
Version 5 (modified by Boris Horner, 6 years ago)

Safe passwords

Generally, there are many well-known strategies for choosing and maintaining safe passwords. This is particularly important for systems (like most web-based systems) that are reachable directly from the Internet and are not behind a VPN.

However, one does not need to think as far ahead as future quantum-computing-based attacks to find that many passwords are unsafe.

This is obviously true for passwords like these:

  • 123456
  • password
  • Birthday
  • Wedding anniversary

However, even passwords that seem safe are not necessarily so. Here are some reasons:

Many attacks in the past retrieved large numbers of user credentials from major platforms like LinkedIn. These credentials are publicly available on the Internet and can be searched on sites like HaveIBeenPwned.

A common approach to attacking systems is to guess an account name (like firstname.lastname or an email address) and then try large databases of stolen passwords to log on with the guessed user name.

This is based on two assumptions:

  • People tend to re-use passwords across many sites to avoid remembering many of them.
  • Some people choose so-called passphrases as passwords, that is, they choose passwords like "Flew in from Miami Beach BOAC" (which is the first line of the Beatles song Back in the U.S.S.R.). This seems valid at first, because the password is complex, safe against conventional dictionary attacks and can be memorized easily.

Alas, this password is surely among the passwords in the common password hacking databases.

It does not help much to replace characters with 1337-style numbers (B347135 instead of Beatles) or other common techniques, since databases are prepared for this.

So what can be done?

  • Passwords should be impossible to guess or derive from any other information, like databases with stolen credentials, phrases from songs, literature, religious text or quotes. Random sequences of alpha-numeric and perhaps other characters are impossible to guess. Example: q31E85Z_92.
  • Short passwords of the random type described above are hard to guess, but attackers simply try out all possible combinations automatically. Since most systems allow many guesses per second, the password must be long enough that finding it by trial is impossible in a reasonable time. The password given in the example above is too short. Safe passwords should be significantly longer, if possible, 50 characters or more.

    NOTE: Alas, some sites restrict the length of passwords (without any evident reason to do so). This forces users to choose less safe passwords than they otherwise would.

  • "If possible" relates to the question: how can I remember such a password, or even many of them? The solution is very easy: there are password databases available (see (1) for a good example). A password database allows users to store their username / password combinations, along with other information belonging to the account, in a strongly encrypted store. To unlock the store, only one safe password must be remembered.

To generate a safe, memorizable password, a variant of the passphrase method is a good approach. Instead of choosing phrases that appear somewhere in common text, a random sequence of words, names and other tokens can be chosen. Example: Bolt911HammerWeatherFishTomato123upsideChicago. This can be memorized and is probably not in public databases.

  • If the site offers it, use Two-Factor-Authentication, that is, log in with your password and a second key received by SMS, by an app on your smartphone or on a dedicated One-Time-Password token.
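As an added illustration of the length argument and of the random-token passphrase method above (example code, not part of this wiki page): search_space_bits and years_to_exhaust estimate how large the key space of a given password is and how long trying all of it takes at an assumed guess rate, and random_tokens builds a passphrase of the Bolt911Hammer... kind from a word list using the operating system's CSPRNG. The guess rate and the word list are constructed for the example.

```python
import math
import secrets
import string

# Constructed guess rate for illustration, in the range of offline cracking
# of leaked fast hashes; online logins allow far fewer tries per second.
GUESSES_PER_SECOND = 1_000_000_000_000

def search_space_bits(password: str) -> float:
    """Bits of key space for a password of this length built from the
    character classes it visibly uses (an upper bound: leaked-password
    lists are tried long before any brute force)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet)

def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of that key space at `rate`."""
    return 2 ** search_space_bits(password) / rate / (365 * 24 * 3600)

def random_tokens(words, n_words=6, rng=secrets.SystemRandom()) -> list:
    """Draw n_words random words with the OS CSPRNG, randomly capitalize
    each, and follow about one in three with a random number."""
    tokens = []
    for _ in range(n_words):
        word = rng.choice(words)
        tokens.append(word.capitalize() if rng.randrange(2) else word)
        if rng.randrange(3) == 0:
            tokens.append(str(rng.randrange(1000)))
    return tokens

def passphrase_bits(word_count: int, n_words: int) -> float:
    """Lower bound on entropy: only the word choices count, since the
    attacker may know the word list; digits and capitals are a bonus."""
    return n_words * math.log2(word_count)

# Constructed word list; a real one would have thousands of entries.
WORDS = ["bolt", "hammer", "weather", "fish", "tomato", "upside", "chicago",
         "anchor", "lantern", "velvet", "quartz", "meadow"]

if __name__ == "__main__":
    print(years_to_exhaust("q31E85Z_92"), "".join(random_tokens(WORDS)))
```

With the assumed rate, the page's short example q31E85Z_92 (about 65 bits) can be exhausted in under two years, while the 46-character token passphrase (over 270 bits of key space) cannot be exhausted in any meaningful time.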

(2) provides a very good overview of server and general security.

References
