best password practice

Discussion in 'privacy technology' started by garry35, Aug 27, 2015.

  1. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    479
I am interested in how to make a password secure. My concerns are that passwords are more secure the longer they are, but longer passwords usually mean they are harder to remember, so some people resort to writing them on paper, which is itself insecure. Or they don't bother and try to memorize them, which works for a short time and then, without any reason, you forget them. So what is the secure alternative? This is all assuming a home and NOT a work or other environment that brings other considerations.
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Been some discussion regarding this here:
    https://www.wilderssecurity.com/thre...rize-but-that-even-the-nsa-cant-guess.374679/
    and the source:
    https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

    There are a couple of techniques for strong passwords people here like:
    a) Diceware, which uses dice rolls to select a sequence of random words from a list (as above). These are long (maybe 30-40 characters for some requirements), and surprisingly easy to remember. Good if you're proficient with typing.
    b) Sequence of first letters from some memorable phrase to the person, sometimes with decorations or substitutions.
    Both can be strong if well selected, diceware demonstrably so in terms of entropy achieved. Above all, do NOT rely on being clever, using stuff from your personal life - attackers can and will be able to guess those things with a reasonable level of accuracy (including by key-wording your disk if they have hacked your machine). The memorable data breaches of poorly protected password hashes have shown that people use dismally weak passwords (like password12345), and these will be programmed into attack tools, including common variations.
    In both cases, you should only be looking to have to memorise a very restricted number of strong passwords.
Note that the required strength is different for system access authentication (where the system can lock you out if too many failed attempts are made), versus hard disk encryption, where the attacker may try billions of combinations at their leisure. Unfortunately, many websites have not followed best practice in terms of password hashing, which effectively turns the first instance into the second.

    Which brings us onto the next point:- use password managers for long strong passwords on things like most websites - there is no way you can remember a lot of unique strong random passwords, nor is it necessary to try, given the risk (for most websites). It's sometimes possible to add a "pin" as a decoration if you need some protection against password manager compromise. Browser-password storage has been found to have many weaknesses over time.

    Which brings us onto two-factor authentication. Really, websites should be using that for strong protection, because it helps against keystroke logging. But today, you can already use two-factor on the password managers (e.g. Lastpass, Keepass, Password Safe), as well as client login.
     
  3. PallMall

    PallMall Guest

  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    You can use some long sentence (or first letters...), add special characters and something unique to each login (for instance first three letters of specific domain name). This way you have long, relatively complex and unique password which you can remember.
     
  5. PallMall

    PallMall Guest

I'd suggest using a password manager rather than trying to establish an easy-to-remember password construction scheme: like a knot on a handkerchief, one may forget what the scheme was. And of course different passwords, always. Make them at least 12 characters with letters (capital and not), numbers, special characters !@#$%^&*()_-+/\.,?
Also, no point in having a strong password if you provide a simple answer to the "Secret question" like your mother's or your pet's name: some intruders managed to recover an account with that. I often set as my pet's name, i.e., N,#_2KB6r2@.w@)_%@lwb%*//qgG,ggd - Always try to be smarter than the possible account hacker, that means try to be smarter than you would be naturally (I'm speaking for myself). Considering an enemy smarter than yourself is a necessary condition to hope for victory.
     
  6. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    479
I already use a password manager inside Windows (after logging in and entering the password into the password manager), but my concern is what happens BEFORE I log into Windows.
     
7. pwgen is NOT a password manager. It's a password generator that generates secure passwords. Check it out, it's very good.

    And it doesn't matter when you log in to Windows. Windows passwords can be very easily changed by certain software.

    If you're talking about FDE and encrypting your hard drive, then that's different.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Password managers don't work for FDE passphrases. Unless you run that in one "master" device. But then you need to secure that. Two-factor authentication is cool. But then you have some physical thing to hide.
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @garry35 What OS are you running? Windows, Mac, *BSD, or Linux?
     
  10. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    479
Running mostly M$ OS: Windows 7 recently, but now Win 10.
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @garry35 Still not clear what process you're trying to protect here - is it boot/FDE protection or is it windows login or what?
Given you're using W10, I'd be suggesting TPM+PIN with BitLocker, presuming you have all the requisites. You can also add a USB key to that if you want, with group policy. If you're only relying on a password for FDE, as you would with TrueCrypt for instance, then you need a strong password with a decent amount of entropy. With diceware, this would normally be 6 or 7 words.
Be careful with complex characters in FDE, as you can be locked out in case of keyboard layout differences.
For Windows login itself, I use a password plus Yubikey HMAC/SHA1. I believe it works on W10, though I haven't tested it (it works on W7 and W8).
    @mirimir - running a master device is not a bad way to go. This can be FDE and airgapped, and act as a strong password/key/certificate/secret repository, so that ultimately you only have to remember one long strong password, and if you happen to forget one of the subsidiary ones, then you can recover from there as a contingency. The important thing is never use that master password anywhere else. The system is also relevant as a master certificate generator and repository.
     
    Last edited: Aug 28, 2015
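A worked calculation of the entropy point made in posts 2 and 11 (the difference between a throttled online login and an offline FDE attack, and why 6 or 7 diceware words are suggested for FDE). This is an added example, not code posted by anyone in the thread; the eight-word list is a constructed stand-in for a real 7776-entry Diceware list, and the guess rates are assumed figures used only for illustration.

```python
import math
import secrets

# A real Diceware list has 6**5 = 7776 words, one per five-dice roll.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed miniature list so the generator runs offline; a real list is
# needed for real passphrases, as the entropy numbers below make clear.
SAMPLE_WORDS = ["alpha", "bolt", "cider", "dune", "ember", "fjord", "grape", "hatch"]

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed attacker rates (illustrative, not measured):
#   online: a login form that throttles to ~10 attempts per second
#   offline: a GPU rig against an unsalted fast hash or a weak FDE KDF
ASSUMED_ONLINE_RATE = 10.0
ASSUMED_OFFLINE_RATE = 1e12


def passphrase_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `words` uniformly random words from a list of `list_size`."""
    return words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the passphrase: half the keyspace at the given rate."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick words with the CSPRNG, the software equivalent of rolling dice.

    secrets.choice is uniform over the list, so each word contributes exactly
    log2(len(wordlist)) bits, matching passphrase_entropy_bits().
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for n in (6, 7):
        bits = passphrase_entropy_bits(n)
        print(f"{n} words: {bits:.1f} bits, "
              f"online ~{expected_years_to_crack(bits, ASSUMED_ONLINE_RATE):.2e} years, "
              f"offline ~{expected_years_to_crack(bits, ASSUMED_OFFLINE_RATE):.2e} years")
    print("sample passphrase (toy list, only "
          f"{passphrase_entropy_bits(6, len(SAMPLE_WORDS)):.0f} bits):", generate_passphrase(6))
```

The same 6-word passphrase drawn from the toy list gives only 18 bits, which is the post's warning about short or predictable word sources in numeric form.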
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    How will we manage 200 passwords in 2020?
    http://www.itproportal.com/2015/09/13/how-will-we-manage-200-passwords-in-2020/

     
  14. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I think they do reference password managers, though the reporting of the advice seems quite flawed (including the statements about complex passwords).
    The truly nauseating aspect of this is the pretence that GCHQ are particularly interested in cyber-security and protecting the business infrastructure of the country, when their actions say precisely the opposite. A bit like all the window-dressing they do with protection of children from internet dangers.
    What they should do - immediately - is insist on a programme, to be completed in 2 years, so that ALL b2b communications & data are encrypted (in transit and at rest), and that businesses must offer secure communications facilities to the public. Easy. And then make businesses face far higher penalties for the current level of wall-to-wall security negligence, with some mitigation if they have a credible information security policy, and have had security audits and maintenance contracts.
    Oh, and they could also do with stopping passing on the country's B2B communications to all and sundry.
     