Password Post on the Tekserve Blog

Here is a post I put up on the Tekserve Blog. There was a really good follow-up question in the comments that I responded to as well.

I talk about passwords a lot, mainly because the vast majority of users treat their passwords so poorly. And, well, I can’t exactly blame them. The average user has dozens—if not hundreds—of accounts that require them. Managing all of them is a potential nightmare, especially if you follow the rules for good passwords:

  • Random
  • Complex
  • Long
  • Unique

Since most of us can’t memorize something like “XfsAZ9dc@U2Ptco8aXv3G]{GL>dcNo,” a lot of us give up and just use something easy—”123456″ for example. In fact, nearly 2 million Adobe users were found guilty of this password sin when their database leaked a few months back (if you were one of those people, drop everything and change your passwords now—we’ll still be here when you get back).

We of course have password managers—we highly recommend 1Password—but is there any way for us to have memorable passwords that are also strong?

The always excellent XKCD says “yes”:

[XKCD comic: “Password Strength”]

This comic has been around a little while, but it posits that a strong password may not need to look like the mess in my above paragraph. They use the example of correcthorsebatterystaple. That’s correct, horse, battery, staple: four easy-to-remember words that pretty much never occur together. If a computer can guess 1,000 passwords per second, it would take 550 years to exhaust every possibility for this password. That’s long enough that you probably won’t care by the time they succeed. I cannot argue with their math, though note that 1,000 guesses per second is the comic’s assumption for an attacker hammering a rate-limited web login; an attacker who has stolen a site’s password database and is cracking it offline can test billions of guesses per second, which turns those 550 years into hours. It is certainly way better than “123456.” And it’s highly unlikely that anyone would ever guess this, especially when so many of your fellow users will be using “123456” (so much easier to target the weak!).
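To make the comic’s arithmetic concrete, here is an added worked example (my code, not the comic’s or the original post’s) that computes the entropy of a four-word passphrase and of the 30-character string above, and the time needed to exhaust each at the comic’s online rate of 1,000 guesses per second versus an assumed offline rate of a billion per second. The 2048-word vocabulary, the 94-character alphabet and the guess rates are assumptions stated in the code.

```python
import math

# Assumptions for this worked example (not from the post): the comic's four
# words come from a vocabulary of about 2048 common words (11 bits per word,
# 44 bits in total); the 30-character string is drawn from the 94 printable
# ASCII characters. Both guess rates are illustrative.
WORDLIST_SIZE = 2048
PRINTABLE_ASCII = 94
SECONDS_PER_YEAR = 365.25 * 24 * 3600

ONLINE_RATE = 1_000            # throttled web login: the rate the comic assumes
OFFLINE_RATE = 1_000_000_000   # GPU cracking a leaked table of fast, unsalted hashes


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Entropy of a secret made of `symbols` independent uniform choices from `pool_size`."""
    return symbols * math.log2(pool_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; on average an attacker needs half of it."""
    return 2.0 ** bits / guesses_per_second


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def compare(passphrase_words: int = 4, random_length: int = 30) -> dict:
    """Reproduce the comic's numbers and extend them to an offline attack."""
    phrase_bits = entropy_bits(passphrase_words, WORDLIST_SIZE)
    string_bits = entropy_bits(random_length, PRINTABLE_ASCII)
    return {
        "passphrase_bits": phrase_bits,
        "random_string_bits": string_bits,
        "passphrase_years_online": years_to_exhaust(phrase_bits, ONLINE_RATE),
        "passphrase_hours_offline": seconds_to_exhaust(phrase_bits, OFFLINE_RATE) / 3600,
        "random_string_years_offline": years_to_exhaust(string_bits, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>28}: {value:,.1f}")
```

The four words give 44 bits and about 557 years at the online rate, matching the comic; the same 44 bits fall in under five hours at a billion guesses per second, while the 30-character string (about 197 bits) stays out of reach at any rate.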


But I do have a few issues with this.


Scalability

My biggest problem with the random-words method is that it does not scale well. For one or two websites, this works well, but what happens when you get to 50, something that is all too common in the modern world? Obviously you don’t want to use the same password everywhere. So there’s just no way you will remember your random words without simply reusing the same ones over and over again. And that is the worst thing you can do.

This is because the greatest danger to your passwords these days comes in the form of leaked databases. Like the aforementioned Adobe breach, numerous companies have found their own servers hacked and their user database out of their control. If they did it right, this is still not a big deal, because the right way to store passwords is not to store them at all: the site keeps only a salted, deliberately slow one-way hash (bcrypt, scrypt or PBKDF2) of each password. A stolen database of those is expensive to crack, and a long random password in it is effectively uncrackable. Unfortunately for all of us, these databases are often stored in shockingly insecure ways, as fast unsalted hashes or sometimes even in plain text! That means that a bad guy who got your password from one site can just go use it on another.
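As an added illustration (my code, not anything from the post), the following compares the two storage styles just described: a fast unsalted hash, which lets an attacker crack a whole leaked table with a single pass over a dictionary, against a salted PBKDF2-HMAC-SHA256 record with a high iteration count and constant-time verification. The “leaked database” and the attacker’s dictionary are constructed sample data.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


# --- the wrong way: a fast, unsalted hash (plain text is only slightly worse) ---

def unsalted_sha256(password: str) -> str:
    """One SHA-256 over the password: fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: dict, dictionary) -> dict:
    """Dictionary attack on an unsalted table: hash each guess ONCE and look it up
    against every user at the same time. The cost is the size of the dictionary,
    not the number of users, and everyone sharing a password falls together."""
    lookup = {unsalted_sha256(guess): guess for guess in dictionary}
    return {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}


# --- the right way: salted, slow, one-way ---------------------------------------

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt per user means equal passwords give unequal records,
    so each user has to be attacked separately and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password hash format: {algorithm}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed sample "leaked database" and a tiny attacker dictionary.
LEAKED_UNSALTED = {
    "alice": unsalted_sha256("123456"),
    "bob": unsalted_sha256("123456"),
    "carol": unsalted_sha256("XfsAZ9dc@U2Ptco8aXv3G]{GL>dcNo"),
}
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


if __name__ == "__main__":
    print("cracked from unsalted table:", crack_unsalted(LEAKED_UNSALTED, COMMON_PASSWORDS))
    record = hash_password("123456", iterations=20_000)  # low count only to keep the demo quick
    print("salted record:", record)
    print("verify correct:", verify_password("123456", record))
    print("verify wrong:  ", verify_password("1234567", record))
```

Note that alice and bob have the same digest in the unsalted table, which is how an attacker spots shared passwords before cracking anything; with a per-user salt the same password produces a different record every time it is hashed.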

Predictability

And this is my second issue with the comic’s suggestion. Even if your passwords were different from site to site, generating them all with the same method could leave you vulnerable. A password recovered from one leaked database tells the attacker what your others probably look like (four dictionary words run together), so they can aim a much smaller, word-based search at your other accounts instead of trying every possible string. (The responsible thing for a company to do is reset everyone’s passwords the moment they realize there has been a breach; this, unfortunately, is also much rarer than it should be.)

Now in reality, it is highly unlikely that anyone would go to the lengths of breaking this kind of password unless you were a specific target for whatever reason. But remember, passwords only get weaker with time, not stronger: cracking hardware gets faster and every new leak adds to the attackers’ word lists. Might as well start out in the right place now.


So, What Now? Use a Password Manager.

As strong as correcthorsebatterystaple is (the comic credits it with about 44 bits of entropy), XfsAZ9dc@U2Ptco8aXv3G]{GL>dcNo is still orders of magnitude stronger: 30 characters drawn from the full printable keyboard carry nearly 200 bits. And, since you really can’t commit enough of the random word passwords to memory anyway, the only truly scalable solution right now is to use a password manager.

Password managers serve two purposes. The first is to store, securely, all of the passwords that we use across the internet. The second is to generate all of those passwords so that we don’t have to come up with them ourselves. Human beings are bad at randomness. Our brains crave patterns and, even subconsciously, we fall into them.

What’s great is that the Mac already has this functionality built in. The application Keychain Access (located in the Applications/Utilities folder) will generate and store passwords. In fact, if you are using OS X 10.9 Mavericks, this functionality is built right into the Safari browser. And, if you have a device running iOS 7, you can sync these passwords (securely) via iCloud to your mobile devices.

Personally, I prefer the awesome 1Password. This app is much more feature-rich than the built-in keychain, and has the added benefit of being able to sync to Android and Windows—in addition to Mac OS X and iOS. Most of my passwords are along the lines of XfsAZ9dc@U2Ptco8aXv3G]{GL>dcNo. I couldn’t tell you what they were if you tried. (Except for a few.)


Conclusion: Back to XKCD

All this is where the true value of the XKCD comic comes in. While most of my passwords are blobs that even I could never guess in a billion years (literally), there are a few I need to know—that I need to be able to remember. And, for those, a simple string of random words works great. Just make sure your words are random, nonsensical, and never used in more than one place. Until we figure out a way to authenticate that is not password-dependent (and no one wants this more than me), using a password manager is your best bet.
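Here is an added example (my code, not the post’s) of generating such passphrases the right way: words and characters are drawn with Python’s secrets module rather than by a human brain, and the number of words is sized to the word list so the result reaches a target entropy. The word list is a constructed sample of 24 words; the 7776-word Diceware size is an assumption about the list you would actually use.

```python
import math
import secrets
import string

# Constructed sample word list. The words must be random and unrelated, and the
# size of the list, not the words themselves, is what sets the strength.
SAMPLE_WORDLIST = (
    "anchor", "battery", "cactus", "correct", "dolphin", "engine", "fossil",
    "glacier", "horse", "island", "jungle", "kettle", "lantern", "marble",
    "nickel", "orbit", "pepper", "quartz", "rocket", "staple", "tunnel",
    "velvet", "walnut", "yogurt",
)
DICEWARE_SIZE = 7776  # assumed size of a standard Diceware list
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Entropy of `symbols` independent uniform choices from a pool of `pool_size`."""
    return symbols * math.log2(pool_size)


def words_needed(min_bits: float, wordlist_size: int) -> int:
    """Smallest number of uniformly chosen words that reaches min_bits of entropy."""
    return math.ceil(min_bits / math.log2(wordlist_size))


def random_passphrase(num_words: int = 4, wordlist=SAMPLE_WORDLIST) -> list:
    """secrets.choice draws from the OS CSPRNG. random.choice is a Mersenne
    Twister seeded from guessable state and must never be used for secrets."""
    return [secrets.choice(wordlist) for _ in range(num_words)]


def passphrase_for_strength(min_bits: float = 44, wordlist=SAMPLE_WORDLIST) -> list:
    """Size the phrase to the list: 4 words from a 2048-word list reach 44 bits,
    but this 24-word sample needs 10 words for the same strength."""
    return random_passphrase(words_needed(min_bits, len(wordlist)), wordlist)


def random_password(length: int = 30, alphabet: str = PASSWORD_ALPHABET) -> str:
    """What a password manager generates: every position uniform over the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    words = passphrase_for_strength(44)
    print(" ".join(words), f"({entropy_bits(len(words), len(SAMPLE_WORDLIST)):.1f} bits)")
    print(f"4 words from a Diceware list: {entropy_bits(4, DICEWARE_SIZE):.1f} bits")
    print(random_password(), f"({entropy_bits(30, len(PASSWORD_ALPHABET)):.1f} bits)")
```

The sizing function is the practical takeaway: four words are only “44 bits” when they come from a list of a couple of thousand words you did not pick yourself; picking favourites from a short mental list is a much smaller search.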

Password Post on the Tekserve Blog was last updated January 4th, 2014 by Michael Truskowski