How To Create Easy and Secure Passwords
In a past post we discussed how to keep our Steem account out of the hands of hackers. In that post the subject of passwords came up since we had to use one for LastPass. While I wrote that post I recalled doing a podcast on the topic of passwords that never made its way to the Steemit community.
Since creating passwords that are both hard to guess and easy to remember is so important these days, I wanted to write this post for Steemit. As the price of STEEM rises, our accounts become a more attractive target for anyone trying to break in. Combining the post linked above with the information below, we can all be as secure as possible.
Passphrases vs. Passwords
The first step to making sure our passwords are their best is to leave the 'password' mentality behind. We need to create 'passphrases' instead. A passphrase is like a password but longer, using several words together. The longer the passphrase is, the better off we will be. But there is a point of diminishing returns in the length versus security trade-off.
In Edward Snowden's original email to the journalist he said:
Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second.
That is a lot of guesses per second! Granted, that journalist most likely had a much larger target on their back than we do, but this is still a great threshold for measuring how effective our passphrases are. A password that is only five characters long, even if it is full of symbols, has fewer than eight billion possibilities (95 printable characters to the fifth power), so at a trillion guesses per second the whole space is exhausted in a fraction of a second, not minutes or days.
We should always assume there is an attacker with enough incentive to run a trillion guesses per second against our accounts. Planning for that attacker makes it far less likely that an attack against us succeeds.
Your Password Trick Isn't Clever
The majority of people choose a password from the culture around them, often a line from their favorite book, song, or movie. Once the quote is selected they then tweak it by adding capitalization, numbers, and symbols that are easy for them to remember. Let's take a look at the following password, built from a line in a classic Shakespearean work.
AllTh3Worlds/ASt4ge
Even though we have more of a passphrase than a password here, there is a high probability that we were not the first to use it. By using a line from a work of art we place our accounts at more risk than we should. Password-cracking tools do exactly this: they take dictionaries of popular quotes and lyrics and apply mangling rules (capitalization, letter-to-digit swaps, appended symbols) to generate the variations people think are clever.
The reason passwords and phrases like the one above are a poor choice comes down to something called entropy. At a basic level, and in relation to passwords, entropy is a measure of how unpredictable a passphrase is in its final state. Unfortunately, we humans love patterns and are extremely bad at producing randomness.
What if we don't use a line from culture but instead just pick random words ourselves? Even then the result is far from truly random. Our native language is deeply ingrained, and all languages are predictable: our brains reach for idioms and rules of grammar, both of which kill entropy.
Secure Passphrase with Dice
Yes, dice. They are the best way to let the randomness of nature create a ton of entropy for us. First we need to grab a Diceware word list off the internet. The one linked here is from the Electronic Frontier Foundation and is an optimized version of earlier word lists.
These word lists contain 7,776 words (37 PDF pages of them) for your passphrase-making pleasure. Next to each word is a five-digit number in which every digit is between one and six, one number for each possible outcome of five dice. Now we need our dice. Real dice are better than a program because we cannot be one hundred percent certain the program is truly random.
Roll a die five times (or five dice once) so you have five numbers ranging between one and six. Write the five numbers down on a piece of paper in the order they appear. The five-digit number on the paper corresponds to one word on the list linked above. Congratulations, you have your first random word! Repeat this for each word you want. Once you are done you will end up with a passphrase that looks like the following.
acorn overstate ferris outlet mosaic laurel
We can then add capitalization, numbers, and symbols as we wish. However, the entropy comes from how many words we generate using the dice and word list. The longer the passphrase the more entropy we gain and the harder our passphrase will be to guess.
How Strong are Dice-Generated Passphrases?
As mentioned, the strength of any password or phrase is determined by how many words we roll. If we only choose one word from the list, an attacker will have a one in 7,776 chance for guessing our word. The attacker may guess it on the first attempt or the 7,776th attempt with the average number of guesses being 3,888.
So what if we roll our dice for two words? The number of possibilities does not simply double: there are now 7,776 × 7,776 = 60,466,176 possible phrases! On average it will take about 30 million tries to guess a two-word passphrase. Bump it up to five words and the average climbs to 14 quintillion tries! (That is with the attacker knowing that we used a word list, and which one.)
But how long will it take to guess these at one trillion guesses per second, as Edward Snowden says we should assume? This also grows exponentially with each word. With five words it would take an average of 165 days to crack. At six words it jumps to 3,505 years, and seven words puts us at 27,256 millennia!
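The procedure above (five dice rolls per word, looked up in a 7,776-entry list) and the strength figures in this section, as an added worked example that is not part of the original post. The word list excerpt is a constructed sample in the EFF file format (five dice digits, a tab, the word), not the real list; the roll-as-written values in the demo are constructed too; `roll_five_dice` is a software stand-in using the OS random source, since the post prefers physical dice; and the strength figures assume the attacker knows which list was used and needs, on average, half the space.

```python
import math
import secrets

WORDS_PER_LIST = 6 ** 5  # 7,776 words: one per possible outcome of five dice

# Constructed excerpt in the EFF list's format (dice digits, tab, word).
# A real list has every key from 11111 to 66666; this sample has only seven.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
66665\tzoology
66666\tzoom
"""


def load_wordlist(text):
    """Parse EFF-format lines into {'11111': 'abacus', ...}, validating each key."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key in word list: {key!r}")
        table[key] = word
    return table


def key_from_rolls(rolls):
    """Five dice results (each 1..6), in the order rolled, become the lookup key."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError(f"need exactly five dice results in 1..6, got {rolls!r}")
    return "".join(str(r) for r in rolls)


def roll_five_dice():
    """Software stand-in for physical dice (assumption: acceptable when real dice
    are unavailable). Uses the OS CSPRNG via `secrets`, never the `random` module."""
    return [secrets.randbelow(6) + 1 for _ in range(5)]


def passphrase_from_rolls(rolls_per_word, table):
    """Map each group of five rolls to its word; KeyError if the list lacks the key."""
    return " ".join(table[key_from_rolls(rolls)] for rolls in rolls_per_word)


def entropy_bits(n_words, list_size=WORDS_PER_LIST):
    """Bits of entropy when every word is chosen uniformly from the list."""
    return n_words * math.log2(list_size)


def average_guesses(n_words, list_size=WORDS_PER_LIST):
    """Expected guesses for an attacker who knows the list: half the space."""
    return list_size ** n_words // 2


def average_crack_seconds(n_words, guesses_per_second=10**12):
    """Snowden's threshold: one trillion guesses per second by default."""
    return average_guesses(n_words) / guesses_per_second


def average_crack_days(n_words):
    return average_crack_seconds(n_words) / 86400


def average_crack_years(n_words):
    return average_crack_seconds(n_words) / (365 * 86400)


if __name__ == "__main__":
    table = load_wordlist(SAMPLE_WORDLIST)
    # Constructed rolls "as read off the paper", chosen to exist in the sample above.
    on_paper = [[1, 1, 1, 1, 1], [6, 6, 6, 6, 6], [1, 1, 1, 1, 4]]
    print(passphrase_from_rolls(on_paper, table))  # abacus zoom abide
    print("fresh roll key:", key_from_rolls(roll_five_dice()))  # present on a full list
    for n in (1, 2, 5, 6, 7):
        print(f"{n} word(s): {entropy_bits(n):5.1f} bits, "
              f"{average_guesses(n):,} average guesses, "
              f"{average_crack_years(n):,.1f} years at 1e12/s")
```

Rolls are validated before lookup so a misread die (a 7, or only four digits) fails loudly instead of silently picking the wrong word. The time figures reproduce the post's numbers: about 165 days for five words, about 3,505 years for six, and about 27 million years for seven.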
When to Use the Dice Method?
I always recommend people use a service like LastPass for their online passwords. It will generate a random password for you and no two will be the same. This is very important to keep your accounts safe. There is no need to use a diceware passphrase on each site you sign up for since that would require us to memorize too many six- or seven-word strings.
The reason is that every guess against a website has to travel to the server and wait for a response. An attacker cannot send a trillion requests to a web server without clogging its network, and most sites lock or throttle accounts well before that. The greater risk is a breach of the site's own password database: once the attacker has the stored hashes, cracking happens offline at exactly those trillion-guess rates, which is why every site must get its own random password so one breach does not unlock the rest. We are also more likely to have a password stolen by a fake version of our favorite site, and in that event no amount of entropy will help.
However, we must use a diceware passphrase for our LastPass master password, and nowhere else! Every time we reuse the same passphrase on another site we increase the chance of it being stolen, which throws away the entropy we created with our dice.
Remember
- Never use the same password on more than one site.
- Use a service like LastPass to create unique passwords for websites.
- Create the passwords you must memorize, such as the master password, using dice and the word list.
- Use at least six words in the diceware passphrase.
- Add capitalization, symbols, and numbers as you wish.
Thanks for reading!
Let me know in the comments if you have any questions or found a typo!
This post has been resteemed from MSP3K courtesy of @jrswab from the Minnow Support Project ( @minnowsupport ).
Now this is an area that I could certainly improve on. Valuable info.
One of my fears though is that, one day, I get hit on my head or fall on my head and no longer remember my passphrases or where I stored them. I guess that is another step: where to store them (besides memorizing them).
Thanks for sharing!
You could always write them down and store them in a safe, or write them down with some sort of cipher. Of course then you'd need to remember where your keys are, a combination, or a different password.
For internet accounts use LastPass, and if you want to have a backup of a passphrase you make I'd say write it down and store it in a safe.
This is genius. I've been thinking about doing a "password reset" of all of my stuff lately, but was having a problem coming up with a better methodology than the one I used in the past (which of course I will not reveal here).
~ Kevin
It is always good to change up our passwords every once in a while. I change the main password to my LastPass account at least once a year sometimes once every six months.
Great post. There are so many people that simply use their own name as their password, or other very simple passwords. I do not use a passphrase generator, but have a different method that is quite similar. Thanks again!
Great post. Since most web services still store your password on their server, it is wise to change passwords every 3 months and never ever use the same password or phrase twice. You mentioned that. You also mentioned the other risk of fake websites. Harder to prevent is a man-in-the-middle attack in a cafe. Some black hats could spend a couple of days in a busy cafe, or above it, for example, stealing credentials with an ARP-spoofing attack, which they sell in a big list on the dark web after a few targets in a month's time. I did a post on passwords a while back with the pwgen method. Good to see people keeping up the awareness.
Yes! That is one reason I rarely use WiFi in public places, but even if I don't use one I will still make new passwords every so often. For the average person, using something like LastPass is very helpful in preventing phishing attacks, but that still can't stop MITM.
Thanks for the insightful comment.
Thanks...I shall take a good look at my choice of passwords...
Yes, we all need to stay mindful <3
Brilliant post, now I can set up my password and keep my Steem account safe, thanks @jrswab
That was the plan! Thanks for the comment.
Fantastic post, jr!
That is a great method! I knew many ways of creating secure passwords, but the dice method was new to me, thank you for that!
Despite that, I really don't think that LastPass is a good tool for your passwords since it stores them online without the option of only storing the data offline.
Unfortunately many programs have that problem. I still use 1Password, because I have an old version that syncs my devices over my (private) WLAN with no cloud involved at all. In my opinion that is the best way of handling passwords.
Does anyone know an alternative available for Mac/PC/Android/iOS?
Here is what LastPass says:
You can read more information here.
That's what they claim. And maybe that's what they really intended to do, but a single bug can help a potential hacker to read my data.
The problem is that those hackers are more likely to attack one cloud with the data than thousands of single people's devices.
Yes, that is very true. The goal here is to get the average person to have better password management. While using a service like LastPass is not ideal, it is leaps and bounds better than what most people are doing.
Very good and helpful article. I definitely think the way forward is MFA, though more sites need to incorporate it.