Password reuse, password managers and strong passwords
======================================================

Why is Password Reuse a Problem?
--------------------------------

.. image:: password_reuse_1.png

Consider the following hypothetical users, each of whom reuses one strong
password in most places, and this common scenario:

+------------------+--------------------------+
| Email            | Password                 |
+==================+==========================+
| mark1@gmail.com  | QUo5Qt+1Wa/Q1smDJRDbFg== |
+------------------+--------------------------+
| mark2@gmail.com  | +9Hz+/20rVkSkbcsmgdVFw== |
+------------------+--------------------------+
| mark3@gmail.com  | wnYkRcbi7Kkh7Fx2uR8EeA== |
+------------------+--------------------------+

#. The user registers an account with a careless service, e.g. Facebook, Yahoo,
   Google, Equifax, etc.
#. The service is hacked and its password database is leaked
#. The attacker logs in to the email accounts with the leaked passwords
#. The attacker resets the passwords on all important accounts tied to that email

About password strength
-----------------------

How is strength measured?
=========================

'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the

* 0889234877724602 -> 53 bits
* ZeZJieatdH -> 60 bits

Why are weak passwords problematic?
===================================

Weak passwords are trivial to crack in many situations. A password with 53 bits
of entropy may be cracked by a criminal organisation in less than an hour.

What about strong passwords?
============================

They are difficult to remember, especially when you use a different strong
password for every service. You are also tempted to write them down, or

It's surprisingly difficult for humans to generate good passwords!

A strong password, as of 2019, has at least 80 bits of entropy.

Password Managers to the Rescue!
--------------------------------

Password managers allow you to create a unique and strong password for every

* Remembers passwords for you
* Generates passwords for you
* Automagically fills in passwords on websites for you; this is important!
* Makes passwords available on all your configured devices
* Can store additional related data: usernames, answers to security questions,
  PINs for debit/credit cards

All mainstream password managers are equivalent in the above respects.

Can you trust password managers?
--------------------------------

How do they keep passwords secure?
----------------------------------

1. The user supplies a password
2. A slow function derives an encryption key from it
3. The encryption key is used to encrypt/decrypt your stored passwords

Security of the encryption depends on the strength of your

+---------+------------------------+
| Entropy | Time to crack,         |
|         | assuming 1 second per  |
|         | attempt per typical    |
+=========+========================+
| 70b     | ~ 50,000 years         |
+---------+------------------------+

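The three steps above, as an added example that is not part of the original page: the standard library's ``hashlib.scrypt`` plays the slow function, and a random salt plus an HMAC verifier tag lets the vault confirm the password without storing the key. The vault layout, verifier label and work-factor values are my assumptions, and the actual encryption of the stored passwords with the derived key is left out because the standard library ships no authenticated cipher.

```python
import hashlib
import hmac
import os

# scrypt work factor (assumed values for this demo). N must be a power of two;
# raising it makes every guess of the password slower for an attacker, at the
# cost of one slower derivation per unlock for the legitimate user.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1

def derive_vault_key(password: str, salt: bytes) -> bytes:
    """Step 2: the slow function turns the password into a 32-byte key."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=32)

def create_vault(password: str) -> dict:
    """Store only a random salt and a verifier tag; the key itself is never stored."""
    salt = os.urandom(16)
    key = derive_vault_key(password, salt)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "verifier": verifier}

def unlock_vault(vault: dict, password: str):
    """Step 1 + 2 again on unlock; returns the key (for step 3) or None."""
    key = derive_vault_key(password, vault["salt"])
    tag = hmac.new(key, b"vault-verifier", "sha256").digest()
    # Constant-time comparison so a wrong password leaks nothing by timing.
    if not hmac.compare_digest(tag, vault["verifier"]):
        return None
    return key

if __name__ == "__main__":
    vault = create_vault("correct horse battery stable")
    print("unlocked" if unlock_vault(vault, "correct horse battery stable") else "locked")
    print("unlocked" if unlock_vault(vault, "Tr0ub4dor&3") else "locked")
```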
Generating a Strong Password
----------------------------

Passphrases are better than passwords:

* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
* correct horse battery stable -> 44 bits of entropy, easy to remember

Use passphrases everywhere you have to remember the password yourself.

Generate passphrases with Diceware
==================================

1. Roll five six-sided, *physical* dice
2. Read the numbers left to right
3. Find the word with that number in a list of 6^5 (7776) words
4. Repeat until the desired length is reached. For a password manager, use at
5. Write down your passphrase on paper and keep it somewhere secure
6. If you are 100% confident that you will not forget the passphrase, destroy

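The entropy arithmetic from the strength sections above and the dice-to-word step of the Diceware procedure, as an added example that is not part of the original page. The word list is a constructed stand-in for a real 7776-word Diceware list, ``secrets`` stands in for the physical dice, and the 44-bit figure for the four-word passphrase is reproduced under the assumption of a 2048-word list (the page does not state the list size).

```python
import math
import secrets

# Entropy of a password of `length` symbols drawn uniformly from an alphabet of
# `alphabet_size` symbols: s = n * log2(a). 16 digits -> 53 bits, 10 alphanumerics -> 60.
def password_entropy_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)

# A passphrase is the same calculation with words as the alphabet. A Diceware
# list has 6**5 = 7776 words, so each word adds about 12.9 bits.
DICEWARE_LIST_SIZE = 6 ** 5

def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    return word_count * math.log2(list_size)

def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """On average an attacker succeeds after searching half the keyspace."""
    return 2 ** (entropy_bits - 1) / guesses_per_second

# Five dice read left to right form a base-6 number with digits 1..6 (step 2);
# map it to a 0-based list index: "11111" -> 0, "66666" -> 7775 (step 3).
def dice_to_index(rolls: str) -> int:
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("expected five dice showing 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index

def roll_dice(count: int = 5) -> str:
    # The CSPRNG in `secrets` stands in here for the physical dice of step 1.
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))

def generate_passphrase(wordlist, word_count: int) -> str:
    if len(wordlist) != DICEWARE_LIST_SIZE:
        raise ValueError("a Diceware list must have exactly 7776 words")
    return " ".join(wordlist[dice_to_index(roll_dice())] for _ in range(word_count))

# Constructed stand-in for a real Diceware list (which holds 7776 real words).
TOY_WORDLIST = [f"w{i:04d}" for i in range(DICEWARE_LIST_SIZE)]

if __name__ == "__main__":
    print(round(password_entropy_bits(16, 10)), "bits for 16 digits")
    print(words_needed(80), "Diceware words reach the 80-bit target")
    print(generate_passphrase(TOY_WORDLIST, words_needed(80)))
```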
* A password manager will refuse to fill in a password on a spoofed website,
  for instance faceb00k.com vs facebook.com
* Using a different password on every service protects all the other services
  even if phishing succeeds on one of them
* Good password managers will navigate to the login page for you, reducing the
  risk of spoofed websites

In no particular order:

* Only log in on web pages that you navigated to by typing in the URL yourself,
  by searching on Google, DuckDuckGo or some other reputable search engine, or
  from a bookmark. If you are directed to a login page after clicking a link in
  an email, it is probably a phishing attempt
* Only log in to web pages that are protected by SSL/TLS (HTTPS). Look for a
  green address bar, a green lock icon or similar in your browser
* Use two-factor or two-step authentication everywhere it is possible
* Turn off automatic image rendering. Better still, disable HTML rendering and
* Be suspicious of *all* emails. Risky signs: HTML email, images, an unknown
  sender, poor spelling/grammar, 'Your email client can't display this email,
  click here to view in your browser' or similar attempts to coerce you to click