What’s the deal with passwords?

--Originally published at TC2027 – Blog will Tear us Apart.

Passwords, oh passwords. The keys to our everything, definitely a pain in the arse.

This is my approach on the defense/user side of passwords, if you’re interested on the attacking approach, read Miss F’s post.

I’m sure we’ve all heard hundreds of times how insecure our passwords are, every year or so, another security blog or company sends in their updated new rules and minimal security measures, but as today, there are some basic principles.

  • Never use your name, birth date, security number, house address or telephone numbers. Neither your past ones, or a family ones
  • Never use sequential numbers. 123456Seven sucks, (ping me if you got that reference)
  • Never use words like “password”, “admin”, “qwerty” as a password. Please.
  • Never repeat passwords. Really, that’s just dumb.
  • Keep them long. Try to use at least 12 characters.
  • Add capital letters and symbols.
  • Do not share them, lass.

I know it’s kinda complicated to remember every password ever, so here I gathered some password making techniques.

Prefix-Suffix method.

I used to give a middle school digital crash course, and normally I used this method of password making. I call it the prefix-suffix method, this method is great for memorizing complicated-ish passwords and becomes an easy way to never use the same password. It’s great for defending against brute force attacks, and might help a little with dictionary attacks. Here are the steps:

  1. Choose the name  TV show, movie, character, song; anything you really like, the obscurer the better. For example, the name of a semi-obscure Jedi master: Plo-Koon.
  2. Now grab that name and scramble it in a way you can easy remember, give it a little twist, add some l33t, you name it; just keep it easy to remember, here’s with our Jedi: P1O^Kunn (Notice that I even misspell it). This
    aint.gif
    your suffix.
  3. This is the magic step, for each site you have an account, you need to add a suffix. This can be made up by the name of the site. In the case of Facebook, for example, we can use just the latter half: book. It is important to keep it readable and easy to remember, so don’t mess with it a lot. Still we can add a post-suffix, and play with lower and capital case, resulting on something like these: BOOk$$
  4. Finally, let’s glue everything together resulting in passwords like the following:
    1. P1O^KunnBOOk$$
    2. P1O^KunnTWIt$$
    3. P1O^KunnGLe$$
    4. P1O^KunnGRAm$$

This method is beginner entry, it really helps a lot when you compare it to your old “password” password. Yes, it might have some issues with dictionary cracking, but it’s a start, it really helps to children and adolescents understand the nature of passwords.

The xkcd method.

If you still want to get safer, you can use the xkcd method, named after the web comic where it was widely spread.

Now, as the computerphile’s video stated, this method is not yet perfect, and there’s a way to enhance it by using words that are rarely used by today’s standards, adding other languages help to.

But in the end…

aint.gif

Enter the magic of a password manager.

Password managers are services, commonly browser plug-ins, which keep record of your passwords and fill the log in forms, most of them are free with a paid upgrade option.

Services like lastpass not only keep them safe and easy to use, but also help you to generate really secure passwords, by generating random sequences of characters with length up to 100 characters, store them and let you use them if you have the plug-in.
Recently lastpass added a phone app and even a second-step verification, adding another layer of security.

Still the services require you to learn one password in order to access it, and you can use one of the methods I talked about to create it.

That’s it for now. Remember to read Miss F’s post about password cracking to get the whole picture.

Be safe.