Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Humboldt Squid is "Timid" |
| Self-Enforcing Protocols »
August 10, 2009
Here's some complicated advice on securing passwords that -- I'll bet -- no one follows.
- DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008,
column. Although Scott focused on free programs, I really like CallPod's Keeper, a $15 utility that comes in Windows, Mac, and iPhone versions and allows you to keep all your passwords in sync. Find more information about the program and a download link for the 15-day free-trial version on the vendor's site.
- DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven't visited in long time. Don't reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.
- DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward.
No matter how much you may trust your friends or colleagues, you can't trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.
- DON'T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don't use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
- DON'T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.
- DON'T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.
- DON'T use the "remember me" or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.
- DON'T enter passwords on a computer you don't control — such as a friend's computer — because you don't know what spyware or keyloggers might be on that machine.
- DON'T access password-protected accounts over open Wi-Fi networks — or any other network you don't trust — unless the site is secured via https. Use a VPN if you travel a lot. (See Ian "Gizmo" Richards' Dec. 11, 2008, Best Software column, "Connect safely over open Wi-Fi networks," for Wi-Fi security tips.)
- DON'T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.
I regularly break seven of those rules. How about you? (Here's my advice on choosing secure passwords.)
Posted on August 10, 2009 at 6:57 AM
• 100 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Interesting. I actually follow all of these and take it further by generating random 25+ character 'passwords' for accounts (where the app/site doesn't restrict you to shorter ones)
Password advice like that strikes me as inane.
Many passwords are nuisance passwords, required but for no good reason. These don't have to be secure. For example, my password to the Dallas Morning News. The site has absolutely no information that I want to keep private.
There are sites that do have my data that I want to keep private. For these I use passwords generated by a truly random process (not a computer random number generator). I find they are not that difficult to remember after a few uses. It's like learning the fingering for a new score if you play a flute. The mind creates patterns from the random characters, and your fingers remember the patterns, which can be as simple as the alternations of letters and numbers. The characters are heard as ditty-DAH di DAH ditty-dit DAH. (I'm a touch typist).
For each important site, I do use completely different passwords. If I had accounts with two different brokerage firms, each would have a different random password. My thinking here is that if one password is compromised, the other isn't.
I disagree strongly with the advice not to record one's passwords. Recording your password is nothing more than keeping your keys on a keychain. Recording allows you to maintain genuinely secure passwords for those cases when secure passwords are appropriate.
You have to use your brains. If you are signing up for a recipe mailing list there is absolutely no need for a secure password. If you are signing up for a Linux forum there is still no need for a secure password. But your bank account you probably want secured.
The one I'm particularly bad with - and I suspect many of us are - is having my computer automatically sign in and remember my passwords.
I'm guessing it nullifies the rest of my efforts... it just makes life so much easier!
"DON'T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins"
Type in my email password every 10 minutes when my email client wants to check for new mail?
The forgotten tip: Don't enter passwords on your own computer. Most people don't know if their computer is part of a botnet and you are part of most people.
The author forgot to say 'Never store your password on any computer that is on a network. Set up an offline PC with a very encrypted hard drive that is securely bolted shut and sunk in a huge block of concrete. Copy your passwords, which you can only access after entering 3 other passwords, turning two different keys in physical locks, and passing a fingerprint and retina scan, from the screen of the offline PC into your networked PC. After using ANY password, use a third PC to log in and change the password immediately after logging out. Reformat and re-install both networked PCs after use.'
Seriously, come on, the author of this piece would have made better use of his time by helping people understand the risks rather than a bunch of silly rules. e.g. 'Your bank account is very critical, consider being much more careful with it than your youtube logon. And remember that your primary email account can be used to reset your bank account password using the reminder links'
Every bank I have used (4 banks in 2 different countries) requires either a phone call where they ask lots of very fine detaild about the account--at the very least you need to be getting all the account statements to answer them. Or coming into the bank to get a new password for the ebanking.
Emails accounts are not used except one bank and only *with* the banks email system via --ebanking...
Really do any banks let you reset a password just via some default email account.
Normal people can't be expected to do all this. Even Bruce Schneier can't. The password manager solution generally fails when you have multiple computers.
If I followed all those (and I don't) then when I die nobody could access the various control panels and systems which they would need to safely close down the operations I run or, indeed, tweet/blog to let others know I had passed away. Thus there is a record of sites with passwords securely locked away. In two parts (intermediate key) of course ;-P
Plus numbers 1 and 3 are in opposition. Using a password manager *is* storing them in a file on your computer (aka digital something).
there are different levels of passwords:
lvl 0 - for news site which don't give any information/provide a way to damage your image (can be the same everywhere)
lvl 1 - more important, someone could opotentially damage your image on that site, a forum for example (depends on your level of implication on the site, but could be the same )
lvl 2 - most important, must be different on each website and must be a strong password for each (paypal, online shopping, banks)
of course between levels the password must change, but in the same level I often use the same password (not for lvl2 though).
Rules are for people who knows nothing about computers to inject them with some common sense on security, but I would never expect anyone to follow all these rules all the time: it's just a good way to start !
Regarding "password managers". I would treat any I had not written myself (and I have written a couple) with great suspicion. All you need is for the password manager code to be hacked and all your passwords are available. Think of it as all your eggs in one basket.
I find that I'm less bothered about password security these days than the fact that most sites are not secure by default by using https exclusively. For a busy site the cryptographic overheads can be negligible if you choose the server hardware with care (and for a quiet site you don't much care if it takes 100mS longer to respond.)
@Jeff - The author is a world renowned security expert who has blogged *very frequently* about risk. Those of us who actually follow his blog on a regular basis would get pretty bored if he re-hashed it for every update.
@Larry - It's not that Bruce Schneier can't, he's just determined his level of risk and made a decision about risk vs convenience.
The password manager solution doesn't fail at all - I flip between my linux box, an XP workstation, my blackberry and my macbook using KeepassX - keeping them sync'd isn't hard.
And with all that said, I'm not normal people. Normal people would find that cumbersome and annoying. I've been doing it (or similar) for years so it's routine.
Generate some random passwords, write them down in a notebook (the paper kind) and lock them in your desk. Anybody who has physical access to your notebook also has physical access to your computer to keylog or backdoor it at will. Storing them with some password safe program on your computer does not increase your security, it just decreases usability.
Don't the first and third items on this list conflict? Doesn't a password manager store your passwords on your computer?
Maybe the third should be modified to reflect that putting passwords in an unencrypted file on your computer is the bad idea.
I think I break 9 of those Ten Commandments. The only one I follow is "thou shall not click on email links".
And, in regards to you Wired piece, I don't know about Windows, but Linux and MacOSX let you encrypt your swap file/partition, which will defeat the "make dictionary from swap" option of a password cracker.
But... it's not on by default, and it adds a performance penalty.
dang... I should preview first... s/regards to/regard of/ ?
What do you think about password hashing as a technique for generating passwords without the need for an actual password manager?
Obviously it creates a single point of failure from a keylogger attack but it's great for anti-phishing and super simple and portable. For instance, PwdHash(.com).
Frequently changing passwords is the biggest FAIL in password management. It just encourages bad passwords. Unfortunately since auditors say you have to do it - it gets forced down everyone's throat with no serious debate.
*rolls eyes* If someone already has the access to your machine to attack the password application you are pretty much screwed already.
Password Safe (http://passwordsafe.sourceforge.net/) on a thumbdrive makes it easy, for free.
At work I often get "You don't know your Extranet password?" I love being able to reply that I have no earthly idea what ANY of my passwords are, um, except for Password Safe :p
I also have copies of the pwsafe.psafe3 file at home and work, and keep them in sync with, of all things, Windows Briefcase.
It's not a big deal.
someone above said it already, but you it is better to consider what web accounts are worth security measures. for instance, any forum, site like digg/reddit, etc i'm on i could care less about. the only bit of information available on those accounts would be my email address and that is public anyway.
second, personally, i don't trust or use password manager software. i'm of the opinion that putting my trust in one single piece of software to manage critical data is foolish.
one problem i see with the list above is that if you're on a domain/network you don't have the option of different accounts for different computers. using ldap, you use a single account for access across the network (depending on policy and your privileges). it seems a bit naive to me to suggest that a corporate user ask it/is to create multiple accounts for him just so he can log in differently on inidividual computers.
password management is about risk assessment and organization, not useless rules of thumb.
is it really that difficult to remember 5 or so passwords? i use a random password generator to create passwords and i don't have a problem remembering the important ones.
are people really that lazy?
I violate the first one.
I probably should consider using it for my less important passwords. My more important ones are already pretty secure.
I always find it interesting that password "do's and don't's" still pop up over and over these days, which only acts as a testament that today's security is still weak because many people just don't do the basics.
I pretty much follow all the rules, but I've been known to use passwords on untrusted networks that were not using SSL. Nevertheless, I beleive using a password manager solves most of these points inherently.
For example, if you need to generate a password for a new site, simply use the tool to automatically create a huge random password (you don't have to remember it). Then, simply refer back to the tool when you need to access the site. Moreover, you can set your own password policy - regardless of the site's - to ensure the password is changed regularly, among other things.
Technically speaking, using the first rule effectively negates rules 2, 3, 4, 5, & 7.
@tim & @nathan concerning key loggers. I would argue that auto-generation of passwords in a password manager and using the "click" to copy capabilities that exist in most, if not all, will avoid having the user to type them in. However, Tim's point is still valid... if your system is compromised in anyway... it's open season.
Actually, the more I think about it, the more I've come to feel that dictionary words should be encouraged - if used properly. Broadly, it's about as easy to remember each "symbol", whether a word or a letter. So it is about as easy to remember "fox carrot can" as "q k d", but one is more secure. Using all words might make a password too long, but a mix of words and characters can provide a balance of security, length, and memorability.
Store 'em in a password manager - yep, have one of those.
Change 'em - not so much. I'll change the important ones occasionally, but not the trivial ones.
Keep 'em secret - the only passwords I share with other people are the ones to the networking gear in the house, and that's just because I'm not the only one living here. There's assorted low value passwords lying around in unencrypted files though (mostly web browsers on my own machines).
Keep 'em random - some of my passwords for trivial sites break these rules
Keep 'em different - rubbish. Using the same password for multiple low value sites (e.g. different discussion forums) isn't a problem. Yes, using your banking password for a different system would be dumb, but that's a long way short of *never* reusing a password.
Keep 'em manual (part 1) - I break this one on my home machines. Someone sitting in front of my home PC and logging in isn't part of my threat model for them. If I had kids it would be a different story ;)
Keep 'em manual (part 2) - break this one too. For a low value site, having the browser store a cookie is less hassle than logging in all the time.
Keep 'em to your own machines - again depends on the value of the site. I try to follow this rule for high value sites, but don't really care for low value ones. If I have to break it for a high value site for some reason then I'll likely change the password as soon as I get back to my own machine.
Keep 'em to your own networks - see comment on previous rule.
Don't trust email, ever - yes, this is really good advice. The PetNames extension for Firefox makes it work even better. I'll still break it for internal links at work though.
Thinking about password entropy is just kinda weird. Saying "don't use dictionary words" is simple, but wrong. If your password space is limited and fairly short, OK, but if you can put in a really long password, then it's better advice to note that a random dictionary word is less difficult than a random string of the same length. But if you choose a word from among, say, the 10K most common password strings, that's still going to be around 13 bits of entropy. Seems to me that if you infix a single random character, you increase that entropy significantly. Combine 3 or 4 of those words with those infixes, and fairly soon you should have a fairly strong password, even against someone who knows what your password algorithm is.
The real mind-bender for me is that tools like PRTK are, I believe, pretty much deterministic. Which means, for a given set of parameters it's given, there is a single password that it will use *dead last*. So that would be the best password to use, right? So everyone should just use that password, right? I think I see a flaw in this reasoning... sort of.
It's OK to use the same password for different sites, as long as they are all sites you don't care about very much. If someone got my facebook password, they could probably sign on to other web forums in my name using the same password. Big deal. What I would NOT do, is use the same password for anything important (like financial or medical services). It would be a bad idea to use the same password for your bank site and for anything else. I also don't use work password(s) for any non-work purposes and vice-versa.
When choosing a password to use for a site, you should consider how important the security of that account is to you. You can use the same password for a bunch of low-importance sites if you don't care too much that a compromise of one of them, would expose your login details for all of them. For high-importance accounts, use a unique password for each one (and try to minimize the number of such accounts that you need to have, so that the passwords are easier to remember/keep track of).
I have two password "schema" that I use consistently. They are immune to dictionary attack, and I'm so confident in the obfuscation of the "code" that I can leave it written on a post-it by my keyboard.
Even with several listed together nobody could possibly work them out without the "key" (which remains safely secured in my head).
Believe it or not, this is very simple with the key.
If you follow the link, even before you get to the dos and don'ts, the author writes:
"You can see whether your current passwords — you do use more than one, right? — are rated "strong" by using Microsoft's online Password Checker. I bet you'll be unpleasantly surprised by the results.recommends testing password strength against Microsoft's password checker."
I think we went over this one before. Just a reminder, Microsoft's password checker states that "Password1" is strong! This is aside from the fact that using any online tool to store, test, or synchronize passwords seems rather questionable.
@tim I was thinking more about the password manager being hacked by and within the company that supplies it. ie the delivered s/w reports home each time a password is entered or extracted.
OTOH, if the computer is on a network and is already full of security holes (such operating systems are available commercially) what makes the password manager executable files magically protected from change?
@AlanS: Wait, I'm supposed to go to Microsoft's site and type in passwords I might be using? And I went and checked and it's not even https? This sounds like a bigger security risk than all the others the article warns against.
Maybe I should set up a rival "password checker" site and see how many passwords I can collect.
That's a bunch of bad advice.
I have dozens of accounts. I'm sure not going to cycle passwords on them all, especially since most of them don't matter.
Use dictionary words--just augment them appropriately so they're not brute-forcable. Entirely non-dictionary passwords are unrememberable and untypable, and I'm not interested in password managers.
Use the same password for low-security sites. I'm not coming up with a new password for every little forum; that's just useless.
I'm sure going to have my browser log me into sites. Advice that causes me massive inconvenience is useless.
I'm sure going to use "remember me". Any site with actual sensitive data (credit cards) makes you log in again anyway. (If they don't, they're failing at basic security--so don't use it. If they don't do this right, they're getting other stuff wrong, too.)
Password advice that doesn't differentiate between important and unimportant passwords, that doesn't recognize that people have a lot of accounts to deal with, that place a 1:0 importance ratio on security vs. real-world practicality--is uselessly academic.
I am always weary of typing a password in on someone elses computer. Heck, i have a keylogger running on my computer just incase someone uses it.
"DON'T use passwords comprised of dictionary words"
What about Diceware? Those are strong passwords/passphrases made up of dictionary words.
I guess I'm weird because I actually do follow the advice. I use KeePassX as my password manager and I use randomly generated passwords of the longest length allowed by the particular site.
In places where I can't use the password manager (startup encryption password, windows password and the password manager password) I use sufficiently complicated passwords that I've developed through the years.
Oh to add, I also treat the "forgot your password" questions exactly as another password.
One of these days I am going to publish a list of 1000 really strong passwords (or build a pseudo generator that randomly selects one of a thousand) with a recommendation that users use one from the list just to see if anyone would use one.
If a time factors are built into the authentication process that prevent rapid testing then you can probably get away with a password that has a much lower entropy.
NIST has a nice table in for determining entropy. See "Appendix A: Estimating Entropy and Strength" in SP800-63. Also see NIST SP800-118 "Guide to Enterprise Password Management". Both available here:
"Even with several listed together nobody could possibly work them out without the "key" (which remains safely secured in my head)."
If that's true, then you can safely share your system, and just keep your key secret.
And coincidentaly, I also break seven of those rules on a regular basis.
could it be:
Clearly, we should figure out which password PRTK tries LAST and just all use that. ;)
(No, of course I'm not serious.)
I wasn't suggesting using Microsoft's password checker, quite the opposite. The advice to use Microsoft's checker is at the start of the article Bruce quoted from.
I wonder how many people use Microsoft's checker? It's the first think that comes up in a Google search of password strength. Scary.
I didn't read past the first piece of really, really bad advice: item 1. He uses a proprietary password manager, which he can't build from source? I can't think of a more stupid thing to do. How does he know this proprietary password manager isn't emailing all his passwords to a hacker? He doesn't.
This article reads to me like an extended advertisement for CallPod or similar password managers.
The rest of the text is really just filler for the main message, which seems to be that you should choose and trust a password manager app.
It could have been written much clearer and tighter. In other words the article could have been (A) use a manager like others have reviewed - note that my favorite is X and (B) follow password safety tips like those provided by security experts Y and Z. I see little original content here other than the opinion at the start about paying $15.
I got a chuckle from this one: "DON'T use the same password for different sites"
Yes, always use a random password that you'll always need your password manager to remember...did I mention this is really an article about password managers? In reality this is why many people (with good intentions) end up relying on password-resets to access their account.
They forgot one:
"DON'T let the fact that you haven't been using good password management so far discourage you from doing it from now on."
I personally have signed up for tons of sites in my college days that I no longer know what the username / password is or even what sites they are. I have no list, and that's kind of discouraging trying to keep track now, having to go and backtrack what social sites I use. I really should, though.
That said, a good way to remember long, complex, strong passwords is to get them from a passphrase - take a favorite movie quote, or line from Shakespeare, or some other source, and use the first letter of each word. I often change stressed words to capital letters, too. I've been fond of using bad jokes as passphrases in the past:
"Three strings walk into a bar." ->
There, we've got upper and lower case letters, numbers and punctuation. Eight characters, nice and strong, and easy to remember.
Having used Mashed Life for 1 year, now I'm completely hooked to it because of its 100% platform independence in-cloud architecture. I even use it often on my iPhone to log on to sites without bothering typing on the tiny keyboard.
In the real world, often password mgmt is also a social activity. Inevitably, I have to share my FedEx account with my co-workers, AT&T, Netflex account with my family. And Mashed life addressed this social reality in a brilliant and super convenient way, even my grandmom can use it without any problem.
Not quite, but close.
And without the information in my head you would have little hope of deciphering it (except simply by chance).
Not only followed and sage but a necessary thing....
Well, I think a good password would be something like: "Beckyspass%wordadvicesSUCKS"
Easy to remember and no one is going to bruteforce it. I wish "experts" could stop giving stupid advices no one is going to follow anyway.
>They are immune to dictionary attack,
Dictionary attacks might have been the only practical attack circa 1999 for persons lacking government level resources.
Today, Rainbow tables handle that need quite nicely upto some length that starts becoming more "passphrase" then "password."
If you don't have a system that locks out after a few bad attempts -- something that was fairly resistant to dictionary attacks already, it doesn't matter. Say a hacker who snags an entire security database so they can rainbow table it offline.
I wonder if any botnets have been configured to do due distributed rainbow table analysis yet a la SETI?
"[...] generated by a truly random process (not a computer random number generator)."
I thought linux /dev/random was (truly) random. Am I wrong?
I have 3 levels of password security...
low: Sites I just don't care about. They all use the same password, 6 random lower-case letters that was assigned to me when I opened an account on tripod many, many years ago.
medium: Sites I have some slight interest in keeping private, but wouldn't really cause me too much trouble if they were discovered. These all use the same password as well, but it's longer and more complicated.
high: These are sites like my email and banks. Each gets its own, unique, randomly-generated password using the best standards the site will allow (e.g. my email password is much stronger than my bank password because of the stupid limits Bank of America places on passwords). With the exception of my email password, which I've memorized, I can't access any of these sites except when I'm at home where I have a program for keeping track of my passwords. Hence it's a tradeoff between security and convenience.
Yes, no passwords stored unencrypted.
Yes, well, I use KeePass, but that's encrypted. I think they mean plain text files here.
Yes, I generate passwords randomly.
Sort-of. I have an "insecure" password for sites that I don't care if someone pretends to be me on. Internet forums, etc. Important things get their own passwords.
Yes, I type a password to log in.
Meh. Bank, etc, I use pw manager. Forums and such, just firefox.
Sort-of. Same as above.
Do you trust your ISP? How about their upstream? How about THEIR upstream? What about the server's ISP? This rule would prevent entering any passwords except on totally private networks. And with the MD5 breakage creating a CA-level cert, well, you can't always trust HTTPS anyway.
Yes. Though it's easy enough to check if the e-mail link is legit.
I actually follow most of those though I do have different password levels for different sites. My only recommendation is to remember that the most important account you have online is your webmail account since someone with access to that could unlock every other site you have using the "send me my forgotten password" feature.
I agree that writing passwords on a piece of paper in your desk is dumb, but I don't think writing passwords on a piece of paper in your wallet is.
Hasn't Bruce recommended that in the past, based on the reasoning that any average person knows how to (and more importantly, practices) keeping their wallets secure?
Plus you can add a little obscurity in the way you write them down so their usage isn't obvious to a garden-variety thief.
Password expiry and rotation is absolutely and completely pointless for the vast majority of personal accounts. It only comes into play if you have multiple principals accessing the same account. Nearly everyone doing it otherwise has bought into groupthink and not seriously considered their threat model --
I mean, why does my Blackberry password expire? Only I know it. If I leave my company, the blackberry is useless without the service they pay for, and if I was trying to get any confidential data off it I've had years of prior time. Additionally password expiry encourages bad behavior from users, which is far more troublesome, and opens up repeated and predictable attack opportunities during password changes.
In addition, focusing on short password complexity has been a losing game for over 10 years, as illustrated by some of the earlier posters. Passphrases in the 20-50 character range not only offer substantial resistance to brute force attacks but they're a hell of a lot easier to remember than line noise jibberish at comparable risk level.
The best password advice out there is not following directions on those silly "Secret questions" and using another normal password there, and keeping at minimum different groups of passwords as mentioned. I may reuse or do slight variations on random forums I don't care about, but all my financial and mail accounts have unique and long pass phrases.
All these "password advice columns" seem to be largely games of one-up-manship comparable to version-number races between vendors. Most of makes no sense, but you better come off sounding tougher and more authoritative than the last guy!
"Hint: iPhones seem to be designed to forget passwords to quickly and securely wipe data."
I guess you haven't heard about the little problem with Blackberry's in the United Arab Emmerates?
Put simply Blackberry has handed over some of it's PKI "code signing rights" to another organisation (Etisalat a UAE-based carrier). They sent out a software update to all the phones on their network.
Unfortunately for the users this "trusted code" contained malicious code (rogue-ware) in the form of "ET Spyware", that intercepts the Blackberry users plaintext emails and text messages and sends copies to a central Etisalat server...
As the rogue-ware had a "command element" to it, it could potentially have been made to "push" any user plain text up to the server including the output of a password safe...
Fortunately for the users the code was sufficiently ham-fisted in the way it worked, that it drained the Blackberry phone battery in a matter of a couple of hours and the resulting investigation found the rogue-ware.
You can read more at,
Oh and for those with a short memory Blackberry made a lot of commercial ground over the fact that US President Obama uses a Blackberry and the NSA passed it as being secure.
There are two points to note from this,
1, There is no such thing as "trusted closed source code" signed or otherwise (think about that next time you download the latest app for your computer or iPhone etc)
2, For whatever reason somebody will always do an "end run" around any security you put in place.
There is a third point (PKI is brittle and useless) but the Moderator will give me a "yellow card" for "Off Topic" if I'm not careful ;)
The upshot is as I have said for many years a "security token" must be "immutable" except under some very specific conditions involving a "physical interlock" that is effectively "inaccessible to the user" and extremely "tamper evident" (ie the token stops working entirely).
"Recording your password is nothing more than keeping your keys on a keychain."
Err no it's not quite the same. If I lift your key chain I cannot make "easy copies" of the keys on it. That is there is a degree of "preventative security" involved which puts a "work factor" on the person trying to make copies.
A simple "recording" such as writing down on a piece of paper does not add any "work factor", you can still lose your wallet or let the piece of paper become visible inadvertently (whilst you are asleep in the shower etc etc).
Therefore you need to add the extra "work factor" to make it equivalent to a key chain.
If you do, do that then yes you are correct when you say,
"Recording allows you to maintain genuinely secure passwords for those cases when secure passwords are appropriate."
As a general point "key management" is actually a much much harder problem than other aspects of security.
Most solutions are either not robust or insecure.
A classic example of this is with PKI where a root private key becomes lost or compromised.
There is a recent example where a Hardware Security Module (HSM) failed and the root private key was lost in trials of a prototype health card system,
Does anyone have any evidence to show that mandatory password changes have a security benefit?
Regarding "Putting them into a file on your computer ... is tantamount to giving them away," where do you keep the password manager?
Sir, could I translate your article to Russian for further use in our company as instruction for our workers?
P.S. I'm sorry, but my English is not so good as I want...
I keep puzzling about what would be more convenient: use a password manager to remember my password to trueCrypt, or store the password manager itself inside a trueCrypt volume. The second one is more secure, but it requires accessing a secure volume even for typing a single password into some silly website, while the other way around exposes the password manager to the attacker.
Instruction to all Employees
From now on all passwords must obey the following security rules
1. You must not use words that are in the dictionary.
2. You must not use keyboard sequences eg qwerty
3. You must not use repeated letters eg zzzz
3. All passwords must contain at least one digit and one non-alphanumeric character.
4. You must not use common acronyms.
5. You must not use proper names.
6. You must not include numeric squences that are memorable dates eg 1066.
7.You may not use valid postcodes.
8. You may not include car registration sequences.
Our security experts have now determined that there is only one passwords that satisfies all of these rules. It will be issued to all staff in the next security bulletin.
Hmm how about,
"Any phrase from any published work"
"Any known or predictable numerical sequence"
I guess the real question is "when do we give up on passwords for something better".
Or are they like Sir Winston Churchill's comment about democracy (see Hansard, November 11, 1947),
"Many forms of Government have been tried, and will be tried in this world of sin and woe. No one pretends that democracy is perfect or all-wise. Indeed, it has been said that democracy is the worst form of government except all those other forms that have been tried from time to time."
Let's see a quick,
And Churchill becomes a "man of the times" again 44 years after his death...
Great advice. Too bad my (German) bank uses a 4 digit numerical pin as online banking password together with my (publically available) account number, and doesn't let me change it.
> DO use a password manager ...
Yep. Password Safe, hereinafter "PS". Used for everything except my work and home Windoze logins (password manager not running yet when logging in!), and my cell phone unlock PIN, plus the PS master password itself. And yes, I have backups!
> DO change passwords frequently. ...
I don't generally follow this, because nearly all of my PS generated passwords have approximately 105 bits of entropy, and so it is pointless. There are 2 special cases I change once a year. Plus I might login to something low-grade at a riskier PC, like say, IMDB at the library, but then I change it as soon as I get back to a trusted machine.
> DO keep your passwords secret....
> DON'T use passwords comprised of ...
Yep. Follows trivially from using PS.
> DON'T use the same password for different sites.
Yep. Follows trivially from using PS.
> DON'T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.
Yep, I follow this. Logon passwords are two of the four passwords I actually have memorised. Everything else bootstraps off PS.
> DON'T use the "remember me" or automatic sign-in option available on many Web sites.
Yep, I don't do this. In fact Firefox is set to delete all cookies at the end of every session. (Contrary to various claims, I have never found this to be an issue with anything at all.)
> DON'T enter passwords on a computer you don't control — such as a friend's computer —
I sometimes violate this for certain proverbial "low value accounts", such as accessing IMDB at the library, but then I change the password when I get back to a trusted PC. If I'm expecting to be using untrusted PCs for a while, e.g. email access whilst travelling light, I'll actually create a couple of "disposable" accounts beforehand, change the password everytime I login, and cancel them afterwards. In principle the owner of a key logger could get to the password quickly enough to take over the account before it's changed, but it's never happened yet, and all I need to do is use the backup account to tell everyone to stop using the compromised one.
> DON'T access password-protected accounts over open Wi-Fi networks —
Yep, I follow this one. Actually I rarely use an open Wi-Fi link for anything except general interest browsing, or checking e-mail over an account that SSLs the entire session.
> DON'T enter a password or even your account name in any Web page you access via an e-mail link.
I also follow this - which is arguably the most important rule on the list!
I'm a little surprised that Bruce says he violates so many. It's true that they are a PITA to obey without a password manager, but using PS -- which he designed! -- solves 99% of the problems and enables you to be this strict quite easily.
Step 1) Write an article about passwords, with a link to a password 'checker'...which is really collecting passwords. (Step 1a: remember to pay off Microsoft insider.)
Step 2) Sell newly compiled list of passwords to 'the usual suspects'.
Step 3) Write another article about passwords and password lists...
@AlanS: Wait, I'm supposed to go to Microsoft's site and type in passwords I might be using? And I went and checked and it's not even https?
It also doesn't require you to submit your password before checking it, though. It is client side.
It still isn't very good, however. It rates an eight character password that includes symbols, numbers and letters higher than a random hundred letter password.
I keep all my important passwords in an encrypted truecrypt container.
TC containers can be read on Windows, Mac OS and Linux and I don't need any additional "password managers".
Oh BTW, wouldn't it be cool if we had "advanced passwords" which would be able to e.g. require certain characters to be entered and then deleted again or a "wait time" of n seconds between one or more characters of the password.
The password is considered correct only if these additional requirements are met.
"Conventional" passwords are so 1970's
@Alexei: "I keep puzzling about what would be more convenient: use a password manager to remember my password to trueCrypt, or store the password manager itself inside a trueCrypt volume."
Commonly, password managers will encrypt the passwords you store in them, so you will need one "master password" to access the others anyway.
There's no real need to put the already-encrypted database file of the password manager into another encrypted container.
That would be nifty, but of course to access a remote server you'd probably want to track things client-side (if only for accurate timing across the internet). And then, of course, you'd need some way of representing/encoding the advanced information.
You'd probably have to combine it with the password text to create some sort of Unique Identification Key bitstring, which to the untrained would seem a lot like a password, but obviously it wouldn't be because it would be a UIK.
What exactly is the difference between
password1 and password1^H1 ?
It does offer a new dimension to the password space, but at the cost of extra complexity for the user.
And that's the true problem - as users, we can't even mentally handle the complexity of the passwords we already have.
several suggestions in choosing passwords to work around the automated cracking programs:
-- obfuscated perl one-liners that are silly enough to stand out in your memory
-- diceware (10 words)
[ (7776^10) > (2^128) ]
-- an acronym string of some outrageously memorable bit of designer prose
'As i walked down the streets of the West Village, i was quite taken by the pulchritude of the denizens thereof; many of whom were of not readily determinable gender ' ->
--equations as root
here you have a particlar luxury, in that the equations don't have to be valid, just memorable ;-)
e = mc^2
but as we all know ;-)
in crypto, RSA
c = m^e mod n
so e = mc^2 becomes:
e = m [(m^e)^2 mod n]
= m [m^2e mod n]
= [e = m^(2e+1) mod n]
(not being 'picky' about squaring the mod n in the nonsense
-- combined longer pronounceable nonsense words as root
(somewhat similar to an obscure Minbari cursephrase of the Warrior caste, but the cracking software is probably restricted to Earth language dictionaries ;-) )
there are probably many other schemes that would be effective
I've used SSH and Squid on my home machine to access wireless internet in a coffee shop.
I'm particularly fond of www.grc.com/password for my password generation. I highly recommend checking it out.
I'm going to guess you also wrote the passwords backwards. Or transpose the pairs of letters. I do the transposition trick myself, sometimes, when I have to write one down. abcdef would be written as badcfe.
I still think it's reasonably secure that way, to write down passwords if you've got a trick. You know there's an extra letter at the end that you have to remove, or there's one at the start you have to add, or anything like that.
Given a lengthy list of encoded passwords and lots of time they might eventually be cracked, but it's probably not worth the effort for most would-be intruders.
> DON'T access password-protected accounts over open Wi-Fi networks — or any other network you don't trust — unless the site is secured via https.
Well there are some flaw in ssl (see last black hat archive for example).
https over open wifi shouldn't be trust. Prefer usage of VPN (or ssh tunnel).
There are different levels of passwords and each comes with its own set of rules. For instance, I use the same password for all forum sites which require them. I regularly post in several car forums, a baseball forum, a tech forum, etc. I see no problem using the same password for all those sites. Worst that can happen is that someone posts something offensive using my screenname. The password I use for those sites I use for nothing else.
Then there are the passwords I use for banking and credit card stuff. Very strong and changed regularly. I use them for nothing else.
Lastly, there are passwords I use to access my PCs and servers at work. They have strict password policies which force changes and deny the recycling of passwords.
If I need access to my PCs or servers at work, I VPN in and then remote into my desktop. I do not access my banking or cc websites from anywhere but home. About the riskiest thing I do is access my email from wifi networks not under my control, such as hotel wifis. I should probably use the VPN for that, although my email is boring as hell. Not much of interest to anyone there.
I can't believe nobody has asked Bruce _which_ 7 rules he breaks. And more importantly, I want to know _why_.
Is it that certain rules above fail the Schneier Sanity Test? (For instance, there are some very clever people who think that changing your Unix password every N days can introduce more risk than it mitigates, such as through SSH keystroke timing attacks.) Or is it just that he's purposefully demoted himself a la Twelve Monkeys such that his accounts now no longer have much value to bother defending?
Come on, people! We need to petition our guru for the real wisdom!
Not so bad ... I break only 5 of those rules :-)
A common proverb says : "do as I say and not as I do."
Defining rules seems to be easy, but using them is another story.
Thank you for this post. For many years I use "Oubliette" on my WinPC. Unfortunately they stopped some times back with further developments. But I still use it. Now, having an iPhone I found Keeper and love it myself. The drawback was syncing with my PC. Every now and then I have a bit cash free. Your article convinced me that Keeper is the right place to invest. Next time I will purchase the PC version and then bring over my data from Oubliette - unless Bruce, you have another solution.
It would be interesting to hear from Bruce why frequent password change is needed. How does it helps?
@Hugo: I'd also be interested in hearing, from anyone, how frequent password changes increase security.
I've wondered about this for years: Even if you change your password daily, once it's compromised the bad guy would have an average of 12 hours to work his nefarious plans. Seems to me that should be ample time for most purposes (e.g., running to the liquor store with your debit card, sending nasty emails to your boss, etc.).
Am I missing something? I'm genuinely curious.
@ Hugo, triceratops,
"...in hearing, from anyone, how frequent password changes increase security."
Well you have to stand back from the issue and ask,
"Why where password systems developed this way?"
To which the answer is another question,
"Who's security is being protected?"
And this is where historicaly on a batch or multiuser system there are three heirachical players to consider,
1, The System Owner.
2, The System Admin.
3, The System Users.
The System Owner makes money by making a service available to users and to ensure that the owner and users can do their "business" and not bother with "system things" there is an administrator to keep things running.
Traditionaly money was made on resources be it CPU or System Time, Storage, or Output.
The Owners accountants want to maximise income and the users accountants want to minimise costs...
So from an accountants point of view it is important to have "acountability" for the resources used. Part of this is ensurimg that all use is "valid use" which means strict user acount control.
The more frequently the user account passwords are changed the less the window for illicit use by either users or others (ie crackers in more modern parlance). In some companies the password was changed at close of business at the end of the week and the new password given by the Owners Admin to the users accountant first thing on the Monday morning, the users would que up at the acounting departments "admin desk" to get the password along with any stationary...
Some 40 years later this legacy viewpoint of changing passwords frequently still remains.
The only security value in changing passwords is on shared accounts and as we (should) know shared accounts lack accountablity via auditing and this due to SabOx etc is most definatly a no no these days.
So the need to change is at best marginal in an out of date insecure usage model that by and large does not exist any longer.
The only place it still has value is in OS's where there is only one "admin" account and it is difficult or impossible to provide role based access or delegate specific actions in a controled and audited fashion (and I would politly sugest if you have such an OS you should stop working with museum pieces).
There is a residual security value in suspending accounts that are either not used or have changed usage patterns but providing the password is sufficiently random etc there is very little point changing it.
So as far as I can see it is tradition and not a lot of other reason to keep it, oh and the likes of MS build it in so it gets used by "box tickers" as a method of policy...
I'm sure that there are people out there who hold strong views on the subject one way or the other but then people put mustard on their steak or eat vindalo ;)
It would be interesting to hear from Bruce why frequent password change is needed. How does it helps?
@Hugo, triceratops, Bilge:
What Clive says is pretty well right. However there is another argument often used today, which is superficially quite convincing, but also wrong. The argument concerns dictionary cracking of a hashed (one-way encrypted) password.
The argument presumes a cracker who has somehow stolen some sort of hashed credential (whether a copy of /etc/shadow, an NTLM hash sniffed off the network, or whatever.) The attacker is proceeding to grind into these hashed credentials with some sort of brute force or dictionary attack. The attacker has some probability per unit time of success, depending on the entropy of the passwords, and his number of trials per second. His total probability of success is the life expectancy of the password multiplied by this rate, i.e.:
P = Tr/N
where P is probability of attack success, N is size of password space (here assumed uniformly distributed for simplicity), r is the attack rate, and T is the maximum permitted password life.
Now the argument goes like this: obviously we want to minimise P. We have little control over N: users will be given advice on choosing passwords, and perhaps we will even do some password strength checking, but there will always be some guy who chooses his car registration number. We also have little control over r: we can make password hashing slow to reduce this rate a bit, but we can't make it too slow or else it will annoy users, and we simply have no control over how much iron the attacker can throw at the problem. Thus to minimise P, our best bet is to minimise T.
Obviously we can't make it too small, or it will be really inconvenient to change passwords so often, so how small should we go? Well at some point in the past people threw some guesstimated numbers at the problem and came up with various figures from a week to a year or so, depending on what parameters you guessed, and a lot of folks settled on a month as being not too inconvenient yet not too risky.
Unfortunately, the whole line of argument is baloney, for two reasons. The more important and cuter reason is that if the attacker can still gain access to a hashed credential (and we've done nothing to stop him), then he is not "defeated" by the password change, he just has to start again (or if he is already randomising his search order: he changes nothing, just keeps going!) That might seem like a lot of extra work but actually it turns out that on average, all these password changes at most double his time until success, no matter how frequently they are done. Even if the hapless user is forced to change his password at every login, he achieves at most a doubling of the time until the cracker controls his account! This is really not very helpful.
The second reason it is baloney is that the calculations are now totally dated (that is, the calculations that people once did to come up with a month as the right order of magnitude.) If your users are still choosing 6 character dictionary words as passwords then be warned, they can be cracked not in a month but in a fraction of a second. Changing it once a month is useless because it will be broken again somewhere between hitting "Enter" and lifting the finger off the key. If you are a paranoid bastard like me and use 16 character random strings then you were immune to dictionary attacks back then and you still are. But most users need to have graduated from 7 or 8 character pronounceable non-words up to *at least* 10 character random alphanumeric strings (e.g. "ZY1L5QKA9D"), or 14 character pronounceable nonsense (e.g. "sotrebtapmundo"). For many people this is simply too much, and so the reality today is:
a) if system security prevents the cracker from getting a hashed credential to chew on, then all of the above is moot; but
b) if the attacker can get a hashed credential, then it is still moot, because most users will be dog meat in minutes.
@Clive,Roger: Thanks! You pretty much confirmed my suspicions, but it's good to see some solid arguments.
The cited set of rules is rather paranoid. Very few people would stick to them all. As many other has commented, the rules simply ignore the importance of a particular password and treat all information stored under protection of any password as near-top-secret.
Myself, I just have roughly three categories of passwords:
1. Very important passwords: bank accounts, credit cards' PINs, passwords used at my workplace, passphrases to a few SSH and GPG keys I use, password-manager password etc. I use strong but easy to remember passwords, and I keep them in my head. I change them according to the applicable policy or just occassionally when no policy is in place.
2. Important passwords: email/shell accounts, paid services of various kinds (like my domain registry password, online newspaper access etc.) and one or two social networking sites. In this category I use random-generated passwords and keep them in a home-grown 'password manager'. I rarely change them, if at all, unless I feel one could have been compromised.
3. Marginal passwords: forums, web shopping and other sites that require a password for no reason at all. I have two or three not-so-strong passwords that I reuse between sites. I also store them in the 'password-manager' but rather as a record of which unique email address I give to what site, so I could kick their butts (or blacklist the address at least) if they happen to leak it or give it away.
Some exceptions: infrequently used PINs that I am sure I am going to forget are written down and kept in a (relatively) secure place. Some web shops that are stupid enough to store credit card details are sometimes promoted to Category 2 (but I use a secure 'virtual' card for online shopping so the promotion is rather useless anyway).
For the Category 1 I use two methods of choosing passwords. For ones that are to be typed in frequently (like a main work account password beeing also the screen lock password), I choose a dictionary word of 8 to 12 characters long (sometimes with a spelling error) and apply simple substitution cipher (with several variants) that is easy to perform in my head thus getting a string of letters, digits and/or symbols (I stick to those symbols that are easily typed on a keybord, unshifted). Most often than not I am able to choose a word with all 8 characters different or only one of them repeating. This is hardly different from generating a random alphanumeric password, but easy to recover if I happen to forget it. The dictionary word + mental substitution method is actually useful only a few days or weeks after a password change; after that I just get to memorize the resulting string and even forget what word it was based on.
For passwords that are typed infrequently (like once a day for an SSH agent) I choose long passwords that are a complete sentence or two - often a couple of lines from a little known work of literature along with due punctuation and a few spelling errors thrown in, sometimes in foreign or exotic language. These are easy to remember (in the same way you memorize a poem or a song's text), yet in case I forget them I know where to look them up. Try to brute-force them!
To secure your on-line banking or other high security password setting, use a LiveCD which you can hash against the original image's hash before and after to establish it hasn't been tampered with, or at least you're just as borked as everybody else. Unless someone has borked your hash function too.
@ Black Bart
Using a Live CD is a good but slightly paranoid idea. Hashing is a nonsense. How could any malware tamper with CD-R (not -RW)? And nothing stops any malware tamper with the RAM copy of running software - if the software proves defective.
i have forget both my email account password and security question answer too. but i can remember some of the information with in it.i need some of the information with in it too.please help me to get my password/security question amswer
To everyone who asked: Periodic password changes exist to greatly reduce the practicality of brute force attacks, which is the only viable attack vector for an attacker if you follow these rules.
They /only/ cause problems when people who can't remember their passwords pick their new password to be the same as their last one, or otherwise choose it to be dumbed-down and easy to remember. But you shouldn't be doing this in the first place; instead rely on an OPEN SOURCE password manager to remember your passwords for you.
@Roger: I don't follow your logic. The first rebuttal you give against this argument is that changing your password does not defeat a brute force attempt, it merely causes it to start over. I maintain that these two are one and the same. The same applies even if he is randomizing his search order, because entries that he has already tried now could be possible passwords again and he must try those again.
For example: Assume a password of complexity N is being attacked with computing power of attack rate r. Assume that P is 100% after a period of 1 year. Now if we institute a password change every 30 days, using your formula which is correct, we reduce the probability of a successful attack to a mere 8.33% for the same period of time.
Your second reason does not make much sense to me either. The formula you gave is still true. I agree with you however that password complexity is at least as important, if not more than, password lifespan.
Another reason why password changes are good tho is that they cover possible leaks that are difficult to account for, such as cookies, use of public computers, use of open wifi, etc.
"The same applies even if he is randomizing his search order, because entries that he has already tried now could be possible passwords again and he must try those again."
I can't answer for what Roger ment by "randomize" but I have seen a similar problem before and it always causes confusion 8(
If you have a set of passwords there are two ways you can randomly select to do searchs,
1, from the whole set.
2, from the remaining set.
That makes a fundemental difference in that the first search will only end when a match is found. And the second will stop either on a match or when the remaining set reaches zero size.
The second major difference between the two is the first search may never try all passwords in the set, and will try some passwords over and over again. Where as the second trys them all once, just in a random order.
From the way you and Roger have worded things I suspect he was thinking of search type 1 and you are thinking of search type 2.
I found this Schneier article because I was looking for the sound, technical info that would help me decide which, if any, Password Manager to allow on my system. After all, I have been thoroughly disappointed by the description even in PCMagazine of leading Password Managers, since they give glowing reports of ease of use, but aside from vague assurances, nothing about the security protocol implemented. I cannot even tell where, if anywhere, these products store the Master Password.
But this is the problem: especially for a mobile phone, which could easily be stolen and find its way into a hacker's hands, it is dangerously insecure to store the Master Password anywhere. Even if it is encrypted, since the program must have the decryption key somewhere. So what I was looking for is a mention that only a secure hash of the Master Password is stored. But I cannot find this, even for the Password Managers recommended by this article.
So that is my $64000.00 question: which of these Password Mangers implement a protocol so secure that they are willing to admit what it is?
I hate the "Don't use dictionay words advice". It only make sense if you are talking about short passwords.
I use pass phrases:
Easy to remember, and very secure.
Some points are good, but some are way to paranoid. In the time of mobile internet, it is quit impossible to avoid Wi-Fi, in my opinion...
Imagine that a hacker is trying to access your bank account which is protected by a complex 16 - digit random password, that one on-line test site claims may be "secure" for a few trillion years. You can't remember it, reliably, so you write it on a specific page of a specific book in your local library, which you can remember; it's not real convenient, but very trustworthy.
One day, you are advised you must upgrade to a new library card, before you can return to access your secret book and password; they mail the card to you, and a thief steals it from your mailbox. He still has little more than a hint regarding the whereabouts of your word, but you once again can access it with your additional bit of knowledge. However, what if instead you can't wait, call the librarian and have her look up the book and page for you; she writes the password on a postcard, mails that, and the thief steals it from your mailbox, expediting his ability to access your bank account which he already has from prior mailbox raids.
You have no knowledge of the theft, so have no reason to alert the bank; by the time you figure out the breach, your account has been drained.
The library was open to everyone, yet in reality no one would ever have found, much less associated the password with you and your account.
Like most identity compromises, the enterprising thief uses both new and old tech to conveniently circumvent the most secure portions of your system, and creates a novel bypass. This is how they use those "low risk" accounts, blogsites, etc. to obtain enough info to call your bank, bluff through the personal question lists, then simply get everything updated via the contact they choose. All your super-security is meaningless if the Agency/Authority is easily conned.
1) Most any personal computer can be very secure, simply by using a strong password to logon, then any of the off-line Password managers.
2) Every corporate, networked, online computer is at far greater risk, because breaches can be ongoing, long-term, invisible, and the perceived value of success is much higher - i.e. the presumption that the large system machine holds more, and more valuable information worth the effort to hack.
3) Every trend towards online/"cloud" anything is a potential security threat to users - see 2).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.