Password Tips March 13, 2019
OMUG
What’s Wrong With Our Passwords
• Too simple.
• Used in more than one place.
• Too many and too hard to remember.
• Sometimes expire and need to be changed.
• Poor or non-existent password management.
How Do You Store Your Passwords?
• I use one, two, or three and rotate between them.
• I memorize them!
• Post-it notes.
• Scattered pieces of paper.
• Notebooks.
• Taped to the bottom of your keyboard.
• Text or spreadsheet file on your computer.
• Password manager program.
How Passwords are Hacked
• Theft via hacking, poor server management practices, or social engineering mistakes.
• Dictionary attack - guesses passwords from databases of words, numbers, and symbols.
• Brute force attack - systematically guesses passwords by trying all possible combinations.
• Rainbow Table - a precomputed table used to reverse the hashing (often loosely called encryption) that protects stored passwords.
• Keyboard loggers / nosy people.
Facts
• Brute force attacks depend on the number of possible combinations, which grows exponentially with password length.
• For a computer, the passphrase “my awesome car is on fire” is exponentially more difficult to crack than the password “@y23k3!34”.
• A powerful computer or botnet can test over 2 billion password combinations per second.
• Free and inexpensive password cracking tools exist.
• Databases with pre-cracked lists of passwords are sold in the dark web.
What Happens When a Password is Hacked or Stolen?
• The hacker will use a variety of techniques to break the encryption (crack the stored password hashes).
• Then they will try the password at every major bank, credit card company, payment system, retail store, and email system to find other places it was used.
• They will use public records to get addresses and other information asked for in security questions.
Reusing passwords is one of the most dangerous practices you can do.
What Makes a Good Password?
• Old advice — combine upper and lower case, symbols, numbers, and have at least 8 characters.
• Current advice — use long passphrases. Longer, random, complex passphrases are better.
Key passwords need to be memorable. If you can’t remember a password, it is useless!
Familiar Tricks Don’t Work
Substitutions: M1$$1$$1p1
Keyboard patterns: qwertyasdf
Repetitive padding: Montana12&*-&*-&*-&*
Hackers read the same password tips that we do.
Suggested Password Strategy
Create strong, memorable passphrases for your key passwords.
1. Password manager program’s master password.
2. Computer login password.
3. Mobile device passcode.
4. Apple ID password.
5. WiFi password.
Practice and memorize them.
Use a password manager program for everything else.
Password Creation Tips
Avoid secrets or things that are personally meaningful.
Don’t use family names, birthdays, pet names.
Use a Password Generator.
randompassphrasegenerator.com
xkpasswd.net/s/
1password.com/password-generator/
Test Your Password
lowe.github.io/tryzxcvbn/
rumkin.com/tools/password/passchk.php (entropy)
password-checker.online-domain-tools.com
howsecureismypassword.net
my1login.com/resources/password-strength-test/
Examples
Password                    Length  Time to Crack
Mississippi                     11  < 1 sec
Msssspp (no vowels)              8  17 min
M1$$1$$1p1 (substitution)       11  3 hours
Msssspp-1 (no vowel-#)          10  4 hours
Miss-iss-ippi (add dashes)      13  15 days
my-home-in-Mississippi          22  Centuries
Times from lowe.github.io/tryzxcvbn/ @ 10K/sec
Password Entropy
Entropy — a measure of password complexity. Measured in number of bits.
< 28 Very Weak: might keep out family members
28 - 35 Weak: should keep out most people, good for desktop login
36 - 59 Reasonable: OK for networks and companies
60 - 127 Strong: good for financial information
128+ Very Strong: often overkill
source: rumkin.com/tools/password/passchk.php
Password Entropy Examples
Password                        Length  Entropy  Time to Crack
idiot                                5       20  < 1 sec
An idiot                             8       23  3 minutes
An id iot                            9       38  1 day
I am an idiot                       13       45  6 months
I am such an idiot                  18       60  Centuries
I’ll bet you are an idiot too       29       84  Many centuries
Times from lowe.github.io/tryzxcvbn/ @ 10K/sec
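Worked example (added here, not part of the OMUG slides): a naive brute-force entropy estimator in Python that applies the slide's entropy bands and the 10K/sec and 2 billion/sec guess rates quoted above. It assumes a 33-character class for symbols and space and credits only the character classes used, so it gives the attacker no help from dictionary words; that is why its numbers come out higher than the zxcvbn figures in the table, and it is the caveat with any entropy-only checker.

```python
import math

BANDS = [(28, "Very Weak"), (36, "Weak"), (60, "Reasonable"), (128, "Strong")]  # slide's bands
CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10), (lambda c: not c.isalnum(), 33))

def charset_size(password: str) -> int:
    """Naive brute-force alphabet; symbols and space share one 33-char class (an assumption)."""
    return sum(n for test, n in CLASSES if any(test(c) for c in password))

def entropy_bits(password: str) -> float:
    """Bits = log2(charset ** length) = length * log2(charset)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def strength_label(bits: float) -> str:
    for limit, label in BANDS:
        if bits < limit:
            return label
    return "Very Strong"

def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time: on average half the keyspace is searched before a hit."""
    return 2 ** bits / 2 / guesses_per_second

def human_time(seconds: float) -> str:
    """Round to the largest unit, like the slide's 'Time to Crack' column."""
    if seconds < 1:
        return "< 1 sec"
    if seconds >= 1000 * 3.1536e9:  # beyond 1000 centuries the slide just says 'Many centuries'
        return "Many centuries"
    units = ((3.1536e9, "centuries"), (3.1536e7, "years"), (86400, "days"),
             (3600, "hours"), (60, "min"), (1, "sec"))
    for size, unit in units:
        if seconds >= size:
            return f"{seconds / size:.0f} {unit}"

def report(password: str, guesses_per_second: float) -> dict:
    bits = entropy_bits(password)
    return {"length": len(password), "bits": round(bits, 1), "label": strength_label(bits),
            "time": human_time(seconds_to_crack(bits, guesses_per_second))}

if __name__ == "__main__":
    # Rates from the slides: 10K/sec (the tryzxcvbn demo) and 2 billion/sec (a botnet).
    for pw in ("idiot", "M1$$1$$1p1", "my-home-in-Mississippi"):
        for rate in (1e4, 2e9):
            print(f"{pw:24} @ {rate:.0e}/sec -> {report(pw, rate)}")
```

Compare the substituted "M1$$1$$1p1" with the 22-character "my-home-in-Mississippi": the longer passphrase wins by a wide margin at both guess rates, which is the slide's point about length over tricks.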
Password Manager Programs
• Store all your passwords in an encrypted vault.
• Generate complex passwords and passphrases.
• Sync passwords with all your devices.
• Use to enter passwords into forms.
• Only need to remember a single master password.
1Password www.agilebits.com
LastPass www.lastpass.com
Dashlane www.dashlane.com
Roboform www.roboform.com
Don't forget your master password!
Books
takecontrolbooks.com/passwords
takecontrolbooks.com/1password
Questions?