Mastering Security, Part 1: How to Manage and Create Strong Passwords

I've seen numerous tutorials on how to create a "strong" password, and the titles alone make me laugh: they imply one password, which is wrong in and of itself. A person should have many passwords, all different, and all extremely long. People may ask how they're supposed to remember lengthy passwords, and why their current password isn't good enough. Well, I'm going to show you.

In this Power Byte, I'm going to show you what goes into making a strong password. I will make a password, crack it in its hashed form, then show you how we can make the password stronger. After, we are going to review some safe practices and techniques to use for keeping passwords safe, plus creating a good password management plan.

How Passwords and Accounts are Compromised

Passwords and accounts are compromised in a number of ways:

  • A website gets hacked with your password hash in its database, and the password is short or common, so the hash is easily cracked.
  • You wrote it down somewhere, and someone stole it.
  • You have a password that can be guessed easily (birthday, anniversary, etc.).
  • Your password recovery information on your email account is something anyone could find out (first pet's name, favorite place, where you were born, etc.).
  • You store your password in your browser.
  • You tell people your password.

These are all bad practices. A person who knows anything about you, or even the most unskilled hacker, could get into your accounts and cause some serious trouble.

Safer Practices & Why They Are Safer

1. Don't use the same password anywhere.

If you use the same password for everything, someone who gets your password to a silly Flash-game site can get into your email. Once an attacker has your email, it's over: they can reset your passwords for anything. Bank accounts, PayPal, Facebook. All of it could be gone, with little or no chance of getting it back.

2. Don't surf the web on unencrypted wireless.

Anyone on the same network as you with a packet sniffer can read your login credentials for any website you visit that doesn't use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which leads me to...

3. Don't surf the web without using SSL/TLS encryption on logins.

Make sure every site you log in to has "https://" at the front of the URL. That means the connection is encrypted and, for the most part, secure: a passive packet sniffer on the network cannot read your credentials. If someone performs a man-in-the-middle attack on you with a tool like sslstrip, however, you can still be caught. sslstrip sits between you and the site and rewrites the https links in the pages it relays, so your browser ends up talking plain HTTP to the attacker; typing "https://" yourself instead of following a link defeats the simple form of that attack. It also takes time and skill, so rest assured that HTTPS is far more secure than nothing.

4. Use up-to-date software that hackers can't exploit easily.

Make sure you're using the latest version of every program. Some programs have had remote exploits that let an attacker read your saved passwords, which are often stored unencrypted or with easily reversed protection. This happens most commonly with instant messengers and browsers. Not saving passwords removes that particular target, though a compromised browser can still capture what you type, so patching is the real fix.

5. Don't use public wireless without tunneling, or using a VPN (Virtual Private Network).

Sending your encrypted traffic back home and using your home network as the tunnel is always a great idea. A VPN for a Windows computer works well, and both the VPN client and a basic server ("incoming connection") are built in to Windows 7. It encrypts everything between you and home and makes your home computer fetch pages from the internet, so nobody sniffing the public wireless can read your traffic. Two caveats: the built-in server speaks PPTP, whose MS-CHAPv2 authentication has since been shown to be breakable, so use L2TP/IPsec, SSTP or OpenVPN if you can; and the tunnel only protects the hop to your home, so keep using HTTPS inside it.

6. Don't use password recovery questions.

The password recovery questions on email accounts are an easy way in for attackers, as long as the answers are accurate. If you must use them, treat the answers as a second password: make up random ones rather than using real facts about yourself, and store them alongside your passwords.

7. Don't use the same email for everything.

I use a different email for everything. This ensures that if, by chance, one account becomes compromised, the rest of my accounts are safe. It also protects against spam on the accounts used strictly for business, family, or gaming websites.

8. Use long passwords.

I can't stress this enough. Use passwords longer than 12 characters, drawn from the full printable ASCII set. Computers can now use their GPUs (Graphics Processing Units) to crack password hashes, and GPUs are FAR faster at it than conventional processors: hashing a candidate is a simple, embarrassingly parallel job, and a GPU runs thousands of such jobs at once, whereas a CPU is built for general-purpose work. I cracked the hash of "p3nCi15" (a395c93efb5c2eb0cfa57189a2320bd4) in less than 30 seconds with one nVidia GPU. Some people run up to 16 GPUs cracking simultaneously, and far faster ones than mine. Your passwords are in trouble if any website you have ever used gets hacked and its database leaks, because your hash will be in there. "1337-5p34k" (elite-speak) substitutions do not make a password secure unless the password is also long.

Why "1337-5p34k" Passwords Fail

Lots of people make passwords that are just short strings of letters with "Elite Speak" substitutions, that is, replacing certain letters such as "s" with "5" and so on. These are weak because they are short, and because the substitutions are predictable: cracking tools apply the same rules to every word in a dictionary, and the results are also contained in ready-made dictionaries, for example the one from Packet Storm.
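The mangling-rule attack the two sections above describe, as an added example (not the author's cracking setup and not the Packet Storm list): it tries every case and leet-speak variant of each word in a small constructed wordlist against an unsalted MD5 hash, counts how few candidates that rule actually produces, and compares that with the keyspace of a random password of the same length. The target hash is computed inside the script from "p3nCi15" so it runs offline; the substitution table, the wordlist and the guessing rate are assumptions.

```python
import hashlib
import itertools
import math

# Substitution table a cracking rule set would apply (assumed, deliberately small).
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["apple", "monkey", "pencils", "password"]

# Target hash built here from the post's example password, so the script is self-contained.
TARGET_HEX = hashlib.md5(b"p3nCi15").hexdigest()


def options(ch):
    """All forms one character may take: lower, upper, and its leet digit if it has one."""
    opts = {ch.lower(), ch.upper()}
    if ch.lower() in LEET:
        opts.add(LEET[ch.lower()])
    return sorted(opts)


def candidates(word):
    """Yield every case/leet variant of a base word (cartesian product over positions)."""
    for combo in itertools.product(*(options(ch) for ch in word)):
        yield "".join(combo)


def mangled_count(word):
    """How many candidates the rule produces for one word; tiny next to a real keyspace."""
    return math.prod(len(options(ch)) for ch in word)


def crack_md5(target_hex, wordlist):
    """Dictionary plus mangling attack on an unsalted MD5. Returns (plaintext or None, tried)."""
    tried = 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            if hashlib.md5(cand.encode()).hexdigest() == target_hex:
                return cand, tried
    return None, tried


def keyspace(length, charset_size):
    """Number of random passwords of a given length over an alphabet of charset_size symbols."""
    return charset_size ** length


def seconds_to_exhaust(length, charset_size, hashes_per_second):
    """Worst-case time to brute-force the whole keyspace at a given guessing rate."""
    return keyspace(length, charset_size) / hashes_per_second


if __name__ == "__main__":
    found, tried = crack_md5(TARGET_HEX, WORDLIST)
    print(f"recovered {found!r} after {tried} candidates")
    print(f"'pencils' under this rule: {mangled_count('pencils')} candidates")
    # Assumed rate: a single GPU trying MD5 at a billion hashes per second.
    for n in (7, 12, 20):
        print(f"random {n}-char printable-ASCII password: {keyspace(n, 95):.3e} candidates, "
              f"{seconds_to_exhaust(n, 95, 1e9) / 86400:.3e} days to exhaust")
```

The point the numbers make: a seven-letter word under this rule is a few hundred guesses, while a random seven-character printable-ASCII password is about 7e13, and every extra character multiplies that by 95. Real rule sets are bigger than this table, but the gap between "a word with substitutions" and "a long random string" is what the section is about.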

Great Techniques for Managing Passwords

Having huge passwords makes them hard to remember. Mine are impossible for normal humans without a photographic memory to remember (50-200 character full-ASCII passwords; even my bank PIN is the maximum of 12 digits).

I use a TrueCrypt container to store my passwords in a text file. The container is encrypted with the AES-Serpent-Twofish cascade, and my only memorized password, 35 characters long, is the key that opens it. There is no known practical attack on that encryption, so the password is the only way in: do not forget it. Note that TrueCrypt's developers discontinued it in 2014; the VeraCrypt fork continues it with the same kind of container. I'll show you how to set it up.

  1. Download TrueCrypt.
  2. Go to the Download folder and double-click the installer.
  3. Click through the standard Next > Next > Done wizard; nothing needs to be changed unless you don't want desktop icons.
  4. Watch the accompanying video on how I set up a container.
  5. When that's all set up, click Browse, find the container you just made, and Mount it.
  6. Type in the password you made and the volume will mount. Make a .txt file with all of your passwords inside the volume, and then you never have to remember passwords!

I suggest making several copies of your encrypted password container. Put it on thumb drives, removable HDDs, and maybe toss it inside a fire-proof safe. You can never be too careful.
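The two kinds of password this section implies, as an added example (not the author's setup and not a TrueCrypt feature): long random entries for the text file inside the container, generated with Python's secrets module rather than the non-cryptographic random module, and a word-based passphrase for the one password you memorize to open the container. The word list is a constructed stand-in for a real Diceware list, which is an assumption; the entropy figures follow from uniform choice.

```python
import math
import secrets
import string

# The 94 printable ASCII characters with whitespace removed: the post's "full ASCII".
PRINTABLE = "".join(c for c in string.printable if not c.isspace())

# Constructed stand-in for a Diceware-style list (a real one has 7776 words).
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jungle", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "cobalt", "meadow", "pixel", "summit", "tundra", "willow",
]


def random_password(length=50, alphabet=PRINTABLE):
    """A password for the encrypted store: uniform picks from the OS CSPRNG, never random.random."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words=6, words=WORDS, sep="-"):
    """A memorable master passphrase: words chosen uniformly, so entropy is n * log2(len(words))."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, alphabet_size):
    """Guessing entropy of `choices` independent uniform picks from `alphabet_size` symbols."""
    return choices * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = random_password(50)
    print(pw, f"({entropy_bits(50, len(PRINTABLE)):.0f} bits)")
    pp = passphrase(6)
    print(pp, f"({entropy_bits(6, len(WORDS)):.0f} bits with this toy list; "
              f"{entropy_bits(6, 7776):.0f} with a full Diceware list)")
    # A 12-digit PIN, the most the post's bank allows, for comparison.
    print(f"12-digit PIN: {entropy_bits(12, 10):.0f} bits")
```

A 50-character password from the 94-symbol set is about 328 bits, far beyond anything a cracker can enumerate, which is why it can live in the container and never be typed from memory. The master passphrase is the one that has to be memorized, and six words from a real 7776-word list give about 78 bits, the same order as a 12-character random full-ASCII password but much easier to remember.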

Photo by Wes Novack

8 Comments

Very thorough, dude! Will definitely start doing this. But even memorising a 35-character password can be quite rough on people.

I went to a quake tournament a long time ago, and during a break a guy wanted to show me all his worldly ultima online possessions. He typed a two paragraph password to get into his computer, I was very impressed, he typed it with such ease. My password for my computer at that time was the name of my pet donut lol.

Rather than that, I have a script that generates passwords fresh each time using a string seed. Aka a password for every password, with variable length and a second hardcoded seed to lower the chances that anyone in a remote location can get your password using the same program. Here is the script: http://pastebin.com/i2N3E0Yt

Yes, that works, but this is for simplicity and is quite secure. True Crypt is impossibly secure and not breakable unless the passwords are stored in memory. That method requires a lot more work. Though it is still very secure.

I think it's simple, I just posted the code for the world to use and I have a little shell script to run it plopped in my dock.. I go to site, click application at the bottom of the screen, enter details, receive 30+ character full ascii random password to copy into login. The whole thing takes less time than typing the password manually lol

Nice article, it is ridiculous how often I see friends or family members using passwords that can be cracked in no time at all. With all the online shopping and banking that people do these days it's a wonder more people aren't using stronger passwords. While you touch on many of the techniques for choosing a strong password, it is also important to choose a password you can actually remember, because what good is a 25 random-character password if you have to write it down somewhere. I think you and your readers might find this article useful for this: http://www.landofjacks.com/forum/viewtopic.php?f=5&t=12

I specifically stated in the article not to write any passwords down anywhere. I also suggest longer than 25 characters. My 35 character True Crypt password is pretty easy for me to remember. Really, anything over 12 for a TrueCrypt password is safe, as bruteforcing a 4 character TrueCrypt password on a single core CPU takes over a week.
