Monthly Archives: April 2014

The Good, the Bad and the Ugly of password practices

The Internet has taken a prominent place in our lives, and most of us regularly purchase goods online or use Internet banking. Access to the services we use is protected by a password, and humans are not good at managing passwords:

  • Most of us will reuse the same password on many services (combine this with the fact that people also use the same email address to log in to said services and you get an explosive mix when security is breached on one service).
  • Most of us will use weak passwords, basically as weak as the service will allow. Not only are our passwords weak, they’re also extremely predictable.

To address those issues you need to use strong unique passwords. By strong I mean that your passwords should be:

  • long (let’s say at least 25 characters)
  • a mix of lower / upper case letters, digits and symbols
  • randomly generated (by a random generator not by you typing random keys on your keyboard)

By unique I mean that you should never reuse a password. You should set a different password on each service. As we tend to use many services and to log in from multiple devices (home and work computers, smartphones, tablets...), it is impossible to remember all those strong passwords.

Google has recommended the use of a sentence and substitution, and something even stronger has been advocated by xkcd. But this doesn’t work. I use over a hundred different services; how could I remember a hundred different sentences? Common substitutions (the ones you will use) are also well documented and will be attempted by attackers trying to guess your password. Other experts have advised getting rid of passwords altogether, but this opinion is unconventional to say the least.

Like it or not, we’re stuck with passwords for the foreseeable future. Luckily there is a solution: it’s called a password manager. With a password manager you’ll only need to remember one password (the master password); all the other ones will be entered automatically for you in the login forms. I use 1Password, but there are other products on the market: LastPass, KeePass, RoboForm… Most of those products are not free but I’m sure you’ll prefer to drop a few dozen dollars every few years instead of seeing your online (and sometimes offline) life ruined.

Now that I’ve addressed password best practices on the users’ side, it’s time to mention the other side. The services that you use should do everything they can to protect your password. There is a lot to say in this area, but I decided to address the features that are easily observable:

  • password requirements: services shouldn’t restrict the length of our passwords (or at least shouldn’t cap it below a few dozen characters) or the character set that we can use (this would reduce the entropy)
  • proper use of HTTPS
  • reset password feature
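
As an added example (not code from the original post), the sketch below generates a password meeting the criteria listed earlier (25 characters, all four character classes, drawn from the OS random generator) and computes how many bits of entropy are lost when a service caps length or character set. The function names and the restricted policy used in the demo (12 characters, letters and digits only) are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes named in the post: lower / upper case letters, digits, symbols.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def generate_password(length=25, classes=CLASSES):
    """Draw `length` characters uniformly from the union of `classes` using the
    OS CSPRNG, retrying until every class appears at least once."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    The retry loop above trims this by a negligible amount at length 25."""
    return length * math.log2(alphabet_size)


def entropy_lost(max_length, allowed_alphabet_size, length=25):
    """Bits lost when a service caps password length and/or character set.
    The policy values are hypothetical inputs supplied by the caller."""
    full = entropy_bits(length, len(ALPHABET))
    capped = entropy_bits(min(length, max_length),
                          min(allowed_alphabet_size, len(ALPHABET)))
    return full - capped


if __name__ == "__main__":
    print(generate_password())
    print(f"25 chars from 94 symbols: {entropy_bits(25, 94):.1f} bits")
    # Constructed policy: at most 12 characters, letters and digits only (62).
    print(f"lost under that policy:   {entropy_lost(12, 62):.1f} bits")
```
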

Due to the Heartbleed vulnerability I decided to change some of my passwords recently. To my surprise, many well-known services impose some strong restrictions on the passwords users can set. Shall we get started? The offenders are ordered from the worst to the most benign.