Wednesday, April 9, 2014

What Your Post-Heartbleed Passwords Should Be

In the next few days more people than ever will struggle to invent new passwords in a short time. How should you do it?
The good news: More and more browsers and operating systems can generate long, random passwords. They would be tough to remember but you don't have to remember them. The browser or OS stores them.
The bad news: You're trusting the security of that browser or OS. OpenSSL was also supposed to be impeccably secure. Then just this week it wasn't: Heartbleed, a bug in its TLS heartbeat extension (CVE-2014-0160), let anyone on the internet read chunks of a server's memory, including the private keys, session cookies and passwords it happened to be holding.
Aside from the possibly justified paranoia is a convenience issue. Most of us use multiple devices and occasionally log into important accounts from family or friends' devices. This makes it tough to depend on "Cloud" synchronization of stored passwords.
The best, most realistic of the commonly advised password tactics is to convert a memorable phrase or sentence to a password. Use the first letter of each word as your password. “May the force be with you” would become “Mtfbwy”.
Cool. I mean, OK, you wouldn’t want to use that one, but you get the basic idea. Choose a phrase meaningful to you and you alone. 
There are several drawbacks. This well-publicized idea is already popular, which presumably means that acronyms of all the common pop-culture catch phrases are entering the lists of passwords that hackers and cracking software try first. And an acronym is normally all letters, so each position is drawn from at most 52 symbols rather than the 94 printable characters available to an any-character string of the same length; it has measurably less entropy.
Different phrases can begin with the same letters, producing the same acronym. Some letters are far more likely to begin words than others, so the real keyspace is smaller still, and cracking software that models first-letter frequencies could exploit this.
Now here's my suggestion, and I use it myself. Turn the conventional advice on its head. Instead of thinking of a phrase and converting it to a password (that won’t be all that random), get a truly random password and convert it to an easy-to-remember phrase.
I used to use simple, stupid passwords. After one of my accounts was hacked, the site assigned me a temporary password. It was a random string of characters. I was going to change it until I realized that I didn’t need to do so. I could remember a random password.
The mind is good at seeing patterns in random data. This is how we remember phone numbers and Social Security numbers. It also works for random-character passwords like RPM8t4ka. I just now got that one from random.org, a site that generates all the randomness anyone could want for free. (Anything backed by the operating system's random number generator, such as a password manager's generator or a one-line script, does the same job without sending your new password across the network.) Though the random.org password is authentically random, the human eye and mind instantly spot patterns. In this case the first three letters happen to be all capital, and the last three are lower-case. The number 8 is twice 4.
You can easily translate a random password to a nonsense phrase. RPM8t4ka might become “revolutions per minute, 8 track for Kathy.” I don’t know what that means but I do know that it’s fairly easy to remember. The sole point of the phrase is as a mnemonic for the password RPM8t4ka.
A password, a passphrase, a mnemonic: what's the big deal? The difference is that a random-character password is the gold standard of security. It's better than any human-chosen password of the same length, because nothing about you or your culture narrows the search. It will still be good even if everyone in the solar system adopts this scheme, since there is no shared trick to learn; the only things that matter are the length and the size of the alphabet. Eight mixed-case alphanumerics like RPM8t4ka give about 48 bits of entropy. That is plenty against a website that limits login attempts, but an offline attack on a stolen database of unsalted, fast hashes (a 2014 GPU rig tries billions of MD5 or NTLM hashes per second) gets through 48 bits in hours, so prefer twelve or more characters for anything you care about.
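As an added example (my code, not the post's or its author's), here is a short Python script that does the arithmetic behind the last few paragraphs: it builds the first-letter acronym of a phrase, generates a genuinely random password from the operating system's CSPRNG (Python's secrets module, the same kind of generator a browser or password manager uses), and compares the entropy of an all-letters acronym, a mixed-case alphanumeric string like RPM8t4ka, and a full printable-ASCII string of the same length, with an estimate of how long each would take to guess. The two attack rates (a thousand guesses per second against a rate-limited login form, ten billion per second offline against unsalted fast hashes) are my assumptions for illustration, not figures from the post.

```python
import math
import secrets
import string

# Alphabets discussed in the post.
LETTERS = string.ascii_letters                  # 52: an acronym is all letters
ALNUM = string.ascii_letters + string.digits    # 62: the random.org style, e.g. RPM8t4ka
PRINTABLE = ALNUM + string.punctuation          # 94: any printable ASCII character

# Assumed attacker speeds for illustration (assumptions, not from the post).
ONLINE_GUESSES_PER_SEC = 1e3      # a rate-limited login form
OFFLINE_GUESSES_PER_SEC = 1e10    # GPU rig against unsalted MD5/NTLM hashes


def acronym(phrase: str) -> str:
    """The conventional trick: first letter of each word of a memorable phrase."""
    return "".join(word[0] for word in phrase.split())


def generate_password(length: int = 8, alphabet: str = ALNUM) -> str:
    """Uniformly random password from the OS CSPRNG.

    secrets.choice draws from os.urandom-backed randomness without modulo
    bias; random.choice (Mersenne Twister) is seedable and predictable from
    its outputs, so it must never be used for secrets.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2 of the keyspace size.

    For a human-chosen acronym this is only an upper bound, because some
    letters begin words far more often than others.
    """
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected guessing time: on average the attacker searches half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def strength_report(length: int = 8) -> dict:
    """Compare the three schemes at the same length; returns bits and crack times."""
    report = {}
    for name, alphabet in (("acronym", LETTERS), ("alnum", ALNUM), ("printable", PRINTABLE)):
        bits = entropy_bits(len(alphabet), length)
        report[name] = {
            "bits": round(bits, 1),
            "online_years": expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC) / 31_557_600,
            "offline_hours": expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC) / 3600,
        }
    return report


if __name__ == "__main__":
    print("acronym of 'May the force be with you':", acronym("May the force be with you"))
    print("fresh random password:", generate_password(8))
    for name, row in strength_report(8).items():
        print(f"{name:10s} {row['bits']:5.1f} bits  "
              f"online: {row['online_years']:.0f} years  "
              f"offline: {row['offline_hours']:.1f} hours")
```

Running it shows the gap the post is pointing at: at eight characters an all-letters acronym tops out near 45.6 bits, the alphanumeric RPM8t4ka style gives 47.6 bits, and full printable ASCII gives 52.4 bits. Under the assumed rates all three survive online guessing for centuries, but the alphanumeric one falls to the offline attack in about three hours, which is why length matters more than cleverness.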
Want a different password for every site? One trick is to append part of the site's name to the standard password. For Facebook, take the first two letters (Fa) and add them to the boilerplate password, getting RPM8t4kaFa. Just don't do that exactly; make up your own rule, and know its limit: the rule is only as secret as your most careless site. If one site stores passwords in the clear and is breached, an attacker who sees RPM8t4kaFa can guess the rule and try the matching variants on your other accounts. For the accounts that really matter, an independent random password is the real fix.
(This tip is adapted from my upcoming book, Rock Breaks Scissors. It's due out from Little, Brown this June 3rd.)

4 comments:

  1. Couple of things.

    First, random.org's current SSL security certificate was issued well before the Heartbleed disclosure, so their https server is not yet to be trusted.

    Second, and more importantly: if you're remembering your passwords with your own brain, you're doing it wrong. Use KeePass and/or KeePassX and/or KeePassDroid and/or MiniKeePass to remember *and* generate your passwords. Keep the resulting .kdb file on Dropbox with a backup on a micro-SD card inserted in an Elago Mobile Nano II reader attached to your car keys.

  2. I applied your tips and it worked perfectly. What about a password manager for windows?
