So here's a basic primer on password security. Bear in mind that I am not a security expert or cryptographer. All I've done is kept my eyes and ears open when they have something to say. With that said, here we go.
Your Brain On Passwords
A password is a set of characters you input to act as a "key" for your digital security. Naturally, this key has to exist somewhere, and the safest way is for it to exist in your head (this also grants it a certain higher level of legal safety, because most countries, the US included, have laws that let the police seize assets using your fingerprints or your other biometrics, but they cannot legally force a password out of your mind).
The problem with this is that the human brain is notoriously bad at doing what computers are good at. Through millions of years of evolution, the brain has gotten good at creating, recognizing, and storing patterns, since noticing patterns is what enables a creature to either escape its predator or capture its prey. The small issue with that is that patterns are precisely what you DO NOT WANT for secure passwords.
Let's take a simple thought experiment: roll a dice in your head and note down the number that appears. Keep doing this several times, basically producing a stream of dice-roll outputs. I can pretty much guarantee you that if I pass this stream to a basic ML predictor, it'll start generating forward guesses that predict your next number correctly with a probability significantly greater than 1/6 (a la Kakashi's Sharingan against Zabuza, if anime is a thing you follow). In other words, humans are really, really bad at coming up with random patterns, and what they THINK is securely random and unpredictable is rarely ever so.
Humans are also singularly terrible at storing these random patterns in the mush between the extremeties of their skull. That also makes sense -- things which are patternless hold no meaning for the animal brain. The upshot of this is that any good password that you do happen to generate will eventually choose to leave the confines of your grey matter through your ears, and the account you created five years ago and don't have the recovery email for will be lost to the ether forevermore.
The trouble with this whole thing is that other, smarter, more malicious humans are aware of this and know how to take advantage of it. The fact that your brain cannot easily generate patternless data implies that your passwords will be predictable, and the fact that your brains cannot remember patternless data implies that your passwords will be repeated. And all it takes an attacker is to gain access to one location which gives them your password, and almost immediately they have the keys to your whole kingdom.
Another problem with humans is that they fall for advertising easily. Practically every service you use will proclaim its high degrees of security, but more often than not your data isn't secure. We've had so many data leaks it's not even funny (see Troy Hunt's excellent blog and pwnage database). All this goes to show is that if you think using the same password is fine because "the sites I use have the highest levels of security", you have another thing coming.
Knowing all this, what do password crackers do?
Cracking The Code
Modern password cracking is actually a pretty amazing science, exploiting all the flaws of the goo in your head in order to produce the best possible results. Contrary to popular belief, password crackers don't simply rely on pure bruteforcing ("hehe my password is secure because it's lolololololololololol1
which is 22 characters and has a number!") or pure English dictionary attacks ("it's secure because I replaced all the 'i's with 1!"). Instead, they rely on a combination of prior known common password lists, standard lexicon dictionaries, manipulation rulesets and more.
The basis of how it works is this -- people generate password patterns using certain rules. Often, any words will be followed by other words that make sense grammatically, or reference something popular and easy-to-remember (hellotheregeneralkenobi
). People also perform replacements and "security enhancements" in predictable ways, either using l33tspe4k for replacing characters ("p455w0rd" is not much safer than "password", all things considered), or by adding numbers to fulfil site password requirements in common patterns (always at the end of the password, usually something like "123" or their birth year digits like "98" or something similar). Sometimes, if you're trying to be clever, you'll try subverting the norm and use reverse psychology ("Ha-HA! I'll put the numbers at the beginning instead of the end! No one will guess THAT!"). Unfortunately for you, computers do not give two hoots about reverse psychology.
Password crackers simply take a downloaded list of usernames and hashed passwords (which get leaked from top sites on almost a daily basis), and try guesses on it. They generate these guesses using lists of previously known and leaked passwords, arranged in order of how often they appear. They also use rulesets that instruct the computer on how to manipulate the passwords in the list in known ways (try replacing the letter "l" with the numeral "1") and the computer blazes through these, generating all common variations in fractions of milliseconds. The worst part is, once they do get your password, they basically go ahead and try it on all the sites known to mankind, because chances are that a person with the kind of weak password practices that let them get their hands on it in the first place, is the same kind of person who reuses these passwords everywhere.
Don't believe me? You shouldn't -- I've given you no reason to believe that this is how it's done. But the illustrious Dr. Mike Pound has. Go watch this video right now. It will inject into your primitive animal brain the correct dose of healthy paranoia that you need to maintain in today's digital world. (Actually, go watch all of Dr. Mike Pound's videos on Computerphile, they are absolutely brilliant. Why are you still here?)
Choosing A Password
So how do you go about choosing your passwords? We've already established that there need to be some basic ground rules:
- Your passwords must be long. The current recommendation is 12 characters, though if you're future-proofing you might as well go for something better, like 20 or more.
- Your passwords must be random. Not just hehe-I'm-so-random-XD human levels of random, but truly mathematically random.
- Your passwords must not be repeated. Ever. Anywhere. Never EVER use the same password in two places, or even variations on it for different sites. We've already established how that's broken.
So, as a smoothbrained human, how do you create your strong passwords, one for each and every site, and remember them all? Simple answer -- you don't.
Computers are good at cracking passwords, because they can blaze through and try all the patterns you could imagine. Interestingly enough, computers are also good at generating passwords by simply not relying on patterns. Here's a little example Bash script that I have, that pipes the output of /dev/urandom
's alphanumeric characters and cuts it off at 16 characters (by default, configurable with a parameter):
$ type genpass
genpass is a function
genpass ()
{
if [ $# -eq 0 ]; then
tr -dc A-Za-z0-9 < /dev/urandom | head -c 16;
else
tr -dc A-Za-z0-9 < /dev/urandom | head -c $1;
fi
}
Is this cryptographically secure, as verified by a professional cryptographer? Hell no, and I don't really care. But it's a good illustration of how the output of a computer far exceeds anything the folds of your cerebrum can ever come up with:
$ genpass 20
oMif6TNDuTL7yICvv1VN
Purely on alphanumeric characters, I've generated a 20-character string that's way outside anything you could reasonably generate in your head quickly. With simple changes to the script, I can expand the character set way beyond the original 62 characters, to include symbols and other character sets.
This password would serve well as some sort of application key, but not for a human account password. The problem is that the generated password needs to be stored somewhere since there's no way of generating the same password a second time. And we've already established that the best place to store passwords is in your head. Good luck remembering this one, let alone 50 others for each godforsaken forum and terrible online game site you visit.
The trick is that you remember one strong password, and make sure this one's really good and strong. You then use this password to access a password manager, which does the job of generating your other, secure passwords for you, and also handles the messy details of storing them. Neat!
Personally I use a custom plain HTML/JS password generator which creates passwords on the fly using strong hashing on a few input fields, which I then paste into whichever site I use. But if you're looking for a traditional, well-known password manager, I've heard good things about Bitwarden. There are lots of them out there though, and practically any of them are guaranteed to be stronger than your brain at password generation and storage. On mine, for instance, using a Master Password of ThisIsAStrongAndSecureMasterPassword
with a piece of site-specific metadata -- say, amazon.com
for amazon.com -- generates V_'b#0ISI]kJX{W&CG7;R[iw1h@JlmoH6i%rTU[y
as a 40-character password in approximately a zillionth of a second.
Sidenote: Diceware
On rare occasions, you're stuck in a position where you cannot reasonably use a password manager to generate and insert your strong passwords. One good example of it is the personal password of your machine, where it's the first thing you need to enter in order to log in, such that you can actually get access to your password manager in the first place. This password does need to be in your brain and typed out by hand, but that doesn't mean it's okay to have low security for it. So, wat do?
Enter Diceware. What it is, is basically a scheme for generating human-readable English passphrases (think "correct horse battery staple", and then resolve to never, EVER use that particular phrase as a password in your life), while still remaining mathematically secure. The trick to the process is that for true randomness you don't need to have braces and semicolons and copyright signs in your passwords. What you need is a large-enough input space, and for the generation of randomness to be taken away from you to something that's better at doing it than your brain mush.
The Diceware list (or the alternative Beale list, which I use), is a list of 7776 words, indexed with a string of five digits, starting at 11111
and going all the way to 66666
. Therefore, five rolls of a dice will generate one word. You'll need to generate at least five or six words to have proper security, and all you need to do is to separate them by a space. It's easy to compute how many five-word combinations are possible from Diceware.
inputSpace s = 7776
numberOfWords n = 5
Total Combinations = s^n = 7776^5 = 28,430,288,029,929,701,376
Ooh boy that's a doozy of a number. That's over 28.4 quintillion possibilities, all equally likely if you actually use a real random process to generate the words. If you wanna extend the security of the system in the future, just add one more word. It's pretty easy and literally increases the total combinations by another seven thousand seven hundred and seventy six times.
I'd still recommend not using this scheme for all your passwords though, because the generation process is a bit cumbersome and will make it likely that you commit the ultimate sin of reusing a password. Also, remembering which site has which password is gonna be a problem. It's a very good candidate process for selecting a strong master password for your generator itself, though.
Top comments (9)
I currently use Diceware, with emphasis on length. In particular, in case pasting is locked / prevented, which is practically same as password manager is blocked.
One thing to be take care of, though. Clipboards are usually not auto-cleared.
Great point on clipboards not being automatically cleared! Honestly that's currently an issue that I have with my current password generation tool, which I fix by immediately copying some gibberish into my clipboard after I'm done pasting my password. It's a bit of mental discipline to maintain, but I do find it more universal in general than solutions which autoinsert your password into
<input type="password">
fields.Certainly, any password manager that drops the generated password into your clipboard must be accompanied by the practice of overwriting your clipboard with other data right after the password is inserted. Due to this I also choose to do without the convenience of having a multi-item clipboard (Windows has it in-built these days) 😞
Some Linux DEs come with clipboard history :D btw some password keepers (like Enpass) delete the whole clipboard in a few seconds
Isn't it the dashboard of Bitwarden ? It looks similar to bitwarden. I would be checking Diceware as well
Yes it is. Chrome extension, actually.
This is great advice, but the sad thing is I gave basically the same advice 30 years ago, and nobody listened then either. klein.com/dvk/publications/passwd.pdf
I don't think we're anywhere near a worldwide shift in password practices -- in fact, a lot of security experts seem to think that the whole concept of passwords itself is an exercise in futility, and attempts are being made to move to passwordless mechanisms. But I choose to think of it this way: a bunch of people have read this article, and possibly other articles like this one. Some of them'll share it with others, and the network of informed folks will expand. I wrote the article primarily for a couple of friends who wanted to understand why using a password manager is the only practical choice. Now they know (and one of them was the guy who suggested Bitwarden to me), and they'll likely tell their friends. It might not be a massive impact against poor password security, but it's definitely a net positive 😊.
Your paper looks really interesting, by the way. I'll take some time out later today to go through it. Thanks for sharing 😁
It is an exercise in futility which we must continue to fight, no matter how sad the state of the world :-) "password" is still probably one of the more popular passwords, along with "qwerty". At least now we have 2FA, which helps a lot!
Enpass please generate a random strong password for me and store it on my master password file...