Keep your passwords safe

We are surrounded by passwords. Some of them are obvious, some we use daily, and others are needed only once a month. When you use an ATM you have to enter your PIN. When you log in to your computer you may have to give a password. If you read your e-mail through a webmail service you will be asked for a password.

The easier a password is to remember, the easier it may be to guess. Conversely, the more difficult a password is, the lower its security may end up being, because (a) you have to write it down and (b) you will reset it more often since you cannot remember it.

What's a good method for creating a good password?

First of all, never use anything that appears in a dictionary. Using ordinary words makes it possible to run dictionary attacks against you. One of the most powerful methods is to take the first letters of a long sentence (at least 10 characters): for example, “my way to the beer pub this night is very very long” gives mwttbptnivvl - this is still weak. By adding alterations we get mW2ttbpt/NiVv(l - which is a strong one. This method is probably easier to remember than something totally random.

And it is as powerful as using passwords produced by password generators.
The principles: the more characters you use, the higher the entropy. Use capitals, but capitalize more than one character. Also use special characters. Never ever use ordinary dictionary words.

I suggest using a password checker to check password strength.

Form of stored password

On the other hand, you can create the hardest password ever, but the software you are using may store it in plain text. The easiest way to check whether a website stores plain-text passwords is to request a new one. If you receive your old password in plain text by e-mail, you should stop using that service.

A better way is to store so-called “hashed” passwords. Hashing means that a hash (checksum) is built from your password using an algorithm like md5 or sha1 - sha1 is preferred. When you enter your password, the system builds the hash and compares it with the stored one. If they match, you get access.

Additionally, many systems use a salt. That means additional characters, known to the site's administrators / developers, are added to the password before it is hashed. That makes it difficult for an attacker to build hash lists / rainbow tables. You can make it even harder by recycling the hash for n cycles: with this method the hash is hashed again n times, where n is the number of cycles.

Combining these methods on the application side makes even weak passwords harder to crack. This is about what site developers can do for their users.
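The salted, n-cycle hashing scheme described above, as an added example (not code from the original post). It uses SHA-256 rather than the md5/sha1 the post mentions, a fresh random salt per user stored next to the hash, and a constant-time comparison on verification; the record format `sha256$cycles$salt$hash` is an assumption made for this example.

```python
import hashlib
import hmac
import os

CYCLES = 100_000  # the "n-cycles" of re-hashing; raise it as hardware gets faster


def iterated_hash(password: str, salt: bytes, cycles: int) -> bytes:
    """Hash salt+password, then re-hash the result `cycles` more times.
    The salt is mixed into every round, so a table precomputed for one
    salt is useless against another."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(cycles):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def make_record(password: str, salt: bytes = b"", cycles: int = CYCLES) -> str:
    """Build the string a site stores: algorithm, cycle count, salt and hash.
    A fresh random salt per user is stored with the hash so verify() can reuse it."""
    if not salt:
        salt = os.urandom(16)
    digest = iterated_hash(password, salt, cycles)
    return f"sha256${cycles}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and cycles and compare."""
    try:
        algo, cycles, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "sha256":
        return False
    candidate = iterated_hash(password, bytes.fromhex(salt_hex), int(cycles))
    # Constant-time comparison, so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Two users choosing the same password still get different records."""
    pw = "mW2ttbpt/NiVv(l"  # the post's example password
    alice, bob = make_record(pw), make_record(pw)
    return {
        "same_password_different_records": alice != bob,
        "alice_verifies": verify(pw, alice),
        "wrong_password_accepted": verify("mwttbptnivvl", alice),
    }


if __name__ == "__main__":
    print(demo())
```

Because each record carries its own salt and cycle count, a leaked database gives an attacker no shortcut: every user's hash has to be attacked separately, and every guess costs n+1 hash computations.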

Part II will cover TLS / SSL, password safes and VPNs - online soon.

Dominik Jais