Choosing a Decent Password

The 2+2 forums are dealing with some bad guys who are trying to brute force people’s passwords. In other words, some guy somewhere is running a computer program that probably has a very long dictionary of commonly used passwords and systematically tries a ton of different passwords for a ton of different accounts on 2+2. These types of attacks are essentially preventable by website administrators (and hopefully 2+2 will get its act together soon), but they’re still quite common.

If your password is uncommon (e.g., “kfag4;6-lkjghaa” and not “mypass”), it’s likely nothing to worry about. If your password is in the list of the million most common passwords, someone may very well get access to your 2+2 account as a result. (You should go to 2+2 and change your password immediately.) Worse still, if you use the same password for your e-mail or for a poker site or your bank account, you might lose money as a result.

So, I just wanted to quickly share some easy ways to choose a decent password. I got the basic idea from an awesome xkcd comic. (BTW, xkcd is really cool, and you should check it obsessively on Mondays, Wednesdays and Fridays.) Remember that the goal of a good password is to be both memorable and extremely hard to guess.

  1. Just use a descriptive sentence. For example, I happen to have a candle on my coffee table right now. So, I could use the password “I like my red triangular candle on my coffee table.” To make sure that it’s a relatively uncommon sentence, Google it in quotes. If it doesn’t come up in Google, that’s probably a good sign. (My example didn’t come up on Google before. I suppose it will once Google indexes this page, though.) That’s extremely easy to remember, and it’s pretty damn likely to be unique if it doesn’t exist anywhere on Google. Using a sentence that has some capitalization, weird punctuation (e.g., a colon), and numbers in it might be a bit better, but in reality, it really doesn’t matter. The number of such sentences is huge, and adding numbers, capitalization, and punctuation in a way that’s easy to remember doesn’t increase that number by much.
  2. Typing long passwords can be annoying, though, especially if you’re prone to typos. So, you might instead use an acronym, since that will be much shorter. In this case, there’s significantly more merit to having some capitalization, numbers, and punctuation in there, so you should think of a sentence or phrase with a number or two in the middle and some punctuation and use that. For example, you might think of the phrase “My three most valuable things: House, car, laptop.” Then you can use M3mvt:H,c,l. (This is the method that I use for my less secure passwords.) That’s a secure password and really easy to remember. If the commas annoy you, “M3mvt:Hcl” is probably sufficient. Again, Google your password in quotes to make sure that you did in fact pick something that’s uncommon.
  3. If you have a good memory or store your passwords with software like Keepass, then you should just choose a random password. Random.org provides a nice service for doing exactly this. Again, Google your password in quotes to make sure that you did in fact pick something that’s uncommon. (Though the odds of any results being returned for this method are quite low.)
It’s unfortunate that most advice about how to choose a good password actually encourages people to use much more complicated methods that result in passwords that are both less secure and harder to remember than the simple methods above. (For example, “b4Tm4N” is not a good password. It’s much easier to guess than a full, descriptive English sentence, and it’s very annoying to try to remember.)
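To put rough numbers on the argument above, here is an added example (my own code, not part of the original post) that estimates the size of the guessing space for each method and the expected time to exhaust it. The guess rate, dictionary sizes and the number of “leet-speak” variants per word are constructed assumptions for the illustration; a hand-written sentence has far more structure than random words, so its figure is an upper bound only.

```python
import math

# Constructed assumptions for the illustration (not figures from the post):
# an offline guessing rate against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string whose characters are chosen uniformly
    at random from an alphabet of the given size (the random.org method)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words chosen uniformly from a word list (the xkcd
    method). A natural sentence is far from uniform, so for a hand-written
    sentence this is only an upper bound."""
    return words * math.log2(dictionary_size)


def mangled_word_bits(dictionary_size: int, variants_per_word: int) -> float:
    """Entropy of one dictionary word with predictable substitutions such as
    a->4 and a capital letter or two ("b4Tm4N"): the space to search is just
    every word times every mangling rule, so the bits are log2 of the product."""
    return math.log2(dictionary_size * variants_per_word)


def years_to_find(bits: float,
                  guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected years until the right guess at the given rate; on average half
    of the space (2**(bits-1) guesses) has to be tried."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def compare_methods() -> dict:
    """Return {method: (bits, expected_years)} for the methods in the post.
    All dictionary sizes and variant counts are constructed estimates."""
    scenarios = {
        # "b4Tm4N": a 100k-word list with ~1000 case/leet variants per word
        "leet-speak word (b4Tm4N)": mangled_word_bits(100_000, 1_000),
        # 4 random words from a 2048-word list, as in the xkcd comic
        "4 random dictionary words": passphrase_bits(2048, 4),
        # 10 random characters from the 94 printable ASCII symbols (random.org)
        "10 random printable chars": random_string_bits(94, 10),
        # a full sentence: 9 words from a 20k vocabulary, upper bound only
        "9-word sentence (upper bound)": passphrase_bits(20_000, 9),
    }
    return {name: (bits, years_to_find(bits)) for name, bits in scenarios.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_methods().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

The point the table makes is the one in the post: a short word with substitutions lives in a space of well under 30 bits, which is gone in a fraction of a second at the assumed rate, while even four truly random common words (44 bits) or a modest random string beat it by many orders of magnitude, and a full sentence is larger still.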

In addition to choosing a secure password, you should use a different password for everything that’s important. If your password is compromised on one site for whatever reason (and this happens ALL THE TIME), you don’t want someone to then be able to gain access to your bank accounts, your poker accounts, etc.


Anyway, that’s all I really wanted to say. Since this is my second post in a row on passwords, maybe I’ll make a series out of it.

10 Comments.

  1. +1 for Keepass. I use it for everything and love it. It’s open source and it’ll generate random passwords for you as well.

    Finally, it has OS X and Android apps (not sure of iPhone), so combine it with storing your DB in Dropbox and you have access to your password list across all your devices.

  2. The system used in that xkcd comic is golden; the worst thing about complicated passwords is having no real way of remembering them. I think sites ARE getting more secure (admittedly after some terrible publicity for those that aren’t) but it never hurts to be careful. I would say to beware of password saving applications that store information online; ironically, it isn’t necessarily that secure.

  3. It’s very difficult to execute a successful brute force attack against a website where people are paying attention.

    Never used vBulletin but a quick search shows that it does have some sort of password timeout so a brute force attack of a user’s password would take a substantially long time.

    Since 2+2 identified the problem at the end of March I assume they would have taken steps to prevent it. Blocking IP addresses, changing timeout limits for failed password attempts, implementing some sort of flood control.

    The language in the notice on 2+2 sounds more like the hacker somehow managed to get a list of usernames, emails and hashed passwords, either by exploiting a vulnerability in vBulletin like an SQL injection or by finding an admin account with a weak password. Maybe he even managed to hack into the server directly and access MySQL that way.

    Once they get that information they can run a brute force attack against the password file on their local machine. If vBulletin uses a 2 way hash on the passwords then the hacker only needs to decrypt one and can decrypt the rest easily. 1 way hash and the hacker will need to brute force each password but if they’re able to do that then they’ve compromised the system enough to have figured out the encryption keys used.

    Here’s my suggestion for what 2+2 should do:

    1: Change the information used for your encryption algorithms (keys, salts, etc.), and possibly consider using a more advanced encryption algorithm.

    2: Change all the user passwords yourselves. A script that goes through each user in the db and generates a new random password (or just nulling it if that’s secure) so that a user is required to reset their password using the forgot login feature, which sends a new password to email.

    That way the hacker can’t use any existing passwords he’s discovered and all users are required to create a new password.

    It’s a PITA but probably the fastest way to get 2+2 back online.

    • Noah Stephens-Davidowitz

      Hi micro,
      In the 2p2 case, the hacker gained access to the hashed passwords. He’s not accessing the server to brute force the passwords; he has the list on his computer, and he simply needs to use brute force to figure out what password created the hash.

      The hacker gave 2p2 an ultimatum. So, yes, he did show people what he was doing.

      The hash is not two-way… It’s md5. There’s no such thing as a two-way hash; hashes are one-way by definition.

      I gave 2p2 essentially that advice and some more specific advice. I’m in contact with them while they fix this.

    • oops. Meant encryption not hash.

    • Noah Stephens-Davidowitz

      I think you just said it backwards again? 😛 Regardless, the functions that we’re talking about here are hash functions. Encryption’s not really the right tool for this problem. A lot of people say encryption when they mean hashing, so it’s no big deal to swap the two unless you’re a nit and a crypto nerd like me.
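The exchange above turns on the difference between a fast, unsalted hash such as md5 and a per-user salted, deliberately slow password-hashing scheme. The following Python is an added example (my own code, not the post’s, and not what vBulletin or 2+2 actually ran) that contrasts the two from the site operator’s side: with unsalted md5 every user who picked the same password gets the same stored value, so a single precomputed table of common passwords matches all of them at once; with a random salt and PBKDF2 each record is unique and each guess costs real work. The iteration count, salt length and record format are my assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for the illustration (not vBulletin's or 2+2's scheme).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def md5_unsalted(password: str) -> str:
    """Unsalted md5 as discussed in the thread: the same password always gives
    the same hex digest, so one precomputed table of common passwords matches
    every user who chose one of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a password as scheme$iterations$salt$digest using salted
    PBKDF2-HMAC-SHA256. A fresh random salt per user means identical
    passwords produce different records, and the iteration count makes
    each guess expensive."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def same_password_detectable(store_fn, password: str) -> bool:
    """True if two users with the same password end up with identical stored
    values, which is what lets a leaked table be attacked in bulk."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    # "mypass" is the weak example from the post; the sentence is its strong one.
    print("md5, two users, same password identical:",
          same_password_detectable(md5_unsalted, "mypass"))
    print("pbkdf2, two users, same password identical:",
          same_password_detectable(pbkdf2_record, "mypass"))
    rec = pbkdf2_record("I like my red triangular candle on my coffee table.")
    print("stored record:", rec)
    print("verify correct:", pbkdf2_verify("I like my red triangular candle on my coffee table.", rec))
    print("verify wrong:  ", pbkdf2_verify("mypass", rec))
```

The salt does not need to be secret; it only has to be unique per record so that a leaked table cannot be attacked as a whole. The slow hash is what protects the users who, despite the advice in the post, picked something guessable.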

  4. Oh yeah… and the obvious: make sure to apply any OS and vBulletin updates that might plug any holes.

    One more thing about the announcement: the hacker sounds like he’s telling you what he’s done. Is he also telling you how he did it? Sometimes people do that just to get your attention so you act and fix problems. Hoping that’s the case and he’s not being really malicious.

  5. Googling your password seems like terrible advice. You’re telling people to put their shiny new password into their browser history, Google search history, and whatever crapware toolbars they might have installed that read the searches.

    And what do you hope to gain by it? Even if the phrase existed somewhere, it’s not like a hacker can just brute force every phrase in the history of language hoping one of them is your password. If you want to ensure uniqueness, that can much more safely be done by adding the weird punctuation, numbers or capitalization, like you said.

    • Noah Stephens-Davidowitz

      Yeah… you’re not the only person to say that.

      On balance, I think that it’s a good idea for most people, since most people are really, really bad at recognizing a bad password, whereas Google’s really good at it. I’m not aware of any attack that considers the possibility that people might Google their passwords, and I doubt that will change because of my blog. Plus, if a hacker is logging your data from a crapware toolbar, he can get all your passwords. If a hacker has access to your browser history, that means he has access to your system, so again, he could get your password in much more reasonable ways than checking everything you’ve Googled.

      If a hacker gets access to Google search history, the database is much too large to use to brute force passwords.

  6. As far as googling a new password goes, I’m not worried about a hacker accessing my browser history, I’m worried about what Google does with the information I give them voluntarily. Maybe I’m being paranoid, but they certainly have the means to connect my search to my identity.

    KeePass generates random passwords, and since it is open source I trust that they are in fact random although I haven’t examined the code personally. So I don’t see the need to use Google.