How passwords are compromised
Passwords are mostly compromised offline by breaking a password's hash. Every few months some huge website with millions of users will get owned and it's database of hashed passwords will be made public. The biggest database so far is the RockYou database.
Crackers will run their tools against the hashed passwords to unmask them. From this they will learn:
- What the most common passwords are.
- What strategies people use to try and harden their passwords (e.g. adding numbers to the end).
- How often unique passwords are used (0.0001% of the time).
Once the passwords in the hashed password database are unmasked, crackers have an accurate view of how people choose passwords and therefore have a better chance of cracking your password.
A common technique is a dictionary attack, which will try every entry in a customised word list ("dictionary"). This might be the Oxford English Dictionary or every word which came up in the first 10 pages of a google search for "memes". Advanced dictionary attacks will do all that shit you thought you were so clever for thinking of:
- Use multiple words.
- Add numbers to the end of words.
- Add symbols before/after/between words.
- Turn the words into l337 sp34k.
- Add the website's name onto the end of your password.
- Use common phrases like 1pledgeallegiancetotheflag or yippiekiyaymotherfucker.
- Much, much more, guessing billions of times per second.
Choosing a good password
There are two types of passwords:
- Regular passwords, which you keep in a password manager.
- Passphrases, longer strings that are used at the most important places, for example to protect your password manager database or unlock your encrypted disk.
The best passphrases are generated with Diceware which involves rolling 6 sided die to select random words which build a long cryptographically random passphrase. This produces passphrases you can memorise, but attackers can't guess (easily).
The rest of your passwords, most of which will be for websites, should be generated by and stored with a password manager.
1: Note that for this to be the case, the manager actually has to be offline (unlike, say, LastPass which is online).
These are programs which will generate long, random passwords using the full character set. Passwords which can only be broken by brute force, which can take longer than all the time since the big bang. You can easily have different passwords for every site you visit and set password expiry dates to remind you to change your passwords every so often (yearly? 6 monthly?). Passwords are kept within an offline encrypted database which you should backup.
Good password managers:
Some password managers store your passwords in the cloud, making them a colossal target for hackers and placing your trust in the the skills of the cheapest admin the cloud can afford. Don't use them. Examples include LastPass and 1Password.
Bad Password Strategies
Don't do this:
- Less than 10 characters.
- Lowercase only.
- Dictionary words.
- Names, sports teams, pet names, chinese cartoon references.
- Using the same password in two (or more) different places.
- Using the same password with slight changes for each place it's used.
- Using a password you've ever shared with anyone ever.
I'm so clever I trolled myself shit:
- Hashing a word/phrase: This may get you a decent password length, but if you're going to use a tool, why not use a tool specific to making good passwords?
- Some other strategy you thought of five minutes ago: The people who write password managers have already thought of it and determined why it is less secure than what they already use.
If you're skeptical at all about how advanced password crackers are, UNHash is a talk from late 2014 explaining the current state of password cracking.