To continue my examination of passwords, we have already seen how to generate them. Now that we have spent all of that time coming up with a password that is hard for someone to guess, we need to be able to use it while keeping secure. How do we make them user friendly and accessible while at the same time ensuring that they are secure from prying eyes?
Once you have generated your password, you need to remember it. Anyone can remember a few secure passwords, but remembering a bunch of them becomes problematic, especially when they are secure and change every few months, as they should.
The use of password memory devices like license plate numbers, or children’s birthdates, or whatever other memory devices you may use has two different drawbacks- the number of passwords that you can remember like that will be limited, and will also be difficult to keep straight across a large number of accounts. I tried that method, and it fails when you begin getting a large number of them.
My password wallet has over 300 unique passwords stored in it. Some of them, like for bank and email accounts, are 20 characters long and change twice a year. Others, like for commenting on Disqus, are 12 characters long and may change every two or three years. That’s a lot of remembering. I simply can’t do it.
So how do we store our passwords? I used to use one common password for bank accounts, another for email accounts, yet another for blogs, etc. What this means is that you are running the risk of a data breach at one company exposing your passwords for others. Not ideal.
You can keep them off of all computers and just do what my mother in law does. She keeps a notebook with all of her passwords written down in it. Then what? Do you carry it around with you? What if you lose it? How do you constantly update it? Not convenient, not secure.
How about letting the browser on your computer store it? Then it isn’t portable across platforms. Many browsers store passwords in an unsecure format that is there for some hacker to steal. Not secure. That’s because desktop web browsers do a lousy job of safeguarding your information.
One big security hole for passwords is your spellchecker. Your spellchecker has a list of words that are spelled correctly, and compares that list to the words that you are typing. If there is not a match, it marks a ward as misspelled and may even suggest the correct spelling. Some systems will even automatically insert the word that is a likely match. Users add new words to the spellcheck dictionary by telling the system that the word is correctly spelled, then the software adds the new word to the dictionary.
What if that new word isn’t a word at all, but is instead the password to your bank account? Spellcheck dictionaries aren’t secure at all. The spellchecker simply marks the passwords as being correctly spelled by saving them to the dictionary. The two Internet browsers that are most notorious for this are the “enhanced spell check” feature found in Chrome’s settings or the browser extension “Spelling & Grammar Checker” for Microsoft Edge. Huge security problem there.
You can let Google store them for you, but that isn’t a great idea. Do I really need to explain why?
So we are left with password storage companies. If we want our passwords to work across multiple platforms- at home, on our cell phones, at work, and everywhere else where we use it, there are only a couple of ways to do that. We can transfer it from platform to platform manually, or we can allow the password wallet to be stored on another person’s system.
These systems have advantages- we can store a large number of complex passwords in a format that makes them readily available. The password list is more secure than writing them down, and since the password storage company stores the password file in an encrypted format with the decryption key being your master password, you now only have to remember the master password. For those of you who have a trick for memorizing a password, here is where you shine. You can use the license plate numbers of your last three cars, your kids’ birthdates, and other mnemonics to come up with a secure passphrase that is easy for you to remember, but hard for a black hat to guess, and use that to secure your password wallet.
The risk here was displayed by LastPass recently. A password companies files can be compromised, and the black hats are now in possession of your encrypted passwords. They can now brute force your master passphrase at their leisure and get your passwords.
This post is already long, so we can discuss this in a later post.
14 Comments
Matthew W · January 8, 2023 at 2:28 pm
I have a notebook next to my computer
Divemedic · January 8, 2023 at 8:43 pm
To those who use notebooks with your passwords written in them: Do you carry it with you everywhere? How do you handle password management when away from home?
KurtP · January 9, 2023 at 8:46 pm
The only time I’m on the computer doing what needs passwords is when I’m at home on the desktop. (except for email and I know those passwords)
I don’t need them anywhere else.
Neo Isn't The One · January 8, 2023 at 7:20 pm
A buddy let a machine go for a year cracking passwords back in dial up days.
We had tons of free accounts along with the hacked local EDU which was easy.
No one was at the controls as half of this side of town logged in on the same account.
Yes, there were plenty of 12345 and “password” used as the pass.
Michael · January 8, 2023 at 7:42 pm
I’m a bit of a luddite (no wi-fi in the house) and I too use a notebook to keep my passwords.
I’ve seen too many “Secure” chat rooms, and such turn out to be Feddie traps and I have a great deal of concern that the VPN’s are also running through the NSA supercomputer system.
What is your opinion of Norton’s Lifelock services?
Divemedic · January 8, 2023 at 8:44 pm
To those who use notebooks with your passwords written in them: Do you carry it with you everywhere? How do you handle password management when away from home?
Michael · January 9, 2023 at 8:22 am
Divemedic, in answer to your query, I DON’T DO the Internet away from my home aside from checking the weather or sites like this.
No banking, no electronic shopping so no passwords needed.
Please correct me if I need passwords to check my cell phone for this site.
Still very interested in your thoughts about Norton Lifelock and similar programs.
Divemedic · January 9, 2023 at 9:03 am
No, I don’t collect data here, other than what you provide and your IP address when you comment. There is no need to provide real information.
I only ask for a name so we have continuity. Makes it easier to have a conversation if I know what to call you, but I don’t care what name you use.
Similarly with email address, the only reason that’s asked for is so you can get notification when someone replies to you. If you don’t care about that, use a fake address.
Lifelock does useful stuff, but nothing that you can’t do yourself for less money. They are charging you money to do things for you that you can largely do for free. You are entitled to a free credit report from each of the bureaus each year. You can place a lock on your credit reports through each bureau.
Mike · January 8, 2023 at 7:59 pm
I use a local (non-cloud) password storage program on my phone, which is protected by a very long password I never use anywhere else and is not susceptible to typical attacks. That leaves me as the weak link (see XKCDs comic on super-secure passwords and how to crack them).
Steve S6 · January 8, 2023 at 8:35 pm
I use 1Password. Saw where Lastpass got hacked multiple times. I also, as you mentioned earlier, use Yubikey with it. Even if someone guessed my master password they couldn’t access the password list without the physical key.
Divemedic · January 9, 2023 at 7:47 am
The LastPass breach was caused by an employee whose credentials were compromised in a phishing attack. I don’t think that this can be used as a reason to avoid LastPass. A similar attack could easily happen to any password storage company.
Sesquipedalian Anecdotalist · January 9, 2023 at 7:03 am
Twenty character passwords aren’t long enough.
What does one character store?
Don’t assume the best, assume the worst.
Twenty-six characters (upper and lower folded into a single case), ten digits, and roughly sixteen symbols and other characters that are database text safe adds up to 52, or about 2^5.7.
And so your twenty character password at best provides 2^114 of cryptographic strength.
Sounds good so far?
Except that it isn’t if the backend stores your “password” in hashed form, specifically via MD5 which has a 128-bit (or 2^128) hashing space.
2^128 of hashing space with a password of 2^114 strength leaves 2^14 hashing collisions, which means that there are 2^14 passwords within the hashing space that have the same result.
But what still uses an “obsolete” hashing scheme like MD5?
Voice over IP authentication still uses MD5.
Weak passwords make drive-by MD5 password discovery of VoIP account passwords possible.
You’ll notice after the first few thousand dollars gets drained out of your account at your office PBX service provider.
Now let’s make this worse: certain types of quantum attacks can half the exponent of the hashing space, and so 2^128 becomes 2^64.
Once upon a time, 2^64 was computer infinity, but now it isn’t.
Shoot for at least 2^256, which means at least 45 characters, and preferably a lot more than that.
Use as much password length as each site and account lets you use beyond that.
Even if there’s a bozo implementation of passwords using MD5 on the backend, you’d get at least the full 2^128 out of it, and if it’s a challenge, you’d be guaranteed not to have a hash collision by a considerable amount even with certain types of quantum attacks.
If you’re storing your passwords in a password manager, it doesn’t matter how long they are, only that they’re accepted by the system that uses them.
These kinds of passwords you’re going to copy and paste every time.
Also, you can’t secure someone else’s database for them, but you can do your best to secure your account against a drive-by attack such as a hashing challenge that can be broken using massively parallel offline hardware.
What we run: we store the password container in a VeraCrypt volume and access it with a password manager which runs on all of our devices.
This password manager isn’t good enough to trust as a single point of failure, and so we use the VeraCrypt wrapper with EDS by Sovworks from the Google Play Store. EDS presents a virtual volume mounted on a local mount point that you can access through the password manager to access the passwords.
VeraCrypt wraps the password manager key file with another double 256-bit encryption layer to strengthen the level of security.
As for how small you can go, it looks like FAT32 VFAT works with 4 MB if you create the volume as a zeroed out file, attach the disk image virtually, and then create it with only one FAT and sixteen root directory entries.
Having some Linux skills really helps with doing this kind of stuff, BTW.
Dealing with air-gapped passwords works OK if you have a barcode scanner, just display the password using a barcode generator in PDF417 format on your screen and scan it with a barcode reader on your device.
So if the idea of having the password manager file on your phone bothers you, but you’re OK with it on your laptop, install a barcode generator on your laptop and a barcode reader on your phone, then copy and paste via PDF417 barcodes through the air gap.
Anyone still manually keying in passwords except for the password manager is still doing it wrong.
And no, we don’t use notebooks with passwords written in them (cf. above point).
Further OPSEC discussions tread closer into areas in which the best defence consists of you not knowing our OPSEC preparations. 🙂
Divemedic · January 9, 2023 at 7:52 am
1 I don’t see how you can ignore case of alpha characters. That reduces your base from 78 to 52.
2 Immaterial if the hash is only 128 bits. The failure point there is the other computer, and nothing you do will fix that.
3 Quantum computers? Seriously? Anyone with access to quantum computers doesn’t care about the contents of my bank account, and if they want my files, they can use other means to get them.
4 The system you are using sounds secure, but a bit unwieldy.
William · January 9, 2023 at 11:03 pm
I use KeePass as a compromise software solution. Password storage is local, (or optionally on the cloud storage of your choice) and easily backed up. Integration with other apps is not perfect, but I gladly tolerate this to avoid being part of a high-value data target (any of the online password wallet services.)
Comments are closed.