What problem are we trying to solve?
The traditional advice is to avoid easily guessed passwords, to use complex passwords (long and with upper case, lower case, numbers and symbols), to change your passwords often, to never write down your passwords, and to never share a password.
You should not use the same password on multiple sites. When you have one password that you use across multiple sites, that password is only as secure as the least secure of those sites.
Suppose you use the same password on multiple sites. When one of the sites is compromised, you should change your password on the other sites. You may wish to see Have I been pwned? to learn if you have an account on a site that has been compromised. If so, make sure you have changed your password on this site and any others which used the same password.
Using complex and unique passwords can be difficult advice to follow. If you have dozens of accounts you will be strongly tempted to use a password on multiple sites. You will want to write passwords down. You will want to create a password scheme that makes your passwords predictable; this is as bad a practice as using the same password on multiple sites.
Regarding password complexity and changing passwords: If someone is trying to crack a password, they will eventually guess it. Your goal is to make dictionary attacks (trying a list of common passwords) and brute force attacks ineffective. A long, complex password can take many years to guess, much longer than the hacker would devote to the task. The advice to periodically change your password recognizes that a password will eventually be guessed, but you reset that clock when you change your password.
The vendor’s password recovery system (the “forgot password” link) is the weakest point in your account defenses. If it only asks questions for which you have previously supplied answers (e.g., “in what city were you born?”) someone can obtain those answers and take your account. If the “forgot password” method sends a link to your email account, the link should be encrypted. You should have two-factor authentication enabled on this email account.
It would be better to not forget your password by using a password manager.
A Password Manager (or Key Vault) is a secured store for account information, including passwords. Having a password manager enables you to create complex passwords for each application or web site.
Examples of compromised passwords:
- LinkedIn Taking Steps To Protect Our Members or 6.5 Million Alleged LinkedIn Password Hashes Dumped Online
- eHarmony Update on Compromised Passwords
- Last.fm Last.fm Password Security Update
- Formspring Urgent: Change Your Formspring Password
- Yahoo confirms theft of 450,000 users’ passwords
- Nvidia forums forums.nvidia.com
- Android forums
- Perhaps Billabong.com
- The Dropbox compromise was a side-effect of password reuse, contrary to some of the published interpretations of what happened.
If someone acquires your password through a compromised site, and you have used that password on another site (such as your email account), then they can use that password to access the otherwise uncompromised site. Even though the systems are unrelated, password reuse enables a breach of one account to become a breach of other accounts. You want to avoid reusing passwords.
How do you handle the challenge of separate passwords for each account?
Use randomized passwords. See Lessons Learned from Cracking 2 Million LinkedIn Passwords for a description of how simple it is to crack passwords based upon dictionary words, including dictionary words with modifications you can anticipate (such as using “P@ssw0rd” instead of “password”).
You should change your password regularly (“password rotation”). How frequently you change your password is a function of the password’s complexity and whether the password may have been disclosed or discovered. You might not realize that your password is known. Use as complex a password as the application allows (e.g., 20 characters with alphanumeric and special characters).
In the Yahoo compromise, an old list of account names and plain text (unencrypted) passwords was stolen. You can expect these passwords to be used in future dictionary attacks, making any account which uses one of these passwords, on Yahoo or anywhere else, less secure.
You will want a tool to generate randomized complex passwords.
When you use multiple randomized passwords you need some way to keep track of all your passwords, and a good password randomizer. A Password Manager allows you to organize your passwords.
Using a Password Manager and using multiple devices leaves you with the challenge of where the password database resides.
Mobile devices do not normally allow you to use a password manager to copy and paste passwords. This encourages you to simplify your passwords and reuse passwords, both of which you should be trying to avoid.
From ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” [pdf] by Andrey Belenko and Dmitry Sklyarov of Elcomsoft Co. Ltd.
Abstract: In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection.
By focusing upon the security of data at rest the authors draw the conclusion that “Many password management apps offered on the market do not provide adequate level of security. We strongly encourage users not to rely on their protections but rather use iOS or BlackBerry security features.” This ignores the other benefits that password managers provide, benefits that the authors acknowledged earlier in their article.
You must protect the Password Manager database. Password protection is a deterrent, but is not sufficient. Physical access to the database can expose all of your accounts. Cloud storage can make the database widely available.
Back up your Password Manager database. A corrupt Password Manager database will require using the “I forgot my password” feature on all accounts.
Password Manager benefits include:
- Complex password generator
- Manage all passwords and login IDs in one location (although that location may be inadequately secured from physical access)
- Login to web sites without the need to re-enter credentials – users only have to remember one password or pass phrase
- Fill personal information into web forms accurately
- A secure browser for banking or financial websites
- Mitigation against keylogging malware
- Synchronize online credentials across multiple devices (PCs, mobile phones and tablets)
Password Manager products:
- KeePass Password Safe is a free, open source, light-weight and easy-to-use password manager for Windows, Linux, and Mac OS X, with ports to various mobile devices. You can store your passwords in a highly-encrypted database, which is locked with one master password or key file. Additional platforms are supported through products which can read the KeePass file (e.g., MiniKeePass for Apple iPhone or iPad).
- Password Safe is a free, open source, light-weight and easy-to-use password manager for Windows. It has support for Yubico’s YubiKey two-factor authentication product.
- Steganos Password Manager (not free) for Windows, Android, and iPhone is similar to KeePass.
- pwsafe is a unix command-line (CLI) program that manages encrypted password databases. pwsafe is compatible with databases created with Password Safe. Note that pwsafe does not include YubiKey support; it provides password database access only.
- Password Gorilla is a cross-platform utility that is compatible with Password Safe 3.2 databases.
- KeePassX is a cross-platform utility very similar to KeePass.
- Five password managers that run in a Web browser: LastPass, RoboForm, My1login, PasswordBox and NeedMyPassword. See “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers” [pdf] for implementation concerns.
- PassPack implements a cloud storage solution for your password database. An automated login feature simplifies the use of complex passwords. If the PassPack site is not available, what happens?
- Clipperz is another cloud storage design similar to PassPack. If the Clipperz site is not available, what happens?
- UsableLogin password management. Web browser plugin to manage login to your online accounts.
- Ilium eWallet
- Trend Micro announced DirectPass, a password management solution. Designed to organize and manage passwords, DirectPass provides consumers with a way to manage their online activities, while offering extra security measures to keep their credentials safe. A free version (up to five passwords) can be downloaded online.
Re: Web Site Authentication
When users create a new account with an initial password, make sure the new password enforces the same rules as the login screen and change password dialog. For example:
- A web site might permit an initial password of 20 characters. The login screen truncates the password to 16 characters. The hash of the 16 character version does not match the 20 character version. The person cannot login. A self-service “forgot my password” mechanism which returns the password to the user won’t help them. A self-service “forgot my password” mechanism which returns a one-time, limited life “change password” link works around this design failure. (Returning the user’s password is another sign of a design failure.)
- A web site might permit an initial password of 20 characters. The change password dialog box may enforce a 15 character limit on the old password. (“ORA-06502: PL/SQL: numeric or value error: character string buffer too small”.) In this situation, the user cannot change their password.
Web sites should avoid cryptographic hashes (such as SHA-1) for password storage. Cryptographic hashes are designed to be fast. Instead, use a password hash (such as Password-Based Key Derivation Function 2 (PBKDF2)) which is designed to be slow. Such an approach makes generating a hash table of complex passwords impractical.
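The two points above, one consistent length rule applied at registration, login and change-password, and a salted, slow password hash rather than a bare SHA-1, shown together as an added example (not code from the original article). The 20-character limit, the iteration count and the sample password are assumptions chosen for illustration; `buggy_login_verify` models the truncating login screen described in the first bullet.

```python
import hashlib
import hmac
import os

# Assumed policy values: one maximum length, enforced identically everywhere.
MAX_PASSWORD_LENGTH = 20
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune so one hash takes ~100 ms


def normalize(password: str) -> bytes:
    """Apply the same rule at registration, login and change-password.
    Rejecting an over-long password is safer than silently truncating it."""
    if len(password) > MAX_PASSWORD_LENGTH:
        raise ValueError(f"password longer than {MAX_PASSWORD_LENGTH} characters")
    return password.encode("utf-8")


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The per-user random salt defeats precomputed
    hash tables; the iteration count makes each guess deliberately slow."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", normalize(password), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # over-long input is rejected, never truncated
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def buggy_login_verify(password: str, stored: str, login_limit: int = 16) -> bool:
    """The design failure from the text: the login screen silently truncates to a
    shorter limit than registration allowed, so the stored hash never matches."""
    return verify_password(password[:login_limit], stored)


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3-Staple!!")   # constructed 20-character password
    print("correct login:", verify_password("Tr0ub4dor&3-Staple!!", record))   # True
    print("truncating login:", buggy_login_verify("Tr0ub4dor&3-Staple!!", record))  # False
```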
You don’t want to write your own authentication routine. Watch for OAuth 2.0 (currently in development). Meanwhile, the Stanford Secure Remote Password (SRP) protocol has been developed, tested and implemented.
One way to minimize multiple passwords is to use Federation and a Web-based single sign-on (SSO). Web-based SSO presents a set of risks to be aware of. See “Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services” [pdf].
“You cannot trust social media to keep your private data safe: Story of a Twitter vulnerability” IOActive researcher Cesar Cerrudo explains how signing into a third-party application with a Twitter account and denying the third-party application access to direct messages allowed the third-party application to receive direct messages anyway. Tip: Review which applications have access to Twitter.
See also: The quest to replace passwords by Frank Stajano. Password management approaches are compared based upon concerns (usability, deployability and security).
On a related note, be sure to change SSH keys on a regular basis. Passwords authenticate a person while SSH keys verify a machine. If you use SSH keys, rotate the SSH keys.