Sunday, August 14, 2011

Password Security

The below XKCD comic has led me (and others) to consider Password Security the past week.  The webcartoonist defends his math here, though it should be noted, very few are arguing the underlying message.

First, since this is a Genealogy-focused blog, let me tie Password Security to Genealogy. It's rather simple. As a Genealogist you probably have an account for at least one of the following:
If you are into social networking you may have an account at
  • Facebook
  • Google
  • Twitter 
If you buy stuff online you may have an account at
  • Amazon
  • Apple
And of course, if you pay bills online
  • Your Bank
  • Paypal
Not everyone realizes this, but it is recommended that your password be different on every website.  That way, if a website is hacked and your password there is discovered, it's not easy for the hackers to sign in to your other accounts.

This is why some suggest The Only Secure Password is the One You Can't Remember.

Using software such as LastPass, KeePass, or 1Password, you can let the software remember all but one of your passwords.  Each time you log into an account, the sofware will ask you for the master password, and then enter that particular website's password for you.

This seems to be a great solution, if you have one computer.  All your passwords are stored encrypted on that one machine.

But I have:
  • A computer at home
  • One at work
  • A BlackBerry
  • An iPod.  
  • I occasionally house-sit for members of my family, and I may log into one of my accounts from their computers.  
  • When I'm at the library I may log on to one of their computers, because while I could use one of my mobile devices, I like the larger screen.
  • I have been known to check my email on my friend's computers, though those days may be behind me now with the mobile devices.
Some suggest a workaround for some of the above is Dropbox, LiveMesh, SpiderOak, SugarSync, or Wuala. (The link compares the software for each.) Each of these allow you to sync files across multiple computers.  However, the most popular of these, Dropbox, recently had a security issue.  The most secure of these five programs are SpiderOak and Wuala, because they allow you to encrypt your data locally before sending it to their website. "Your data encryption key is only saved on your computer."  Unfortunately, for me, neither SpiderOak nor Wuala works on a BlackBerry.

And, of course, none of these help you with computers that aren't synched -- those at the home of a family member, a friend, or at the library.

Is it safe to write down all your passwords on a piece of paper?

I'm not an expert, but I think it depends upon who you think you are hiding the information from, and how it is written down.

If I had a piece of paper that looked like this:

A/R - Password1
FN - Password2
GB - Password3
GS - Passord4
F - Password5
T - Password6
G - Password7
AZ - Password8
A - Password9
B - Password10
P - Password11

I could record the passwords for all of the sites I listed above.  I wouldn't put my name on it. I wouldn't include my usernames. If the piece of paper was left behind on the seat of a taxi, or at the library, and someone picked it up, what good would it do them?  Even if a fellow genealogist picked it up, and figured out the code, without knowing whose it was it wouldn't be useful.

If your spouse, or kid picked it up -- yes, they could figure it out. So if you have an issue of trust with someone in your household, this might not be a solution.

One possible compromise.

Use one of the Password Management systems for any website you are willing to limit your use to one computer (or more if you are willing to trust the synching software.)  For the handful of websites you feel you need to be able to access on other computers, you can write those down on a piece of paper.

For example, I know the only websites that I access from my Blackberry are my email, and social networking accounts.  So I could set up a LastPass, KeePass, or 1Password account using Wuala or SpiderSync for everything else, and still feel pretty secure.

So,whether you are creating one master password to control all your other passwords, or you are creating multiple passwords you will write down on a piece of paper, we are back to asking which passwords are the most secure.  Not from your spouse or kid who might be able to guess that your password is G3n34l0gy!  But from a computer hacker who knows nothing about you.  Because unless you are somebody important, no one is going to be trying to hack your accounts specifically.  You're only at risk if your password is one of the 'low hanging fruit' passwords the hackers find before they're satisfied.

Randall Munroe, webcartoonist for XKCD, isn't the first to suggest that Multi-Word Phrases are More Secure than Incomprehensible Gibberish.

Once the hacker has to resort to "brute strength" - that is, trying every possible combination of letters, numbers, and symbols - the length of the password matters more than anything else.  Even if the characters are a series of periods, dashes, or spaces.

How Big is Your Haystack helps you compute the strength of a password.

A password such as:
D0g.......... (10 periods), according to this calculator, would take at least 100 centuries to crack using brute strength.  (However, since How Big is Your Haystack mentions the D0g.......... password, it's advisable to use something else.  You want your password to be unique.)

It is important to remember that some longer passwords might be tried before brute strength.  If multiple word passwords become common, you can expect hackers to feed movie and book quotes into their databases. So the following passwords likely will not be secure:
  • Help me, Obi-Wan Kenobi. You're my only hope.
  • To be, or not to be, that is the question.
  • Hello. My name is Inigo Montoya. You killed my father. Prepare to die. 
  • As you sow, so shall you reap.


JL said...

Why so complicated? KeePass has a portable version that can be put on a flash-drive.

I do it this way. I keep Portable KeePass in My Dropbox and it gets backed up to my external hard-drive that I take with me everywhere. Just in case that's not enough, (and it is) it's also in the Dropbox to be accessed from any other computer/device. My Master Password is in my mind and nowhere else.

I think your fear of hackers adding movie and book quotes to their brute force lists is way over the top. "Nobody" would build a Master Password without adding Upper case, lower case and numbers in unexpected places.

As you sow, so shall you reap, for instance, could become 5sYouSowSosh5allyoure5p and that's already way too complicated. Geez, you only have to remember one password and 12-14 characters is plenty for the next
207,450,281+ years.

It would take a rare soul indeed to be interested in taking the time to try to crack your database without knowing if there was anything contained therein worth going after. Whoopee! a login for GenealogyBank!

John said...

First, Dropbox has already had security issues, so I don't think I am being paranoid to avoid them. I like the idea of my data being encrypted on my machine before being saved on a website.

Second, flashdrives being the size they are can be easily misplaced. I don't want to have to feel like I have to chain a flashdrive to my wrist because it contains all the passwords to all my accounts.

Third, if I were a hacker, and multiple word passwords were becoming common, you bet I would add movie and book titles to those lists. If I didn't, I wouldn't be a good hacker.

Multiple word passwords can contain upper and lower case with symbols. Also known as spaces. Easy to remmeber, hard to hack.

JL said...

Dropbox security is irrelevant to your passwords if they're in KeePass. No-one can open KeePass without the Master Password.

Are pieces of paper, or anything, harder to lose than a flash-drive? Most men have pockets in their clothes. Obviously, I'm not suggesting this be the only copy of your password database.

Multi-word passwords can be anything - IlovemydogSpot, for instance. Hacking them is simply impossible due to the time involved. Using a book or movie title, losing your password database and having it picked up by a 'good' hacker - the odds are astronomical.

John said...'re storing the Keepass file that contains that master password in Dropbox so that you can use it on multiple computers...right?

Anyway...there are alternatives to Dropbox - such as Wuala - that allow for encrypting the data locally before storing it online, so the decryption key isn't available to the successful hacker.

Your last paragraph about multiple word passwords being impossible to crack is exactly what I'm saying. They're much easier to remember than the gibberish combinations of letters and numbers IT experts have been telling us to use for years.

JL said...

I guess you don't understand KeePass. All your passwords (and I have 360 of them) are in a database that can only be entered by the Master Password. That one password is not/should not be written down anywhere anyone else can find it except maybe your spouse, legal rep, etc. Keep it in your head and, probably, (in case you're suddenly incapacitated) also on a scrap of paper hidden where no-one devious could find it, i.e. your sock drawer. The only other person who has access to mine is my Power of Attorney and I trust him implicitly.

John said...

I guess I am confused because in my mind the only way KeePass or any of the other password management systems can work across more than one computer is if the Master Password (and all other passwords) are stored in identical databases on all the computers.

That's where I assume Dropbox comes in, so that all the passwords, including the master one, are stored identically.

But it also means all the passwords, including the master one, are stored on Dropbox's website.

John said...

I went to the KeePass page. You're right, it does operate a bit differently. Apparently nothing gets stored on the computers themselves, but on some portable media (USB stick, CD/DVD, portable hard drive.) In this case, Dropbox is unnecessary. But that portable medium becomes pretty important not to misplace.

You can also use key files instead of a master password, which probably would be even more secure.

JL said...

The part you're missing is that you don't 'store' the Master Password on a computer. You store the database itself which contains all your passwords EXCEPT the Master Password which allows you entrance to the rest. THAT one you keep in your head.

The password database itself can be on a computer, multiple computers, flash-drives, external drives, etc. Basically, anywhere and I would suggest more than one place. Mine is on my computer, in My Dropbox, on external drives and a flash-drive. Keeping them in sync is quite painless because I use Syncback for backups which takes me all of 5 seconds several times a day.

A mixed case Master Password 12-14 characters in length is utterly sufficient. I would suggest anything of more than one word such as a movie or book title, (sure, why not) a snippet from a poem or such like with some variation of caps and numbers that you can remember. If you can remember that one password, that's the key into all the rest. I would suggest you write that one down somewhere at home in case of a senior moment. I have 30 people a day (and have had for years) coming into my website asking how to crack KeePass. Unless the Master Password is pathetic, they're sh** out of luck.

The passwords inside the KeePass database can be made or re-made to be secure on their own; 'hiYGU13*&YjdHK' type of password. The magic there is that you don't have to remember those; the database does it for you.

John said...

That master password must be stored somewhere.

Or else the program has no way to verify that you are entering the correct master password.

You store it in your head, but if it isn't stored in the computer, or on the portable media, the program has no way to verify it.

JL said...

John, you're pretty much losing me here.

When you first set up KeePass, you define the Master Password. It must be in the KeePass database somewhere from that point on in order for KeePass to recognize it when you type it in. But you cannot get into the database, and neither can anyone else, without it.

JL said...

What I'm saying is that the Master Password is not stored anywhere outside of KeePass. It goes into some mysterious compartment of KeePass when you first choose it, (invisible to the naked eye) where it either matches or doesn't match when you type it in again. If the only places you keep it are in your head and in your sock drawer, no-one can get it and no-one can get in.