We have had some good talk over on the LSNTAP mailing list lately centered around managing passwords and this recent NPR article about the recent update to the National Institute of Standards and Technology’s publication of Digital Identity Guidelines.
The guidelines are handy in that they spell out a lot of the details, but unfortunately the document is not terribly readable. Fortunately many of the most important and actionable ideas have been known for a while, so there are more accessible sources available, and I’ve further distilled them for you here.
To start with, most of what you have learned about how to create passwords in the past has been wrong. Passwords that require special symbols, numbers, and capitalization tend to be hard for humans to remember and easy for computers to guess. A better method is a longer password made up of four words, as shown in the XKCD comic above and in the videos below. Be sure to avoid passwords made up of words that commonly go together, like fourscoreandtwenty, and be sure to include at least one less common word like cakes, statements, or oilcloth. There are lots of lists that rank how often words are used; check your choices against one of those lists.
Another reversal from old guidelines: you should probably not change passwords as often as you do. Conventional wisdom was to change them fairly frequently to limit the amount of time an attacker would have access to your account if the password were compromised. These days, when someone gets access to an important password they will often use it within hours if not minutes. If it’s a banking password they can drain the account; if it’s an email password they can change it to lock you out while they go through your mail and request new passwords for everything they can find; and if it’s for an admin account they may create a new account with permissions and erase their tracks. In pretty much all these cases the damage will be done so quickly that changing your password on a schedule is unlikely to help. In addition there is a real cost to frequently changing passwords: it takes time and effort to remember them, and people who have to change passwords often tend to choose worse passwords and, when they do change them, often make only superficial changes.
Next, make sure not to reuse your passwords. If you do, then a data breach at one site can leave you vulnerable at several others.
Fortunately for everybody, the past two points are somewhat moot when you use a password manager. In essence a password manager is a program that will generate and store all your passwords in a file encrypted with one master password. This has a bunch of benefits, the main one being that you only need to remember one password. Because there is no need to memorize them, all your other passwords can be long strings of random characters that will defy both dictionary and brute force attacks. Since you only need to remember one password there is no incentive to reuse passwords, and even though frequent changes are unnecessary, a manager eliminates most of the problems associated with them if you do change passwords.
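As an added illustration (not code from the original post) of the two ideas above, the following Python checks a passphrase against the four-word, at-least-one-uncommon-word rule, generates one with a cryptographically secure random choice, and compares the guessing entropy of a four-word passphrase with that of the random character strings a password manager produces. The frequency list and wordlist are tiny constructed stand-ins for the real lists the post tells you to use.

```python
import math
import secrets

# Constructed, abbreviated word-frequency list, most common word first.
# A real list (derived from a large text corpus) runs to tens of thousands
# of entries; a rank at or below COMMON_CUTOFF counts as "common".
FREQUENCY_LIST = ["the", "and", "to", "of", "in", "four", "score", "twenty",
                  "correct", "horse", "battery", "staple", "cakes"]
COMMON_CUTOFF = 8
WORD_RANK = {w: i + 1 for i, w in enumerate(FREQUENCY_LIST)}

# Constructed generator wordlist; a real diceware-style list has 7776 words.
WORDLIST = ["four", "score", "twenty", "correct", "horse", "battery",
            "staple", "oilcloth", "statements", "cakes"]


def is_common(word):
    """A word is common if it sits at or above the cutoff in the frequency
    list; words absent from the list are treated as uncommon."""
    return WORD_RANK.get(word.lower(), len(FREQUENCY_LIST) + 1) <= COMMON_CUTOFF


def check_passphrase(words, min_words=4):
    """Apply the post's rules: at least four words, at least one uncommon."""
    problems = []
    if len(words) < min_words:
        problems.append(f"only {len(words)} words, need {min_words}")
    if all(is_common(w) for w in words):
        problems.append("every word is common; include a less common one")
    return problems


def generate_passphrase(num_words=4):
    """Pick words with the secrets module (a CSPRNG, not random.choice),
    retrying until the result satisfies check_passphrase."""
    while True:
        words = [secrets.choice(WORDLIST) for _ in range(num_words)]
        if not check_passphrase(words):
            return words


def entropy_bits(positions, size):
    """Guessing entropy when each of `positions` slots is drawn uniformly
    from `size` options and the attacker knows the method used."""
    return positions * math.log2(size)


if __name__ == "__main__":
    print(" ".join(generate_passphrase()))
    print(f"4 words from a 7776-word list: {entropy_bits(4, 7776):.1f} bits")
    print(f"8 random printable characters: {entropy_bits(8, 94):.1f} bits")
    print(f"20 random printable characters: {entropy_bits(20, 94):.1f} bits")
```

The entropy figures show why a four-word passphrase is roughly as strong as an eight-character "complex" password while being far easier to remember, and why a manager-generated 20-character random string is out of reach of brute force entirely.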
In summary:
  • Get a password manager
  • Create a master password by stringing together 4 unrelated words. Make sure at least one of them is slightly obscure.
  • Congratulate yourself on a job well done
For those interested in learning more Computerphile has done some excellent videos where Dr Mike Pound demonstrates cracking passwords and explains in more detail some guidelines for creating better passwords. After those two videos Tom Scott gives a brief overview on what goes into safely storing passwords and why, if at all possible, you shouldn’t.