Passwords: How to Do Them Right

Introduction: Passwords: How to Do Them Right


Earlier this year, my wife lost access to some of her accounts. Her password was taken from a breached site, then that was used to get into other accounts. It wasn't until sites started notifying her of failed login attempts that she realized anything was going on.

I've also talked to a number of people who say they use the same password for every site. These two things have been enough to spur me to write this Instructable.

Password security is a very small part of online security as a whole. Almost every account requires some sort of login to allow access to whatever it is protecting. That single string is often all that stands between an attacker and your personal information, money, personal pictures, or those travel points you've been collecting for years.

This instructable aims to cover some best practices for creating passwords. If you are someone who has the same password for every website, whose passwords are a pattern on the keyboard, or who has the word "password" in your password, this instructable is for you.

Disclaimer

I am not a security expert. This information has been learned and researched over time and is only a recommendation and summary of a very complex subject. This tutorial was written at the beginning of 2018 and may be outdated by the time you read it.

TL;DR

If you don't care about all of my reasoning and explanation behind passwords and just want an easy way to make secure passwords, skip to the last step.

Step 1: Make It Long

Length is one very important component of password security. With the speed of computers growing ever faster, passwords can be tried at amazing speeds. This is called "brute-force" password cracking: trying every possible combination of characters until you find the one that matches.

In theory, this makes any password crackable, given enough time. Luckily, the longer the password is, the longer this type of attack takes. Every character you add to the length multiplies the work the attacker has to do. If it's long enough, it could take decades to find it this way, which makes it not worth it for an attacker.

Example

Let's say you have a password that is only capital letters. This isn't a good idea, but this is for illustration purposes only. Every time you add another character to the password, it multiplies the number of possible passwords by 26. If you had a 1 character password, it would have 26 possible passwords, 2 characters would have 676 possible passwords, etc. This begins to snowball quickly.

  1. 26
  2. 676
  3. 17576
  4. 456976
  5. 11881376
  6. 308915776
  7. 8031810176
  8. 208827064576
  9. 5429503678976
  10. 141167095653376
  11. 3670344486987780
  12. 95428956661682200
  13. 2481152873203740000
  14. 64509974703297200000
  15. 1677259342285730000000

As you can see, each letter you add makes this attack much harder, and practically impossible with enough characters. Remember, this is only with capital letters. Once they become more complex, this effect becomes magnified.
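As an added illustration (not part of the original Instructable), the following Python computes the capitals-only table exactly (the longer values above are rounded), and extends it to larger character sets and to a worst-case brute-force time at an assumed guess rate:

```python
# Alphabet sizes: capitals only (the table above), mixed case, mixed case
# plus digits, and all printable ASCII (the "more complex" case).
ALPHABETS = {"A-Z": 26, "A-Za-z": 52, "A-Za-z0-9": 62, "printable ASCII": 95}


def keyspace(alphabet_size, length):
    """Exact number of possible passwords; Python ints never round."""
    return alphabet_size ** length


def capitals_table(max_length=15):
    """Exact version of the list above: (n, 26**n) for n = 1..max_length."""
    return [(n, keyspace(26, n)) for n in range(1, max_length + 1)]


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password at the given guess rate.
    The rate is an assumption you supply; real rates depend on the hash used."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 10**10  # assumed 10 billion guesses/second, chosen for illustration
    for n, total in capitals_table():
        print(f"{n:2d} capitals: {total}")
    for name, size in ALPHABETS.items():
        for n in (8, 12, 16):
            yrs = years_to_exhaust(size, n, RATE)
            print(f"{name:>16} x {n:2d}: {yrs:.2e} years")
```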

Step 2: Make It Complex

Complexity is another big factor in password security. If a website ever gets breached, it is likely that usernames and passwords will be pulled out. As a basic level of security, hopefully the website has the passwords hashed (similar to encryption) before storing. This means that they are garbled before they go into the database, and there is no way to reverse this garbling.

This all sounds good. It doesn't matter what your password is because it's garbled, right? That's not the case if your password isn't complex. There are standard hashing algorithms used (SHA1, MD5, SHA512, etc.) and they will always hash the same thing the same way. For example, if you are using SHA1 and your password was "password", it would be stored in the database as "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", always.

Creating hashes takes time and computer oomph, and calculating all possible hashes for all possible passwords is practically impossible. What people have done is make "dictionaries" of common passwords. Things like "password" or "qwerty" will of course be in there, as well as less common ones. There will be millions of passwords in these dictionaries and it will take only seconds to go through every entry and compare the known hash to the hash of your password. This is called a "dictionary attack". If yours is one of the ones that has already been calculated, the garbling won't protect your password, and it can be used on other sites.

Also, changing letters to numbers doesn't add complexity. It may seem more complex changing E to 3 or I to 1, but that is such a common practice that it adds no more security. Cracking programs have an option that will automatically try those variations.
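An added example, not from the original Instructable, of the dictionary attack just described run against a constructed list of unsalted SHA1 hashes (the first hash is the SHA1 of "password" quoted above; the other entries and the wordlist are constructed here). It also applies the letter-to-number substitutions mentioned above, to show why they add nothing:

```python
import hashlib

# Constructed "leak": usernames with unsalted SHA1 hashes. The first hash is
# the SHA1 of "password" quoted above; the other two are constructed here.
LEAKED = {
    "alice": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "bob":   hashlib.sha1(b"Summer2017").hexdigest(),
    "carol": hashlib.sha1(b"N8gk#q!L3pz-Vw").hexdigest(),
}

# Tiny stand-in for the multi-million-entry wordlists that cracking tools ship.
WORDLIST = ["123456", "password", "qwerty", "summer2017", "letmein"]

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def variants(word):
    """The cheap 'rules' a cracking tool applies to every word automatically:
    capitalisation and letter-to-number swaps, so P@$$w0rd is no safer than password."""
    base = {word, word.capitalize(), word.upper()}
    return base | {w.translate(LEET) for w in base}


def crack_unsalted_sha1(leaked, wordlist):
    """Return {user: recovered password}. Because the hashes are unsalted and
    SHA1 is fast, each candidate is hashed once and compared against every
    user's hash for free; a proper scheme salts and deliberately slows the hash."""
    lookup = {}
    for word in wordlist:
        for cand in variants(word):
            lookup[hashlib.sha1(cand.encode()).hexdigest()] = cand
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


if __name__ == "__main__":
    print(crack_unsalted_sha1(LEAKED, WORDLIST))
```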

Step 3: Make It Unique

Remembering passwords is hard. With our lives becoming increasingly online, it's not uncommon for each person to have 50+ online accounts, each with their own login. This can be very hard to keep track of.

The most common way people handle this is by picking one "good" password and using it on a bunch of different websites. This is a terrible idea. All it takes is for one security breach, or one phishing website to get your username and password to start the ball rolling. Attackers could try that username and password on hundreds of websites within seconds. This would automatically get them into every website with the same username as the compromised one.

I know having a different password for each site seems like a daunting task, but we'll cover how to handle this later.

Step 4: Nothing Personal

Your information is not as private as you think. A quick search online could easily find your birth date or address. If another account has been breached, even more information can be easily obtained. If there is an attacker that is trying to get into your accounts, these would be obvious passwords to attempt. It also leaves entry open to family members, friends, or even acquaintances.

Step 5: Treat All Passwords With the Same Care

When dealing with websites, you should treat the security of all of them with the same level of care. For example, if you have a login to your favourite cat website, you should take the same precautions as your bank login. It may not seem like much to lose access to all those adorable whiskers, but that could just be a stepping-stone for an attacker. Breaching that "unimportant" website could give an attacker more information about you, such as a different username you have used, a different email you used to login, or actual information that could be used to unlock other websites.

Also, if it is an unimportant website, there is a better chance that they won't be following proper security practices. If your password is long and complex but not unique, and that site doesn't hash passwords properly when storing them, the password can easily be used on other websites. Again, just because the site is "unimportant" doesn't mean your security is.

Step 6: Keep It Hidden

Good - Offline Storage

Offline storage can be a good option if you are a forgetful person. Having a USB stick that you keep locked away with your passwords on it protects against most attacks, with the exception of family and friends. Just in case you lose this stick somehow, make sure the password file or the entire drive is encrypted and that the stick is backed up somewhere very secure.

This method has a lot of security, but at the cost of convenience.

The reason that it should be offline is explained in more detail below. Keep in mind that a lot of devices are automatically backed up to the cloud now, even if you didn't mean for them to be. Also, if you ever plug this stick into a device that has a virus or is compromised, the data could easily be copied off.

Better - Remember Everything

Remember all of your passwords. If you are incredibly gifted, this might be an option. There is no way for someone to find them, and you always have them with you. Some downsides are that most of us aren't amazing at remembering complex things, and tend to talk a little too much after a drink or two. Especially with dozens of passwords to remember, this likely isn't even an option for the layperson.

Best - No Storage

Best-case scenario is for you to not store them at all. Either somehow remember all of your unique, long, complex passwords, or have a way to recreate them on-the-fly. If you know the ingredients needed to recreate them, then there is no way an attacker could "find" them because they don't exist until needed. This may sound complicated, but it really isn't. More on this later.

The Importance of Offline

Websites are managed by people. For most websites, it's probably safe to assume these people generally have good intentions, but even the best people can make mistakes. Last year alone, there were a number of huge website security breaches of large, generally secure companies such as LinkedIn, Yahoo, Equifax, Apple, and Uber, just to name a few. These are large companies with security departments and they were breached.

Cloud storage sounds fancy, and it offers convenience, but what a "cloud" is in reality is someone else's computer that you are using to store your files. Like I said above, people can make mistakes. If that happens, your passwords could be available to the world. Cloud sites are a giant target for attackers because of the amount of data they hold. Break the cloud site, get access to all of the information that potentially millions of people have stored.

I'm sure that some of this is paranoia, but with a huge chunk of your life hidden behind these passwords, protect them as such.

Step 7: My Recommendation

This has been a very long preamble to explain the main pillars of password security. If you follow those 6 guidelines, you should have minimal security problems online, and if anything does happen, it should stop at the source, not spread to the rest of your online life.

There are many different ways you can solve these challenges. Some are better than others and provide different benefits. My favourite solution is SuperGenPass (SGP). I'm not affiliated in any way, I'm just a fan.

Simple to Use

SGP has an app for your phone, and a button that you can add to your browser. When you go to a website and it asks you for your login, click on the button. A little window will pop up. Enter your master password. SGP will generate a password for this site and enter it into the password box for you!

Long

You can choose the length of the password that is created. This will generate passwords up to 24 characters, which is quite secure, but you can choose shorter if a website limits the length of your password.

Complex

Uppercase, lowercase, and numbers are used, which is fairly secure. The result follows no recognizable pattern and contains no words or phrases. Nothing of your URL or master password appears in this string.

Unique

Every website will have a completely unique password. The passwords for example1.com and example2.com are completely different, even though there is only one character different in the initial "ingredients". As you can see in the example below, there is no connection between the "ingredients" and the resulting password and they are VERY different from one another.

masterpassword:example1.com -> zVNqyKdf7F
masterpassword:example2.com -> eYPtU3mfVw

Storage

It stores and transmits no data. It can be run completely offline if you are concerned and there is no way for someone to find or steal them.
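To make the "ingredients" idea concrete, here is an added Python sketch of an SGP-style stateless generator. It is my own reimplementation modelled on SGP's published scheme as I understand it (MD5 or SHA-512 of master:domain, re-hashed at least ten times until the output starts with a lowercase letter and contains an uppercase letter and a digit), not the project's own code, and it takes the domain as given rather than normalizing it, so its output is not guaranteed to match the real tool's:

```python
import base64
import hashlib
import re


def _sgp_b64(digest: bytes) -> str:
    # SGP-style base64 alphabet (assumption): '+' -> '9', '/' -> '8',
    # and '=' padding -> 'A', so the output is letters and digits only.
    return (base64.b64encode(digest).decode()
            .replace("+", "9").replace("/", "8").replace("=", "A"))


def _acceptable(pw: str) -> bool:
    # Character rules: starts with a lowercase letter and contains at least
    # one uppercase letter and one digit (the "uppercase, lowercase, numbers" above).
    return bool(re.match(r"[a-z]", pw)
                and re.search(r"[A-Z]", pw)
                and re.search(r"[0-9]", pw))


def generate(master: str, domain: str, length: int = 10, algo: str = "md5") -> str:
    """Derive a per-site password from master + ':' + domain. Nothing is stored
    anywhere: the same inputs and settings always give the same output, and a
    different domain (or a different hash setting) gives an unrelated one."""
    if not 4 <= length <= 24:
        raise ValueError("length must be between 4 and 24")
    if algo not in ("md5", "sha512"):
        raise ValueError("algo must be 'md5' or 'sha512'")
    text = f"{master}:{domain}"
    rounds = 0
    # Always run at least 10 rounds, then keep going until the prefix passes.
    while rounds < 10 or not _acceptable(text[:length]):
        text = _sgp_b64(hashlib.new(algo, text.encode()).digest())
        rounds += 1
    return text[:length]


if __name__ == "__main__":
    for site in ("example1.com", "example2.com"):
        print(f"masterpassword:{site} -> {generate('masterpassword', site)}")
```

Because the whole secret is the master password plus these settings, everything in Steps 3 to 6 collapses onto protecting that one input.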

Step 8: SGP: Setup

Setting up SGP is super simple. First, you will probably want to add it to your bookmarks bar. To do this, go to:

https://chriszarate.github.io/supergenpass/

There will be 2 buttons to choose from. To set up a computer you usually use, drag the left button into your bookmarks bar. This will give you a new button to use.

If you are using someone else's computer in the future, you can select the button on the right. This will let you use SGP without changing anything in their browser. It is also an option for a mobile browser.

Once it has been added to your bookmarks bar, click on the button. It will open a small window in the corner of your webpage. Clicking on the little gear will open up the settings.

Length

The number on the left is the length of password that it will generate. I recommend looking through the sites you use most and setting it to the highest number that these sites will allow. Over 12 is recommended, but the longer the better, especially since you don't need to remember it.

Hash Type

There are two options for what type of hash is used, MD5 and SHA. Both will generate passwords with uppercase letters, lowercase letters, and numbers. Changing this is a simple way to change all of your passwords while keeping the same master password.

Secret Password

The secret password section is an added way to make sure that everything is secure. When the applet starts up, if you have a secret password, it will show a small image in the password box. This image should ALWAYS be the same when it starts. If it starts up and this image isn't what it usually is, there is a chance that someone is trying to get your master password.

Master Password

This isn't necessary during the setup, but it is very important. Make sure to pick a strong password. This is a single password that you always enter on every site. Make sure it is something you can remember, but is complex, long, and non-personal.

Saving

Once you choose all of your settings, click the save icon and then the gear icon again to close the settings.

Step 9: Use SGP

To use SGP, browse to a website like you normally would. When you need to enter your password, click on the SGP button that you added to your bookmark bar. If you used a secret password when setting up SGP, make sure that the image that shows up in the password box matches what it was when you set it up.

Type in your Master Password and hit Enter. This will calculate your unique password for this website and fill it in for you! As you are typing your Master Password, the icon will be updating. If the image doesn't match the icon you usually have, either you typed your Master Password wrong, or someone is trying to get your password.

Depending on how the site is written, SGP may not be able to enter the password for you, or the site might not realise that it has been entered. If that is the case, you can click the copy icon beside the generated password box and paste it manually.

Once your password is in, click Login and you're there!

Step 10: Final Thoughts

SGP may not work for everyone, and that is OK. It isn't the perfect solution because there is no such thing. If you have another service or method that you like using for passwords, keep in mind the 6 steps for a secure password. If your current method falls short in a couple of these areas, it might be time to look for another solution. Yes, it might take half a day to change all of your accounts, but that would likely be less of a headache than having your accounts breached.

A note about online storage: If the service stores your passwords online/in the "cloud", check their security practices to make sure they are good. The site will likely tell you what they are doing to protect your passwords if they are doing it properly. If you aren't sure, shoot them an email and ask. If they can't give you a good/concise/accurate answer, be cautious when using that service.


    4 Discussions

    Something that comes to mind every time I read a recommendation to use a password program is... Isn't it possible to reverse engineer a program to see how it works? It's not trivial, but possible, isn't it? And aren't there a lot of bad guy hackers that would try that on the code for this and similar programs? If the bad guys have the code, can't they then replicate the output? Then the problem seems to be very similar to the original - the bad guys would just need to garner access to your one single master password?

    1 reply

    As far as reverse-engineering the program, not needed. The code is available online on GitHub. Just because it is, doesn't mean it's not secure. Some argue that open-source is more secure than closed-source because you have more eyes looking for problems in the implementation, so there is less likely to be a security hole.

    If someone was able to get your master password, secret password, and know the settings you were using in SGP, yes, they could get into all of your accounts, but there are very few ways that could happen. If someone were to get a password you are using from a website, there is no reasonable way for them to get your SGP settings, even if they knew you were using it. Since SGP doesn't store anything on your computer, no one can just copy that file off and get your information, and since SGP doesn't send any information over the network, most online attacks don't work either.

    With all that said, a keylogger or someone watching you type your master password over your shoulder would be a big security problem, so keep your eyes open. No security option is perfect, but as long as you know how it can fail, you can protect it.

    Some great advice. I have always been dubious about password solutions, but your recommendation looks different and I will have to look into it. A bit of advice I always give (especially to those who do not want to have multiple passwords) is to always have your main email address with a different password to everything else, and as secure as you can (use random punctuation if allowed). This is because if they can access your email it tends not to matter how good your password is. They can simply click on forgotten password and use the reset link in your email.

    1 reply

    Exactly. Email is the worst account to have breached for exactly that reason. It snowballs quickly and usually undermines the security of any other site, no matter how secure that password is. Glad you found it useful :)