Brad Stone | 21 October 2016
Passwords just won't die. For decades they've been a headache; a weak link in security. While new technologies forever promise to make them obsolete, still they cling on.
A short password is easy to crack. A long one is hard to remember. If you make a long password you can remember – a word and a date, for example – it's easy to crack again. Even if you invest the effort to come up with – and remember – an amazing password, what about the 99 other places you need passwords? Reuse that good password and you're back to square one the next time Yahoo! has its database stolen. Or LinkedIn. Or Adobe.
Floppy disks had the decency to die. The password problem won't go away.
The point of passwords is to authenticate us: to prove we are who we claim to be. But we are bad at them. We've yet to get details of the Yahoo! hack, but the Adobe hack revealed awful passwords – nearly 2 million accounts using '123456'. These are obviously bad. To avoid this, many systems force us to use 'complex' passwords. But these can be a fool's paradise, often ending up as a simple stem word – say, 'station' – with a few symbols and numbers bolted on: St@tion6!
This would pass a complexity check but would be cracked in no time: password crackers are built for exactly this pattern. They run through massive wordlists, apply every common letter substitution and append thousands of number and symbol combinations to each word, all in a fraction of a second. With decent hardware, in an offline attack against a fast hash such as MD5 or SHA-1, it's possible to run hundreds of millions of guesses per second or more; a deliberately slow hash such as bcrypt cuts that rate dramatically, but a stem word plus a short suffix still falls quickly. Even passwords that satisfy a complexity policy are now routinely cracked.
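To make that concrete, here is a small rule-based candidate generator of the kind a cracker applies to a wordlist. It is an added example written for this article, not a real cracking tool, and the stems, leet map and suffix lists are constructed for the demo (real rule sets are far larger). It shows why 'St@tion6!' sits inside a space of a few tens of thousands of guesses per stem, which is nothing at hundreds of millions of guesses per second.

```python
import math

# Letter substitutions a rule-based cracker applies to a dictionary stem.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Typical suffixes: nothing, 0-99, a plausible year, then an optional symbol.
SUFFIX_DIGITS = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1950, 2031)]
SUFFIX_SYMBOLS = ["", "!", "?", "#", "$", "*"]


def leet_variants(word):
    """Yield the word with every subset of its leet-able letters substituted."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in range(1 << len(positions)):
        chars = list(word)
        for bit, pos in enumerate(positions):
            if mask >> bit & 1:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def case_variants(word):
    """The three casings people actually use."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def mangle(stem):
    """Every candidate the rules above derive from one stem word."""
    for cased in case_variants(stem):
        for leet in leet_variants(cased):
            for digits in SUFFIX_DIGITS:
                for sym in SUFFIX_SYMBOLS:
                    yield leet + digits + sym


def candidate_count(stems):
    """Size of the search space for a list of stems."""
    return sum(1 for stem in stems for _ in mangle(stem))


def crack(target, stems):
    """Return (stem, guess_number) if target is in the mangled space, else None."""
    guesses = 0
    for stem in stems:
        for candidate in mangle(stem):
            guesses += 1
            if candidate == target:
                return stem, guesses
    return None


def seconds_to_exhaust(n_candidates, guesses_per_second):
    """Wall-clock time to try every candidate at a given offline guessing rate."""
    return n_candidates / guesses_per_second


if __name__ == "__main__":
    stems = ["password", "summer", "station"]          # constructed mini wordlist
    total = candidate_count(stems)
    hit = crack("St@tion6!", stems)
    print(f"{total} candidates for {len(stems)} stems")
    print(f"St@tion6! found from stem {hit[0]!r} at guess {hit[1]}")
    # Fast hash (e.g. MD5) on a GPU versus bcrypt at a deliberately low rate.
    for label, rate in [("fast hash", 1e9), ("bcrypt", 1e4)]:
        print(f"{label}: {seconds_to_exhaust(total, rate):.4f} s to exhaust")
    print("phrase-derived password in space:", crack("ooh!sU,yMAMA2&ydd!", stems))
```

The point is the ratio: three stem words already expand to about 70,000 candidates, and a real wordlist with a real rule set expands to billions, which is still only seconds of work against a fast hash. The phrase-derived password from later in the article does not appear in this space at all, because it is not built from a dictionary stem.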
An approach that had some success was choosing simple words and sticking them together, as popularised by XKCD: for example, a password of 'DeskPineappleBicycleBend'. This is better than the above, but crackers now combine dictionary words too. The scheme only works if the words are genuinely random, drawn from a list by dice or a random number generator rather than picked by you, and six or more such words is now recommended, which brings back the 'how do I remember it' problem.
An approach suggested by Bruce Schneier is to choose a phrase that has meaning and use that to form your password. Let’s say you’re a fan of 2000s pop duo Daphne and Celeste. Their top hit memorably instructed: “Ooh stick you, your mamma too, and your daddy.”
Easy to remember. Just taking the first letter of each word, you get: osyymtayd. Not great on its own, but with a little imagination this could easily become: ooh!sU,yMAMA2&ydd!
Something like this can be genuinely tricky to crack. It's not close to any dictionary word, it isn't trivial to guess, and at 18 characters it is long enough that brute force (trying every combination) is simply out of the question; the realistic attack is guessing the phrase itself, which is why a private sentence is a better starting point than a famous lyric. Great. Except that coming up with one of these for each thing you use, and remembering which is which, is going to be tricky again. Making strong passwords is easy; making strong passwords you can remember is hard.
The solution? Use passwords you can’t remember.
Many serious security people now recommend password managers. A password manager is a secure vault where all your passwords are saved, encrypted under a key derived from a single 'master' password. Provided that master password is strong, the stored passwords should be safe. Yes, there are risks, but vaults work well enough for banks.
Probably the most well-known password manager is LastPass, a popular cloud-based service. For those who can't quite trust the cloud with all the keys to the kingdom, KeePass is a popular choice. PasswordSafe also has a strong reputation.
Modern password managers store all your passwords, either in a local file or in the cloud. Some avoid storage altogether by deriving each site's password from the master password and the site name. Most will also generate random, hard-to-crack passwords for you. So now you can use strong, genuinely random passwords everywhere, without limiting yourself to just the things your poor old brain can remember!
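The two generation strategies that paragraph mentions look like this in code. This is an added example sketched for this article, not the implementation of LastPass, KeePass, PasswordSafe or any other product. The stored-vault style just needs a CSPRNG; the storage-free style derives each site's password deterministically from the master password, the site and a username, so nothing has to be saved. The constant KDF salt, the iteration count and the label format are design assumptions made for the demo.

```python
import hashlib
import hmac
import math
import secrets
import string

# 94 printable ASCII characters (no space). Real managers also let you
# narrow this to satisfy a site's password policy.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=20, alphabet=ALPHABET):
    """Vault style: an independent random string per site, which must be stored."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def master_key(master_password, salt=b"demo-stateless-manager-v1", iterations=200_000):
    """Slow KDF so that offline guessing of the master is expensive.

    A storage-free manager cannot keep a per-user random salt (it has nowhere
    to put it), so this demo uses a fixed application constant; that is an
    assumption of the example, and it means the KDF cost is the only thing
    standing between a leaked site password and a master-password guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def derive_site_password(master_password, site, username, counter=1, length=20):
    """Storage-free style: the same inputs always give the same site password.

    `counter` exists so a leaked site password can be rotated; bumping it is
    the one piece of state the user then has to remember.
    """
    if length * math.log2(len(ALPHABET)) > 256:
        raise ValueError("length exceeds what one SHA-256 digest can supply")
    key = master_key(master_password)
    label = "\x00".join([site, username, str(counter)]).encode("utf-8")
    digest = hmac.new(key, label, hashlib.sha256).digest()
    # Map the 256-bit digest onto the alphabet by repeated division; the bias
    # from taking a 256-bit number mod 94 is negligible.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    master = "correct horse battery staple"     # demo master password
    print("vault-style random password:", random_password())
    print("example.com / alice  :", derive_site_password(master, "example.com", "alice"))
    print("example.com / alice 2:", derive_site_password(master, "example.com", "alice", counter=2))
    print("example.org / alice  :", derive_site_password(master, "example.org", "alice"))
```

The trade-off is visible in the code: the storage-free scheme needs no vault file to sync or back up, but every password it ever produced is recoverable from the master password alone, rotation needs a counter you have to track, and a site that rejects a character in the alphabet needs a per-site rule, which is state again. That is why most managers keep an encrypted vault and use the random generator, and why either way the master password carries all the weight.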
Weak passwords are bad. Password reuse is worse. Writing them on a Post-it note stuck to your screen is probably the worst. A good password manager lets you use a different, strong password for every site, without ever writing them down for anyone to find, and without running into the human memory problem.
Instead, you can pour all your efforts into your one strong master password. Use your imagination. Pour your heart into this one. It just might be the last one you ever need.
Security is never ‘fixed’. Nothing is perfect. There are still risks and always will be. But a good password manager with a strong master password and steps to ensure that isn’t compromised – this seems to be about as good as it gets for now.
Ah, roll on reliable useable biometrics!