READ THIS

How Passwords are Compromised

Passwords are mostly compromised offline by breaking a password's hash. Every few months some huge website with millions of users will get owned and it's database of hashed passwords will be made public. The biggest database so far is the RockYou database.

Crackers will run their tools against the hashed passwords to unmask them. From this they will learn:

• What the most common passwords are.
• What strategies people use to try and harden their passwords (e.g. adding numbers to the end).
• How often unique passwords are used (0.0001% of the time).

Once the passwords in the hashed password database are unmasked, crackers have an accurate view of how people choose passwords and therefore have a better chance of cracking your password.

A common technique is a dictionary attack, which will try every entry in a customised word list ("dictionary"). This might be the Oxford English Dictionary or every word which came up in the first 10 pages of a google search for "memes". Advanced dictionary attacks will do all that shit you thought you were so clever for thinking of:

• Use multiple words.
• Add numbers to the end of words.
• Add symbols before/after/between words.
• Turn the words into l337 sp34k.
• Add the website's name onto the end of your password.
• Use common phrases like 1pledgeallegiancetotheflag or yippiekiyaymotherfucker.
• Much, much more, guessing billions of times per second.

Choosing a Good Password

Let's not fuck around. There are two types of passwords:

• Regular passwords, which you keep in a Password Manager.
• Offline passwords, which you need to remember to access your password database. (e.g. boot password, password database password).

Offline passwords are weaker than regular passwords because you have to be able to remember them. Since they are offline¹, they are less likely to be attacked, so it's a fair tradeoff. The best offline passwords are generated with The Diceware Passphrase Maker which involves rolling 6 sided die to select random words which build a phrase.

The rest of your passwords, most of which will be for websites, should be generated by and stored with a Password Manager.

¹: Note that for this to be the case, the manager actually has to be offline (unlike, say, LastPass which is online).

Password Managers

These are programs which will generate long, random passwords using the full character set. Passwords which can only be broken by brute force, which can take longer than all the time since the big bang. You can easily have different passwords for every site you visit and set password expiry dates to remind you to change your passwords every so often (yearly? 6 monthly?). Passwords are kept within an offline encrypted database which you should backup.

Good password managers:

• KeePassX
• KeePass

Some password managers store your passwords in the cloud, making them a colossal target for hackers and placing your trust in the the skills of the cheapest admin the cloud can afford. Don't use them.

Shit password managers:

• LastPass
• 1Password

Bad Password Strategies

(Hopefully) Obvious shit:

• Less than 10 characters.
• Lowercase only.
• Dictionary words.
• Names, sports teams, pet names, chinese cartoon references.

Less obvious shit:

• Using the same password in two (or more) different places.
• Using the same password with slight changes for each place it's used.
• Using a password you've ever shared with anyone ever.

I'm so clever I trolled myself shit:

• Hashing a word/phrase: This may get you a decent password length, but if you're going to use a tool, why not use a tool specific to making good passwords?
• Some other strategy you thought of five minutes ago: The people who write password managers have already thought of it and determined why it is less secure than what they already use.

If you're skeptical at all about how advanced password crackers are, UNHash is a talk from late 2014 explaining the current state of password cracking.