Greetings Dear Reader,
We have published guidance material previously on passwords and passphrases, some are blogs and some are lengthier depending on your liking (link & link). Even still it is always good practice to reinforce sensible password techniques. For this blog, I plan on sharing an analogous self-ritual, and one that relies on a third party application and share examples. Such an application falls under the “password manager” category of software. Many exist across the various platforms, and I highlight a few here well known that come to mind from a larger list (alternate):
There are other options for password managers such as IronKey's which is a secure thumb drive. Please note, I am not looking into the quality of these password managers or how safe they are, nor am I endorsing them. That is perhaps a topic for another time. Let us now turn our focus to the my analogous password/passphrase methodology.
Using one of these managers, these are the things which I pay attention to:
This may seem like a lot to "remember"; however, if employed through a trusted password manager one can simply enter the Master Password and access one's list of accounts easily. A few security gurus I know and trust use these types of rituals, and have for years with success.
However, the buck does not end with this ritual. One must be careful to run quality security software to catch keyloggers and malicious applications that steal data and take desktop screenshots. Being infected may usurp these password practices. So again and again, be careful!
Now on to some graphics. Using KeePass 1.0 as an example and pulling from their available screen shots:
The following is an example of how KeePass implements the "Strong Master Password" item. It has a feature that shows how "strong" your master password is (be sure to have secure backups of your Key File just in case your master is lost or crashes).
Here is an example of creating a new username and password account pair. It has the same graphic feature to depict how "strong" your password is. Within one may store items such as the Secret Question/Secret Answer pair.
This next screen we observe shows the various options to create a random password. One may set the length of the password, and enable certain character sets for the creation of the password. If a site permits Special Characters for example, the suggestion is to check it and use it for the generation piece. Such a randomized generated password makes it harder for brute force dictionary attacks to guess.
Other password managers cited above or linked to have similar features and functionality. They just may go about securing your information similarly or differently. Again, a potential topic for another time.
In the end, I like this technique because it promotes uniqueness in passwords, randomness, and the ability to store the information securely.
So what does a 20 character limit strong random password look like? Here are some examples I generated just to share (the applications generate these too):
Reminder, these may also be used uniquely as usernames as well depending on where you'd like to deploy such a strategy. So don't use such as username then as your password, create a unique password. Example:
I hope that this technique was understandable and easily digestable. It is just one format that may be followed and I am sure others exist that may or may not suit your requirements. If you have advice and are willing to share, feel free to email me or post a comment to the blog. Afterall, we're all here to learn from each other.
For more light reading Securing our eCity has published a list of password pitfalls, a good read to print out and share as well. These practices may be applied to virtually any type of account, some notably Facebook and LinkedIn social networking sites.
Paul Laudanski, Director of CTAC
Author ESET Research, ESET