This is part 3 of Strong Passwords in the Security for a New Year series.
Security for a New Year Part I: Strong Passwords – Part 1
Security for a New Year Part I: Strong Passwords – Part 2
In part 1 of Strong Passwords I covered the use of entropy and character space to create strong passwords, and how the length of the password is the best defense against a brute force attack. In part 2 I covered methods for creating a high entropy password that is resilient to almost any dictionary attack. In both parts I mentioned that the second problem that comes with passwords is remembering them.
The memory problem typically leads to two very bad password practices. The first is writing the passwords down in a convenient place. While there are many arguments on both sides of this, for security purposes (the reason for having passwords in the first place) you should never write passwords down, at least not in any place that is easily accessible. The places where people most often keep their written passwords are:
- On a post it note on the computer desk or monitor
- On a piece of paper on the desk
- On a piece of paper under the keyboard
- In a notebook on their computer desk
The pattern that emerges is that these are all predictable locations right next to the computer. You should only have a password written down if it is safely away from the computer when you are not there. If you must write your password down, keep it on your person at all times and only take it out when absolutely necessary. An ideal location would be your wallet or purse. In addition, this piece of paper should ONLY contain the passwords themselves. It should not contain your usernames or the websites they are for.
Before I go further into managing a list of strong passwords, there is one more important item I must discuss about password documentation. While the purpose of passwords is to keep others out of our accounts, there is one thing we have to keep in mind, and though morbid to think about, that is our own mortality. There are some accounts, such as bank accounts and possibly even our social media accounts, for which we should keep our passwords documented. In the event of our untimely demise, our family and loved ones would need to be able to access those accounts. It is for this reason that we should maintain a document listing these accounts, their usernames, and passwords. Since this document violates everything else I have discussed about passwords thus far, it is critical that it be kept in an extremely safe place. There are only two places that I would recommend: the first and best choice is a safety deposit box; the alternative is a safe in your home. Again, though this single document opens access to our entire online identity, it is still a very important step in maintaining strong passwords. While we must do everything in our power to secure our accounts and identity, we must also ensure that we do not leave our loved ones with any more burdens or hurdles to go through after our passing.
The second bad habit that comes from having a strong password, and perhaps even worse than having your password on a sticky note attached to your monitor, is password reuse.
Before I go into further detail on this, I have received some criticism from friends for not including an XKCD comic in my password blog posts, so without further ado:

(For those of you not aware of the XKCD web comics, I highly recommend them. The artist covers many technical issues as well as a myriad of other topics. You can view them all for free at XKCD’s website.)
While the comic is entertaining, it covers the majority of the issue with password reuse. And while there are many legitimate sites out there, I can assure you there are twice as many illegitimate sites, probably using this exact tactic. Furthermore, even if a site is legitimate, there is always a chance it could be hacked. If the site is hacked and its database containing user information is downloaded (which it typically is in a website attack), then the only defense for your password is the security measures the site owners had in place on their server. Unfortunately, as attacks such as the one on Sony have shown us (Troy Hunt, “A brief Sony password analysis”), there are a lot of big companies out there with very poor practices for storing customer data. The thing that astonished me from this article was this:
Sony stored over 1,000,000 passwords of its customers in plaintext
In the web security world this is probably the first and foremost cardinal sin with customer data. There are many steps that can be taken to secure customer data, but at the very least, passwords should be one-way hashed with a random salt. In the future I will write an article on server side security, but it will not be part of the Security for a New Year series as it is beyond the scope of these articles. For more information on the Sony hack, this article from Computer World may be helpful.
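To make the "one-way hashed with a random salt" point concrete, here is an added example (my own illustration, not code from the original post or from any site's real login system) contrasting a plaintext user table like the one in the Sony breach with a salted, iterated hash. The record format, the 200,000-round setting and the sample user table are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not any real site's or KeePassX's settings).
PBKDF2_ROUNDS = 200_000   # iterations: makes each guess expensive for an attacker
SALT_BYTES = 16           # a fresh random salt per password defeats precomputed tables


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: pbkdf2_sha256$rounds$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and rounds; compare in constant time."""
    algo, rounds_s, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds_s)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample "user tables" (a single made-up user) in the two storage styles.
PLAINTEXT_TABLE = {"alice": "s3cret-example"}
HASHED_TABLE = {"alice": hash_password("s3cret-example")}


def leaked_table_reveals_password(table: dict, user: str, password: str) -> bool:
    """Simulate someone reading a downloaded table: is the password visible as stored?"""
    return table.get(user) == password


if __name__ == "__main__":
    print("plaintext table leaks password:",
          leaked_table_reveals_password(PLAINTEXT_TABLE, "alice", "s3cret-example"))
    print("hashed table leaks password:",
          leaked_table_reveals_password(HASHED_TABLE, "alice", "s3cret-example"))
    print("login still works against hashed table:",
          verify_password("s3cret-example", HASHED_TABLE["alice"]))
```

Two things to notice: the same password hashed twice yields two different records because each gets its own salt, so a stolen table cannot be attacked with a single precomputed list; and verification never needs the original password stored anywhere, which is exactly what a plaintext table gives away.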
Before I digress further, let us recap the password reuse issue. If you use the same password across multiple sites and one of those sites is hacked and had poor server side security practices, then all of your accounts have essentially been compromised as well. However, this brings about another issue with password memory. While one strong password can be memorized after a short amount of time, a dozen strong passwords proves to be far more difficult. This typically leads back to the first memory issue of writing passwords down in convenient locations, and thus the cycle seems endless. For online accounts there would seem to be a very simple solution: most modern web browsers offer to remember your passwords for you. While this seems viable, it is actually no better than writing your passwords down and leaving them on your computer desk. Typically, these passwords are simply hidden (shown as ‘*****’) in your browser but not actually encrypted or hashed. This means that all someone needs to do to view your passwords is open your browser options and show the passwords.
So aside from writing the passwords down, what other options are there? This is where password vaults or password safes come into play. These programs typically have a master password to open the safe, which then gives you access to all of the rest of your passwords. They usually protect the stored passwords with a strong encryption algorithm, leaving you with only one really strong password to remember. Furthermore, most of these programs offer options for generating long, high-entropy passwords so you do not have to come up with them on your own. While there are many options out there, my personal favorite is KeePassX. You can download it for free from KeePassX’s website. There are several factors that make it my favorite among the password safes, but one of the greatest advantages is the cross-platform support. This means if you use a Mac, a Windows PC, and a Linux PC, the software is compatible with all three. There is also an app for Android phones. The safe that it creates can easily be stored in a cloud based service such as Dropbox or Google Drive, or it can be saved to your computer or a flash drive. Next I will cover the basics for setting up KeePassX once you have downloaded it and extracted the archive.
(If you are unfamiliar with archives they are a way of “zipping” files together into a single file. A very nice open source program for using archives is 7zip. You can download it for free from 7zip’s website.)
KeePassX Usage
Open KeePassX.exe.

Click on File and choose New Database.

Enter in a STRONG password and then click OK. Repeat the password in the next box and then click OK again. You will now see the normal view.

The first thing we need to do is strengthen the cryptographic security of the database. Click on File and then choose Database Settings.

Click on the clock icon to get a random count from the CPU, significantly increase the number of rounds, and then click OK. This greatly increases the security of the password database, and is a step that should not be skipped.
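Why the number of rounds matters, as an added illustration (my own example, not KeePassX's code or its exact key-transformation algorithm): each round is one more pass of a key derivation function that must be run once per unlock by you, but once per guess by anyone trying master passwords against a copied database file. The snippet below uses PBKDF2-HMAC-SHA256 as a stand-in for KeePassX's key transformation and calibrates a round count to a time budget on the machine it runs on; the probe size, floor, target time and the attacker throughput figure are assumptions for the example.

```python
import hashlib
import os
import time


def time_rounds(rounds: int, password: bytes = b"calibration", salt: bytes = b"") -> float:
    """Seconds spent deriving one key with the given number of PBKDF2-HMAC-SHA256 rounds."""
    salt = salt or os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return time.perf_counter() - start


def calibrate_rounds(target_seconds: float = 1.0, probe_rounds: int = 20_000,
                     floor: int = 50_000) -> int:
    """Scale a short probe up to the round count that costs about target_seconds here.

    The floor is an assumed minimum so a fast machine never picks a trivially low count;
    a one-second unlock is a small price for the person who knows the master password.
    """
    elapsed = max(time_rounds(probe_rounds), 1e-6)
    scaled = int(probe_rounds * target_seconds / elapsed)
    return max(scaled, floor)


def attacker_seconds_per_guess(rounds: int, rounds_per_second: float) -> float:
    """Cost of one master-password guess for hardware doing rounds_per_second iterations.

    rounds_per_second is a hypothetical throughput figure supplied by the caller.
    """
    return rounds / rounds_per_second


if __name__ == "__main__":
    rounds = calibrate_rounds(target_seconds=1.0)
    print(f"rounds for ~1 s unlock on this CPU: {rounds}")
    # Assumed attacker throughput of 1e9 HMAC iterations per second (illustrative only).
    per_guess = attacker_seconds_per_guess(rounds, 1e9)
    print(f"one guess costs the attacker ~{per_guess:.4f} s at 1e9 iterations/s")
```

The takeaway is that raising the round count multiplies the attacker's cost per guess by the same factor it multiplies your unlock time, and you only unlock a few times a day.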
The second thing we need to do, and this is the most important, is to save the database so we do not lose the passwords we create. Click on File and then choose Save Database.

This will prompt you with a standard save box, where you can choose a place to save your database. The best option is not to store the file on your PC at all, but rather to save it to a flash drive. Also be sure to make a copy of the database on a disc or second flash drive, store it in a safe, and keep the backup up-to-date as much as possible. If you must store the file on your computer, it becomes all the more important that you have an extremely strong password protecting the database.
Now that the database is saved we can continue to add passwords to our database. Click on a group and then click the Add New Entry icon.

After you click the icon, the Add New Entry window will open.

Enter in the title of the password, such as the account it is for. Then continue to enter in your username, URL, and any comments about the password. You can also set an expiration date for the password if you choose.
Next, let’s use the built-in password generator to generate a new password for this entry. Click on the Gen button.

Select all of the character groups you wish to use. It is important to ensure that all of the groups you choose are supported by the site you are creating the password for. Next select the length of the password you want to use. It is also important to ensure that you do not exceed the password length supported by the site. Additionally, I always recommend checking the ‘Enable entropy collection’ option. This provides you with a box in which you simply move your mouse around to generate randomness. Then click Generate.

After this box is full, click the OK button.

You will then go back to the generator window. You can view the password it generated by clicking the eye icon. As you can see, this is a ridiculous password. Simply click OK and it will take you back to the Add New Entry window.
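Here is an added example of what the generator dialog is doing when you pick character groups and a length (my own code, not KeePassX's generator), including the two checks the steps above call for: restricting the pool to what the site supports, and refusing a length the site would reject. It also reports the entropy of the result using the character-space formula from part 1; the group names, the `max_length` and `allowed_specials` parameters are this example's own.

```python
import math
import secrets
import string
from typing import Iterable, Optional

# Character groups mirroring the generator's checkboxes (group names are this example's own).
GROUPS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": string.punctuation,
}


def build_pool(groups: Iterable[str], allowed_specials: Optional[str] = None) -> dict:
    """Map each selected group to the characters it contributes.

    allowed_specials (assumed parameter) narrows the special group to the symbols a
    particular site accepts, since many sites reject some punctuation.
    """
    pool = {}
    for name in groups:
        chars = GROUPS[name]
        if name == "special" and allowed_specials is not None:
            chars = "".join(c for c in chars if c in allowed_specials)
        if chars:
            pool[name] = chars
    return pool


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `pool_size` symbols."""
    return length * math.log2(pool_size)


def covers_all_groups(password: str, pool: dict) -> bool:
    """True when at least one character from every selected group is present."""
    return all(any(c in chars for c in password) for chars in pool.values())


def generate_password(length: int,
                      groups: Iterable[str] = ("upper", "lower", "digits", "special"),
                      max_length: Optional[int] = None,
                      allowed_specials: Optional[str] = None) -> str:
    """Generate a password with secrets (CSPRNG), honouring the site's limits."""
    if max_length is not None and length > max_length:
        raise ValueError(f"site allows at most {max_length} characters")
    pool = build_pool(groups, allowed_specials)
    if not pool:
        raise ValueError("no characters to choose from")
    if length < len(pool):
        raise ValueError("length too short to include every selected group")
    alphabet = "".join(pool.values())
    # Rejection sampling: redraw until every selected group appears, so the result is
    # still uniform over the set of acceptable passwords.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_all_groups(candidate, pool):
            return candidate


if __name__ == "__main__":
    pool = build_pool(GROUPS)
    pw = generate_password(20)
    size = sum(len(chars) for chars in pool.values())
    print(pw, f"({entropy_bits(20, size):.1f} bits from a {size}-character space)")
```

With all four groups selected the pool is 94 characters, so a 20-character password carries about 131 bits of entropy; dropping the special group or shortening the password lowers that figure, which is the trade-off you make when a site restricts what it accepts.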

You will notice that it has also already duplicated the password into the Repeat field. Click OK again to go back to the main window and add this entry.

As you can see, it also masks the username and password by default so that anyone looking over your shoulder will never see your actual password when you enter it. Be sure to click the save icon so you do not lose the entry. To use the password, simply right click on the entry and choose Copy Password to Clipboard.

You can now paste it into the password field on the website you created it for. Keep in mind that you need to change the password on the site first. Additionally, from the time you copy the password it only stays on the clipboard for 20 seconds by default. This is to ensure no one can come up and paste your password into a text editor if you happen to leave your computer unattended. Additionally, by not typing in your password, this also defeats most key logger programs.
This is a basic guide to using KeePassX. There are many more options for customization. While there is no official documentation page for KeePassX, there is one for the project it branched off from. While not all of the options from KeePass are available in KeePassX, most of the documentation for KeePass 1.x should apply. For the KeePass documentation click here.
While there may be more options in KeePass than in KeePassX, KeePass is not cross-platform, and therefore is not as useful to me.
Closing
This concludes the third and final part of Strong Passwords. We have covered a lot of information in this sub-series of Security for a New Year. Look for more articles in the series in the coming weeks. I hope this series has helped you gain a greater understanding of how passwords work, and how important they are in securing your online identity. You now have the methods and tools for creating high entropy, high character space passwords. In the process we have also covered several bits of useful open source software such as KeePassX and 7zip. As always, I look forward to any feedback.
~Spike