Mastering Security, Part 1: How to Manage and Create Strong Passwords
I've seen numerous tutorials on how to create a "strong" password. This makes me laugh. These titles imply "one" password, which is wrong in and of itself. A person should have many passwords, all different, and all extremely long. People may ask how they're supposed to remember lengthy passwords and why their current password isn't good enough. Well, I'm going to show you.
In this Power Byte, I'm going to show you what goes into making a strong password. I will make a password, crack it in its hashed form, then show you how we can make the password stronger. After, we are going to review some safe practices and techniques to use for keeping passwords safe, plus creating a good password management plan.
Passwords and accounts are compromised in a number of ways:
- A website gets hacked with your password hash in the database, and it is relatively short, thus easily crackable.
- You wrote it down somewhere, and someone stole it.
- You have a password that can be guessed easily (birthday, anniversary, etc.).
- Your password recovery information on your email is something anyone could find out (first pet's name, favorite place, where you were born, etc.).
- You store your password in your browser.
- You tell people your password.
These are all bad practices. A person who knows anything about you, or even the most unskilled hacker, could get into your accounts and cause some serious trouble.
1. Don't use the same password anywhere.
If you use the same password for everything, someone who gets your password to a silly flash-game site could get on your email. Once an attacker has your email, it's over. They can reset your passwords for anything. Bank accounts, PayPal, Facebook. All of it would be gone forever, with little or no chance of getting it back.
2. Don't surf the web on unencrypted wireless.
Anyone on the same network as you with a packet sniffer could get your login credentials for any websites you visit that don't use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which leads me to...
3. Don't surf the web without using SSL/TLS encryption on logins.
Make sure every site you log in to has "https://" in front of the URL. This means that the connection is encrypted and secure (for the most part). Your credentials cannot be sniffed with a packet sniffer; however, if someone performed a man-in-the-middle attack on you with a tool like SSLstrip, you would still be vulnerable. That takes time and skill, though, so you can rest assured that it's far more secure than nothing.
4. Use up-to-date software that hackers can't exploit easily.
Make sure you're using the latest version of every program. Some programs will have remote exploits that hackers can use to steal an unencrypted version of your password. This happens most commonly on instant messengers and browsers (people who don't save their passwords are not vulnerable).
5. Don't use public wireless without tunneling, or using a VPN (Virtual Private Network).
Sending your traffic home through an encrypted tunnel and using your home network as your exit point is always a great idea. A VPN for a Windows computer works great, and the VPN server and client are built into Windows 7. It will encrypt all your traffic and make your home computer request pages on the internet, making your traffic secure and un-sniffable.
6. Don't use password recovery questions.
The password recovery in emails is an easy way for attackers to get in—that is, if the information is accurate. I recommend using fake information for security questions, if you must use them.
7. Don't use the same email for everything.
I use a different email for everything. This ensures that if, by chance, one account becomes compromised, the rest of my accounts are safe. This also protects against spam for accounts that are used strictly for business, family, or gaming websites.
8. Use long passwords.
I can't stress this enough. You need to use passwords longer than 12 characters, with full ASCII. Computers can now use their GPUs (Graphics Processing Units) to crack hashed passwords. GPUs are FAR faster at cracking passwords than conventional computer processors, because they are better suited for complex math functions; CPUs are more general purpose. I cracked the hash of "p3nCi15" (a395c93efb5c2eb0cfa57189a2320bd4) in less than 30 seconds with one nVidia GPU. Some people have up to 16 GPUs that can crack passwords simultaneously (and they are a lot faster than the one I used). Your passwords are in trouble if any website you used ever gets hacked and the database information leaks, because your hash will be in there. Using "1337-5p34k" (elite-speak) is not secure unless the passwords are long.
Lots of people make passwords that are just short words with some letters replaced by "Elite Speak" characters, that is, replacing certain letters like "s" with "5" and so on. These are weak because they are short and contained in many dictionaries, for example, this dictionary from Packet Storm.
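As an added illustration of the keyspace argument above (example code, not from the original post), this estimates how many candidates the case and leet-speak spellings of one dictionary word add versus a 12-character random printable-ASCII password; the GPU hash rate, wordlist size and substitution table are assumed figures.

```python
import itertools
import math

# Assumed rule set: a small, typical subset of the substitutions cracking rules apply.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "l": "1"}

# Assumed, constructed figure: order-of-magnitude MD5 rate for one consumer GPU.
GPU_MD5_RATE = 1e9
# Assumed size of a typical English wordlist.
DICTIONARY_SIZE = 170_000


def char_options(ch):
    """Every spelling a rule set would try for one letter: lower, upper, leet substitutes."""
    ch = ch.lower()
    opts = [ch]
    if ch.isalpha():
        opts.append(ch.upper())
    opts.extend(LEET.get(ch, ""))
    return opts


def leet_variants(word):
    """All case/leet spellings of one dictionary word; 'p3nCi15' is one spelling of 'pencils'."""
    return {"".join(p) for p in itertools.product(*(char_options(c) for c in word))}


def time_to_exhaust(candidates, rate=GPU_MD5_RATE):
    """Seconds to try every candidate once at the given hashes-per-second rate."""
    return candidates / rate


def compare(word="pencils", random_len=12, alphabet=95):
    """Keyspace of leet-speak dictionary words vs. a random full-printable-ASCII password."""
    leet = len(leet_variants(word)) * DICTIONARY_SIZE
    rnd = alphabet ** random_len
    return {
        "leet_candidates": leet,
        "leet_bits": math.log2(leet),
        "leet_seconds": time_to_exhaust(leet),
        "random_bits": math.log2(rnd),
        "random_years": time_to_exhaust(rnd) / (365 * 86400),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>18}: {v:,.1f}")
```

Even with a dictionary of 170,000 words and every case/leet spelling of each, the whole space is exhausted in well under a second at the assumed rate, while the 12-character random password takes millions of years.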
Having huge passwords can be hard to remember. My passwords are impossible for normal humans without photographic memory to remember (50-200 character full-ASCII passwords; even my bank PIN is the maximum of 12 digits).
I use a TrueCrypt container to store my passwords in a text file. This container is heavily encrypted with the AES-Serpent-Twofish cascade of algorithms, with my only memorized 35-character password as the key to open it. There is no known way to break this encryption, so do not forget the password. I'll show you how to set it up.
1. Download TrueCrypt.
2. Go to the Download folder and double-click the installer.
3. Click through the standard Next > Next > Done wizard; nothing needs to be changed unless you don't want desktop icons.
4. Watch this video on how I set up a container:
5. When that's all set up, click Browse, find the container you just made, and Mount it.
6. Type in the password you made and the volume will mount. Make a .txt file with all of your passwords inside of the volume, and then you never have to remember passwords!
I suggest making several copies of your encrypted password container. Put it on thumb drives, removable HDDs, and maybe toss it inside a fire-proof safe. You can never be too careful.