Ever since the Snowden leaks, people seem more conscious than ever about their privacy and how vulnerable they are to spying by ISPs or cybercriminals. When data is leaked online, as with the iCloud leaks, the media is quick to label the perpetrators as hackers. The truth is that iCloud itself was never broken into. It was a phishing scheme: the victims were tricked into handing over their own credentials, and no password, however strong, survives being typed into an attacker's form. What would have stopped it is refusing to enter credentials or "secret answers" anywhere you did not navigate to yourself, and a second factor on the account.
Ryan Collins, 26, from Pennsylvania, was arrested for illegally accessing the email accounts of over 100 individuals, mostly celebrities. He used fake emails and a few tools to trick individuals into handing over their passwords or answers to their “secret questions,” which generally aren’t all that secret.
Thing is, there’s one simple thing standing between an attacker and your data: your password. We’ve discussed what you need to know about cloud security before, but the truth is that behemoth corporations like Apple or Google are usually far more secure than the media would have you think. The weakest link is almost always the user.
Today, we're going to show you how to set up a strong password and discuss best practices for password security. We'll also present two handy tools: one that checks whether your current password is strong enough and, if it isn't, another that generates one for you. First, however, we're going to look at a few tools that will make your life easier when it comes to passwords.
Every website has different password requirements, often requiring a mix of alphanumeric characters in upper or lower case and at least one symbol. We all have dozens of logins for the various websites we use, and memorizing every password we need is almost impossible, unless you have an eidetic memory.
That’s why you need a password manager. Popular choices for password managers are:
- 1Password
- LastPass
- KeePassX
All three are easy to use and work on multiple platforms. The way a password manager works is simple: the software keeps your passwords in a database that is encrypted under a key derived from a lengthy, secure passphrase. A keyfile may be used as well: a file of random bytes whose contents are mixed into that key derivation, so that the passphrase alone can no longer decrypt the database.
The downside to secure passwords is that you need to remember them, which is especially tough if you have more than a handful you use regularly. This is why a password manager is highly recommended — you only have to remember one password to open it, with the rest of them stored safely inside the database.
The master password you use to open your password manager should be your strongest password. We’ll go into details below, but remember: your master password is what stands between attackers and the rest of your data. Keep it secret, keep it safe.
Why Use a Keyfile?
Secure authentication is often broken into three categories:
- Something only you know
- Something only you have
- Something only you are
The first one is your master password, in regards to a password manager. You memorized your password and no one else knows it.
The second one is your keyfile. This isn’t something you should share or store in the cloud; it should stay local, on your physical devices. Without your keyfile, a password is not enough to access your encrypted password database. One caveat: the keyfile only helps against someone who gets hold of the database file without it, for example by pulling it out of your cloud storage. Malware on the machine where you unlock the database can read both, and a keyfile sitting in the same synced folder as the database protects nothing.
Two-factor authentication with apps such as Google Authenticator or a device like the Yubikey are also part of this second category. LastPass is the only provider out of the three mentioned here that provides native, easy-to-use two-factor authentication with both software and hardware tools. Note that using a keyfile in addition to a password is often enough.
The third category is essentially biometrics — your fingerprint or your retina, for example. It’s an interesting field but far beyond the scope of this article and not very useful for our purposes considering the state the technology is in right now.
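How a manager turns the master password plus an optional keyfile into the database key, as an added example in Python. This is not code from KeePassX, 1Password or LastPass: it mirrors the general KeePass approach of hashing each component and then hashing the concatenation, while the PBKDF2 stretching, the salt, the iteration count and the sample passphrase and keyfile are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample inputs for this example only; not real secrets.
MASTER_PASSWORD = "correct horse battery staple"
SAMPLE_KEYFILE = bytes(range(256)) * 2        # stands in for a 512-byte random keyfile
DATABASE_SALT = b"0123456789abcdef"           # a real database stores a random salt in its header


def generate_keyfile(nbytes: int = 64) -> bytes:
    """Produce keyfile contents from the OS CSPRNG. Keep the result off the
    cloud and away from the database file; back it up offline."""
    return os.urandom(nbytes)


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Combine the master password with the keyfile contents.

    Each component is hashed separately and the digests are hashed together,
    so the result depends on both; a missing keyfile simply leaves that
    component out and yields a different composite key.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def derive_database_key(password: str, keyfile: Optional[bytes] = None,
                        salt: bytes = DATABASE_SALT, iterations: int = 100_000) -> bytes:
    """Stretch the composite key with PBKDF2-HMAC-SHA256 (assumed KDF).

    The iteration count is what slows down offline guessing of the master
    password once an attacker has the encrypted database; real managers use
    far higher work factors or a memory-hard KDF such as Argon2.
    """
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile),
                               salt, iterations, dklen=32)


def unlock(stored_key: bytes, password: str, keyfile: Optional[bytes] = None) -> bool:
    """Constant-time comparison of a freshly derived key against the key that
    encrypts the database (a real manager would verify by decrypting)."""
    candidate = derive_database_key(password, keyfile)
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    key = derive_database_key(MASTER_PASSWORD, SAMPLE_KEYFILE)
    print("password + keyfile :", unlock(key, MASTER_PASSWORD, SAMPLE_KEYFILE))      # True
    print("password only      :", unlock(key, MASTER_PASSWORD))                      # False
    print("wrong keyfile      :", unlock(key, MASTER_PASSWORD, generate_keyfile()))  # False
```

The last two lines are the point of the keyfile: the correct passphrase on its own does not reproduce the key. That only helps against someone who has the database file but not the keyfile, which is why the keyfile must not live in the folder that syncs the database.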
Choosing a Password Manager
1Password and LastPass both create a keyfile, used to encrypt and decrypt your password database. KeePassX provides the option to create a keyfile but does not do so automatically. LastPass is cloud software, requiring no installation, so you can use it across all your devices. They provide mobile apps and browser extensions for all the popular platforms.
If you’re worried about storing your passwords in the cloud, the good news is that LastPass derives the decryption key from your master password on your device rather than on its own servers. Your master password is never sent to them, which makes them a zero-knowledge service (if this aspect is particularly important to you, we have a list of the best zero-knowledge cloud services for you).
Encryption and decryption happen locally, on your device, so the contents of your “vault” are known only to you; only the already-encrypted vault is synced. You can read more about the technology LastPass uses on their website. 1Password can be accessed on the web or installed locally on your devices. As with LastPass, your master password and secret key never leave your device, so 1Password cannot read your vault.
KeePassX is a free, open-source port of the original KeePass software. It’s a cross-platform app designed for “people with extremely high demands on secure personal data management.” As a long-time Linux user and privacy freak, I started using it before services like 1Password and LastPass became popular. It’s less user-friendly than those other tools, but offers greater control over your data.
With KeePassX, you can store your password database with any of our best cloud storage services or a self-hosted solution, allowing you to access your passwords from anywhere. The database is stored in an encrypted format, protected by the passphrase you choose when you create it and, optionally, by a keyfile. Keep the keyfile out of that synced folder: stored next to the database, it adds nothing. I use a keyfile stored on a USB drive, and keep two copies of that keyfile backed up and stored off-site.
What Makes a Strong Password?
With that out of the way, let’s talk a little about actual passwords and how to create one that is both strong and not easily guessed. When signing up for a website, you’ll usually see password requirements like:
- A mix of upper and lowercase letters
- At least one number
- At least one symbol
- Specific length, i.e. 8-15 characters
This has done more harm than good. Security researchers agree that people are terrible at choosing truly random passwords, and cracking techniques have evolved over time. Password guidelines don’t encourage randomness; they encourage predictability: a capital first letter, a digit or two at the end, an exclamation mark to satisfy the symbol rule. Brute-forcing, which tries every combination of characters, and dictionary attacks, which try the words in a large list along with the numbers and symbols people tack on, used to be the standard techniques.
Attackers, and the researchers who study them, now feed their cracking software the millions of passwords from the leaked databases available online. Rather than going through a generic dictionary, password crackers try the most commonly found passwords first, then apply “mangling rules” to them: swapping letters for look-alike digits and symbols, changing case, appending years and punctuation, and joining words, in the order those tricks show up in the leaks.
Let’s say you were signing up for Redbox, for example, and had to choose a password with the requirements I listed above. You also want to be able to memorize this password, so many users would choose something like this:
- r#db)[email protected]#
- R3db0xm0v13$
These all seem like secure passwords at first glance. Kaspersky’s online password checker says the last one, R3db0xm0v13$, would take 11 years to crack.
This might be true of brute-forcing and basic wordlists, but let’s say an attacker is targeting Redbox accounts specifically — unlikely, but suitable for this example.
Instead of using a basic dictionary, an attacker could feed in a list with an emphasis on movies and entertainment. Common variants of the word “redbox,” with numbers and symbols added or substituted for letters, would be the first thing to try. R3db0xm0v13$ is exactly such a variant: “Redboxmovies” with every e, o, i and s swapped for a look-alike character, which a rule-based cracker produces from the two seed words in a fraction of a second.
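What such a targeted attack looks like in code, as an added example written for this article (not a tool the page describes). The seed words, substitution table and suffix list are constructed and far smaller than a real cracker's rule set, and the passwords are hashed with plain unsalted SHA-256, an assumption standing in for the way a poorly configured site might store them.

```python
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed, deliberately tiny seed list an attacker targeting a movie-rental
# site might start from; real attacks start from millions of leaked passwords.
SEED_WORDS = ["redbox", "movies", "dvd", "popcorn", "cinema"]

# A few "leet" substitutions, a small subset of what hashcat-style rules apply.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}

# Common tails people add to satisfy "one number, one symbol" requirements.
SUFFIXES = ["", "1", "123", "!", "$", "#", "2016", "!1"]


def leet_variants(word: str) -> Iterator[str]:
    """Yield the word with every subset of its substitutable letters replaced,
    starting with the unmodified word."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for flips in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, flip in zip(positions, flips):
            if flip:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def candidates(seed_words, max_words: int = 2) -> Iterator[str]:
    """Combine seed words, vary case, apply leet rules and append suffixes.

    This is the order a rule-based cracker works in: cheap, likely guesses
    first, so a "clever" variant of a theme word falls almost immediately.
    """
    seen = set()
    for n in range(1, max_words + 1):
        for combo in itertools.permutations(seed_words, n):
            base = "".join(combo)
            for cased in (base, base.capitalize(), base.upper()):
                for mangled in leet_variants(cased):
                    for suffix in SUFFIXES:
                        guess = mangled + suffix
                        if guess not in seen:
                            seen.add(guess)
                            yield guess


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, assumed here as the site's (weak) storage format."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hash: str, seed_words=SEED_WORDS) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses tried)."""
    tried = 0
    for guess in candidates(seed_words):
        tried += 1
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    for pw in ["R3db0xm0v13$", "Redbox123", "xK9#mPq2vL"]:
        found, tried = crack(sha256_hex(pw))   # the site stores only the hash
        print(f"{pw!r:16} -> {found!r} after {tried} guesses")
```

The whole candidate space here is a few tens of thousands of guesses, which a GPU works through in well under a second; the only password in the demo that survives is the one with no relationship to the theme words at all.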
Again, the human element is the weakest link. It’s hard for humans to come up with truly random words. Edward Snowden, the NSA whistleblower, stated it best in his interview with John Oliver: “shift your thinking from passwords to passphrases.” Of course, this only works when the password requirements don’t restrict the size of the password, or you can generate a phrase using Schneier’s method, which we’ll discuss later in this article.
Creating a strong, secure password can be tricky. There is a great deal of conflicting advice, even amongst experts. An oft-cited example of secure password advice comes from the popular web comic XKCD:
The creator, Randall Munroe, is a physicist and former NASA employee, so it’s safe to say he understands the mathematics behind password entropy. Yet Bruce Schneier, a security expert, disagrees with his advice. Schneier believes Munroe’s method is no longer safe advice, stating “password crackers are on to this trick.”
The essence of creating secure passwords boils down to two things: randomness and length.
The minimum password length for many sites and services is eight characters. According to Richard Boyd, a senior researcher at Georgia Tech Research Institute, this is no longer sufficient. If using only the letters of the alphabet, such a password is cracked in mere minutes. He recommends a minimum of 12 characters.
Security researchers talk about entropy when it comes to passwords. Sparing you most of the mathematical details, the gist is that the strength of your password lies in the length and randomness of its characters: a password of n symbols, each chosen uniformly at random from an alphabet of k possibilities, has n × log2(k) bits of entropy, and that formula only holds when the choices really are random.
Each additional bit of entropy doubles the number of guesses an attacker has to make, so even a few extra bits greatly increase the computing power required, making an attack too costly or impractical. Size matters, but only when the content is truly random. The password “qwerty1234” is longer than “qwerty1” but trivial to break nonetheless: both “qwerty” and “1234” are among the first things a cracker tries, so the extra characters add no real entropy.
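The arithmetic behind those statements, as an added example that is not part of the original article: entropy for uniformly random strings and for word-list passphrases, and the expected crack time at an assumed guess rate. The figure of 10 billion guesses per second is an assumption standing in for a GPU rig attacking a fast hash such as MD5 or NTLM; a properly stretched hash cuts it by orders of magnitude.

```python
import math


def charset_size(password: str) -> int:
    """Size of the smallest common alphabet covering the characters present.

    This is what generic strength meters assume; it overestimates badly for
    passwords built from words or keyboard patterns.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33          # printable ASCII punctuation and space
    return size


def random_string_bits(length: int, alphabet: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet of that size."""
    return length * math.log2(alphabet)


def passphrase_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of a Diceware-style passphrase (7776 = 6^5 words per list)."""
    return words * math.log2(list_size)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def naive_bits(password: str) -> float:
    """What a meter reports if it treats the password as uniformly random.

    "qwerty1234" scores about 52 bits here yet is a top-of-wordlist guess,
    which is why a meter alone cannot tell you a password is strong.
    """
    return random_string_bits(len(password), charset_size(password))


if __name__ == "__main__":
    rate = 1e10   # assumed: ~10 billion guesses/s, a GPU rig against a fast hash
    rows = [
        ("8 lowercase letters", random_string_bits(8, 26)),
        ("12 lowercase letters", random_string_bits(12, 26)),
        ("12 mixed upper/lower/digit/symbol", random_string_bits(12, 95)),
        ("6 Diceware words", passphrase_bits(6)),
        ("7 Diceware words", passphrase_bits(7)),
        ("'qwerty1234' as a meter sees it", naive_bits("qwerty1234")),
    ]
    for label, bits in rows:
        print(f"{label:36} {bits:6.1f} bits  {human(expected_seconds(bits, rate))}")
```

Run it and the 12-versus-8 recommendation falls out directly: eight random lowercase letters are about 37.6 bits and gone in seconds at that rate, while six Diceware words are about 77.5 bits, roughly a trillion times more work.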
The trick is ensuring your password is truly random, and as we said earlier, humans are not good at this. Below we have several ways in which you can generate a secure password, but before we do so, let’s first test out how good your current one is. Below you can find a password strength checking tool Cloudwards.net has put together, especially for this purpose.
Test my password strength
Password data will not be stored on a server and is only processed in the browser
The checker estimates how long a computer would take to crack the password you enter, and reports whether it includes uppercase letters, lowercase letters, numbers and special characters, and whether it is longer than 12 characters.
How to Generate Passwords
Chances are that entering your current passwords in the tool above was a faintly scary experience for you. This section is all about making your passwords a lot safer. There are several ways to do this, let’s start with the most old-school way we can think of: dice.
Diceware is a method for picking passwords using dice and a special Diceware word list. The Electronic Frontier Foundation also released a list last year with several improvements on the Diceware list, such as eliminating short, three character words.
To use the Diceware method, all you need is a couple of dice, a way to record the results of your rolls and one of the word lists mentioned above. You’ll have to decide how long you want your passphrase to be; Diceware advises a minimum of six words, and provides further clarification on their site. Each word on the lists has a five-digit number next to it, one digit per die roll. You roll until you have five digits for every word you want.
Example: a seven-word passphrase needs 35 dice rolls, five for each word.
Of course, there are computer programs that offer to simplify this process, but generating truly random numbers on a computer can be tricky. Diceware advises against using a program for this, so keep that in mind.
- Roll the dice and write down the results, five numbers to a row.
- Once you have enough numbers to match your desired password length, match each set of five numbers to the word list and write each word down in order.
- Memorize this new passphrase and either destroy the paper or keep it somewhere very safe.
That’s it — simple and old-school, albeit time consuming. This is an excellent option if you require serious security or you’re performing sensitive work. If you use an air-gapped (not networked) computer, an operating system such as TAILS or need to generate offline encryption keys, you can’t go wrong with the Diceware method.
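The procedure above as an added example script, not code from Diceware or the EFF: it parses a word list in Diceware's roll-number format, groups the digits you wrote down into five-digit rolls, validates them and looks up the words. The word list fragment is constructed for the example. The CSPRNG fallback is included for completeness and is exactly the software substitute Diceware cautions against.

```python
import secrets
from typing import Dict, List

# Constructed fragment of a Diceware-format list ("roll<TAB>word"); a real
# list has all 7776 five-digit rolls from 11111 to 66666.
SAMPLE_LIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\table
11122\tabnormal
66665\tzoom
66666\tzoro
"""

DICE_DIGITS = set("123456")


def is_valid_roll(roll: str) -> bool:
    """Five digits, each 1 to 6: what five throws of a die can produce."""
    return len(roll) == 5 and set(roll) <= DICE_DIGITS


def parse_wordlist(text: str) -> Dict[str, str]:
    """Parse 'roll<whitespace>word' lines into a lookup table, rejecting bad rolls."""
    table: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'roll word', got {line!r}")
        roll, word = parts
        if not is_valid_roll(roll):
            raise ValueError(f"line {lineno}: {roll!r} is not a valid dice roll")
        table[roll] = word.strip()
    return table


def group_rolls(transcript: str) -> List[str]:
    """Turn the digits written down while rolling into five-digit groups;
    spaces, slashes and line breaks in the transcript are ignored."""
    digits = "".join(ch for ch in transcript if ch.isdigit())
    if len(digits) % 5:
        raise ValueError(f"{len(digits)} digits is not a multiple of 5")
    return [digits[i:i + 5] for i in range(0, len(digits), 5)]


def passphrase_from_rolls(rolls: List[str], table: Dict[str, str], sep: str = " ") -> str:
    """Map each validated roll to its word, in order."""
    words = []
    for roll in rolls:
        if not is_valid_roll(roll):
            raise ValueError(f"{roll!r} is not a valid dice roll")
        if roll not in table:
            raise KeyError(f"{roll!r} is not in the word list")
        words.append(table[roll])
    return sep.join(words)


def roll_with_csprng(n_words: int) -> List[str]:
    """Software substitute for dice: five digits per word from the OS CSPRNG.
    Diceware advises physical dice; use this only on a machine you trust."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5)) for _ in range(n_words)]


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    rolls = group_rolls("11111 11121 66666")     # three words = 15 throws
    print(passphrase_from_rolls(rolls, table))    # abacus able zoro
    print(roll_with_csprng(7))                    # 35 digits for a seven-word phrase
```

With the full 7776-word list loaded instead of the fragment, any valid sequence of rolls resolves, and a transcript whose digit count is not a multiple of five is rejected before you look anything up, which catches a missed or double-written throw.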
The Diceware method is essentially what was illustrated in the XKCD comic and it generates secure passwords, but Schneier has an excellent alternative method. Schneier first described it back in 2008, in an article on his blog. It’s straightforward and easy to use, allowing you to generate a seemingly random password from a sentence.
“So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m.” That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.”
This is an excellent method to use if you have to create a password with a size limit, say 10 or 12 characters. That’s too short for a passphrase, but stripping a phrase down into a password is manageable.
Ideally, it’s something personal that only you know. Depending on your threat model, adversaries targeting you specifically would use all the information known about you, like birthplace or your dog’s name. While Schneier’s method works and can produce secure passwords, I’m not a fan. The mathematics behind Diceware and password entropy are strong and I suggest using it before Schneier’s method.
Generate Passwords Securely and Automatically
Putting together a good password is, as you can see, not the easiest task in the world, which is why we here at Cloudwards.net put together a secure password generator. This handy little tool will not only allow you to experiment with different password lengths, but also with what kind of characters you can throw in there. Feel free to play around with it for a while and see what’s possible.
Password Generator Tool
Generate a strong password using our tool below
Secure passwords are only good if you keep a few other things in mind. Typically, sites offer a password recovery option. Security questions are a weak point here, as the Internet makes it easy to find out information on anyone.
A security question such as “what city were you born in?” is a chink in your armor. A Google search will probably turn up this information; the same goes for most of the typical security questions you can select.
You can avoid this weak point by using what you’ve learned today: treat the answer as another password. Don’t give the real answer; generate a random passphrase and use that instead. If you’re worried about losing the answer, store it in KeePassX or another password manager, which usually have specific fields for this information. Write it down in a notebook reserved for this purpose, if you must, and store it somewhere safe. It might seem like a hassle, but security questions and recovery emails are an easy way in for many attackers.
Mat Honan learned this the hard way when attackers tricked Apple into resetting his Me.com email account, which was also the recovery email address for his Gmail account. In short, they wiped all his devices remotely and took over his email and Twitter accounts.
Which leads us to the next point: recovery emails. It’s probably best to create a new email account specifically for the purpose of having password recovery requests sent there. You should follow these precautions:
- Do not use it for anything else
- Pick a random username
- Use a strong password, and use strong answers for the security questions
- Keep the details of this account stored in your password vault or offline
Since your recovery email won’t be used anywhere else, it will remain virtually unknown to attackers, and a random username cannot be guessed from your name or your other accounts. This practice keeps attackers from guessing your security question answers or tricking a provider into sending a recovery email to an account they already control.
Be wary of phishing attempts and never respond to suspicious links. Never divulge your passwords or answers over emails or to suspicious individuals — brazen scammers often call users pretending to be Microsoft or Apple, attempting to trick users into handing over their credentials.
Using secure passwords and following the above advice will help keep you from ending up in the next big leak, or worse, losing your precious data like Mat — you do have a backup plan in place, don’t you? If not, we’ve got you covered when it comes to backup strategy and the best online backup services.
Passwords are often the weakest link between attackers and your private data. Systems and servers can be designed with near-bulletproof security, yet a user’s weak password can grant an attacker an easy way in. The millions of leaked accounts in publicly available databases are evidence of this.
Securely generating a password or passphrase isn’t difficult. Password requirements can encourage lazy behavior and bad choices, but after reading this you have a better idea of what makes a password strong:
- Truly random generation of words or characters
- The longer and more random, the better
Use a proven technique to generate your passwords and don’t rely on old habits that result in easily guessable, weak passwords. Even if a site you visit is breached and its database made public, a strong password takes too long to crack to be worth the attacker’s time, provided the site hashed its passwords rather than storing them in the clear. Attackers reach for the low-hanging fruit, more often than not, so choose a strong password and don’t be that fruit.
Thank you for reading. We hope you liked this article and we always enjoy your feedback — please feel free to comment below and like or share this article on social media.