No chocolates for my passwords please!

Greetings Dear Reader,

We have published guidance material previously on passwords and passphrases; some are blogs and some are lengthier, depending on your liking (link & link).  Even so, it is always good practice to reinforce sensible password techniques.  For this blog, I plan on sharing my own analogous ritual, one that relies on a third-party application, along with examples.  Such an application falls under the “password manager” category of software.  Many exist across the various platforms, and I highlight here a few well-known ones that come to mind from a larger list (alternate):

There are other options for password managers, such as IronKey's, which is a secure thumb drive.  Please note, I am not looking into the quality of these password managers or how safe they are, nor am I endorsing them.  That is perhaps a topic for another time.  Let us now turn our focus to my analogous password/passphrase methodology.

Using one of these managers, these are the things which I pay attention to:

  1. Strong Master Password
    1. Create a strong password for the 'master', the one that opens up the password manager.  This is probably one of the strongest if not *the* strongest since my passwords are stored in it.
  2. Randomize Passwords
    1. Use the manager to create random passwords set at the upper limit for the location you are creating it for.  So, if a site says the maximum length for a password is 20 characters, then I set it to 20.
    2. Also consider what account your password is protecting.  Gaming?  Online Banking?  The beauty of a password manager is, one may create strong maximum length passwords for all accounts, and simply use the manager to reclaim your password when logging in.
  3. 1:1
    1. Create one password for one account.  Do not reuse it elsewhere.
  4. Usernames
    1. Consider randomizing your username depending on what you are protecting.  For instance, online banking.  And follow the same maximum length suggestion noted earlier.
  5. SQ/SA
    1. When creating a secret question secret answer pair, apply the same technique as above.  Create a random secret answer making it harder for would-be attackers to break.

This may seem like a lot to "remember"; however, if employed through a trusted password manager one can simply enter the Master Password and access one's list of accounts easily.  A few security gurus I know and trust use these types of rituals, and have for years with success.

However, the buck does not stop with this ritual.  One must be careful to run quality security software to catch keyloggers and malicious applications that steal data and take desktop screenshots.  Being infected may undermine these password practices.  So again and again, be careful!

Now on to some graphics.  Using KeePass 1.0 as an example and pulling from their available screen shots:

The following is an example of how KeePass implements the "Strong Master Password" item.  It has a feature that shows how "strong" your master password is (be sure to have secure backups of your Key File just in case your master is lost or crashes).

KeePass Get Key

Here is an example of creating a new username and password account pair.  It has the same graphic feature to depict how "strong" your password is.  Within one may store items such as the Secret Question/Secret Answer pair.

KeePass AddEntry

This next screen we observe shows the various options to create a random password.  One may set the length of the password, and enable certain character sets for the creation of the password.  If a site permits Special Characters for example, the suggestion is to check it and use it for the generation piece.  Such a randomized generated password makes it harder for brute force dictionary attacks to guess.

KeePass Password Generator

Other password managers cited above or linked to have similar features and functionality.  They just may go about securing your information similarly or differently.  Again, a potential topic for another time. 

In the end, I like this technique because it promotes uniqueness in passwords, randomness, and the ability to store the information securely.

So what does a 20 character limit strong random password look like?  Here are some examples I generated just to share (the applications generate these too):

  • -=E7%S=#e,x(qx_z2!Qw
  • a@s%I4$3z7@K!F3s:K&|
  • @HM4/2_#:x+9Q [551W8
  • YC57_UIu4_IPt4$({_-9

Reminder: these may also be used as unique usernames, depending on where you'd like to deploy such a strategy.  If you use such a string as a username, do not use it again as your password; create a unique password.  Example:

Username: 48N18RQ1o9XM1Xi84KLs
Password: 8O9N6[yBNSkG%/8r!:[g
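
The generator options and the unique username/password pairing described above can be reproduced in a few lines of Python.  This is an added example, not code from the original post or from KeePass; the `CHARSETS` table, the special-character list and the function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Character sets a site might permit (assumed list; enable only what the site accepts).
CHARSETS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!#$%&()*+,-./:;=?@[]_{|}",
}


def generate(length, enabled):
    """Random string of `length` with at least one character from each enabled set."""
    if not enabled or length < len(enabled):
        raise ValueError("need at least one set and length >= number of sets")
    pools = [CHARSETS[name] for name in enabled]
    alphabet = "".join(pools)
    # One guaranteed character per enabled set, the rest from the full alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Shuffle with the OS CSPRNG so guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, enabled):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    size = sum(len(CHARSETS[name]) for name in enabled)
    return length * math.log2(size)


def new_account(max_len, password_sets, username_sets=("upper", "lower", "digits")):
    """Unique random username, password and secret answer for one account."""
    username = generate(max_len, username_sets)
    password = generate(max_len, password_sets)
    while password == username:  # never reuse the username as the password
        password = generate(max_len, password_sets)
    answer = generate(max_len, username_sets)
    return {"username": username, "password": password, "secret_answer": answer}


if __name__ == "__main__":
    all_sets = ("upper", "lower", "digits", "special")
    print(new_account(20, all_sets))  # set max_len to the site's stated maximum
    print(f"{entropy_bits(20, all_sets):.0f} bits upper bound")
```

The values are drawn from the operating system's cryptographic random source via `secrets`, not from the `random` module's default generator, which is not suitable for credentials.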

I hope that this technique was understandable and easily digestible.  It is just one format that may be followed, and I am sure others exist that may or may not suit your requirements.  If you have advice and are willing to share, feel free to email me or post a comment to the blog.  After all, we're all here to learn from each other.

For more light reading, Securing our eCity has published a list of password pitfalls, a good read to print out and share as well.  These practices may be applied to virtually any type of account, notably on social networking sites such as Facebook and LinkedIn.

Read about Privacy Guides I wrote on Facebook and LinkedIn.

Cheers!

Paul Laudanski, Director of CTAC

Author ESET Research, ESET

  • Ian Cervantez

    I like to use iLium eWallet as a password safe, due to the multiple versions available for Windows, Mac, Android, iPhone/iPad/iPod Touch, Windows Mobile, BlackBerry…

  • Birta Levente

    KeePass have multiple versions too … 

  • Dave Montgomery

    I’d like to say that I agree with everything above with a slight addition.
    Once you’ve generated or changed your passwords, make sure you take a backup (encrypted offsite or to a hardware encrypted USB flash drive) of your “password” file. It’d be a shame to update one or more passwords, not take a backup then have a failure of some kind.

  • Ivan Nausley

    I’ve been using LastPass for a while now, and like it.  I noticed you didn’t mention them, what are your thoughts?

  • Paul Laudanski

    Good query… I have not used them.  Can you comment how the recent news on the master password affected you?  And can you comment on their service?

  • aaron

    I have to say if you make your password too complicated it leads to a reliance on password storage tools.
    I can make a complex password out of words, number, special characters and no spaces  that I can memorize and can not be hacked.
    example 1biguglydogeating@yourHouse456
    my password is easy to remember and won't be hacked by dictionary attacks.
    I can still save it in a safe in case I lose my memory, but what to do if I lose my memory and can't remember the safe password?  Back to writing it on a sticky notes and putting it under our keyboard or on the computer screen.
    use longer passwords not more complicated passwords.
    reply back to me if you want

  • Paul Laudanski

    Good points Aaron.  A typical concern I see is what happens if a person passes away untimely, and that person's family cannot access bank accounts, etc?  Having a database with a single password can help plan for such events for family and loved ones who are left behind.

  • aaron

    but what if the master password dies with the person as well?  I have worked in IT security for ages and I have come into multiple companies where master passwords were lost or not shared or forgotten due to the complex nature of the password.  If it's something that can be memorized to open the safe then you don't have to record it on paper but can share it with other team needed groups or individuals.
    just my 2 cents

  • Paul Laudanski

    Better succession planning and execution at the company.  Easier said than done right?  That may involve more than one administrator.

  • Amy

    I say…put your complex password in your will.  Then your lawyer will hand the sealed envelope to your family.

  • Debbie

    I have been using different pets names {the ones since childhood} and then different people that I know dates of birth. What do you think of these types of passwords?

  • Keith Sullivan

    I am surprised the author and commentors have not brought up Norton 360…It has a great protection record and I always make different passwords and my master password is long and detailed and can't be simply dictionaried.
    I have used norton products for years and They have never done me wrong….
    Also I have all the passwords backed up on a flashdrive and keep it locked away

    • David Harley

      You can’t really be surprised that the author didn’t recommend one of ESET’s direct competitors? ;-) There are, of course, several products (not just general internet security products) that include password management, and Paul did mention some of them, as Randy has also done in the past. Personally, I tend to avoid recommending specific products unless I know them very well. In principle, your master password sounds ok, though a passphrase is even better, if the product you use allows it (strangely, not all do). And that’s a very good point: it’s essential to keep passwords backed up somewhere secure. I use a post-it on my monitor (just kidding!)

  • cj

    I'm sorry, but it's kinda hard for me to really take this seriously when you can't spell or type the words correctly.  There is spellcheck ya know.

  • Dave

    KeePassX is very useful on the mac too, as long as you use a memorable-yet-secure password for the key file, and back up the keyfile somewhere in case your machine dies.  As an alternative for the password generators out there, I've created , which can generate up to a 64-char password in the browser and uses alpha-numeric, whitespace, and symbols to create something which should be very useful. Would love to hear what you think.

    • David Harley

      Thanks for the suggestion. I’m afraid I don’t know enough about KeePassX to comment.

Copyright © 2014 ESET, All Rights Reserved.