December 9, 2019 - Last month, we received an email at our firstname.lastname@example.org address offering to help us with our password strength. We get lots of emails, some spam, some not, but most require a little investigation before we decide whether to engage. Any guesses as to whether this email was benign or malicious? It was interesting enough that I plan to talk about it in the next blog post. But regardless of the sender's intentions, it got me thinking about password security, and I thought I would post a few friendly reminders.
First of all, even though you want to make sure that your password is sufficiently strong, be careful with any online password strength meter. I’m not talking about the password strength meters that show up when you are signing up for a service – most of those run client-side (meaning your password isn’t sent over the network to be checked) and just give you an indication based on some well-known rules. I’m talking about the ones that are more like “send us your password and we will score it for you”… these are more likely to be password collection schemes.
Next, many password best practices advise replacing letters with symbols based on some mapping. This is typically called leet speak, originally created to escape keyword searches; for example, “leet” -> “1337”. Although it is good to include symbols, most password cracking tools know these mappings, so substitutions alone don’t make your password any harder to guess. Using p@ssword instead of password provides a false sense of security. Here are a few quick tips that increase password security:
- Include randomness! The word we use for randomness in the cryptography world is entropy, and the higher your password’s entropy, the less likely it is to be easily guessable. For example, the words “talk”, “brick”, “ice”, and “lamb” are pretty random – there isn’t an obvious relationship between them. However, the words “I”, “like”, “to”, “paint” have drastically less entropy. Essentially, if you use a pattern to come up with your password, even an acronym of a sentence, an attacker can use a similar pattern to guess it.
- Don’t reuse passwords! When adversaries are able to retrieve passwords (be it from a poorly protected database, brute-force, or another method) they are able to test these known passwords against other targets. If you reuse passwords, this could leave you more vulnerable.
- Make sure your passwords are sufficiently long. In general, the shorter your password is, the easier it is to guess. Think about how long it would take someone to try all possible combinations of a 4-digit PIN vs. the time it would take to try all possible values of a 12-character alphanumeric passcode… 4 digits 0-9 would take far less time to exhaust than 12 characters A-Z and 0-9!
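The two checks above (leet substitutions being reversible, and length/alphabet size determining how big the search space is) can both be made concrete in a small checker. The following is an added example written for this post, not code from the original article or from any password manager; the substitution table, the tiny word list and the guessing rate of 10 billion guesses per second are constructed assumptions standing in for a real cracking rule set, a real wordlist and real hardware.

```python
import math
import re
import string

# Constructed substitution table: the common leet mappings that cracking rule sets undo.
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "i", "!": "i", "|": "l", "0": "o", "$": "s", "5": "s",
    "7": "t", "+": "t", "2": "z",
}

# Small constructed dictionary standing in for a real cracking wordlist.
WORDLIST = {"password", "secret", "welcome", "monkey", "letmein", "dragon"}

# Constructed assumption: offline guessing rate against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def normalize_leet(password: str) -> str:
    """Reverse leet substitutions and lowercase: 'P@55w0rd' -> 'password'."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())


def strip_decoration(word: str) -> str:
    """Drop leading/trailing digits and punctuation: 'password123!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word.lower())


def is_dictionary_variant(password: str) -> bool:
    """True if undoing substitutions and decoration yields a dictionary word.

    Both orders are tried: stripping first catches 'p@ssword123!' (the trailing
    digits are decoration, not substitutions); normalizing first catches
    '$ecret' (the leading '$' is a substitution, not decoration).
    """
    candidates = {
        normalize_leet(strip_decoration(password)),
        strip_decoration(normalize_leet(password)),
    }
    return any(c in WORDLIST for c in candidates)


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string whose characters are drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def candidate_set_bits(candidates: int) -> float:
    """Entropy when the attacker only has to try a known list of `candidates` values
    (a phrase like 'I like to paint' taken from a phrase list, however long it is)."""
    return math.log2(candidates)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every value of a `bits`-bit search space."""
    return 2.0 ** bits / rate


def inferred_alphabet_size(password: str) -> int:
    """Alphabet size implied by the character classes present (the rule most
    client-side strength meters use). Assumes uniform random selection."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def assess(password: str) -> dict:
    """Combine both checks. A high bit count is meaningless when the password is a
    disguised dictionary word, so the dictionary flag takes priority."""
    size = inferred_alphabet_size(password)
    bits = random_string_bits(size, len(password))
    return {
        "dictionary_variant": is_dictionary_variant(password),
        "alphabet_size": size,
        "bits": bits,
        "exhaust_seconds": seconds_to_exhaust(bits),
    }


if __name__ == "__main__":
    for pw in ["1234", "P@ssword", "talk-brick-ice-lamb"]:
        print(pw, assess(pw))
    # The post's comparison: a 4-digit PIN versus 12 alphanumeric characters.
    print("PIN:", seconds_to_exhaust(random_string_bits(10, 4)), "s")
    print("12 alnum:", seconds_to_exhaust(random_string_bits(36, 12)) / 31_557_600, "years")
```

At the assumed rate the 4-digit PIN is exhausted in a microsecond, while 12 characters from A-Z and 0-9 take on the order of 15 years; and `P@ssword` scores over 50 bits by the character-class rule yet is flagged immediately because the substitutions reverse to a wordlist entry. The bit figures only hold for genuinely random selection, which is exactly why the dictionary check runs first.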
As it turns out, a good password manager can help with all three of these. My personal favorite is Dashlane, but there are other reputable password managers and you should pick whichever one you like best, so you’ll be more likely to use it! The point is to reduce the reuse of the same password by storing your various passwords somewhere secure.
Whichever one you choose, be sure to pick a password manager that has a password generator as well. These generators produce a password with a known amount of entropy based on guidelines you give (such as the number of characters and whether to use symbols).
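To show what a generator of that kind does under the hood, here is an added example written for this post; it is not code from Dashlane or any other password manager. It draws every character from the operating system's cryptographic random source (Python's `secrets` module), accepts the length and symbol guidelines the paragraph mentions, and also builds a random multi-word passphrase of the “talk brick ice lamb” kind. The symbol set and the eight-word list are constructed for the example; a real passphrase list has thousands of words.

```python
import math
import secrets
import string

# Constructed symbol set; a manager would let you configure this.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

# Constructed word list standing in for a real diceware-style list of thousands of words.
WORDS = ["talk", "brick", "ice", "lamb", "river", "copper", "violin", "meadow"]


def character_classes(use_symbols: bool = True) -> list:
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if use_symbols:
        classes.append(SYMBOLS)
    return classes


def generate_password(length: int = 16, use_symbols: bool = True) -> str:
    """Random password of `length` characters containing at least one character
    from each class, drawn with a CSPRNG rather than the `random` module."""
    classes = character_classes(use_symbols)
    if length < len(classes):
        raise ValueError("length must allow one character from each class")
    alphabet = "".join(classes)
    # One character per class so the result satisfies typical site policies...
    chars = [secrets.choice(c) for c in classes]
    # ...and the rest drawn uniformly from the whole alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Fisher-Yates shuffle with the CSPRNG so the forced characters are not at fixed positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generate_passphrase(word_count: int = 4, words=WORDS, sep: str = "-") -> str:
    """Random passphrase: each word chosen independently and uniformly from the list."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def password_bits(length: int, use_symbols: bool = True) -> float:
    """Entropy of a uniformly random password over the generator's alphabet.
    Forcing one character per class reduces this slightly; the figure is an upper bound."""
    size = sum(len(c) for c in character_classes(use_symbols))
    return length * math.log2(size)


def passphrase_bits(word_count: int, wordlist_size: int = len(WORDS)) -> float:
    """Entropy of a passphrase: it depends on the list size and word count, not on
    how long the words happen to be."""
    return word_count * math.log2(wordlist_size)


def satisfies_policy(pw: str, use_symbols: bool = True) -> bool:
    """Check that every required class is present (what a site's policy would verify)."""
    return all(any(ch in cls for ch in pw) for cls in character_classes(use_symbols))


if __name__ == "__main__":
    print(generate_password(16), round(password_bits(16), 1), "bits")
    print(generate_password(12, use_symbols=False), round(password_bits(12, False), 1), "bits")
    print(generate_passphrase(4), round(passphrase_bits(4, 7776), 1), "bits with a 7776-word list")
```

Two design points are worth noting. First, `secrets` rather than `random`: the latter is a Mersenne Twister whose output is predictable once a few values are known, which is fine for simulations and wrong for secrets. Second, the passphrase entropy comes from the size of the word list, so four words from an eight-word list (12 bits) are no stronger than a short PIN, while four words from a 7776-word list are about 52 bits; that is the reason the words need to be chosen at random rather than forming a sentence.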
To sum up: good randomness, minimal reuse, and sufficient length are best practice for passwords. Remember, a trusted password manager can help you keep track of your strong passwords!