
How elite security ninjas choose and safeguard their passwords


nsane.forums


There are many ways to manage your digital keys. Here's how five experts do it.

If you felt a twinge of angst after reading Ars' May feature that showed how password crackers ransack even long passwords such as "qeadzcwrsfxv1331", you weren't alone. The upshot was clear: If long passwords containing numbers, symbols, and upper- and lower-case letters are this easy to break, what are users to do?

Ars has largely answered that question already: use a password manager to randomly generate and store long, complex passcodes that are unique for each site you care about. Our how-to provides a thorough primer that should be required reading for anyone who uses the Internet. That said, password security is a highly nuanced undertaking with plenty of room for competing strategies and contradictory imperatives. Is it safe, for instance, to store your encrypted password file in the cloud or to allow your browser to remember frequently used log-in credentials? And what's the best way to manage passwords across a variety of computer operating systems and different smartphone platforms?

I recently checked in with five security experts to learn about their approach to choosing and storing crack-resistant passwords. They include renowned cryptographer Bruce Schneier, who is a "security futurologist" at BT and recently joined the Electronic Frontier Foundation's board of directors; Adriel T. Desautels, CEO of Netragard, a firm that gets paid to hack large companies and then tell them how it was done; Jeremiah Grossman, founder and CTO of WhiteHat Security; Jeffrey Goldberg, "defender against the dark arts" at AgileBits, a company that develops the popular 1Password password manager; and Jeremi Gosney, a password security expert at Stricture Consulting.

Four of these experts said they use some type of password manager to ensure they have a long, complex, and unique password for most accounts they care about. Among these four, however, there was plenty of variation. Grossman, for instance, stores passwords in a plain text file that's stored on an encrypted virtual disk image, and then physically kept on an encrypted USB key.

"I feel I'm more easily capable of securing something physical than something purely digital," Grossman explained. "When I need to use one, plug it in, copy-paste. Pop out the device. Done."

Unlike LastPass, KeePass, and most other dedicated managers, Grossman's home-made solution offers no way to automatically generate random passwords that meet specific site criteria, such as maximum length or passcodes that don't contain special characters. Grossman says he prefers to generate his own passwords, usually by banging on the keyboard.

"It's a bit more cumbersome than most would want to deal with, but it works nicely for me," he said. "Random length of letters, number, symbol, cap, etc. Doesn't really matter as long as it's 'very strong' because my password storage strategy doesn't require me to remember the vast majority of them."

Goldberg, Schneier, and Gosney also said they use password managers to generate and store many of their most important passwords, but all three chose different products. Not surprisingly, Goldberg employs 1Password, which he said synchronizes passwords across all major platforms he uses. "The only exception are my FreeBSD systems, but I don't typically do Web browsing from them, and copy/pasting into an SSH window does the job for me," he said. Schneier, meanwhile, uses the PasswordSafe application he helped develop, while Gosney has recently begun using LastPass.

The only one of the security experts who eschews a password manager is Desautels, who said he prefers to remember his passwords or, when possible, use "proximity tokens" with one-time passwords to log in to his computer.

"Most services that offer password management are built on technology that is vulnerable at some level," he explained. "I don't trust the technology as it is, and certainly won't trust it with sensitive credentials if I have the choice. I use different passwords for each account. I try to make my passwords as long as possible while keeping them easy for me to remember." His longest password is 63 characters long.

Schneier said he sometimes also forgoes the benefits of a password manager in favor of passcodes that are easier to remember. He told Ars he still stands by a scheme he first laid out in 2008. It involves picking a long, memorable sentence and turning it into a password. "This little piggy went to market," for instance, might become "tlpWENT2m". In June, in a blog post responding to my password cracking feature, he offered other examples of passwords that are both memorable and hard to crack: "When I was seven, my sister threw my stuffed rabbit in the toilet" becomes "WIw7,mstmsritt..." and "Long time ago in a galaxy not far away at all" becomes "Ltime@go-inag~faaa!". Schneier said he still stands by the advice, although he cautions people to pick their own long sentences. No doubt, the phrases and corresponding passwords he chose in his posts have already been folded into crackers' word lists, so readers shouldn't consider them strong. Schneier said he also stands by advice he published eight years ago to write passwords down on a piece of paper and store it in a wallet or other safe location.

A roll of the dice

Another way to pick passwords that are both strong and memorable is to use a method known as diceware to string together a list of randomly chosen words. An example might be "amend linen chef leery ali", preferably with the spaces kept unless the specific password policy prevents it.

"To get strength, there must be something random in the process," Goldberg said. "I roll dice (or do the electronic equivalent) to pick four or five words from a word list. It is important that the words really be selected through some external random process (like a random number generator or rolling dice). Then I misspell at least one of those words."

Still, Goldberg said he prefers to use long, randomly generated passwords whenever possible.

"For things that I don't have to remember, I go with about 23 characters unless the site has a smaller maximum," he said. "I picked 23 because finding a truly randomly chosen password of that length takes about as many guesses as finding a 128-bit encryption key. Anything stronger is just a (harmless) waste."
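The diceware method Goldberg describes above, and his "23 characters is about a 128-bit key" rule of thumb, worked through as an added example (not code from the article or from any of the experts quoted). It assumes a tiny constructed stand-in word list; the real Diceware list has 6^5 = 7776 words, and only the list size matters for the strength estimate.

```python
"""Diceware-style passphrase picking plus the "how long is long enough" arithmetic.

Added example. SAMPLE_WORDS is a constructed stand-in; a real Diceware list has
6**5 = 7776 entries, one per five-dice roll, so strength is computed from that size.
"""
import math
import secrets

# Constructed stand-in list (not the real Diceware list).
SAMPLE_WORDS = ["amend", "linen", "chef", "leery", "ali", "rabbit", "galaxy", "toilet"]


def roll_dice(n: int = 5) -> str:
    """Roll n fair dice with a cryptographic RNG; returns e.g. '31526'.
    On a real list this string is the lookup key for one word."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def diceware_passphrase(words, count: int, sep: str = " ") -> str:
    """Pick `count` words uniformly at random (the external random process
    Goldberg insists on). secrets.choice, never random.choice, for this job."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size: int, count: int) -> float:
    """Entropy in bits of `count` words drawn uniformly from `list_size` words."""
    return count * math.log2(list_size)


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: int = 128) -> int:
    """Shortest uniformly random password reaching `target_bits` (128 = AES key size)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("dice roll:", roll_dice())
    print("phrase:", diceware_passphrase(SAMPLE_WORDS, 5))
    print(f"5 words from a 7776-word list: {passphrase_bits(7776, 5):.1f} bits")
    print(f"23 chars of [A-Za-z0-9]: {password_bits(62, 23):.1f} bits")
    print("chars needed for 128 bits (62-symbol set):", length_for_bits(62))
```

Five words from a full Diceware list give about 65 bits, which is why Goldberg only uses that for passwords he has to remember; 23 random alphanumerics clear the 128-bit mark with a little to spare.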

Gosney, meanwhile, employs a different strategy for passwords he must remember, as long as they don't protect accounts he considers highly critical. It involves using several different common basewords with various transformations applied to make each one sufficiently unique.

Another challenge to secure password management is synchronizing passcodes across multiple devices, especially when they run on vastly different platforms. As stated earlier, Goldberg tackles the challenge by using 1Password, which works on the Windows, Mac OS X, iOS, and Android operating systems. LastPass offers even more flexibility, running on Windows, OSX, Linux, iOS, Android, Windows Phone, and Blackberry.

For those who don't want to use a password manager, another option for handling passwords on different devices is to use the advanced sync settings in the Google Chrome browser.

"I use Chrome, which encrypts saved passwords in its local database," Gosney said. "I also permit the browser to sync my passwords with my Google account. I have configured Chrome to encrypt all synced data using a separate sync password instead of my Google account password. The sync password is never sent to Google, so my data at Google is secure."

To be sure, such methods aren't for everyone. Several of the experts said they're not comfortable storing passwords, even if encrypted, in the cloud.

"When you put a lot of valuable stuff in a single location, that location becomes really interesting to criminals," Desautels said. What's more, "putting all of your passwords in one location means that someone with a subpoena (or not) can snag them."

There's also the issue of trusting Chrome or another browser to store a large cache of passwords.

"If someone steals my computer and/or forces me to hand over my root password, I don't want them to have all my other passwords as well, which would be stored locally," Grossman, who focuses on Web security, said. "Secondly, I've seen and developed too many browser hacks that can rip saved passwords out of the app very quickly just by visiting the wrong site, or clicking the wrong link." An example of such an attack from 2010 is here.

Carpe Diem

A few miscellaneous tips not already covered: Treat the answers to security questions as secondary passwords. That is, instead of naming the real high school you graduated from, pick a long phrase such as "arNEsISIon". Just be sure to store the fake answers in your password manager or other safe location. Another suggestion is to use a dedicated e-mail address for all critical accounts, and don't use it for any other purpose. If strange or suspicious e-mails arrive in the inbox, that may be an indication of a serious breach somewhere. Also consider keeping a backup copy of all passwords with a lawyer, spouse, or other trusted person. It's not a pleasant thought, but some day we're going to die. Passwords for bank accounts, retirement assets, and other important accounts should be a core part of any estate planning. Last, and most crucially, consider using two-factor authentication whenever possible.

For more than a decade, tech visionaries have predicted the death of the password as the primary means for proving our identity on the Internet. Until that day finally arrives, readers should remember that the pain of generating and securely storing crack-resistant passwords is much more the result of this highly imperfect means of authentication than the frailty of the billions of people who rely on it.

"The problem isn't the management and storage of usernames and passwords," said Desautels. "The problem IS that we're using usernames and passwords. Usernames and passwords are just a horrible and arcane method of authenticating someone."

View: Original Article
