Good Passwords


Foreword

The worst consequence of someone's password being compromised that I have ever personally witnessed (that I know of anyway) was someone's domain being stolen. They were ultimately able to recover it with the help of their registrar. The second worst was lots of spam being sent directly from their email.

I have never, for example, witnessed anyone's money or identity be stolen.

It does happen, but when it does it is usually through a route (a breached database, stolen documents, malware on the machine) where the strength of your password makes no difference.

The advice here is mostly for peace of mind. It may also be useful for reducing corporate espionage.

Password Managers

Password managers are good because you only ever have to remember one password. Every other password can then be as long and random as the site allows, since you never need to type or remember it.

Password managers also take some of the sting out of keyloggers. If passwords are always filled in by the manager rather than typed, the logged keystrokes contain little of value. This is only partial protection: the master password is still typed, and malware that captures the clipboard or the screen sees what a keylogger misses, so a compromised machine is still a compromised machine.

LastPass is the online password manager I recommend. It is free for personal use and can be upgraded for business use. LastPass works well because password data is encrypted on your own device, using a key derived from your master password, and only the encrypted result is sent to the server to be stored. Imagine that someone malicious who either works at LastPass or breaks into their systems decides to look at the password data stored there. To them the encrypted vault is a bunch of random-looking ones and zeros; without your master password it is useless. The caveat runs the other way: whoever holds a copy of your encrypted vault can guess master passwords against it offline, as fast as their hardware allows and with no lockout, so the master password has to be long and the key derivation has to be deliberately slow. When you log in, LastPass sends your device the stored ciphertext and your device uses your master password to turn it back into actual passwords. When you share passwords with other people, the LastPass software on your device encrypts the data so that only that person's device can decrypt it. This way password data never touches the LastPass server in plaintext.
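To make the client-side model above concrete, here is an added example of my own (not LastPass's code and not how any particular product is built) of a vault that is encrypted on the device before the server ever sees it, and of what an attacker holding a stolen copy of that vault can still do. It uses only the Python standard library, so an HMAC-in-counter-mode stream cipher with an HMAC tag stands in for the AES-based encryption a real manager would use; the PBKDF2 iteration count, the vault contents and the guess list are constructed for the example. Sharing an entry to another user's public key is left out because the standard library has no public-key primitives.

```python
import hashlib
import hmac
import json
import os

# Assumption: a PBKDF2-HMAC-SHA256 iteration count in the range current guidance
# recommends; real managers choose their own KDF and parameters.
ITERATIONS = 600_000


def derive_key(master_password, salt, iterations=ITERATIONS):
    """Slow, salted derivation of the vault key from the master password.

    This cost is the only thing standing between a stolen vault and a fast
    offline guessing attack, which is why it is deliberately expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _subkeys(key):
    # Separate keys for encryption and authentication, both derived from the vault key.
    enc_key = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # HMAC in counter mode: a stdlib-only stand-in for AES-CTR / AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password, entries, iterations=ITERATIONS):
    """Client side: encrypt the vault before it leaves the device."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC: the tag covers everything the server could tamper with.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # This dict is all the server ever stores; nothing in it is readable without the master password.
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password, blob):
    """Client side: returns the entries, or None if the master password is wrong
    or the blob was tampered with."""
    enc_key, mac_key = _subkeys(derive_key(master_password, blob["salt"], blob["iterations"]))
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    plaintext = bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))
    return json.loads(plaintext.decode("utf-8"))


def offline_guess(blob, candidates):
    """What an attacker holding a stolen copy of the blob can do: try master
    passwords with no rate limit or lockout. Returns (password, guesses) or (None, guesses)."""
    for guesses, guess in enumerate(candidates, start=1):
        if decrypt_vault(guess, blob) is not None:
            return guess, guesses
    return None, len(candidates)


if __name__ == "__main__":
    # Constructed vault contents and a constructed guess list for the demonstration.
    vault = {"example.com": "x7$Qm!2pLw9#Rt4v", "mail.example": "correct horse battery staple"}
    blob = encrypt_vault("weak123", vault)
    print("server stores:", blob["ciphertext"].hex()[:32], "...")
    # A short, common master password falls to a tiny guess list despite the encryption.
    print(offline_guess(blob, ["123456", "password", "weak123"]))
```

Each guess costs one full key derivation, so the iteration count is what turns a stolen vault from a weekend project into something impractical; it cannot, however, rescue a master password that sits near the top of every guess list.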

If you would rather use a local keychain that does not send your encrypted password data to the internet, macOS comes with a password manager called Keychain, and for Windows and Linux I recommend KeePass (or its cross-platform fork KeePassXC).

Sending Passwords Via Email

Stop doing this. Everyone, this is serious. Stop sending passwords in emails. An emailed password sits readable in both mailboxes, and usually on the mail servers and backups in between, for years. Go sign up for a free LastPass account to share passwords.

If someone sends you a password via email, treat that password as already compromised and take the following steps:

  1. Tell them to sign up for LastPass and share passwords that way in the future.
  2. Immediately sign in and change the password if you can, or have them reset it and share the new one via LastPass.

Password Length

One technique for breaking into someone's account is to try every password until the correct password is found. The term for this is "brute force".

Hardly anyone uses purely random passwords. Rather than trying every single possible password, it is much more effective to analyze lots of known passwords (leaked lists, common patterns) and try the most likely ones first. This is a dictionary or wordlist attack. A related trick, the "rainbow table", precomputes the hashes of a huge number of candidates once so that any leaked, unsalted password hash can be looked up instantly; salting the stored hashes defeats the precomputation but not live guessing. If your password is long, the likelihood that someone else is using the same password, and therefore that it appears in such a list, is low. The search space also grows exponentially with length, so every extra character multiplies the cost of brute force.

Pass phrases are a good technique for creating long, easy to remember passwords. The classic correct horse battery staple example illustrates this point. I recommend going one step further. Once you have invented four random words, draw a picture of them. Then immediately use your password over and over again. You will never forget it after that. Even if you do, you can refer to your picture. Anyone who stumbles across your picture will never know it is a password.
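The two paragraphs above make two claims worth checking with numbers: that guessing likely passwords first beats exhaustive search, and that length makes exhaustive search exponentially expensive. The following added example (my own, not code from the original page) puts both side by side. It runs a live dictionary attack and a live brute force against SHA-256 hashes, and computes how long exhausting the search space would take at an assumed attack rate. The wordlist is a constructed stand-in for a real leaked list; the guess rate of 10^10 per second is an assumption representing a GPU rig against a fast unsalted hash; 7776 is the size of the Diceware word list. Note what the numbers say about the four-word "correct horse battery staple" passphrase: it is plenty against an online login form that rate-limits, but against an offline attack on a fast hash four random words is the floor and six is more comfortable.

```python
import hashlib
import math
from itertools import product

# Constructed sample wordlist standing in for a real leaked-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou"]
# Assumption: offline guess rate against a fast unsalted hash such as SHA-256 on GPUs.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size, word_count):
    """Bits of entropy of a passphrase whose words are drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Years to try every candidate; on average the attacker needs half of this."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def sha256_hex(text):
    # Unsalted fast hash, the weakest realistic storage format; a salt would not
    # slow this loop down, a slow hash (bcrypt, scrypt, Argon2) would.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist):
    """Try likely passwords first. Returns (password, guesses) or (None, guesses)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, len(wordlist)


def brute_force(target_hash, alphabet, max_length):
    """Try every string over the alphabet up to max_length. Exponential in length."""
    guesses = 0
    for length in range(1, max_length + 1):
        for chars in product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for label, bits in [("8 random lowercase", search_space_bits(26, 8)),
                        ("12 random printable", search_space_bits(95, 12)),
                        ("4 Diceware words", passphrase_bits(7776, 4)),
                        ("6 Diceware words", passphrase_bits(7776, 6))]:
        print(f"{label:22s} {bits:5.1f} bits  {years_to_exhaust(bits):.3g} years to exhaust")
    # A common password is found after a handful of guesses...
    print(dictionary_attack(sha256_hex("letmein"), COMMON_PASSWORDS))
    # ...while even a 3-letter random string costs hundreds of guesses, and each
    # extra letter multiplies that by 26.
    print(brute_force(sha256_hex("abc"), "abcdefghijklmnopqrstuvwxyz", 3))
```

The exhaustion times are upper bounds for a password that is genuinely random; a password built from real words, dates or keyboard walks is far closer to the wordlist case than to the brute-force case, however long it is.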

When you are signing up for a new account somewhere or are changing your password, if the site restricts which characters are allowed or caps the length at a small number (8, 12 or 16 characters, say), that is a sign the people storing the password have not thought it through. A properly hashed password takes up the same fixed space whatever you type, so there is no storage reason for such limits, and a tight cap sometimes means the password is being kept in a plaintext database column. (A cap somewhere in the range of 64 to 128 characters is reasonable; some hash functions, bcrypt for instance, only look at the first 72 bytes anyway.) Do yourself and the world a favor by submitting a complaint.

Password Diversity

If the same username/email and password combination is used everywhere, it increases the potential damage. Occasionally enormous lists of real usernames and passwords are posted to the internet by a black hat after a site is breached. These are then replayed against other sites, usually by automated tools within days of the leak, to take over accounts that use the same credentials. The term for this is "credential stuffing".

In general use common sense: for throwaway accounts that don't matter at all it's fine to use the same password. For everything else that's not true; ideally use long passwords which were randomly generated by your password manager, so that no two sites share one. Be honest about which accounts "don't matter": anything that can send a reset link to your email, or that stores a payment card, matters.

Your Passwords Are Only As Secure As Your Email Password

Pretend for a moment that your email has been compromised. Pretty much all of your other passwords can be changed using your email. Every site you have signed up for has sent you a confirmation email or some other correspondence, so your inbox is a directory of where you have accounts. All the black hat needs to do is wait until the middle of the night when you are less likely to be watching your email, and they have pretty much free rein to scan through your email, reset all the passwords they like, and delete the reset notifications afterwards.

Ok, but how much damage can ultimately be done by this? Maybe the black hat resets your bank password and transfers money. Where are they going to transfer it to where it can't be traced? Cashing out is the hard part of financial fraud and the penalties are strict, which is why this is far rarer than people fear, though it does happen, and banks generally put their own checks in front of a password reset or a large transfer.

Maybe instead of resetting your other account passwords they send out spam for profit. The next time you look at your email it will be obvious that something is wrong: you will notice lots of bounced emails in your inbox for messages you didn't send. All you have to do is reset your email password (and check the account's forwarding rules and recovery settings, which attackers often change to keep a foothold) and things are back to normal. Your email address or domain will probably be blacklisted as a spam source for a while, which is not a very big deal unless it's your work email. Even this is rare because there are so many other easier and more effective ways to send out spam.

I'll speak for myself when I say that it wouldn't matter very much if a black hat was able to read all of my email; it's the principle of the thing. If it's easy to have strong email passwords, why not have strong email passwords? And since the email account is the master key to everything else, it is the one place where turning on two-factor authentication is worth the small hassle.