Difference between revisions of "Passwords"

From InstallGentoo Wiki

Revision as of 15:10, 21 December 2015

How passwords are compromised

Passwords are mostly compromised offline by breaking a password's hash. Every few months some huge website with millions of users will get owned and its database of hashed passwords will be made public. The biggest database so far is the RockYou database (http://www.computerworld.com/article/2522045/security0/rockyou-hack-exposes-names--passwords-of-30m-accounts.html).

Crackers will run their tools against the hashed passwords to unmask them. From this they will learn:

  • What the most common passwords are.
  • What strategies people use to try and harden their passwords (e.g. adding numbers to the end).
  • How often unique passwords are used (0.0001% of the time).

Once the passwords in the hashed password database are unmasked, crackers have an accurate view of how people choose passwords and therefore have a better chance of cracking your password.

A common technique is a dictionary attack, which will try every entry in a customised word list ("dictionary"). This might be the Oxford English Dictionary or every word which came up in the first 10 pages of a Google search for "memes". Advanced dictionary attacks will do all that shit you thought you were so clever for thinking of:

  • Use multiple words.
  • Add numbers to the end of words.
  • Add symbols before/after/between words.
  • Turn the words into l337 sp34k.
  • Add the website's name onto the end of your password.
  • Use common phrases like 1pledgeallegiancetotheflag or yippiekiyaymotherfucker.
  • Much, much more, guessing billions of times per second.

Choosing a good password

There are two types of passwords:

  • Regular passwords, which you keep in a password manager.
  • Passphrases, longer strings that are used at the most important places, for example to protect your password manager database or unlock your encrypted disk.

The best passphrases are generated with Diceware (http://world.std.com/~reinhold/diceware.html), which involves rolling six-sided dice to select random words which build a long, cryptographically random passphrase. This produces passphrases you can memorise, but attackers can't guess (easily) (https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/).
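As an added example (not part of the wiki page), the Diceware procedure in Python: it parses a wordlist in Diceware's format, rolls the dice with the OS CSPRNG instead of physical dice, and puts numbers on the "attackers can't guess" claim at the billions-of-guesses-per-second rate quoted above. The 7776-entry wordlist embedded here is a constructed stand-in, not the real Diceware list.

```python
import itertools
import math
import secrets

LIST_SIZE = 6 ** 5  # 7776 entries: one word for every five-dice roll


def load_diceware_list(text: str) -> dict[str, str]:
    """Parse the Diceware format: one '<five dice digits> <word>' per line."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 5 and set(parts[0]) <= set("123456"):
            table[parts[0]] = parts[1]
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    return table


def roll_dice(count: int = 5) -> str:
    """Roll six-sided dice with the OS CSPRNG; random.randint is not suitable here."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def diceware_passphrase(table: dict[str, str], words: int = 6) -> str:
    """One word per five-dice roll; each word adds log2(7776), about 12.9 bits."""
    return " ".join(table[roll_dice()] for _ in range(words))


def entropy_bits(words: int) -> float:
    return words * math.log2(LIST_SIZE)


def expected_crack_years(bits: float, guesses_per_second: float = 1e9) -> float:
    """Expected time for an offline attacker who knows the wordlist and guesses at the
    quoted billions per second, so on average tries half the keyspace."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# Constructed stand-in for the real list: every dice key mapped to a synthetic token.
STAND_IN_LIST = "\n".join(
    f"{''.join(roll)} w{i:04d}"
    for i, roll in enumerate(itertools.product("123456", repeat=5))
)

if __name__ == "__main__":
    table = load_diceware_list(STAND_IN_LIST)
    print(diceware_passphrase(table))
    print(f"{entropy_bits(6):.1f} bits, ~{expected_crack_years(entropy_bits(6)):.0e} years at 1e9 guesses/s")
```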

The rest of your passwords, most of which will be for websites, should be generated by and stored with a password manager.

1: Note that for this to be the case, the manager actually has to be offline (unlike, say, LastPass which is online).

Password managers

These are programs which will generate long, random passwords using the full character set: passwords which can only be broken by brute force, which can take longer than all the time since the Big Bang. You can easily have different passwords for every site you visit and set password expiry dates to remind you to change your passwords every so often (yearly? 6 monthly?). Passwords are kept within an offline encrypted database which you should back up.

Good password managers:

  • KeePassX (https://www.keepassx.org/)
  • KeePass (http://keepass.info/)
  • pass (http://www.passwordstore.org/)
  • PasswdSafe (http://passwordsafe.sourceforge.net/)

Some password managers store your passwords in the cloud, making them a colossal target for hackers and placing your trust in the skills of the cheapest admin the cloud can afford. Don't use them. Examples include LastPass and 1Password.

Bad Password Strategies

Don't do this:

  • Less than 10 characters.
  • Lowercase only.
  • Dictionary words.
  • Names, sports teams, pet names, Chinese cartoon references.

Or this:

  • Using the same password in two (or more) different places.
  • Using the same password with slight changes for each place it's used.
  • Using a password you've ever shared with anyone ever.
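Added example, not from the page: a defender-side check that undoes the mangling rules from the dictionary-attack list above (trailing digits and symbols, leet substitutions, the site name tacked on the end) and flags the "Don't do this" items, plus a check for the same base password reused with per-site changes. The word list is a constructed stand-in for a cracker's dictionary.

```python
import re

# Constructed stand-in for a cracker's wordlist; real ones run to millions of entries.
COMMON_WORDS = ("password", "letmein", "dragon", "football", "monkey", "welcome", "qwerty")

# Undo the l337 sp34k substitutions a rule-based attack applies to each dictionary word.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str, site: str = "") -> str:
    """Strip the mangling steps listed above (site name, trailing digits/symbols, leet)
    to recover the base word an attacker would have started from."""
    base = password.lower()
    if site and base.endswith(site.lower()):
        base = base[: -len(site)]                # 'welcome2twitter' -> 'welcome2'
    base = re.sub(r"[^a-z]+$", "", base)         # '123', '!', '_2016' appended at the end
    base = base.translate(UNLEET)                # 'p@ssw0rd' -> 'password'
    return re.sub(r"[^a-z]", "", base)           # symbols left between words


def weaknesses(password: str, site: str = "") -> list[str]:
    """Return the 'Don't do this' items a password violates (empty list: none found)."""
    found = []
    if len(password) < 10:
        found.append("shorter than 10 characters")
    if password.islower():
        found.append("lowercase only")
    base = normalize(password, site)
    hits = [w for w in COMMON_WORDS if w in base]
    if hits:
        found.append("dictionary word(s) " + ", ".join(hits) + " once mangling is undone")
    return found


def are_variants(pw_a: str, site_a: str, pw_b: str, site_b: str) -> bool:
    """True when two passwords are the same base word with per-site tweaks: the
    'slight changes' pattern that lets one leaked site's password unlock the next."""
    return pw_a != pw_b and normalize(pw_a, site_a) == normalize(pw_b, site_b)


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Dr4g0n_16", "xK7#qLp2!vR9mZ"):
        print(pw, "->", weaknesses(pw) or "no listed weakness")
    print(are_variants("letmein!facebook", "facebook", "letmein!twitter", "twitter"))
```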

I'm so clever I trolled myself shit:

  • Hashing a word/phrase: This may get you a decent password length, but if you're going to use a tool, why not use a tool specific to making good passwords?
  • Some other strategy you thought of five minutes ago: The people who write password managers have already thought of it and determined why it is less secure than what they already use.

If you're skeptical at all about how advanced password crackers are, UNHash is a talk from late 2014 explaining the current state of password cracking.