Password Tips · March 13, 2019 · OMUG

Password Tips · Suggested Password Strategy Create strong, memorable passphrases for your key passwords. 1. Password manager program’s master password. 2. Computer login password.

Jul 07, 2020


dariahiddleston

What’s Wrong With Our Passwords

• Too simple.

• Used in more than one place.

• Too many and too hard to remember.

• Sometimes expire and need to be changed.

• Poor or non-existent password management.


How Do You Store Your Passwords?

I use one, two, or three and rotate between them.

I memorize them!

Post-it notes.

Scattered pieces of paper.

Notebooks.

Taped to the bottom of your keyboard.

Text or spreadsheet file on your computer.

Password Manager program


How Passwords are Hacked

• Theft via hacking, poor server management practices, social engineering mistakes.

• Dictionary attack - used to guess passwords using databases containing words, numbers, symbols.

• Brute force attack - used to systematically guess passwords using all possible combinations.

• Rainbow table - a precomputed lookup table used to reverse the hashing applied to stored passwords.

• Keyboard loggers / nosy people.


Facts

• Brute force attacks depend on the number of possible combinations (e.g. password length).

• For a computer, the password “my awesome car is on fire” is exponentially more difficult to crack than the password “@y23k3!34”.

• A powerful computer or botnet can analyze over 2 billion password combinations per second.

• Free and inexpensive password cracking tools exist.

• Databases with pre-cracked lists of passwords are sold on the dark web.


What Happens When a Password is Hacked or Stolen?

• The hacker will use a variety of techniques to break the encryption.

• Then they will attempt to access every major bank, credit card company, payment system, retail store, email system to see other places the password was used.

• They will use public records to get addresses and other information contained in security questions.

Reusing passwords is one of the most dangerous things you can do.


What Makes a Good Password?

• Old advice — combine upper and lower case, symbols, numbers, and have at least 8 characters.

• Current advice — use long passphrases. Longer, random, complex passphrases are better.

Key passwords need to be memorable. If you can’t remember a password, it is useless!


Familiar Tricks Don’t Work

Substitutions

M1$$1$$1p1

Keyboard patterns

qwertyasdf

Repetitive padding

Montana12&*-&*-&*-&*

Hackers read the same password tips that we do.


Suggested Password Strategy

Create strong, memorable passphrases for your key passwords.

1. Password manager program’s master password.

2. Computer login password.

3. Mobile device passcode.

4. Apple ID password.

5. WiFi password.

Practice and memorize them.

Use a password manager program for everything else.


Password Creation Tips

Avoid secrets or things that are personally meaningful.

Don’t use family names, birthdays, pet names.

Use a Password Generator.

randompassphrasegenerator.com

xkpasswd.net/s/

1password.com/password-generator/


Examples

Password | Length | Time to Crack
Mississippi | 11 | < 1 sec
Msssspp (no vowels) | 8 | 17 min
M1$$1$$1p1 (substitution) | 11 | 3 hours
Msssspp-1 (no vowel-#) | 10 | 4 hours
Miss-iss-ippi (add dashes) | 13 | 15 days
my-home-in-Mississippi | 22 | Centuries

lowe.github.io/tryzxcvbn/ @ 10K/sec


Password Entropy

Entropy — a measure of password complexity. Measured in number of bits.

< 28 Very Weak: might keep out family members

28 - 35 Weak: should keep out most people, good for desktop login

36 - 59 Reasonable: OK for networks and companies

60 - 127 Strong: good for financial information

128+ Very Strong: often overkill

source: rumkin.com/tools/password/passchk.php
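
An added example (not part of the original slides) tying together the Facts and Password Entropy slides: it generates a passphrase with a cryptographic random source, computes its entropy in bits, maps that to the bands above, and estimates average guessing time at the two rates the slides mention. The 32-word list is constructed for the demo and far too small for real use, 7776 is the size of common five-dice word lists, and the formula holds only for randomly picked words or characters, so it will not reproduce the estimator figures in the slides' tables.

```python
import math
import secrets

# Constructed 32-word demo list (5 bits per word); real lists are far larger,
# e.g. 7776 words for five-dice lists.
DEMO_WORDS = ("apple brick cloud delta ember flint grape harbor island jungle "
              "kettle lemon marble nickel orbit pepper quartz river saddle "
              "timber umbra velvet walnut xenon yonder zephyr anchor bucket "
              "candle dagger engine falcon").split()

# Guess rates taken from the slides.
RATES = {"10K/sec": 1e4, "2 billion/sec": 2e9}

# Bands from the Password Entropy slide: (minimum bits, label).
BANDS = [(128, "Very Strong"), (60, "Strong"), (36, "Reasonable"),
         (28, "Weak"), (0, "Very Weak")]

def random_passphrase(n_words, words=DEMO_WORDS, sep="-"):
    """Pick each word independently and uniformly with the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(count, pool_size):
    """Bits of entropy for `count` uniform random picks from `pool_size` options.
    Valid only for random picks; human-chosen phrases score lower."""
    return count * math.log2(pool_size)

def band(bits):
    return next(label for floor, label in BANDS if bits >= floor)

def avg_crack_seconds(bits, guesses_per_sec):
    """On average an attacker searches half the space: 2**(bits-1) guesses."""
    return 2 ** (bits - 1) / guesses_per_sec

def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    print("sample:", random_passphrase(4))
    cases = {"9 random printable chars": entropy_bits(9, 94),
             "4 words from 7776": entropy_bits(4, 7776),
             "6 words from 7776": entropy_bits(6, 7776)}
    for name, bits in cases.items():
        times = ", ".join(f"{human(avg_crack_seconds(bits, r))} @ {k}"
                          for k, r in RATES.items())
        print(f"{name}: {bits:.1f} bits ({band(bits)}); {times}")
```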


Password Entropy Examples

Password | Length | Entropy | Time to Crack
idiot | 5 | 20 | < 1 sec
An idiot | 8 | 23 | 3 minutes
An id iot | 9 | 38 | 1 day
I am an idiot | 13 | 45 | 6 months
I am such an idiot | 18 | 60 | Centuries
I’ll bet you are an idiot too | 29 | 84 | Many centuries

lowe.github.io/tryzxcvbn/ @ 10K/sec


Password Manager Programs

• Store all your passwords in an encrypted vault.

• Generate complex passwords and passphrases.

• Sync passwords with all your devices.

• Use to enter passwords into forms.

• Only need to remember a single master password.

1Password www.agilebits.com

LastPass www.lastpass.com

Dashlane www.dashlane.com

Roboform www.roboform.com


Don't forget your master password!


Questions?