Wednesday, 6 August 2014

How to make a strong password

tl;dr:

If you're reading this then you probably know about the Russian crime ring that made off with a shitton of username and password data from many sources. If not, just search for it.

Then I came across this clickbait-type article detailing seven steps toward making a strong password. Actually, there is only one true way to make a strong password, and thankfully it's the first step in that article.

Make it as long and annoying as you possibly can.

But make sure it's memorable for you without too much effort, and a royal pain for anyone else to guess or brute-force. Length is what counts: every extra character (or, better, every extra random word) multiplies the search space, which no amount of "one digit and one symbol" decoration does.
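To put numbers on "long and annoying", here is an added example (not from the original post) that generates a random-word passphrase with a CSPRNG and compares the entropy of a few password styles. The sixteen-word list is a constructed stand-in for a real diceware list of 7776 words; the guess rate of 10^11 per second is an assumed figure for an attacker running a fast unsalted hash on GPUs, and the 50,000-word dictionary and the 10-symbol special-character set used for the "policy-compliant" style are likewise assumptions for the attacker's model, not measured data.

```python
import math
import secrets

# Constructed mini wordlist for the demo. A real diceware list has 7776 words;
# the strength comes from the list size and the word count, not the words themselves.
DEMO_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]

# Assumed attacker guess rate: roughly what a GPU rig manages against an
# unsalted fast hash. A slow, salted hash (bcrypt/scrypt/Argon2/PBKDF2) cuts
# this by orders of magnitude, but the user should not have to count on it.
ASSUMED_GUESSES_PER_SECOND = 1e11


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int, sep: str = " ") -> str:
    """Pick `count` words uniformly at random using the OS CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def seconds_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate every candidate; average time is half this."""
    return 2 ** bits / guesses_per_second


def compare_strategies(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Entropy (bits) and worst-case search time (years) for several password styles.

    The "policy-compliant" entry models what a composition policy actually buys:
    one dictionary word (assumed 50,000-word dictionary) plus one digit plus one
    special character from an assumed set of ten, in the predictable positions
    everyone uses. The attacker models the pattern, so that is all the entropy there is.
    """
    strategies = {
        "8 random printable chars": entropy_bits(95, 8),
        "policy-compliant word+digit+symbol": (
            math.log2(50_000) + math.log2(10) + math.log2(10)
        ),
        "4 random diceware words": entropy_bits(7776, 4),
        "6 random diceware words": entropy_bits(7776, 6),
    }
    seconds_per_year = 365.25 * 24 * 3600
    return {
        name: {
            "bits": round(bits, 2),
            "years_to_exhaust": seconds_to_exhaust(bits, guesses_per_second) / seconds_per_year,
        }
        for name, bits in strategies.items()
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(DEMO_WORDS, 6))
    for name, result in compare_strategies().items():
        print(f"{name:40s} {result['bits']:6.2f} bits  {result['years_to_exhaust']:.3g} years")
```

Six random words from a real 7776-word list come out around 77 bits, against roughly 53 bits for eight fully random printable characters and about 22 bits for the "Summer2014!" style that satisfies most composition policies. The point the table makes is the one in the post: a few extra words are worth far more than a mandated symbol, and they are much easier to remember.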

I should continue by saying that if every service that uses username and password authentication received the password over SSL and then hashed it with a per-user random salt and a deliberately slow hash before storing it in the user database, this would be this post's end-of-file. (The hashing happens on the server after the password arrives, not before sending; the transport is what SSL is for.)

However, as we have witnessed in this massive credential theft, many services apparently have no idea how to do things, and as a result leave themselves as extremely easy targets. I wouldn't be surprised if some of the "victims" store their users' passwords in plaintext and/or don't use SSL; hashing at rest and encryption in transit are two of the most basic ingredients necessary for adequate data protection.

Hell, whenever I come across a service with a password policy that goes beyond a minimum length, alarm bells ring immediately. In the aforementioned password tips article, one point included mixing all sorts of characters around. That reminds me of the moronic password policies requiring at least one of a set of special characters. Maybe it's supposed to help the most brain-dead users make somewhat harder to guess (but, worse, somewhat harder to remember) passwords? A mandatory digit or symbol adds a few bits of guessing work at most, because everyone puts it in the same place, while each extra character of length adds bits on its own. A policy like that is a sign the service is leaning on the user instead of protecting the stored data properly. The real red flag is a maximum length: a properly hashed password has no reason to be capped at 12 or 16 characters, since the hash is the same size whatever the input.

The very worst is when I need to use the occasional password reset feature and the password I set is emailed back in total plaintext. That is only possible if the service stores passwords in plaintext or reversibly encrypted; a properly hashed password cannot be recovered, only replaced.

Seriously though, in an ideal situation, SSL would be used during authentication, password data would be hashed with a per-user salt, and there would be no password policy in place except maybe the minimum length line. Let users be as smart or stupid about the passwords they create, because the endpoint would be secure. Crackers would guess the stupid ones and probably succeed, but the breach would be minimal, because 1) only the accounts with stupid passwords got cracked and 2) nobody else's stuff could be accessed (except when explicitly shared, à la Google Drive). Can't blame the service provider now! The one remaining casualty is password reuse: a weak password cracked from one dump gets tried against every other service its owner uses, which is one more argument for a unique passphrase per site.
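What "hashed and salted" looks like server-side, as an added example that is not from the original post: a fresh random salt per user, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library here; bcrypt, scrypt or Argon2 are equally good choices), a constant-time comparison on verification, and, for contrast, the unsalted fast hash that lets an attacker crack every user with one precomputed table. The storage format string and the `hash_password`/`verify_password` names are this example's own, not any particular framework's; the iteration count of 600,000 follows OWASP's published guidance for PBKDF2-HMAC-SHA256 and should be tuned so that one hash costs a fraction of a second on your own hardware.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. OWASP's 2023 guidance is 600,000 iterations;
# raise it as hardware gets faster. Tests below pass a smaller value for speed.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh 16-byte salt from the OS CSPRNG means two users with the same
    password get unrelated digests, so a single precomputed table cannot
    crack them all at once and the attacker pays the full cost per user.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing the handler.
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do. Same password, same digest for every user and every site,
    and a GPU tries billions of these per second against a leaked table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class UserStore:
    """Minimal in-memory user database to show registration and login end to end.
    The service never keeps the plaintext, so a "reset" can only set a new one."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self._records = {}
        self._iterations = iterations

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password, self._iterations)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Still burn a hash so a missing user takes as long as a wrong password.
            verify_password(password, hash_password("", self._iterations))
            return False
        return verify_password(password, record)

    def stored_record(self, username: str) -> str:
        return self._records[username]


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    print("alice:", store.stored_record("alice"))
    print("bob:  ", store.stored_record("bob"))
    print("same password, different records:",
          store.stored_record("alice") != store.stored_record("bob"))
    print("unsalted sha256 for both:", unsalted_sha256("correct horse battery staple"))
    print("login ok:", store.login("alice", "correct horse battery staple"))
    print("login bad:", store.login("alice", "Correct horse battery staple"))
```

With this in place a leaked database still costs the attacker one slow guess per candidate per user, the weak passwords fall first and the strong passphrases effectively never, and there is no way for the service to email anyone their password back because it does not have it.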

Oh, and the proper term really should be passphrase, because "password" implies a one-word secret.