Friday 30 December 2011

Storing Passwords

The most effective way to manage your passwords, personal or professional, is to use a password manager.  It lets you keep a unique login for every resource you access (bank, email, general forums, and so on) while only having to remember one master password.  Pick a reputable password manager, such as KeePass, and remember that backing up your password database, and verifying that you can actually restore it, is critical.

Keeping electronic copies is fine, but also consider keeping a hard copy in a reasonably secure location.  One approach is to print off your passwords every time you change your master password (annually is a bare minimum) and write the new master password on that printout, so you can recover it if you forget it.  This is especially useful if you cycle your master password frequently.
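As an added example that is not part of the original post: a small Python script that backs up a password-manager database file, records its SHA-256 next to the copy, and refuses to restore a copy whose digest no longer matches. It treats the database as an opaque file (KeePass's encrypted database, for instance), so it works for any manager that keeps its vault in a single file; the file names and directory layout are assumptions.

```python
"""Back up a password-manager database and verify the copy before trusting it.

Added example, not code from the original post.  The database is treated as an
opaque encrypted file; file names and directories below are assumptions.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so a large database is fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_for(backup: Path) -> Path:
    """Path of the digest file that sits next to a backup copy."""
    return backup.parent / (backup.name + ".sha256")


def backup_database(db: Path, backup_dir: Path) -> tuple[Path, str]:
    """Copy db into backup_dir with a UTC timestamp and record its SHA-256.

    The copy is hashed and compared with the source right away, so a truncated
    or failed copy is never kept as if it were a good backup.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_dir / f"{db.stem}-{stamp}{db.suffix}"
    shutil.copy2(db, dest)
    digest = sha256_of(dest)
    if digest != sha256_of(db):
        dest.unlink()
        raise IOError("backup copy does not match source")
    sidecar_for(dest).write_text(f"{digest}  {dest.name}\n")
    return dest, digest


def verify_backup(backup: Path) -> bool:
    """True only if the backup still matches the digest recorded beside it."""
    sidecar = sidecar_for(backup)
    if not sidecar.exists():
        return False
    recorded = sidecar.read_text().split()[0]
    return recorded == sha256_of(backup)


def restore_database(backup: Path, target: Path) -> bool:
    """Restore a verified backup; refuse to overwrite target otherwise."""
    if not verify_backup(backup):
        return False
    shutil.copy2(backup, target)
    return sha256_of(target) == sha256_of(backup)


if __name__ == "__main__":
    # Constructed stand-in for an encrypted database: arbitrary bytes.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "passwords.kdbx"
        live.write_bytes(b"\x03\xd9\xa2\x9a" + bytes(range(256)))
        copy, digest = backup_database(live, root / "backups")
        print("backup:", copy.name, "sha256:", digest[:16] + "...")
        print("verified:", verify_backup(copy))
        # Flip one byte of the copy; the restore must now be refused.
        data = bytearray(copy.read_bytes())
        data[-1] ^= 0xFF
        copy.write_bytes(bytes(data))
        print("restore of damaged copy allowed:", restore_database(copy, live))
```

Running it prints a backup being taken and verified, then a deliberately damaged copy being refused. The sidecar digest is the point: a backup you have never verified is not a backup, and the check belongs on the restore path, before the live database is overwritten.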

5 comments:

  1. As long as we're talking about storing passwords, let's give a tip of the hat to Randall Munroe for a succinct summary about the best way to _generate_ passwords (and why).

    http://www.xkcd.com/936/

    ReplyDelete
  2. I'm not entirely sold on Munroe's correct horse password. It's better than using your birth year as your bank PIN, but most people are going to use a relatively small dictionary of words, which reduces the effectiveness of this method.

    However, what is a lot better is to use randomly generated passwords. I find that using pronounceable passwords with APG (http://www.adel.nursat.kz/apg/) or its Windows port works the best. You get random syllables that are sort of readable but non-word. They are very easy to get used to. "apg" can be easily installed free on most GNU Linux, there's also a Windows version available from their site, and KeepassX (the GNU Linux and Mac OS X port of Keepass) has a built-in pronounceable password generator.

    But yes, if you find random passwords too "hard" to use, longer passphrases like Munroe's Correct Horse Battery Staple are far stronger than most people's passwords, which tend to be "password1" and similar:

    http://www.thetechherald.com/articles/Report-Analysis-of-the-Stratfor-Password-List

    The important thing is that you use a strong password for your master password and then different random passwords for different sites unlike 92% of the Sony users:

    http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

    I wonder if this many links is going to get my own comment marked as spam :P

    ReplyDelete
  3. One more link on the topic... If your passwords aren't already in the common password dictionaries (like the Stratfor one above), at least stand out from the 60% of users who use all lower-case letters or all numeric passwords and pick something with mixed case and numerics. Throw in a special character to get into the 96th percentile:

    http://www.net-security.org/secworld.php?id=8742

    ReplyDelete
  4. If "most people are going to use a relatively small dictionary of words", then most people aren't following along. The point here is that "complicated" passwords are useless, because machines do the guessing nowadays, and machines don't care if the password is "complicated" - they only care that it's common or short.

    We still have this weird idea that somebody's looking over our shoulder when we type our passwords in, and that's simply not where the danger lies anymore.

    ReplyDelete
    Replies
    1. Another comment, I think we were chatting about this, but here's another theory on addressing password strength; use some short distinct password that uses a broad range of characters (letters, mixed case, numbers, special characters) and then pad the short password with something.

      https://www.grc.com/haystack.htm

      Basically you want to hit all the "good" qualities of a strong password: easy to remember, from a broad character set, and really long.

      So D0g......... is trivial to remember and impossible to guess if you pick a short word and padding that is unique and secret.

      Delete
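As an added example, not code from the post or from any of the commenters, here is a Python script that puts the generation schemes from comment 2 (random characters, APG-style pronounceable strings, xkcd-style passphrases) into numbers. It generates each with the OS CSPRNG and computes the bits of entropy under the usual model that the attacker knows the scheme and the word list and enumerates only that space. The 16-word list is a constructed stand-in (Diceware uses 7776 words), and the consonant/vowel syllable alphabet and the 10^10 guesses per second rate are assumptions.

```python
"""Generate passwords three ways and compare the size of the space an
attacker must search.  Added example; word list and rates are assumptions."""
import math
import secrets
import string

# Constructed 16-word stand-in; a real list would have thousands of words.
WORDS = ("correct horse battery staple apple river stone cloud "
         "window candle forest copper silent marble thunder velvet").split()

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int, alphabet: str = SYMBOLS) -> str:
    """Uniform random characters from alphabet, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int, wordlist=WORDS, sep: str = " ") -> str:
    """xkcd/Diceware style: uniformly chosen words joined by sep."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def pronounceable(syllables: int) -> str:
    """APG-like consonant+vowel pairs: readable-looking but not a word.

    The syllable alphabet (21 consonants x 5 vowels) is an assumption,
    not APG's actual algorithm.
    """
    consonants = "bcdfghjklmnpqrstvwxyz"
    vowels = "aeiou"
    return "".join(secrets.choice(consonants) + secrets.choice(vowels)
                   for _ in range(syllables))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """log2 of the search space for `symbols` independent uniform picks."""
    return symbols * math.log2(choices_per_symbol)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at the given rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Bits of entropy and worst-case search time (years) per scheme."""
    schemes = {
        "random 12 chars, 94 symbols": entropy_bits(len(SYMBOLS), 12),
        "passphrase, 4 words from 16": entropy_bits(len(WORDS), 4),
        "passphrase, 4 words from 7776": entropy_bits(7776, 4),
        "pronounceable, 5 syllables": entropy_bits(21 * 5, 5),
    }
    return {name: (bits, years_to_search(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("random:       ", random_password(12))
    print("passphrase:   ", passphrase(4))
    print("pronounceable:", pronounceable(5))
    print()
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

The table makes the trade-off in the thread concrete: what matters is the size of the space the attacker has to enumerate, and that depends on how many choices each component was drawn from, not on how complicated the result looks. Four words from a tiny list are weak no matter how long the words are; the same four words from a Diceware-sized list are not.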
