Password Methodology

[Circaflex]

  On 20/05/2019 at 10:21, Sir Topham Hatt said:

How do you guys choose passwords? 

 

After someone mentioning about LastPass on here, I decided to give it a go. I'm a complete convert!

 

Although most of my low security passwords are the same, does anyone have any sort of pattern with theirs?

 

For example, do you use the name of the site within the password like neowin.netPassword123 for example?

 

Just interested.

Expand  

I used to just use a various combination of two or three passwords, which had different symbols and what have you. But, I've converted to using keepass and storing the database file locally and on the cloud, with a daily sync. I remember the master password and let keepass do the rest. If i need a new password, I use the auto-generator feature built into keepass to create a long, obscure password. Easy enough in my opinion.

[+Zagadka Subscriber²]

For personal stuff, I use a set of passwords... one for trash, one for low security, medium, high, and some in between. Email passwords are unique. I change them all except trash every 6 months. They are based on sets of motifs (one used to be radio station call signs and one is always 3 or 4 character randomly selected gibberish) and use capitals, lowercase, punctuation, and numbers (including sometimes replacing letters with 1337 and punctuation, and changing letters into words) and end up being fairly long. I also have extensions of a few characters for important passwords like my remote servers so those are always unique. They all end up looking fairly random.

 

I also use frequently different passwords and rarely store passwords on my mobile devices, including my Surface if I travel with it, even though it is password locked itself. I only have one email account on my phone (don't use my phone much anyway). I suppose my PC is pretty vulnerable if people got to it, but I probably have bigger problems if that is the case.

 

This is a nice balance of being able to remember them all and being secure. I know that having generated passwords is more secure, but it is both inconvenient when using a lot of devices and makes you totally reliant on one tool that, if ever gets compromised or lost, leaves you helpless. IMO, not being reliant on a program is part of security.

 

The only place I have one written down is in my sealed will in case I die, for convenience, though I do use Lastpass for most regular sites. I cringe that a lot of my family has little notebooks next to their computers listing every site and (crappy) password, but they never listen to me and use a secure program.

 

I do think that I replaced the ability to remember phone numbers with my ability to remember passwords, though. I barely remember my phone number. If I lose my wallet and phone I'm pretty screwed.

[ShadeOfBlue]

When it comes to password security, it's not about character length. It's about tokens. I'll define a token as a character or group of characters that may form part of a password cracker's guesses.

 

Tokens may include:

- Words found in the dictionary

- Site info, like the name or URL

- Personal info, like names, dates, locations, etc.

- Any other well-known word or phrase (e.g. movie titles or quotes)

- Any of the above that is modified in a very common way (e.g. "N30w1n)

- Any password that has ever been seen before by hackers in the wild (e.g. stolen in one of the many data breaches)

- Any password you have ever used before in your life (or portion of it)

- Any combination of characters that form a logical pattern (e.g. even numbers, every second letter in the alphabet, etc.)

- Any combination of characters that form a physical pattern on the keyboard (e.g. "qwerty", "qazwsxedcrfvtgb", "!@#$%^&()_+" etc)

 

The more complex and random the password is, the harder it will be to crack. And you have to set the bar pretty high because you don't know how securely your password is being stored on the remote site (actually, your password hash.. unless they are utterly incompetent and are storing the whole passwords). So figure a motivated cracker could make perhaps one billion guesses per second (both higher and lower are possible).

 

To make a guess, a cracker will use these tokens, and combinations of these tokens, to form each guess. Bruce-force checking of every combination of characters is simply not done, except for very short numbers and/or certain types of characters/patterns. So, as one example, they will try not just "tokentoken", but also "tokentoken0000" through "tokentoken9999". And "token0000token" through "token9999token". And so on.

 

The best way to keep your passwords safe is to use a password manger and have it randomly generate long passwords for you (LastPass, KeePass, etc.). This is what I do. There are plenty of apps that will even type the passwords for you when you go to sign-in. If, however, you think you may have to remember your password or type it in, then there are other techniques you can use.

 

To make a password memorable:

- Start with a long nonsense sentence, and then sprinkle some special characters, repetitions, and numbers into it randomly (e.g. "My cat really likes to attack my arms" becomes "myCATTTr##llylikestoatt$$ackMYarms")

- Create a nonsense sentence using special characters as words based on what the characters remind you of. For example, start with something like "I jumped and threw the 4 balls at the wall" and turn it into "(o)^&threwthe4(())s@the|".  (o)=eye, ^=jumped, (())=ball, etc. Even better, you can make the sentence(s) longer, but use only the first letter of the words (for words you aren't representing with symbols).

 

To make a password random, but easy to type:

- Generate random passwords (15+ letters), but group it to aid in typing (e.g. "MQPYEepvyrDEGPL"). Even if the attacker somehow knows the pattern of capital and non-capital letters, there are still 26^15 = 1,677,259,342,285,725,925,376 permutations of letters. That's over 50,000 years at one billion guesses per second to get through them all. Add a few numbers and special characters (making the password longer) if required.

 

Once you have your amazing new password, never use it (or any part of it) on more than one site. No matter how good it is, sometimes sites themselves mess up (e.g. Google just announced some passwords were stored in plaintext for a time). 10 similar passwords on 10 sites means 10x the chance that all 10 of your accounts are going to be compromised. Even losing control of a seemingly unimportant account could be cause for concern. For example, you probably wouldn't want anyone to consider, even for a brief moment, that you might be responsible for whatever bad/illegal thing the attacker does while logged into your account. Just something to think about.

 

Incidentally, "correcthorsebatterystaple" (from the xkcd comic) is made up of 4 common words. Figure 3000 common words in English. 3000^4 = 81,000,000,000,000 permutations. That's about 22.5 hours at one billion guess per second to find all 4-word passwords made of common English words. This is why using only a handful of common words in your passwords is an absolutely terrible idea.

Edited May 24, 2019 by ShadeOfBlue

[exotoxic]

It would take a computer about

3 sextillion years

to crack your password

 

Dictionary based, easy to remember and type.

[+Biscuits Brown MVC]

  On 20/05/2019 at 16:15, shockz said:

Do tell how I'd copy and paste a password from my phone to a computer?

Expand  

You don't. You either install the password manager extension in your browser on your desktop or log into your vault on the desktop. The only pain point is if you are on a public computer but then you have a long list of other security concerns anyway. 

[cork1958]

Edited:

Oops! Used the wrong analogy for what I was saying! Was looking at another sight just before typing what I wanted.

 

FWIW, I simply remember my passwords.

Edited June 2, 2019 by cork1958

[astropheed Veteran]

I use the same password everywhere, even on my luggage.

[PaulATMOS]

  On 02/06/2019 at 13:41, astropheed said:

I use the same password everywhere, even on my luggage.

Expand  

3 numbers? 🤔

[Haggis Veteran]

  On 20/05/2019 at 11:00, InsaneNutter said:

Let your password manager generate something totally random for you.

 

All my passwords are totally random like this: Ma^Ce@JZ}dZGA7+GnFg:ruI~1x3g19DhwxqRBp*jUn1i!E%Jeb and are unique to every website.

Expand  

I do this too

 

[sc302 Veteran]

let last pass generate...

 

alternatively look around you....make simple nonsensical phrases, more words the better.

 

7purple&chimichanga!nipples

 

let me know how long to brute force that one.  

 

https://www.grc.com/haystack.htm

 

 It is 27 characters long, but quite easy to remember....  The key is pass phrases, not pass words.   The variable is password length...hackers generally don't know it, brute force systems don't know it...You would have to mix up ever word in the dictionary without knowing how many combinations of words or combinations of combinations of spellings of words utilizing every possible replacement.  It is pretty secure due to the character length and unknown random characters even if they are placed at beginning/ending of words....really screw them up put a random character in the middle of a word.