lower-numbers-spaces-special characters mix (as a rule of thumb, a longer password is preferable to a more complex password).
Yep when it comes to passwords, long beats strong.
For answers to "secret questions" (which arguably are one of the stupidest concepts in account security) I follow the same rule. Long, random gibberish answers. Ex:
I think it'll be pretty funny if I ever have to read one of those over the phone.>One of the worst offenders seems to be Skype, with its "maximum password length: 20 characters, no weird characters allowed."
Yes that's pretty stupid and it's not just Skype, it's also Hotmail/Outlook and "Microsoft accounts" in general (ex: Windows Azure). I don't remember if it was always like that for Skype or if it happened after the Microsoft acquisition though.
That would be the websites of nearly every financial institution I've ever come across.
Please contact us at support @ agilebits . com, no spaces. We'll be happy to help get things working. You're free to mention my name and someone will pass it along to me personally.
Include each device (like above) along with what syncing method you are using (Dropbox, wifi, iCloud).
This goes for anyone who has trouble. You're welcome to contact us for support, we do everything we can to help support our users if they run into trouble. Please don't hesitate to contact us.
Kyle Swank
AgileBits
We can sell the Mac version via our website or the Mac App Store (we do both). Purchases made on one cannot be easily converted to the other. In fact, we have no knowledge of any information about Mac App Store purchases besides total sales numbers and basic stats like that.
Windows, the only really straight forward way is from our website.
Android, technically we could distribute from our website and/or the Google Play Store. Distribution from our site is not something I'm all that familiar with, but I don't think it's all that common these days. I'm sure someone will correct me if I'm wrong here.
iOS can only be purchased from the App Store.
As you can see, there's really very little in common between various distribution methods. We would _love_ to be able to sell a pack that includes everything. It's just not an easy thing to do nor is it possible on some platforms.
The only apps that actually have a real license for them is the website version of the Mac app, and the Windows app. The rest are all tied to the ID you used for purchasing (iOS, Android). The app also includes a software licenses section so you can store those credentials in the app if you choose. Making this a lot easier.
Hope that helps explain a little bit about why it might seem difficult, but it shouldn't be all that hard in the long run. It's like any other software really.
Kyle Swank
AgileBits
Use a encrypted storage for your password, protected by a master password. This can be as simple as text files on encrypted volume, or a more complicate password manager.
When you can avoid using passwords, do so. For example, key based SSH auth prevents you from having to re-enter passwords all the time, and is generally more secure.
When given the option of 2-factor authentication, take it. 2FA + a weak password is usually better for security than a strong password without 2FA.
Password to lastpass is long and completely unique - not used anywhere else.
lastpass generates and maintains passwords for all sites - they are all 16 characters long (long passwords are key for preventing bruteforce typically), unique, and they all contain numbers, upper and lower case characters, and symbols.
The thought process is - if one of the passwords is compromised (hacked site, brute force, etc.), the same password will not be usable on other sites. I had this happen in my WoW days.
Edit: I have the lastpass app trusted on my phone so I have access on the go.
I don't use any american solutions due to Snowden's revelations. I don't want NSA on my passwords. Prefer an open source program.
If you want a cloud system, with keepass on your smartphone automatically updated, I think you should create your owncloud server.
And for the rest of the bunch, I switched to 1Password. It doesn't support Linux, but that's okay for me. I do most of my browsing on iPad and MacBook.
Yes, this means your GMail password security is likely more important than your bank's.
Specifically, if someone gains access to your physical computer and they figure out your LastPass password, what happens next?
If you choose to use LastPass, make sure you do it with a fantastically long, entirely random password.
Example: "3BA^h<VQgj+nL%KP$ (this was completely randomly generated at http://passwordsgenerator.net/)
For a little reasoning, look into how passwords are generally hacked. Usually, hackable passwords consist of words or l33t words (l!k3 th!5) that are somewhat related to the person. A massive number of people use the same words or patterns for these things, so a brute force attack informed by a l33t-smart dictionary (minus the definitions) often is the cause for a hack like this. Furthermore, in different languages, there are more frequently used letters and spelling conventions, which can inform the dictionary's ordering or choice of words. (Think: colour vs color)
However, if the person does indeed use a random sequence of characters, the average person doesn't usually go outside the alphanumeric range. If the password is only lowercase, that's 32 characters. If it contains uppercase, that's 62 characters.
So then, we can take that information and use it to understand the complexity of a brute force algorithm based on possible permutations and other info.
Take a look at this: http://www.passwordmeter.com/
(Disclaimer: I do not hold any type of CS degree or formal training in cryptography. I've listened to a few classes online though.)
An example of an algorithm could be the first two letters, the last two letters and place those around the name of the person who created the service. This is a poor and somewhat weak algorithm, but the main idea is given the service's name you are not only able to derive the password, but each service has a unique one.
Is it? = "Hacker News", "HackerNews", "Hacker news", "ycombinator", "news.ycombinator.com"... you get the idea.
Even if you have a 100% way to determine the name. Then the main problem why this doesn't work, is that the name might get changed slightly and ruin your scheme. And you can't remember the password because you didn't visit the site for 4 months.
Example: Hacker News -> News for Hackers, or the domain you used for name gets slightly changed.
Then what?
Also, if I wanted this to work with multiple accounts on a single website, I would have to include [account name] in the input to the hash function.
On the plus side, all this brain-damage does seem fairly easy to incorporate into an automatic scheme. Have another file that has a list of cutoff lengths for each site that has them, and another file with special characters to insert. Then the scheme becomes: hash [domain] + [secret] + [resets (if any)], add special characters to the start (if any), and cut off the end of the string (if necessary).
I recently went looking for a passphrase generator that supports the http://xkcd.com/936/ scheme, and failed to find one I thought I could trust. So I created [1], which is about as simple as it can get, is loaded (from my own server) over SSL and doesn't rely on anything server-side or use any frameworks, so you can easily verify it by hand. It does rely on Firefox at the moment as Chrome doesn't have the crypto functions it needs yet. I intend to clean it up and publish it properly, but I'm all out of tuits, let alone round ones.
[1]: http://ares.aylett.co.uk/pw/
edit: some numbers for scale: oclHashCat claims 2500M tries per second for plain SHA1 with single HD7970 GPU. That would mean that 4 of 2000 word passphrase would be cracked in 1.5 hours and 5 of 10000 word passphrase would take 1268 years.
More often, though, I'll be looking up credentials on my phone to enter into a different system. That's where having not-completely-random passwords becomes useful, as the output of `pwgen` is much easier to type.
I tried using tools keepass and dashlane. They are good, and work most of the time, but irritant with few sites, enough for me to not use them.
[0]: http://www.zx2c4.com/projects/password-store/
[1]: http://git.zx2c4.com/password-store/about/
On another note, the pass documentation recommends a filesystem layout that doesn't remember usernames. I used this scheme before going back to vim:
I'm currently storing everything in a separate OSX keychain with a strong 20+ character password but there seems to be very little out there describing how OSX encrypts the notes. I can only find articles from a few years ago staging it's 3DES but I would like to think its been upgraded since then.
You could use a password card[1]. Just print an keept it on a safe place (your wallet :-D).
or
Get a long and complex Password you can remember (there are lots of techniques to create and remember a passwort). After that add a site-specific phrase to your password. For example: [YourLongAndComplexPasswort]H4ck3rn3w$ As you can see, H4ck3rn3w$ is the site-specific phrase for the hacknews-website.
[1] http://www.passwordcard.org
This is not a good approach. The problem arises when some thrid aprty stores your password in clear text or some easily reverisible format that allows hackers to easily get this "[YourLongAndComplexPasswort]" part thus reducing your password to the easily predictable suffix.
If your unique Hack News suffix is H4ck3rn3w$ it's a fairly safe bet that $l4shd0t, R3dd!+, Gm4i! will also be easily predictable
* Use a passphrase of at least five random words.[1]
* Keep that passphrases secret.[2]
* Use a password manager like 1Password or Keepass to generate and manage all other passwords.[3]
[1]: Good passwords have high entropy and are easy to remember. For that reason, passphrases are preferred to passwords.
[2]: It's ok to write down your passphrase, but keep it somewhere safe -- like your wallet.
[3]: Password managers prevent password reuse and make life easier. Sync passwords across devices.
for more: http://bdd.io/security , with linked justifications.
Your method relies on a person not reading your password (or maybe two passwords) in clear text and seeing the pattern.
Let's say someone's e-mail is in their profile, and let's say it was listed in one of the compromised datadumps, or I was lazy and entered it in https://shouldichangemypassword.com/ and it found an entry or two. Without much work I find a couple of compromised passwords and now I have access to all of the other accounts.
I suggest instead:
Step 1: random passwords saved in a password safe.
Step 2: add 2-factor authentication
Along with security updates auto-installed, virus scanner, no untrusted programs, firewall, etc. etc.
I don't think your suggestion of common passwords with a prefix is good advice.
(I think you got the wrong thread)
For instance...
"Cause I know that time has numbered my days And I'll go along with everything you say"
Becomes...
ciktthnmdaigaweys
Becomes...
c1k77hnmd41g4w3y5
I use this system for all of my passwords. I try to use a different password as often as possible and never have to write them down. Frequently used passwords have gotten to the point where inputing them is an exercise in muscle memory.
Now I just use the xkcd method. e.g. forest monkey jump truck
I have a different password for everything, which is something like 50 different passwords. I know around ~15 of them by heart - the rest I almost never use (I store them on google drive behind 2FA for when I need them)
What I would really like to do is program a simple command line application that would generate and store all of my passwords. I started on one a while ago but never finished it; its on my to do list.
What do you do when you need to connect in a PC that is now yours? This happens to be very often in parties when people want me to use my spotify.
Also do you keep your rsa passphrase in the archive?
As for what I do now: I integrate the service name in my password in different ways depending on the name. The combination is long enough and has enough entropy that I feel comfortable against bruteforce attacks, but is quite a mind juggle to find my password sometimes.
Consider which are most important accounts (email would be prime candidate) and have the login details for them written up on a physical paper stored in a secure place. This is to prevent catastrophic data loss in the situation where your primary way of managing passwords fails for one reason or the another.
I copy my 1Password keychain onto a USB drive, space is cheap so a 16gig USB drive contains backups going back like 6 months. This drive also includes other bits of data, like tax returns.
There are now two of these drives. Once every two weeks, or after significant changes are made, I rotate them in and out of a safe deposit box.
At home I have the other in a fire safe.
One of my notes in my keychain is also instructions on what to do in case of my inevitable demise :) What credit cards I have, what services I use, all of that type of information.
The master password is stored in a safe location that only immediate family know about. Along with location they know how to handle my affairs if something were to happen to me.
It's a great backup system, but also helps handle taking care of things when I'm gone as 1Password stores data about whatever you want and keeps it secure.
Hope that helps with some more ideas for how to use your password manager to make your life easier.
Kyle Swank
AgileBits