Your master password in a password wallet is the one that is used to encrypt the digital vault that stores your passwords. It may be your PGP passphrase, if you are old school enough to be using that software. Whatever your reason, a strong password is important. My master password is not actually a word. I use passphrases. Let me explain. Suppose that I pick a mashup of the opening to the Gettysburg address and a nursery rhyme:

Four score and seven years ago, our fathers brought forth on this continent a new nation, Mary had a little lamb, its fleece was white as snow

The master password is made by mashing the phrase into numbers, letters, and symbols: words that are numbers become digits, words that are symbols become symbols, and for every remaining word I just use its first letter, like this:

4 s & 7 y a, o f b f o t c a n n, M h a l l, i f w w a s

Now take out the spaces, and your new master password is: “4s&7ya,ofbfotcann,Mhallifwwas”. It’s easy to remember, nearly impossible to guess, and at 29 characters is very difficult to brute-force. This password is also guaranteed not to be on a list of common passwords that many black hats use to guess passwords. A long, difficult-to-crack master password buys you time to make the data it is protecting obsolete. That’s what I did. All of my master passwords are AT LEAST 25 characters long.
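The mashing rules above, written out as a small Python script. This is an added example, not code from the post: only the number words "four" and "seven" and the mapping of "and" to "&" come from the post, the rest of the two lookup tables are added assumptions, and every trailing punctuation mark in the phrase is carried through as a character of the result. keyspace_bits, also not from the post, gives the size of the space a blind brute force would face.

```python
import math

# Number words written out as digits. The post's example uses "four" and
# "seven"; the rest of this table is an added assumption.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "ten": "10", "hundred": "100", "thousand": "1000",
}

# Words that become symbols. Only "and" -> "&" is from the post;
# the other entries are added assumptions.
SYMBOL_WORDS = {"and": "&", "at": "@", "percent": "%", "dollars": "$"}

# Trailing punctuation is kept as its own character, which is how the
# commas survive in the post's example.
TRAILING_PUNCT = ".,!?;:"


def mash(phrase: str) -> str:
    """Apply the post's rules to a phrase and return the squashed result.

    For each whitespace-separated token: a number word becomes digits, a
    symbol word becomes its symbol, any other word contributes only its
    first letter (case preserved), and trailing punctuation is carried
    through unchanged. The pieces are joined with no spaces.
    """
    pieces = []
    for token in phrase.split():
        word = token.rstrip(TRAILING_PUNCT)
        trailing = token[len(word):]
        key = word.lower()
        if not word:                      # token was pure punctuation
            pass
        elif key in NUMBER_WORDS:
            pieces.append(NUMBER_WORDS[key])
        elif key in SYMBOL_WORDS:
            pieces.append(SYMBOL_WORDS[key])
        else:
            pieces.append(word[0])
        pieces.append(trailing)
    return "".join(pieces)


def keyspace_bits(password: str) -> float:
    """log2 of the number of strings of this length over the printable
    ASCII character classes that the password uses.

    This is what a blind brute force faces, so it is a ceiling. A mashed
    phrase is not a uniform draw from that set; its real strength depends
    on how predictable the source phrase and the rules are, and is lower.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # remaining printable ASCII characters, space included
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    phrase = ("Four score and seven years ago, our fathers brought forth on "
              "this continent a new nation, Mary had a little lamb, its "
              "fleece was white as snow")
    pw = mash(phrase)
    print(pw, len(pw), f"{keyspace_bits(pw):.1f} bits (ceiling)")
```

Run on the post's phrase, mash returns 4s&7ya,ofbfotcann,Mhall,ifwwas: it keeps the comma after the lamb clause, so it is 30 characters where the post's own string drops that comma and is 29. keyspace_bits reports about 197 bits for a 30-character string over all 95 printable ASCII characters, but that figure assumes every such string was equally likely to be chosen, which a mnemonic built from a famous text is not; treat it as an upper bound on brute-force cost, not as a measurement of the password's strength.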

The black hats are large in number, and stealing personal data is the new currency. Make yourself as difficult a target as possible.


8 Comments

Zarba · April 18, 2023 at 7:54 am

Do you have a recommended wallet product? I know some of the online wallet products have been compromised.

    Divemedic · April 18, 2023 at 9:22 am

    I no longer recommend LastPass. There is a post coming on that. It will be posted on Thursday.

Grumpy51 · April 18, 2023 at 8:52 am

IT security contact told me it’s not about the “difficulty” of password but rather the length (number of characters) with at least 12 being necessary. Something as simple as Password1111 works since a hacker has to run the various multiples …… YMMV

    Divemedic · April 18, 2023 at 9:29 am

    Your IT friend is right in that longer passwords are better, but wrong in his assessment of password content being irrelevant. I did a post on password cracking tools a few months ago. There are commercially available cracking tools that are far more sophisticated than simply guessing every combination. Some attack the hash, some attack rainbow tables, and others use a database of common passphrases and other variations.
    For example, THC Hydra uses a dictionary attack, as well as brute force. These types of software go for common passphrases and words because the simple reality is that people are stupid and lazy, and tend to pick common words and phrases as passwords.
    Another tool, Hashcat, bills itself as being the fastest password cracker, and one of the tools it uses is a dictionary attack.
    The longer and more random your passphrase is, the harder it is to crack. Using a long password that avoids common dictionary words is the way to go. The less random your password is, the more susceptible it is to being cracked.
    Your example of password1111 was guessed in less than 134 seconds using a common password cracker.
    I’m guessing that what your IT friend was trying to tell you is that random, machine generated passwords are better. There’s a pervasive belief that requiring numbers and special characters increases password strength. But the effects of these requirements differ for human-created passwords and properly generated passwords.

    A 12-character, human-made password with mixed-case letters, numbers, and symbols might look like this: Letmein!1234.
    A 12-character password generated by a password generator using only mixed-case letters might look like this: lwlXgHeaWiqL.
    The generated password, even though it doesn’t have any numbers or special characters, is going to be significantly harder to guess than the human-created one because it is totally random. Human generated passwords are not random.

    A human tasked with creating, say, a 12-character password with numbers and mixed-case letters is more likely to create a password like Iloveyou!,12 than they are to create Wa7RoWTC18id. Both meet the technical requirements, but humans do not pick uniformly from the set of about 420 quadrillion passwords that meet those requirements. That is, some of those 420 quadrillion passwords are more likely to be picked than others. A good password generator does pick uniformly, meaning that each of those 420 quadrillion 12-character passwords is as likely to be picked as any other. Attackers very much tune which guesses they try first based on their extensive knowledge of human password choice.

    https://areaocho.com/password-cracking-tools/
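The two points in the reply above, a dictionary pass that strips the decoration people bolt onto a common word, and a generator that draws uniformly from an alphabet, as an added Python example. It is not the commenter's code and not code from any of the tools named; the six-entry common-password list is constructed for the example (real lists run to millions of entries), and secrets, string, re and math are all standard library.

```python
import math
import re
import secrets
import string

# Constructed stand-in for the common-password dictionaries that cracking
# tools load. Real lists run to millions of entries; this one has six.
COMMON_BASE_WORDS = {"password", "letmein", "iloveyou", "qwerty",
                     "welcome", "123456"}


def normalize(pw: str) -> str:
    """Strip the decoration a human adds to a dictionary word to satisfy a
    policy: lowercase, then drop trailing digits and punctuation, so
    'Letmein!1234' and 'Password1111' reduce to their base words."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_common(pw: str) -> bool:
    """True if the password, or the base word it was built from, is on the
    list. This is the check a password policy should run before accepting
    a human-chosen password."""
    low = pw.lower()
    return low in COMMON_BASE_WORDS or normalize(low) in COMMON_BASE_WORDS


def generate(length: int, alphabet: str = string.ascii_letters) -> str:
    """Draw each position independently from the OS CSPRNG, so every string
    of this length over the alphabet is equally likely to be produced."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uniform_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly generated password: log2(alphabet_size**length).
    Only valid for generated passwords; a human-chosen string of the same
    shape carries far less."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for human in ("Password1111", "Letmein!1234", "Iloveyou!,12"):
        print(f"{human:14} on common list: {is_common(human)}")
    machine = generate(12)
    print(f"{machine:14} on common list: {is_common(machine)} "
          f"({uniform_bits(12, len(string.ascii_letters)):.1f} bits)")
```

All three human-style examples from the reply reduce to a base word on the list and would fall to a dictionary pass at once, while a 12-character string drawn uniformly from the 52 mixed-case letters has about 68 bits of entropy with no digits or symbols at all; the number of such strings is 52 to the 12th power, around 3.9 times 10 to the 20th.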

Matthew W · April 18, 2023 at 9:25 am

I would have thought that “f*ckjoebiden” would be higher on the list of common passwords….

D · April 18, 2023 at 10:32 am

One great way of coming up with a complex password is to come up with a “phrase”.

For example, “I love my daughter Susie. She is amazing, talented, and kind.”

Will I ever forget that exact phrase? No.

Now take the first character of every word:
IlmdS.Siatak

Maybe add the year she was born.
IlmdS.Siatak2019

There’s 16 seemingly random characters that will be difficult to guess, but easy for me to remember.

Depending on your memory, you could come up with longer phrases.

My dog Bert loves to play fetch at the park. In 2017 I got him from the shelter in Vancouver.

MdBltpfatp.I2017IghftsiV.

Use something like that as your master password.
If you have to remember a different phrase like that for every damned website you use (remember, don’t re-use passwords), it’ll get difficult.

    Divemedic · April 18, 2023 at 11:14 am

    That's exactly what I said to do, and it works for a master password but becomes difficult when you have hundreds of passwords.

      D · April 18, 2023 at 1:25 pm

      Reading comprehension.
      That’s what I don’t get for skimming. 😉
      It’s been a long week.
