A note about password security

·@bobfromsales·
<center>Howdy, Steemians! </center>
<center>Let's talk about password security. </center>
<center>
![xkcd passphrase](https://imgs.xkcd.com/comics/password_strength.png)
[Source: XKCD](https://imgs.xkcd.com/comics/password_strength.png)
</center>

In my [previous post](https://steemit.com/hacks/@bobfromsales/a-lesson-about-password-safety), I reviewed how an ethical hacker was able to crack a [Sia](http://sia.tech/) wallet password using Python and a little algorithmic magic. In this post, I plan on talking about some general password advice (to aid in protecting against hacking). 

If you haven't noticed by now, I like to sneak a lot of links into my writing. I think this helps me give you resources without pandering too much over each one. Feel free to click the links as you go, but don't feel like you need to - you won't miss out on any main points if you choose not to go down the rabbit hole.

If you're on this website, I imagine that you know a thing or two about making a secure password. However, I'm sure that some of you rely on other tech to secure your passwords for you. 

Perhaps you use [Dashlane](https://www.dashlane.com/), [LastPass](https://www.lastpass.com/), [1Password](https://1password.com/), or [KeePass](http://keepass.info/) to help keep things secure.

And maybe on top of that you use 2 factor authentication, either through [Google Authenticator](https://en.wikipedia.org/wiki/Google_Authenticator) or [Authy](https://authy.com/)?

But what if you didn't have these services? What if you had to make a password from scratch, needed it to be secure, and needed to be able to memorize it?

That's where pass*phrases* come in.

#### Passphrases

Passphrases are a type of password, and they are exactly what you think they would be: phrases used instead of a single word or an ugly long string of letters and numbers (which is what Steemit generates for our accounts by default). 

Like the [XKCD](https://xkcd.com/) comic above explains, passphrases are easier to remember and can be much longer than a regular password, making them harder to crack. They can be quite easy to throw together and remember. 

#### Pointers

Want some pointers on making a strong passphrase? Well, let's see. 

Are you fond of your first love? Did they have any ... quirks? "Martha always kept her socks on when we had sex. 100% of the time." might be a phrase that resonates with you.

Are you a programmer? "One curly boy (;) out of place and the entire world falls apart!" could be up your alley.

You still have to be careful, though. Just as weak passwords can be quickly cracked with a dictionary, passphrases can be run against similar dictionaries of movie quotes and popular sayings to see if yours matches one. Perhaps Martha's odd sock habits are known throughout the land? Maybe it's a phrase used around all the pubs in town? Might be good not to use it for your passphrase, then. 

To ensure that your passphrase is harder to crack, it should be unique (not something that's found on the internet/pop culture), so take a moment to think of a phrase that works for you. 
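The arithmetic behind the comic and the dictionary caveat above, as an added example (not part of the original post). The comic's figures are a 2048-word list, four words, and 1000 guesses per second; the 100,000-quote corpus is an assumed size, and the short word list is constructed for the demo (a real Diceware list has 7776 words).

```python
import math
import secrets

# Constructed word list for the demo only; real lists are thousands of words long.
WORDLIST = ["correct", "horse", "battery", "staple", "socks", "martha",
            "curly", "pubs", "phrase", "quote", "quantum", "wallet"]


def random_choice_entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` items picked uniformly at random from `choices` options.

    Works for words from a word list (passphrase) or characters from an alphabet
    (classic password). A single phrase lifted from a quote corpus is count=1.
    """
    return count * math.log2(choices)


def crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate (as in the comic)."""
    return (2 ** entropy_bits) / guesses_per_second


def generate_passphrase(word_count: int, wordlist=WORDLIST) -> str:
    """Pick words with the CSPRNG-backed `secrets` module, never `random`."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def summarize(guesses_per_second: float = 1000.0) -> dict:
    """Compare the comic's two cases with a memorable-but-known quote (assumed corpus size)."""
    cases = {
        # "Tr0ub4dor&3" style: the comic estimates ~28 bits of entropy
        "comic_password": 28.0,
        # four random words from a 2048-word list: 4 * 11 = 44 bits
        "four_random_words": random_choice_entropy_bits(2048, 4),
        # a phrase that appears in an assumed 100,000-entry quote dictionary
        "known_quote": random_choice_entropy_bits(100_000, 1),
    }
    return {name: (bits, crack_seconds(bits, guesses_per_second) / 86400)
            for name, bits in cases.items()}  # (bits, days to exhaust)


if __name__ == "__main__":
    for name, (bits, days) in summarize().items():
        print(f"{name:18s} {bits:5.1f} bits  ~{days:,.1f} days at 1000 guesses/s")
    print("Sample passphrase:", generate_passphrase(4))
```

A known quote scores far below four random words even though it is much longer, which is the whole point of the dictionary caveat.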

#### Further reading/resources

[Ars Technica](https://arstechnica.com/business/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices/) (a popular outlet for security and tech news) has a good article about how some passphrases can still be easily cracked. If you're interested in looking into the math behind it, there are quite a few papers on it (one of which is linked in the Ars story).

There are also videos about the topic out there, if you're not a fan of reading (if that's the case, thanks for making it this far!). In one of these vids, Edward Snowden (love him or hate him) is spot on when reviewing the topic around 2 years ago:

<center> https://www.youtube.com/watch?v=yzGzB-yYKcc </center>

#### Testing
Interested in testing out your password strength? [There's a tool for that](https://howsecureismypassword.net/), although you should be careful about putting your actual password into online text boxes. Using that site, the passwords above would take between 5 quattuortrigintillion years and 5 septentrigintillion years to crack. Unless, of course, your hacker has access to a quantum computer.

#### Final thoughts
Stay safe out there! At the end of the day, the most important piece of the security puzzle is the user. Don't give your password away, don't write it down where it can be found, and don't use it for more than one service unless you don't mind all of them being compromised at once if there's a back-end security breach. Some online services have been hacked without even compromising a user account, so remember: don't put anything on the internet that you can't afford to have someone uncover.

Like my writing? Give me one of those sweet upvotes! 
Have any suggestions for improvement? Leave them down below.