Creating and keeping track of the passwords that secure our online life is one of the defining problems of the internet age. Each year hundreds of millions of user accounts are hacked, thanks to easily guessed or reused passwords, often revealed following mass data breaches.
The solution for limiting potential damage to your online life is strong and unique passwords. For these you really should be using a password manager – preferably not the one built into your web browser – to keep track of them and create secure new ones.
Password managers help to mitigate the worst of our bad habits when it comes to password creation, keeping us from reusing the same password over and over again, repeatedly using slight variations or using 1337 speak character substitutions instead of proper random character strings.
However, although your manager can generate secure, random 16-character passwords for every site you use, you still have to create a master password that you'll use to unlock your manager.
Security researcher and Have I Been Pwned? creator Troy Hunt says that, "when creating a password, start from the very outset with the expectation that it will be breached. Create it assuming the organisation you give it to will lose it. If you take that approach, you’ll find it will start to change sub-optimal password hygiene."
Human behaviour is the downfall of most insecure passwords. Secure passwords have a lot of things in common: they're long, unique, involve a mixture of characters and avoid clues and references to our personal lives.
Lorrie Faith Cranor of Carnegie Mellon University says: "People do a lot of very predictable things, such as putting their special characters only at the beginning and end rather than mixing them up in the middle, or using common phrases and patterns, such as iloveyou and keyboard patterns. Also, people often choose passwords that are too short. For a secure master password, I would like to see something at least 12 characters long."
The key measurement of password security is entropy. In computer science terms, this is a measure of how unpredictable a password is: roughly, how many guesses an attacker would have to work through, character by character, before hitting the right one. By this standard, longer passwords are by definition more secure.
However, that doesn't take human predictability into account. "People are terrible at being random, especially when they are trying to be random," Jeff Goldberg, chief defender against the dark arts (yes, that's his actual job title) at AgileBits, the maker of 1Password, says. "But let me talk about what randomly means here. Suppose you need a password of mixed letters and digits that is 10 characters long for some system. When people pick these, passwords like '2BorNot2Be' are far more likely to be picked than things like 'HbZBSz44Q5'."
Stanko Tomic, senior engineer at RoboForm says: "As a best practice, we tell people to max out the character limit to whatever a site allows with a password that is both strong and – just as important – unique. Uniqueness is what protects someone from a breach on one site causing their data on other sites to be vulnerable via password reuse."
High entropy is of limited use if your password is easy to predict in other ways, and length alone isn’t enough to guarantee that your password is safe. Crackers have developed combinator attacks to try strings of words, pillaging literary sources ranging from the Bible and the works of Dickens to YouTube comments for the word lists used by their automated cracking tools.
Cranor warns that "if you let users choose their own pass phrases, they will probably be more memorable, but then we have concerns about them being too predictable."
For this reason, Goldberg recommends randomly-generated word strings: "1Password provides a mechanism for choosing a passphrase comprised of randomly selected words. So you might get something like 'tribute downbeat mutation' from our word list password generator. Making it three words long is the bare minimum, but I recommend four words for most usages. Again, these have to be chosen in a truly random fashion, either by rolling dice or using a random generator."
Steve Schult, senior director of product management at LastPass agrees: "The best way to put together your master password is to use a passphrase. Not something everyone would recognise, but a long string of words and characters that only make sense to you. Teal2brick!PumpedLunch$kiing. It has no meaning to anyone and if it’s the only password you have to remember, you can definitely commit it to memory."
LastPass Free: Secures your passwords behind a zero-knowledge system that encrypts your data locally and synchronises it between your devices online.
KeePass Password Safe: Gives you complete control of your password file, and its open source code allows anyone to scrutinise its security.
Password managers largely claim that their password generators produce unique sequences of words. But if they're not careful, this isn't always the case.
"Not all 'random password generators' create truly random results," Malaika Nicholas of password manager firm Dashlane has written in a blog post. "If I use a generic random password generator to create 10,000 new passwords, the passwords I generated are the result of a phenomenon called pseudo-random, meaning the results appear random when they really aren’t."
However, while true randomness isn't something that computers can achieve without external input, the pseudo-random password generators used by tools such as LastPass and Dashlane are cryptographically secure, thanks to the use of external factors to generate entropy.
Although the algorithm used to create a randomly generated number is predictable, unlike, for example, the physical circumstances involved in a real-world dice roll, the seed number used to generate the random result is not.
Cryptographically secure pseudo-random number generators (CSPRNGs) collect entropy from unpredictable hardware sources, such as fan noise, mouse movement, network activity and keyboard press timing relative to earlier presses.
The entropy pool is gathered by your operating system (via /dev/random under Linux and macOS, and CryptGenRandom in Windows) and is used to produce a seed whenever on-the-fly encryption keys have to be generated, such as for HTTPS web sessions or the passwords created for you by your password manager.
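An added example (not code from the article or from any of the password managers it names) that puts numbers on the entropy discussion above: it scores a 16-character password and three- and four-word passphrases in bits, draws words with the OS CSPRNG via Python's `secrets` module, and shows why a plain seeded PRNG is the wrong tool for the job. The word list is a constructed sample; the 7776-word size is that of the Diceware list the article refers to.

```python
import math
import random
import secrets

# Constructed sample word list for illustration only; the Diceware list
# the article refers to has 7776 (6^5) words, one per five-dice roll.
SAMPLE_WORDS = [
    "tribute", "downbeat", "mutation", "lying", "planning", "factor",
    "linking", "wordy", "blown", "dire", "conch", "teal", "brick",
    "pumped", "lunch", "skiing",
]
DICEWARE_SIZE = 6 ** 5   # 7776 words
PRINTABLE_ASCII = 94     # letters, digits and symbols on a US keyboard

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose `length` symbols are each drawn
    uniformly and independently from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)

def csprng_passphrase(words: list[str], count: int = 4) -> list[str]:
    """Pick `count` words with the OS CSPRNG (os.urandom behind `secrets`),
    which is seeded from the kernel entropy pool described above."""
    return [secrets.choice(words) for _ in range(count)]

def seeded_passphrase(words: list[str], count: int, seed: int) -> list[str]:
    """Same selection driven by `random.Random`, an ordinary PRNG: with a
    known seed the 'random' words are fully reproducible, which is the
    trap a generic generator falls into."""
    rng = random.Random(seed)
    return [rng.choice(words) for _ in range(count)]

def meets_minimum(count: int, wordlist_size: int, min_bits: float) -> bool:
    """Does a `count`-word passphrase from `wordlist_size` words reach
    `min_bits` of entropy?"""
    return entropy_bits(wordlist_size, count) >= min_bits

if __name__ == "__main__":
    print("16 printable chars:", round(entropy_bits(PRINTABLE_ASCII, 16), 1), "bits")
    print("3 Diceware words:  ", round(entropy_bits(DICEWARE_SIZE, 3), 1), "bits")
    print("4 Diceware words:  ", round(entropy_bits(DICEWARE_SIZE, 4), 1), "bits")
    print("CSPRNG passphrase: ", " ".join(csprng_passphrase(SAMPLE_WORDS)))
    print("seeded (repeats):  ", " ".join(seeded_passphrase(SAMPLE_WORDS, 4, 42)))
```

Four words from the full Diceware list give about 52 bits, three give about 39, which is why the four-word recommendation above is not arbitrary.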
One thing most password managers can't do is check whether the passwords they save for you have previously turned up in any known breach. The Pwned Passwords tool on Hunt's Have I Been Pwned, newly updated to include 501,636,842 entries, lets you check your password against those that have been stolen from hacked companies.
Following the launch of the Pwned Passwords service, 1Password has used Hunt's API to build a breached password checker into its own password vault as an experimental feature.
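An added example, not the article's or 1Password's own code, of the client side of the breached-password check described above. Pwned Passwords works on the SHA-1 of the password, and its range endpoint takes only the first five hex characters, so the full hash never leaves the machine. The response body, its counts and the fetcher are constructed here so the example runs offline; a live client would GET https://api.pwnedpasswords.com/range/<prefix> instead.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the body the range endpoint returns for the
# hash prefix "5BAA6". SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the second suffix matches;
# the other suffixes and every count are made up.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
4D6A8FB0A8C6B0F4B8D5E1A2C3B4D5E6F7A:1
"""

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is all that is sent to the
    service; the remaining 35 chars stay on the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Constructed fetcher: serves the sample body for prefix 5BAA6 and an
    empty range for any other prefix."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "tribute downbeat mutation"):
        print(repr(pw), "->", breach_count(pw, offline_fetch), "breach occurrences")
```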
Further complicating password security are password-manager-resistant websites, which are designed to prevent automated attacks, but in the process encourage their customers to use less secure passwords than they would if they didn't have to type them in manually.
Some sites disable the pasting of passwords, either during account creation or login – the Don't Fuck With Paste Chrome plugin attempts to prevent sites from doing this with a good degree of success.
Another approach, common among banks and financial services providers, spreads the login process across multiple steps. Many password managers allow you to manually record two-step login information for future automated filling. However, automated filling is entirely foiled by systems that require you to enter some randomly selected characters from your password.
The banking industry has good reason for caution, AgileBits' Goldberg says: "There are a lot of people who store passwords insecurely in simple files on their own machines and copy and paste those into web forms. I can understand banks wanting to discourage that practice. But they should be encouraging good password management instead of discouraging password management in general."
And at LastPass, Steve Schult holds that "sites that are resistant to password managers and/or external two-factor authentication devices and multi-stage security questions ... must ensure that the alternative they offer is as strong as other tools on the market."
However, as most password managers come equipped with secure note-taking features, allowing users to securely store – if not fill in – passwords from resistant sites, they're still the best tool for the job and the best place to store your confidential data.
r5s5&CNV$8KnCCtw: This sixteen-character password produced by the LastPass browser plugin's password generator is secure and meets all the criteria demanded by even the most finicky websites
wordytjblowndireconch: We rolled dice and used the results to create a random-word passphrase using the Diceware system to introduce real-world randomness
DrefLEBOnaPhiR: The offline version of Dashlane's password generator generated this (kind of) pronounceable password for us
lying planning factor linking: Although best practice is to use the offline versions of password generation tools, the browser-based Use a passphrase generator runs client-side and can be downloaded to your PC for extra security
Updated February 26, 2018: This article has been updated to include information on 1Password's new integration of the Have I Been Pwned breached password checker.
This article was originally published by WIRED UK