======================================================
Password reuse, password managers and strong passwords
======================================================

.. contents::
   :depth: 1

Why is Password Reuse a Problem?
--------------------------------

.. image:: password_reuse_1.png

Consider the following hypothetical users, who each reuse a strong password in
most places, and the following common scenario:

+------------------+--------------------------+
| Email            | Password                 |
+==================+==========================+
| mark1@gmail.com  | QUo5Qt+1Wa/Q1smDJRDbFg== |
+------------------+--------------------------+
| mark2@gmail.com  | +9Hz+/20rVkSkbcsmgdVFw== |
+------------------+--------------------------+
| mark3@gmail.com  | wnYkRcbi7Kkh7Fx2uR8EeA== |
+------------------+--------------------------+

#. User registers an account with a careless service, e.g. Facebook, Yahoo,
   Google, Equifax etc. etc.
#. The service is hacked and the password and email are leaked
#. The hacker logs in to the email account
#. The hacker resets the passwords on all important accounts tied to that email

About password strength
-----------------------

How is strength measured?
=========================

'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the

* 0889234877724602 -> 53 bits
* ZeZJieatdH -> 60 bits
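The arithmetic behind these two figures, as an added example that is not part of the original page: for a password of `n` symbols drawn uniformly at random from an alphabet of `a` symbols the entropy is `s = n * log2(a)`, which is the standard formula and reproduces the page's 53, 60 and 44-bit values. The 2048-word list used to explain the 44-bit passphrase figure is an assumption.

```python
import math

# Bits of entropy for a password of `length` symbols drawn uniformly at random
# from an alphabet of `alphabet_size` symbols: s = n * log2(a).
# The alphabet is the one the generator used, not the characters that happen
# to appear: "ZeZJieatdH" contains no digits, but generated from [a-zA-Z0-9]
# it still carries 10 * log2(62) bits.
def entropy_bits(alphabet_size: int, length: int) -> float:
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)

# Generator alphabets by size; a whole word from a list counts as one symbol.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 26 + 26 + 10,
    "alphanumeric+symbols": 26 + 26 + 10 + 32,   # 32 printable ASCII symbols
    "xkcd-936 word": 2048,   # assumption: the 2048-word list behind the 44-bit figure
}

# Rounded to whole bits, as the page reports them.
def rounded_bits(alphabet: str, length: int) -> int:
    return round(entropy_bits(ALPHABETS[alphabet], length))

# Smallest length that reaches `target_bits` from the given alphabet.
def length_for_bits(alphabet: str, target_bits: float) -> int:
    return math.ceil(target_bits / math.log2(ALPHABETS[alphabet]))

if __name__ == "__main__":
    print("0889234877724602 (16 digits):", rounded_bits("digits", 16), "bits")
    print("ZeZJieatdH (10 alphanumerics):", rounded_bits("alphanumeric", 10), "bits")
    print("four words from a 2048-word list:", rounded_bits("xkcd-936 word", 4), "bits")
    for name in ALPHABETS:
        print(f"80 bits needs {length_for_bits(name, 80):>3} symbols of {name}")
```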

Why are weak passwords problematic?
===================================

Weak passwords are trivial to crack in many situations. A password with 53 bits
of entropy may be cracked by a criminal organisation in less than an hour.

What about strong passwords?
============================

They are difficult to remember, a problem especially when you use a different
strong password for every service. You are also tempted to write them down, or

It's surprisingly difficult for humans to generate good passwords!

A strong password, as of 2019, has at least 80 bits of entropy.

Password Managers to the Rescue!
--------------------------------

Password managers allow you to create a unique and strong password for every

* Remembers passwords for you
* Generates passwords for you
* Automagically fills in passwords on websites for you; this is important!
* Makes passwords available on all your configured devices
* Can store additional related data: usernames, answers to security questions,
  PINs for debit/credit cards

Any of the mainstream password managers is equivalent in the above respects.

Can you trust password managers?
--------------------------------

How do they keep passwords secure?
----------------------------------

1. User supplies a password
2. A slow function derives an encryption key
3. The encryption key is used to encrypt/decrypt your passwords

Security of the encryption depends on the strength of your

+---------+------------------------+
| Entropy | Time to crack,         |
|         | assuming 1 second per  |
|         | attempt per typical    |
+=========+========================+
| 70b     | ~ 50,000 years         |
+---------+------------------------+
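A standard-library sketch of steps 1 to 3, added here and not taken from any actual password manager: the master password goes through PBKDF2-HMAC-SHA256 (an assumed choice of slow function) to produce the vault key, a key check value stands in for the encrypted vault content, and `expected_crack_seconds` gives the attacker's expected effort for an assumed guess rate, the kind of estimate the table above makes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Step 2: a deliberately slow key derivation turns the master password into a
# 256-bit key. Every guess costs the attacker `iterations` HMAC-SHA256 calls,
# and the per-vault random salt stops precomputed tables. PBKDF2 is the assumed
# slow function here; 600,000 iterations is a widely recommended floor for it.
def derive_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

# Step 3 stand-in: a key check value lets the vault detect a wrong master
# password without storing the key. A real vault would encrypt its entries
# with an AEAD under `key`; that cipher call is omitted to stay in the stdlib.
def key_check_value(key: bytes) -> bytes:
    return hmac.new(key, b"vault-key-check", "sha256").digest()

def new_vault(master_password: str, iterations: int = 600_000) -> dict:
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}

# Step 1: the user supplies the password; only the derived key ever touches data.
def unlock(vault: dict, master_password: str) -> Optional[bytes]:
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    if hmac.compare_digest(key_check_value(key), vault["kcv"]):
        return key
    return None

# Expected time to guess a uniformly random password of `bits` entropy when the
# attacker can run `guesses_per_second` derivations (half the keyspace on average).
def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    return 2 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    vault = new_vault("correct horse battery stable")
    print("right password unlocks:", unlock(vault, "correct horse battery stable") is not None)
    print("wrong password unlocks:", unlock(vault, "Tr0ub4dor&3") is not None)
    for bits in (53, 80):
        years = expected_crack_seconds(bits, 1e9) / (365.25 * 86400)
        print(f"{bits} bits at 1e9 guesses/s: about {years:.1e} years")
```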

Generating a Strong Password
----------------------------

Passphrases are better than passwords:

* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
* correct horse battery stable -> 44 bits of entropy, easy to remember

If you have to remember it, use a passphrase.

Generate passphrases with Diceware_
===================================

1. Roll 5 six-sided, *physical* dice
2. Read the numbers left to right
3. Find the word with that number in a list of 6^5 (7776) words
4. Repeat until the desired length is reached. For a password manager, use at
5. Write down your passphrase on paper and keep it somewhere secure
6. If you are 100% confident that you will not forget the passphrase, destroy
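The lookup and word-count arithmetic behind these steps, as an added example that is not part of the original page: it assumes the usual Diceware list file format (five dice digits, whitespace, then the word, one entry per line), reads a five-dice roll as a base-6 index, and uses Python's `secrets` module as a software stand-in for the physical dice the steps call for.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD          # 7776 words, one per possible roll
BITS_PER_WORD = math.log2(LIST_SIZE)    # ~12.9 bits per uniformly chosen word

# Parse the Diceware list format: one "<5 dice digits> <word>" per line.
def parse_wordlist(text: str) -> dict:
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                     # blank or comment line
        roll, word = parts
        if len(roll) != DICE_PER_WORD or not set(roll) <= set("123456"):
            raise ValueError(f"bad dice key {roll!r}")
        words[roll] = word
    return words

# A five-dice roll read left to right is a base-6 number: 11111 -> 0, 66666 -> 7775.
def roll_to_index(roll: str) -> int:
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index

# Software substitute for physical dice (assumption: the OS-backed CSPRNG behind
# `secrets`; never the `random` module, whose output is predictable).
def roll_dice(n_dice: int = DICE_PER_WORD) -> str:
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))

# Words needed to reach a target entropy: 80 bits -> 7 words.
def words_needed(target_bits: float) -> int:
    return math.ceil(target_bits / BITS_PER_WORD)

def passphrase(words: dict, n_words: int, rng=roll_dice) -> str:
    if len(words) != LIST_SIZE:
        raise ValueError(f"list has {len(words)} entries, expected {LIST_SIZE}")
    return " ".join(words[rng()] for _ in range(n_words))

if __name__ == "__main__":
    # Constructed placeholder list (a real list maps each roll to an English word).
    rolls = ("".join(r) for r in itertools.product("123456", repeat=DICE_PER_WORD))
    placeholder = "\n".join(f"{r} word{roll_to_index(r)}" for r in rolls)
    words = parse_wordlist(placeholder)
    print(words_needed(80), "words for 80 bits:", passphrase(words, words_needed(80)))
```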

* A password manager will refuse to fill out a password on a spoofed website,
  for instance faceb00k.com vs facebook.com
* Using different passwords on every service protects all other services even
  if phishing is successful on one of them
* Good password managers will navigate to the login page for you, reducing the
  risk of spoofed websites

In no particular order:

* Only log in on webpages that you navigated to by typing in the URL yourself,
  by searching on Google, DuckDuckGo or some other reputable search engine, or
  from a bookmark. If after clicking a link in an email you are directed to a
  login page, it's probably a phishing attempt
* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a
  green address bar, a green lock icon or similar in your browser
* Use two-factor or two-step authentication everywhere if possible
* Turn off automatic image rendering. Better still, disable HTML rendering and
  authoring entirely in your email client
* Be suspicious of *all* emails. Risky things: HTML email, images, unknown
  sender, poor spelling/grammar, 'Your email client can't display this email,
  click here to view in your browser' or similar attempts to coerce you to click

`EFF notes on Diceware`_ They generally have good advice for these kinds of

`Keepass`_, an offline password manager

`1Password`_, a pay-to-use password manager with some nice features

`LastPass`_, an online password manager with a gratis tier

.. _Diceware: http://world.std.com/~reinhold/diceware.html
.. _EFF notes on Diceware: https://www.eff.org/dice
.. _This Presentation: https://git.friedersdorff.com/max/intro_dice_and_pmgmnt
.. _Keepass: https://keepass.info/
.. _1Password: https://1password.com/
.. _LastPass: https://www.lastpass.com/