hello friends! new(ish)!

Passwords: Difference between revisions

From InstallGentoo Wiki v2
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
 
Line 59: Line 59:
* Some other strategy you thought of five minutes ago: The people who write password managers have already thought of it and determined why it is less secure than what they already use.
* Some other strategy you thought of five minutes ago: The people who write password managers have already thought of it and determined why it is less secure than what they already use.


If you're skeptical at all about how advanced password crackers are, [https://www.youtube.com/watch?v=DTbCjpsdhfM UNHash] is a talk from late 2019 explaining the current state of password cracking.
If you're skeptical at all about how advanced password crackers are, [https://www.youtube.com/watch?v=DTbCjpsdhfM UNHash] is a talk from late 2014 explaining the current state of password cracking.


[[Category:HowTo]]
[[Category:HowTo]]
[[Category:Recommendations]]
[[Category:Recommendations]]
[[Category:Security]]
[[Category:Security]]

Latest revision as of 00:47, 8 December 2024

How passwords are compromised

Passwords are mostly compromised offline by breaking a password's hash. Every few months some huge website with millions of users will get owned and it's database of hashed passwords will be made public. The biggest database so far is the RockYou database.

Crackers will run their tools against the hashed passwords to unmask them. From this they will learn:

  • What the most common passwords are.
  • What strategies people use to try and harden their passwords (e.g. adding numbers to the end).
  • How often unique passwords are used (0.0001% of the time).

Once the passwords in the hashed password database are unmasked, crackers have an accurate view of how people choose passwords and therefore have a better chance of cracking your password.

A common technique is a dictionary attack, which will try every entry in a customized word list ("dictionary"). This might be the Oxford English Dictionary or every word which came up in the first 10 pages of a google search for "memes". Advanced dictionary attacks will do all that shit you thought you were so clever for thinking of:

  • Use multiple words.
  • Add numbers to the end of words.
  • Add symbols before/after/between words.
  • Turn the words into l337 sp34k (Very well known by this point).
  • Add the website's name onto the end of your password.
  • Use common phrases like 1pledgeallegiancetotheflag or yippiekiyaymotherfucker.
  • Much, much more, guessing billions of times per second.

Choosing a good password

A graphical example of the Diceware method, courtesy of xkcd

There are two types of passwords:

  • Regular passwords, which you keep in a password manager.
  • Passphrases, longer strings that are used at the most important places, for example to protect your password manager database or unlock your encrypted disk.

The best passphrases are generated with Diceware which involves rolling 6 sided die to select random words which build a long cryptographically random passphrase. This produces passphrases you can memorise, but attackers can't guess (easily).

The rest of your passwords, most of which will be for websites, should be generated and stored by your password manager.

Password managers

These are programs which will generate long, random passwords using the full character set. Passwords which can only be broken by brute force, which can take longer than all the time since the big bang. You can easily have different passwords for every site you visit and set password expiry dates to remind you to change your passwords every so often (yearly? 6 monthly?). Passwords are kept within an offline encrypted database which you should back up regularly.

Good password managers:

Some password managers store your passwords in the cloud, making them a colossal target for hackers and placing your trust in the the skills of the cheapest admin the cloud can afford. Don't use them. Examples include LastPass and 1Password.

Bad Password Strategies

Don't do this:

  • Less than 10 characters.
  • Lowercase only.
  • Dictionary words.
  • Names, sports teams, pet names, chinese cartoon references.
  • "B-But my password had both letters and numbers!"

Or this:

  • Using the same password in two (or more) different places.
  • Using the same password with slight changes for each place it's used.
  • Using a password you've ever shared with anyone ever.

I'm so clever I trolled myself shit:

  • Hashing a word/phrase: This may get you a decent password length, but if you're going to use a tool, why not use a tool specific to making good passwords?
  • Some other strategy you thought of five minutes ago: The people who write password managers have already thought of it and determined why it is less secure than what they already use.

If you're skeptical at all about how advanced password crackers are, UNHash is a talk from late 2014 explaining the current state of password cracking.