This is the third and final part of Strong Passwords for the Security for a New Year series.
Security for a New Year Part I: Strong Passwords – Part 1
Security for a New Year Part I: Strong Passwords – Part 2
In part 1 of Strong Passwords I covered the use of entropy and character space to create strong passwords, and how the length of the password is the best defense against a brute-force attack. In part 2 of Strong Passwords I covered methods for creating a high-entropy password that is resilient to almost any dictionary attack. In both parts I mentioned that the second problem that comes with passwords is remembering them.
The memory problem typically leads to two very bad password practices. The first is writing the passwords down in a convenient place. There are many arguments on both sides of this, but for security purposes (the reason for having passwords in the first place), you should never write passwords down, at least not in any place that is easily accessible. The primary places where people keep their passwords are in one of the following locations:
- On a Post-it note on the computer desk or monitor
- On a piece of paper on the desk
- On a piece of paper under the keyboard
- In a notebook on their computer desk
The pattern that emerges from this is the consistent location: the password is always kept right next to the computer it protects. You should only have a password written down if it is safely away from the computer when you are not there. If you must write your password down, you should keep it on your person at all times, and only take it out when absolutely necessary. An ideal location to keep it would be your wallet or purse. In addition, this piece of paper should ONLY contain the passwords themselves. It should not contain your usernames or the websites they are for.
Before I go further into managing a list of strong passwords, there is one more important item I must discuss about password documentation. While the purpose of passwords is to keep others out of our accounts, there is one thing we have to keep in mind, and though morbid to think about, that is our own mortality. There are some accounts, such as bank accounts and possibly even our social media accounts, for which we should keep our passwords documented. In the event of our untimely demise, our family and loved ones would need to be able to access those accounts. It is for this reason that we should maintain a document listing these accounts, their usernames, and their passwords. Since this document violates everything else I have discussed about passwords thus far, it is critical that it be kept in an extremely safe place. There are only two places that I would recommend: the first and best choice is a safety deposit box; the alternative is a safe in your home. Again, though this single document opens access to our entire online identity, it is still a very important step in maintaining strong passwords. While we must do everything in our power to secure our accounts and identity, we must also ensure that we do not leave our loved ones with any more burdens or hurdles to go through after our passing.
Back to the less morbid aspects of security, the second bad habit that comes from having a strong password, and perhaps even worse than having your password on a sticky note attached to your monitor, is password reuse.
Before I go into further detail on this, here is another excellent XKCD comic regarding password reuse:
(For those of you not aware of the XKCD web comics, I highly recommend them. The artist covers many technical issues as well as a myriad of other topics. You can view them all for free at XKCD’s website.)
While the comic is entertaining, it covers the majority of the issue with password reuse. And while there are many legitimate sites out there, I can assure you there are twice as many illegitimate sites out there, probably using this exact tactic. Furthermore, even if a site is legitimate, there is always a chance it could be hacked. If the site is hacked and its database containing user information is downloaded (which it typically is in a website attack), then the only defense for your password is the security measures the site owners had in place on their server. Unfortunately, as attacks such as the one on Sony have shown us (Troy Hunt, “A brief Sony password analysis”), there are a lot of big companies out there with very poor practices for storing customer data. The thing that astonished me from this article was this:
Sony stored over 1,000,000 passwords of its customers in plaintext
In the web security world this is probably the first and foremost cardinal sin with customer data. There are many steps that can be taken to secure customer data, but at the very least, passwords should be one-way hashed with a random salt. In the future I will write an article on server-side security, but it will not be part of the Security for a New Year series as it is beyond the scope of these articles. For more information on the Sony hack, this article from Computer World may be helpful.
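To make the "one-way hash with a random salt" point concrete, here is an added example (not code from the Sony article or from any real site) showing the plaintext mistake beside the fix. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the slow hash and an illustrative iteration count; the sample user table is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 stands in for whatever
# slow password hash a real site would use; the iteration count is illustrative.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for every call unless one is supplied, so two
    users with the same password end up with different stored records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample "user table": the plaintext version is the cardinal sin,
# the hashed version is what should actually sit in the database.
PLAINTEXT_TABLE = {"alice": "correct horse battery staple", "bob": "correct horse battery staple"}
HASHED_TABLE = {user: hash_password(pw) for user, pw in PLAINTEXT_TABLE.items()}


def records_differ_for_same_password(table: dict) -> bool:
    """True when identical passwords no longer produce identical stored values."""
    return table["alice"] != table["bob"]


if __name__ == "__main__":
    for user, record in HASHED_TABLE.items():
        print(user, record)
    print("alice login ok:", verify_password("correct horse battery staple", HASHED_TABLE["alice"]))
    print("bob wrong password:", verify_password("password123", HASHED_TABLE["bob"]))
```

Note that a leaked HASHED_TABLE still exposes each user to an offline guessing attack against their own record, which is exactly why the length and entropy advice from parts 1 and 2 still matters even on a well-run site.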
Before I digress further, let us recap the password reuse issue. If you use the same password across multiple sites, and one of those sites is hacked and had poor server-side security practices, then all of your accounts have essentially been compromised as well. However, this brings about another issue with password memory. While one strong password can be memorized after a short amount of time, a dozen strong passwords prove to be far more difficult. This typically leads back to the first memory issue of writing passwords down in convenient locations, and thus the cycle seems endless. For online accounts there would seem to be a very simple solution: most modern web browsers offer to remember your passwords for you. While this seems like a viable solution, it is actually no better than writing your passwords down and leaving them on your computer desk. Typically, these passwords are simply hidden (they appear as ‘*****’) in your browser but not actually encrypted or hashed. This means that all someone needs to do to view your passwords is open your browser options and show the passwords.
So aside from writing the passwords down, what other options are there? This is where password vaults or password safes come into play. These programs typically have a master password to open the safe, which then gives you access to all of the rest of your passwords. These programs usually use a strong encryption algorithm to protect the rest of your passwords, which leaves you with only one really strong password to remember. Furthermore, most of these programs offer options for generating long, high-entropy passwords so you do not have to come up with them on your own. While there are many options out there, my personal favorite is KeePassX. You can download it for free from KeePassX’s website. There are several factors that make it my favorite among the password safes, but one of the greatest advantages is the cross-platform support. This means that if you use a Mac, a Windows PC, and a Linux PC, the software is compatible with all three. There is also an app for Android phones. The safe that it creates can easily be stored in a cloud-based service such as Dropbox or Google Drive, or it can be saved to your computer or a flash drive. Next I will cover the basics for setting up KeePassX once you have downloaded it and extracted the archive.
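As an added illustration of the generator feature just mentioned (my own example, not KeePassX's code), this draws passwords from the operating system's secure random source and reports their entropy using the length times log2(character space) figure from part 1. The character sets and the 80-bit target are my own assumptions.

```python
import math
import secrets
import string

# Assumed character sets for this example; a real safe lets you pick your own.
CHARACTER_SETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(character space)."""
    return length * math.log2(alphabet_size)


def length_for_target(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy meets the target for the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, sets=("lower", "upper", "digits", "symbols")) -> str:
    """Draw each character uniformly with the OS CSPRNG (secrets, not random).

    Candidates missing any selected set are rejected so typical site rules are
    met; the rejection costs a fraction of a bit of entropy at these lengths."""
    alphabet = "".join(CHARACTER_SETS[name] for name in sets)
    if length < len(sets):
        raise ValueError("length too short to include every character set")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in CHARACTER_SETS[name] for c in candidate) for name in sets):
            return candidate


if __name__ == "__main__":
    alphabet_size = sum(len(chars) for chars in CHARACTER_SETS.values())
    needed = length_for_target(80, alphabet_size)
    pw = generate_password(needed)
    print(f"{needed} chars from an {alphabet_size}-character space -> "
          f"{entropy_bits(needed, alphabet_size):.1f} bits: {pw}")
```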
(If you are unfamiliar with archives they are a way of “zipping” files together into a single file. A very nice open source program for using archives is 7zip. You can download it for free from 7zip’s website.)
*A section regarding KeePassX usage has been removed with blog migration.
While there is not an official documentation page for KeePassX, there is one for the project it branched off from. While not all of the options from KeePass are available in KeePassX, most of the documentation for KeePass 1.x should apply. For the KeePass documentation click here.
While there may be more options in KeePass than in KeePassX, KeePass is not cross-platform, and therefore is not as useful to me.
This concludes the third and final part of Strong Passwords. We have covered a lot of information in this sub-series of Security for a New Year. Look for more articles in the series in the coming weeks. I hope this series has helped you gain a greater understanding of how passwords work, and how important they are in securing your online identity. You now have the methods and tools for creating high-entropy, high-character-space passwords. In the process we have also covered several bits of useful open source software such as KeePassX and 7zip. As always, I look forward to any feedback.
~Michael
This article was originally posted 2-12-2013, but has been updated to still be valid.