Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Is There a Better Way to Create Secure Passwords? (cnet.com) 143

"Forget all the rules about uppercase and lowercase letters, numbers and symbols; your password just needs to be at least 12 characters, and it needs to pass a real-time strength test" developed by the passwords research group in Carnegie Mellon's CyLab Security and Privacy Institute (according to the Lab's web site).

CNET reports: After a user has created a password of at least 10 characters, the meter will start giving suggestions, such as breaking up common words with slashes or random letters, to make your password stronger...

One of the problems with many passwords is that they tick all the security checks but are still easy to guess because most of us follow the same patterns, the lab found. Numbers? You'll likely add a "1" at the end. Capital letters? You'll probably make it the first one in the password. And special characters? Frequently exclamation marks...

In an experiment, users created passwords on a system that simply required them to enter 10 characters. Then the system rated the passwords with the lab's password strength meter and gave tailored suggestions for stronger passwords. Test subjects were able to come up with secure passwords that they could recall up to five days later. It worked better than showing users preset lists of rules or simply banning known bad passwords (I'm looking at you "StarWars")...

Lorrie Cranor, director of the CyLab Usable Security and Privacy Laboratory at CMU, says the best way to create and remember secure passwords is to use a password manager. Those aren't widely adopted, and they come with some trade-offs. Nonetheless, they allow you to create a random, unique password for each account, and they remember your passwords for you.

This discussion has been archived. No new comments can be posted.

Is There a Better Way to Create Secure Passwords?

Comments Filter:
  • Yes (Score:5, Informative)

    by JD-1027 ( 726234 ) on Saturday November 14, 2020 @06:38PM (#60725244)
    correcthorsebatterystaple
    • “correcthorsebatterystaple” — is no longer good advice. The password crackers are on to this trick. Schneier [schneier.com]

      • “correcthorsebatterystaple” — is no longer good advice. The password crackers are on to this trick. Schneier [schneier.com]

        I don't think that's true. The point of the xkcd scheme is to generate a strong password that is *easy* *to* *remember*. Whether somebody is on to it doesn't matter. You can tell the hacker you're using the xkcd method, but the strength is still comparable to 8-10 random characters. But the point is, and people tend to forget this, is that the xkcd scheme yields passwords that are way easier to remember. In other words, the xkcd is good advice for the use case where the password must be easy to remember.

        • by BeerCat ( 685972 )

          The xkcd methodology may be good advice (or at least "good enough")

          The issue is that too many people have literally used correcthorsebatterystaple as their password choice, that it now features on lists of commonly used passwords.

          • Dropbox even changed their password verification at the time: https://nakedsecurity.sophos.c... [sophos.com] :)
            • by Bengie ( 1121981 )
              If I was making a password verification system, I would try to figure out a way to make sure their password doesn't exist in a set of all known leaked passwords ever.
          • The issue is that too many people have literally used correcthorsebatterystaple as their password choice.

            There are permutations:
            o -> 0
            e -> 3
            a -> @
            a -> 4
            t -> 7

            "c0rrecthors3b@t7eryst4ple"
            Know l337 speak helps.

        • Re:Yes (Score:4, Interesting)

          by gosso920 ( 6330142 ) on Saturday November 14, 2020 @11:34PM (#60725986)

          You could always use l33tsp3ak to create passwords, based on song lyrics.

          S3ttheC0n+r0lsf0rth3H3@rt0fth3Sun

      • by raymorris ( 2726007 ) on Saturday November 14, 2020 @10:17PM (#60725860) Journal

        Quick background so you know where I'm coming from:
        I developed possibly the most-used password security program for web sites and I've analyzed millions and millions of attempts at guessing passwords. I've analyzed well over a million passwords that DID get cracked, so I've seen what get cracked.

        Schneier says "password crackers on on to this scheme".
        It doesn't MATTER if bad guys know that some people choose four random words. They also know that password managers will generate 10 completely random characters. Attackers know about AES and scrypt too. That doesn't mean you shouldn't use AES and shouldn't use random characters.

        Here, in order to promote "the Schneier scheme", he is actually arguing for security by obscurity. He knows that we should ALWAYS assume that the opponent knows the scheme. Assuming the opponent doesn't know the scheme is security by obscurity (bad). The entire field of security is about coming up with schemes that work REGARDLESS of whether it's widely known or not.

        Schneier has made no argument that the XKCD scheme is ineffective. He's only said it's well known. Yeah AES and SHA384 are well known too. Widely known as being extremely secure.

        Assume a word list of 100,000 words. That's 16 bits of entropy per word. So four words, without any additional parts to the passphrase, is 64 bits of entropy. (You can easily add a few more bits with misspelling, dropping letters, and the like).

        That is to say, if I know that you've chosen four random words, there are 18 quintillion 446 quadrillion 744 trillion 73 billion 709 million 551 thousand 615 combinations I need to try.

        If I'm "onto your method", I suspect that the password you've chosen is one of the 18,446,744,073,709,551,615 word combinations. Okay, what am I going to with that? Try all 18 quintillion?

        In the article, Schneier suggests 9 random LETTERS.
        Each letter is just under 6 bits of entropy. Using mine letters, you get 51 bits of entropy. That is, Schneier's method is 8,000 times WEAKER, even assuming that the attacker knows you used the XKCD method.

        Selecting letters and numbers completely at random is 6 bits per character. Adding punctuation at the end is three bits. So 10 completely random letters and numbers, plus a punctuation mark, is 63 bits.

        Four random words is stronger than 10 random letters and numbers, plus a punctuation. And four words can be easily remember.

    • The number of common english words 7 letters or less is fairly small. If you are using from the diceware list, then your example has 3.6x10^15 permutations, or less than 52 bits of entropy. That's not great for a 25 character password that you're typing.

      Plus you shouldn't be reusing passwords. As memorable as your example is, you can't keep enough random 4, or better yet, 5 word passwords in your head to be relevant. There is just no intersection of making passwords memorable enough to keep them all in

      • by Ed_1024 ( 744566 )

        That is a reasonable methodology. I find it hard to understand why tech-savvy people try and create their own passwords with their minds, based on things they know, when it obviously reduces the entropy enormously compared with an entirely random process.

    • Re: (Score:3, Funny)

      by gosso920 ( 6330142 )
      That's funny. Your password just showed up as ****. Try it.
  • by 93 Escort Wagon ( 326346 ) on Saturday November 14, 2020 @06:39PM (#60725250)

    But why should I care whether or not I can remember most of the passwords I create? That's why I use Bitwarden. I only have to remember one - rather long - passphrase.

    If you're still stuck on "I must pick passwords I will remember in the future", then your password security pretty much sucks.

    • I agree, but prefer token devices, as in YubiKeys, etc. Forget the expletives-deleted passwords. Remember your key, plug it in, and nothing else is needed, except an alternate auth key that you keep in your sock drawer.

      • by AmiMoJo ( 196126 )

        I wish more phones supported this. The Pixel line have a Titan security key built in, works over Bluetooth. Then you have an additional layer of biometrics on top.

    • That's why I use Bitwarden.

      The one that gave full rights of your machine to their developers? Good luck with that.
      I have a friend who is fond of saying "Security is the opposite of convenience." I keep seeing that proven correct.

      • That's why I use Bitwarden.

        The one that gave full rights of your machine to their developers? Good luck with that.

        I have a friend who is fond of saying "Security is the opposite of convenience." I keep seeing that proven correct.

        Can you go into a bit more detail on this? Bitwarden is open source and can be self hosted, even run exclusively internally with no external access and a 'deny any any' rule on a firewall...so, how is Bitwarden giving full rights to developers?

      • by Bengie ( 1121981 )
        USB security key like yubikey are both easy and secure. The yubikey is arguably the most secure part of the entire authentication process, including HTTPS. It's pretty much impervious to remote attacks and can be very resilient to physical attacks assuming the service requires the pin. Personally, I almost only care about remote attacks.
  • by Rei ( 128717 ) on Saturday November 14, 2020 @06:39PM (#60725252) Homepage

    Acronym passwords allow for a nice balance between entropy, brevity, and ease of memorization.
    Apafanbbe,b,aeom.

    Add whatever substitution / insertion rule tweaks you want.

    • by Rei ( 128717 )

      Aws/irtyw.

    • Ticker symbols and best trade you remember are nice. TSLA420.69
    • The ironic thing, in ages past, this is what Norton suggested to people for creating secure passwords back in the 1990s. Some song lyrics, toss in a number or symbol, call it done. It seems quaint, but back when hashing passwords with two characters and a couple rounds of DES was more than adequate, this wasn't a bad system, especially if the password was dictionary checked before being allowed to be used.

  • try:

    tr -cd "[:alnum:]" /dev/urandom | fold -w 30 | head -20

    and use a password manager. I use GNU emacs on an encrypted text file for each site. For servers I use ssh/ssh-keygen

    • try:

      tr -cd "[:alnum:]" /dev/urandom | fold -w 30 | head -20

      and use a password manager. I use GNU emacs on an encrypted text file for each site. For servers I use ssh/ssh-keygen

      I think you got the syntax of tr wrong. Here is what worked for me:

      cat /dev/urandom | tr -cd "[:alnum:]" | fold -w 30 | head -20

      • by jmccue ( 834797 )
        Your are correct :) I had a less-than sign before /dev/urandom, but slashdot stripped it out and I did not notice on preview.
  • I use the following, but many variants work.

    tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16 | xargs

  • by John.Banister ( 1291556 ) * on Saturday November 14, 2020 @07:09PM (#60725368) Homepage
    I have to disagree with "Forget all the rules..." I make my passwords with KeePass, and it makes nice passwords. But, then I have to remake them three times, because the site didn't tell me what's allowed and what isn't. Finally, it get a nice 35 character password that the password form likes, try to use it to log in, and the login form is set for a max password length of 32 characters and won't tell me what's wrong with my login. Explicitly tell me all the rules every time so I can make a password your site likes on the first try.
    • > the login form is set for a max password length of 32 characters

      If they care about how long your password is, say under 2K, it's a good bet their site is going to be hacked soon anyway.

      Secure-ish websites shouldn't care and eventually send a hash of your password to the server. Good luck brute forcing that db, fellas.

    • by AmiMoJo ( 196126 )

      There really needs to be a web standard for passwords. Ideally 64 random characters, A-Z, a-z, 0-9.

      Failing that at least some method for the site to specify a regex that details what characters are acceptable and the maximum length.

      • by Bengie ( 1121981 )
        An entire ECC public key can fit in 33 characters. By not just use asymmetric encryption and only pass the public key, then you never have to share your secret key. This way you can have the exact same "password" for every service and it wouldn't have to be encrypted, hashed, salted, or changed in the event of a breach.
  • I have 92 password protected things (not all are sites) that need passwords. My memory is average at best. I'm happy if you can show me a way to memorize 92 passwords (and their associated URLs, usernames and other essential info). Until then, I use a password manager.

  • by frank_adrian314159 ( 469671 ) on Saturday November 14, 2020 @07:25PM (#60725412) Homepage

    Don't share passwords between sites. Don't save them in your browser. Generate them randomly making sure that whatever generation algorithm you use includes at least 15 characters, with at least a couple each chosen from capital characters, lowercase characters, digits, and special chars. Since you won't be able to remember them, use a password manager. This should keep you somewhat secure for the next couple years.

    • by green1 ( 322787 )

      "don't save them in your browser"
      "Use a password manager"

      You realize that those 2 points contradict right?

      • Depends. You can use a PW manager separate from a browser, like KeePass. It may take a little bit more time to alt-tab to the PW manager, copy and paste the result in, but it is a doable system.

        • by green1 ( 322787 )

          No, that doesn't answer the question.
          Saving to the browser IS a password manager. You can't say "don't use the browser" and "use a password manager" and be consistent.

          Now if you want to argue about WHICH password manager to use, sure, but you have to acknowledge that saving in the browser is one of the password manager choices, and one that is certainly no worse than many other options.

          You also need to acknowledge that any password manager that works even if you lose the device, or works across multiple dev

  • Are you crazy? (Score:5, Insightful)

    by battingly ( 5065477 ) on Saturday November 14, 2020 @07:28PM (#60725422)
    Just use the password generator from your password manager. You're not using a password manager? In that case you've got bigger problems than password strength.
    • That's nice, as long as you use your accounts only on a computer. If you use multiple computers and mobile devices, good luck finding a password manager that is secure, that doesn't rely on cloud-based password storage where it can leak T, and lets you use passwords on any device. The whole concept of passwords is messed up, password managers don't fix that!

      • That's nice, as long as you use your accounts only on a computer. If you use multiple computers and mobile devices, good luck finding a password manager that is secure, that doesn't rely on cloud-based password storage where it can leak T, and lets you use passwords on any device. The whole concept of passwords is messed up, password managers don't fix that!

        My password data never leaves my network and is synced to all my devices. I use 1password, but I'm sure there are others.

        • So you're willing to risk a data breach then, such as what happened to LastPass. Not ideal, for those who are concerned about password security.

    • Lots of websites won't take those passwords.

      Mega is one of them. And then it doesn't tell you why it won't accept your password. Which is why I've stopped using Mega. If I have to download crap from Mega, it's not worth having.

  • You got all answers correct, and it logged me in. Before I signed off, it asked me if I wanted to pick a new password other than MAGA2020!

  • Then throw in a couple vowels.

  • breaking up common words with slashes

    What a surprise -- my password is: https://slashdot.org/ [slashdot.org]. There's lots of slashes there.

    But really, my password is usually the first letters of an affirmation. It's been something reasonable, but lately it's: GooBYL is Get Out Of Bed You Loser. Append "@9!AM" and it's perfect! Except for the getting out of bed part, that is.

    If I use a password manager I stay awake at night trying to figure out a working phrase for what it generates. That doesn't help either. And who'd want to staple a battery to a h

  • What I hate is password systems that limit the length, or do not consider spaces to be valid characters. "We want you to make a secure password in 16 characters." When setting up online banking accounts this year, three out of four banks balked at my 32-character passwords. The one that didn't complain about the length complained that I used illegal characters. One even complained that the email address I gave them for the user ID was too long.

    When asked to write a password system around 8 years ago, they g

  • No reason at all for Facebook, Instagram, Slashdot etc. to require a password. The chance of someone else abusing my account for something is 0.01% and the effect of it would also be minimal.

    And no, you do not need to use one when you log in to something that might charge you. If I buy something, then you ask for the password, just as a store asks for my credit card every time I buy. They are not ALLOWED to keep one on file to 'save you time'.

    Why should websites do it if stores can't?

  • by Tablizer ( 95088 ) on Saturday November 14, 2020 @08:53PM (#60725650) Journal

    The system shouldn't allow hackers to try a password a billion times. It should be hardware-throttled and maybe in a safe-like device, with rotated backups.

    If we keep making passwords longer and more complicated to stay ahead of decryption technology, they'll be longer than War and Peace in the not too distant future. We'll lose the software race, so protect it with hardware instead.

    • by BeerCat ( 685972 )

      The system shouldn't allow hackers to try a password a billion times. It should be hardware-throttled and maybe in a safe-like device, with rotated backups.

      If we keep making passwords longer and more complicated to stay ahead of decryption technology, they'll be longer than War and Peace in the not too distant future. We'll lose the software race, so protect it with hardware instead.

      Your suggestion of rate limiting will deter online attacks. I've seen a suggestion that even a 15 minute lockout after 3 wrong attempts, and attackers trying it over a long weekend - so no one is around to spot the attempts on the security logs - is just over 1,000 attempts. As long as your password is not in the 1,000 or so common ones, then you might get away with it.

      The problem is when the attackers get hold of the password file, so have virtually unlimited time to do an offline attack. Then things get h

  • Or better - stop using passwords. Given that every password out there is resettable by anyone with access to my email, just send me a login link with a one-time-hash that sets a cookie and logs me in. Slack does this just fine, and I never need to go to some password generator site to make up a new password.
  • Passwords should be pass PHRASES these days. Don't use things you can't read and remember. The way to make a password long is just to use words. You can spell them wrong if you want more security. theBUNNYhopz2 is a great easy to remember password when you have two factor. A phrase password can be easily remembered on differenet platforms, like your phone and your TV vs one of those H9*ksdjs98sdjk)()DKD style passwords. theBUNNYfeetGOboom3425 is even more secure and still quite easy to remember. (obviousl
  • The biggest problem is people reusing passwords. Does anyone think "Test subjects were able to come up with secure passwords that they could recall up to five days later." for the hundreds (?) of websites they log into? Because, the article implies they might use the same password for multiple sites. That's doing it wrong. One site is violated, and you're screwed.

    Use a respected password manager, and a stong password to access that.
    • Password managers are nice, as long as you use your accounts only on a computer. If you use multiple computers and mobile devices, good luck finding a password manager that is secure, that doesn't rely on cloud-based password storage where it can leak, and lets you use passwords on any device. The whole concept of passwords is messed up, password managers don't fix that!

  • by 140Mandak262Jamuna ( 970587 ) on Saturday November 14, 2020 @09:58PM (#60725818) Journal
    Do the unexpected and stump the hackers.

    Do what I do. Enter the user name as password and the password as user name.

  • How about we:

    Set a GD internet wide standard for password length, complexity and characters available for use. It's annoying as F when a site only allows N - 1 ( Where N is a secure length of digits ) number of characters, or a very specific set ( and each site is different ) of symbols.

    It's one of my pet peeves when they decide: Oh, lets disable copy and paste and force the user to manually type ( twice ) something that looks like this:
    " $nv-A68@/f%MLcbgRyH6 " ( which will take more than one try to get i

  • >"One of the problems with many passwords is that they tick all the security checks but are still easy to guess"

    The problem really has nothing to do with the strength of passwords, unless the password is truly stupid, like "123456". No well-designed system is going to allow enough trials to ever guess it within a lifetime. 3 tries, medium lockout delay. X more tries, much longer delay, or throw a captcha. Fails again, lock out IP for a several hours. X tries from more than 1 source in X amount of ti

  • ... using images. AKA all you would have to do is "upload" the image, an image as a password would be too big for anyone to guess and it's easy to grasp because you'd only need the file as a key to unlock your account, aka instead of typing in a password, you upload an image instead. So unless the hacker had the same image you did they could never guess, since images have huge bit space, one RGB pixel is 2^24.

    So one 1024x768 image at 24 bit color would be 13,194,139,533,312... in length roughly... that is

  • Comment removed based on user account deletion
  • Generates a 15 character password with at least:

    1 upper case letter 1 lower case letter 1 number 1 special character

    apg -a 1 -n 1 -m 15 -M nCLS

    Totally ugly and impossible to remember (which is why you need a password manager). The "- m" spec defines password length.

    If you want to not have special characters, then use:

    apg -a 1 -n 1 -m 15 -M nCL

  • Once I crack it, i can own you.
    The test sees my password in clear so I can have an insight on your choices if not the actual passwords.

  • Have an MD5 prog or app available. Choose a simple password. Apply MD5. Copy-paste the 32 chars result into the password field.
  • Youre Gonna Need A Bigger Boat
    Alas Poor Yorick I Knew Him Well
    Ah Ah I Know What Youre Thinkin
    Heres Looking At You Kid
    It Aint Over Til Its Over
    Theres No Crying In Baseball
    Thats No Moon Its A Space Station
    AJ Foyt Mario Andretti Bobby Unser

  • Pick a secret phrase for a class of websites, e.g. PinkFluffyBunny. Then for e.g. facebook, use

    echo -n "PinkFluffyBunny:facebook" | sha256sum | cut -c1-64 | xxd -r -p | base64 | cut -c1-16

    to get 16 random digits. This GNU one-liner can be implemented as a web page (using cryptojs) in a few hundred lines of javascript. Then I maintain a database of inputs (e.g. 'facebook' for facebook, as a google sheet) and hints as to what the secret phrase is (usually the first three or four characters from PinkFluffyBunn

  • It's against the law.
    Betteridge's law of headlines with a question mark.

  • I categorize my passwords into three levels, but they all have protection against a dictionary attack.

    The least secure is stored on my PC in plain text. These are for logging into Web sites where my account merely contains my preferred settings or where performing non-financial tasks requires a login. Slashdot.org is one such Web site.

    More secure (second level) are Web sites where I occasionally make purchases. These are stored in an encrypted file on my PC. I memorized the decryption password, which is

  • by twocows ( 1216842 ) on Sunday November 15, 2020 @12:15PM (#60727342)
    Assuming you're not one of the very small number of people likely to be targeted at the individual level rather than just as part of a drive by attack, use a system with a lot of different points of complexity that you can recreate easily. Use things that vary by site but are easy to remember in tandem with a more secure base that's shared across several sites. E.g. slasd8hotGREENxz8bGaX$20201 for slashdot and wikp9iediaWHITExz8bGaX$20192 for wikipedia. Common but easy to remember permutations, splitting up words with numbers that vary based on elements of the password, stiff that varies by site, etc. If you can create a system that generates a consistent password for different websites, it's both easy to recreate and hard to break unless individually targeted. And if you're being individually targeted you really need the services of a professional anyway.
  • The problem isn't that passwords aren't strong enough. It's also not that users create passwords that are weak.

    The problem is that humans don't secure things that don't matter to them.

    How strong do you think I'm going to make my slashdot password? It's not important to me. If someone really wants to steal my slashdot account, I'll shed a tear and move on with my life.

    Aside from my online banking account -- which has immediate and enormous effects -- pretty much everything else can be repaired, undone, or

  • .. blatant plug for these password generation helper devices. https://www.tindie.com/stores/... [tindie.com]

The sooner all the animals are extinct, the sooner we'll find their money. - Ed Bluestone

Working...