How do I create secure passwords?

Passwords for online banking. Passwords for games services. Passwords for social networking accounts. Online, you need a password for everything — but how can you make sure your passwords are actually secure?
The short (and somewhat depressing) answer is that you can’t make a password that’s utterly secure, or at least not one hundred per cent secure. Ars Technica has a great piece up at the moment on password cracking that goes into some detail about the methods crackers use to test billions of password guesses per second with off-the-shelf hardware. It’s somewhat scary stuff, especially if you’re using, say, DRAGON as your password.
A quick tip here: Don’t use DRAGON as your password. Don’t use any dictionary words, even from foreign languages, and, as the Ars article points out, not even the XKCD combinator trick is immune.
So what can you actually do? You can make it as hard as possible for a security breach to affect you, that’s what.
Use two-factor authentication wherever it’s offered (I wrote about it for The Drum here). Beyond that, the best advice I can give (and it isn’t bulletproof for all time, because absolutely nothing is) is to use a password manager such as 1Password or KeePass to secure all your passwords.
Use its inbuilt generator to make extremely long passwords, and then secure them behind a master password that only you know and that you use for that password manager and nothing else: nowhere else, not written down, not also used for your Facebook account, and so on and so forth.
It’s then relatively trivial to cut and paste those passwords from the manager (or use its inbuilt launching facilities where appropriate), meaning you can have long passwords (which are mathematically tougher to crack) without the hassle of remembering them.
Then change them every once in a while; this is also what protects you most if you become aware of a security incident at a service you use. You’re not remembering them anyway (that’s the job of the software package), so generating a new long password is just a tap of a button and a change at the service away, which is quite trivial.
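As an added example (not code from this post, nor from 1Password or KeePass), the script below generates passwords the way a manager’s built-in generator does and estimates the cost of cracking a dictionary word versus a long random string at the billions-of-guesses-per-second rate the Ars article describes. The generator alphabet, the tiny word list and the 170,000-word dictionary size are assumptions.

```python
import math
import secrets
import string

# Assumed generator alphabet (the post does not give 1Password's or KeePass's
# exact character sets): upper- and lower-case letters, digits, ASCII punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, tiny stand-in for a cracker's word list; real lists run to
# hundreds of thousands of words in many languages, as the post warns.
WORD_LIST = {"dragon", "password", "letmein", "monkey", "schatz", "soleil"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def generate_password(length=24, alphabet=ALPHABET):
    """Draw every character independently from the OS CSPRNG, as a manager's
    built-in generator does (random.choice is not suitable for this)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def wordlist_entropy_bits(wordlist_size):
    """A word-list password costs at most wordlist_size guesses, however long it is."""
    return math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second=1e9):
    """Worst-case years to try every candidate at the given rate; the Ars piece
    the post cites describes billions of guesses per second on commodity GPUs."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR

def assess(password, wordlist=WORD_LIST, wordlist_size=170_000):
    """Cost a candidate the way a cracker attacks it: a word-list hit is a
    dictionary lookup; anything else is a uniform search over the character
    classes it actually uses (an upper bound: patterns like 'dragon7x' fall faster)."""
    if password.lower() in wordlist:
        attack, bits = "dictionary", wordlist_entropy_bits(wordlist_size)
    else:
        classes = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation)
        size = sum(len(c) for c in classes if any(ch in c for ch in password)) or 1
        attack, bits = "brute force", random_entropy_bits(len(password), size)
    return {"attack": attack, "bits": round(bits, 1),
            "years_at_1e9_per_s": years_to_exhaust(bits)}
```

Compare `assess("DRAGON")` with `assess(generate_password(24))`: the word falls in a fraction of a second, the 24-character random string would take longer than the age of the universe, even at the optimistic rate.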
How Do I? covers the basics, because we’ve all got to start somewhere.
Image: M Thierry

2 thoughts on “How do I create secure passwords?”

  1. Jonathan Maddox

    They’re providing a list of hashed passwords. Whatever happened to salting?
    http://en.wikipedia.org/wiki/Salt_(cryptography)
    http://crypto.stackexchange.com/questions/1776/simple-beginner-level-explanation-of-salt
    If passwords are really being stored as unsalted hashes, all that’s required to crack one is to find ANY string that hashes to the same value — it doesn’t need to be the actual original password. Hash functions aren’t, mathematically speaking, reversible, but there are in practice large and growing reverse-MD5 lookup tables and other ways of finding MD5 hash collisions.
    Salting is an old and very elegant solution to exactly this problem. How and why has it become a lost art?

  2. The problem is that many sites have a maximum number of digits to the size of the password you choose. Remembering long passwords isn’t that hard – you just have to create a system yourself rather than rely on someone else’s – but it all falls down if a site says “your password must be between 6 and 8 digits”.
