Some time ago I wrote a paper on Choosing a Password covering the frequency of changing, length, psychology, and entropy of passwords. I also learned a lot about password cracking while I was doing some testing. First I'll sum things up, then I'll go into the reasons for the suggestions.
_________________________________________________________________________________
How to Choose a Password
Read this part and you won't have to read any further; keep reading if you want to know the reasons behind my suggestions.
- Break your passwords into 2 categories: Secure and Hacked.
  - Secure
    - Use these passwords for the important stuff: bank accounts, email, Facebook, and other things where lying about your personal information will hinder the service.
    - These passwords are maximum length and look like a random mess.
    - Think of a phrase, quote, or song lyric that you remember easily.
      - Example: "There he is wrapped in a ball, Doesn't seem to move at all, Perhaps he's dead, I'll just make sure, Pick this book up off the floor."
    - Use a simple system to warp the phrase, quote, or song lyric into a random mess (don't use my example).
      - Take the 2nd character of each word, reverse the result, capitalize the last character, and change "p" to "3" and "L" to "!":
      - lhfpohiuauleeeltooeoanrseh
      - !hf3ohiuau!eee!tooeoanrseH
      - The above is a good strong password.
    - Write them down and store them in your wallet because they are difficult to remember.
      - For higher security you can write down a hint, not the actual password. For the example above I would write "Facebook favorite song lyric."
  - Hacked
    - Reuse one or two passwords for accounts where false information about you does not hinder the service, like Grooveshark, CNN, and Codecademy.
    - Pick a simple password to remember and reuse it, preferably 10 or 12 characters long using caps, special, and numerical characters.
    - The key here is to lie about your personal information, because you expect the account to get hacked.
- Always lie for the security questions.
  - Many times you won't be able to write your own question, so you will get one like "What is your mother's maiden name?" or "What was your first pet's name?"
  - Put a stupid answer down and make a note of it somewhere. For "What was your first pet's name?" you could put "somestupidnamemymomthoughtof".
  - Try not to reuse the same answer, even for the same question, and write them down because you will not see them again until you need them.
- Use two-factor authentication when possible.
- Having to change a password often can hinder your choice of a password, so consider using a good strong password and sticking with it.
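The warping system from the Secure steps above, as an added Python example (this is not code from the original post; the function names are my own). It reproduces the page's intermediate string and final password from the quoted lyric, dropping punctuation and skipping one-letter words the way the worked example does:

```python
import re

# The page's own example lyric; everything else in this block is an added illustration.
EXAMPLE_PHRASE = ("There he is wrapped in a ball, Doesn't seem to move at all, "
                  "Perhaps he's dead, I'll just make sure, "
                  "Pick this book up off the floor.")

# The page's substitution rule: "p" becomes "3" and "L" becomes "!".
# Applied case-insensitively, since the example replaces lowercase l as well.
SUBSTITUTIONS = {"p": "3", "P": "3", "l": "!", "L": "!"}


def second_letters(phrase: str) -> list[str]:
    """Second letter of every word, in reading order.

    Punctuation is dropped first, so "I'll" counts as "Ill" and yields "l",
    matching the page's example; one-letter words such as "a" are skipped
    because they have no 2nd character."""
    letters = []
    for word in phrase.split():
        clean = re.sub(r"[^A-Za-z]", "", word)
        if len(clean) >= 2:
            letters.append(clean[1].lower())
    return letters


def reversed_second_letters(phrase: str) -> str:
    """Steps 1 and 2 of the page's system: 2nd characters, read backwards."""
    return "".join(reversed(second_letters(phrase)))


def warp(phrase: str) -> str:
    """Full system: reverse, capitalize the last character, then substitute."""
    chars = list(reversed_second_letters(phrase))
    if not chars:
        raise ValueError("phrase needs at least one word of two or more letters")
    chars[-1] = chars[-1].upper()
    return "".join(SUBSTITUTIONS.get(c, c) for c in chars)


if __name__ == "__main__":
    print(reversed_second_letters(EXAMPLE_PHRASE))  # lhfpohiuauleeeltooeoanrseh
    print(warp(EXAMPLE_PHRASE))                     # !hf3ohiuau!eee!tooeoanrseH
```

Swap in your own phrase and your own substitution rule; the point is that the rule, not the phrase, is what you keep secret.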
_________________________________________________________________________________
Why use this method
A few things I learned while writing the paper: password cracking tools learn, they make educated guesses, and a password is only as good as the hash used to store it.
Yes, password cracking tools learn and take notes, so the more you use them the faster they are. For example, John the Ripper has a hidden file where it keeps notes on the hashes it cracked. I noticed the file would contain pieces of hash and the corresponding clear text for later use.
I also noticed that passwords were cracked faster with repeating characters. For example, I gave it a list of hashes of passwords similar to the following:
mypassword
mypassword1
mypassword11
mypassword111
and so on.
I noticed that after 15 minutes or so the first password would be cracked, then the remaining passwords would be cracked almost immediately, suggesting it altered its strategy according to what had been found so far.
Note that I was cracking New Technology LAN Manager (NTLM) hashes, and NTLM is well known to be broken. A password is therefore only as good as the hash used to store it, so we should use a random mess for important passwords.
With all this in mind, I considered three popular password strategies: leet, haystacks, and what I suggest, a random mess.
Leet is a bad idea because dictionaries and rainbow tables have been made to crack all the possibilities. The leet strategy has been around too long, and with storage space continuing to get cheaper we are near the point where full word phrases (for example, tobeornottobethatisthequestion) will no longer be sufficient.
Haystacks are a bad idea because password cracking tools adjust their strategy to what was previously found.
What is left is to choose a good random mess, but a random mess is hard for humans to remember, so this post gives you a way to remember a good random mess without having to trust other software to do it for you.
_________________________________________________________________________________
Why Break passwords into 2 categories
Breaking the passwords into two categories reduces the amount you need to remember. The average person has over 25 accounts that require a password; I have over 50. One category is for the complicated passwords used on sensitive accounts. The other category is just one or two easy-to-remember passwords that will be reused. The point is to protect the valuable accounts with a good password. The weak passwords are for accounts that are expected to be hacked, and since we lie about our information the hacked account will not hurt us.
Making the hacked or reused password 10 characters long and including caps, numbers, and special characters means it will pass the majority of filters when signing up for things. Remember to lie about your information for these passwords.
_________________________________________________________________________________
Why lie for security questions
Hackers can use your security questions to reset your password. Most websites have a list of security questions to choose from, and with a little social engineering many of them can be figured out. We avoid this by lying on each question and making a note of the answers, because it could be years before we ever need to know them.
_________________________________________________________________________________
Why use 2 Factor Authentication
There are three factors of authentication: something you have, something you know, and something you are. Something you are would be a fingerprint or an eye scan. Passwords are something you know; with two-factor authentication you can bring in something you have, your cell phone. Unfortunately cell phones can be spoofed, and there are ways around two-factor authentication that relies on cell phones.
So, why use a second factor of authentication if it is so difficult to do correctly? Hurdles: we are putting more hoops and hurdles in the hacker's way for a successful attack. The key lesson here is that nothing is 100% secure, so the best we can do is put up as many road blocks as possible to push the hackers to easier pickings that are not us.
_________________________________________________________________________________
How often to change passwords
This is the most difficult question because it is hard to know just what a criminal wants with your credentials. Bank account credentials can be monetized several ways: they can sell a bulk list of them, keep access to the account to slowly steal small amounts of money, or steal as much as possible quickly. The issue with a bank account is that you trust a large number of people to handle your transactions, so the best defense is to Check Your Accounts.
Bruce Schneier explains Changing Passwords well and points out that if you are required to change a password too often you are more likely to choose a bad password. Overall I think changing passwords on a quarterly basis or more often does more damage than good. A much better solution is to implement two-factor authentication while using strong passwords.