password.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>What is a good password?</title>
<script src="password.js"></script>
</head>
<body>
<h1>Making good passwords</h1>
<p><a href="#randomwords">Jump to "four random words" password
generator</a></p>
<p><a href="#randomcharacters">Jump to "random characters" password
generator</a></p>
<h2>What is a good password?</h2>
<p>Too many sites have byzantine requirements for passwords that don't
actually help make them all that much more secure. Some sites require
you to change your password regularly, which probably has more
drawbacks than benefits. Below, I will give you a couple of ways to
generate a good password. However, it turns out that how you manage
your passwords is perhaps more important than the choice of the
password itself. As long as your password isn't too short (at least 8
or 12 letters long) and isn't a dictionary word, common proper name,
or common thing like "password123", your password is less likely to be
guessed than it is to be lost other ways.</p>
<p>If a password isn't leaked, there are a few general ways it can be
guessed: a dictionary attack, using personal information, and
brute-force cracking. Dictionary attacks and brute-force
cracking <i>usually</i> require offline access to a password
database. A well-designed password database will store your password
encrypted, so attackers can't just read it off if it's leaked.
In both of these cases, they then try lots of possibilities to see if
they encrypt to the encrypted form of your password. These attacks
can go over the net, but the large number of attempts necessary will
tend to make the attack noticed by security monitoring software.</p>
<p>A <b>dictionary attack</b> is where the attacker tries words from a
list against the password. There are <i>many</i> fewer six-to-twelve
letter words than there are combinations of 12 random letters. If
your password is a word in the dictionary, then it's easy to guess.
Even if you substitute numbers and symbols for some of the letters
(using "p@ssw0rd" instead of "password"), that is also easy to guess, as
password crackers all know the common substitutions. A good password
should not be a dictionary word, and ideally should be randomly
generated.</p>
<p>Attacks that <b>use personal information</b> might be more, er,
personal. Bad passwords are any word that is connected to you
somehow; your birthdate, the name of your kids, the city where you
were born, etc. All of these things can be automatically guessed by
scraping information about you from the web. If somebody is
targeting you personally, then they might try other things they know
about you: your favorite color, the name of your first pet, etc.
Even if you substitute letters with numbers and symbols (so that the
name Robert becomes R0ber+), these passwords are not very
secure.</p>
<p>A <b>brute-force</b> attack is like a dictionary attack, only here
the cracker is not assuming that the password is a word or a name or
something intelligible, but could really be a random collection of
letters or words. For, say, an eight-letter password, a computer
tries every single combination of eight letters to see if it works.
That amounts to 26⁸, or 100 billion, different passwords, even if the
password is only lower-case letters. While 100 billion sounds like a
lot to you and me, it's actually not as much to a computer nowadays as
you might think. When evaluating the strength of a password against a
brute-force attack, people often talk about "<b>bits of entropy</b>".
More bits of entropy means more tries, on average, somebody will have
to make before stumbling across your password. Eight lowercase
letters, assuming they're chosen completely randomly, have about 37
bits of entropy.</p>
<p>How many bits of entropy is enough? More is always better, of
course, but passwords become more cumbersome the longer they get.
Adding even one bit of entropy approximately doubles the amount of
time it takes to crack your password. It makes a difference whether
your password is attacked online, or if the attacker has the encrypted
password on their own computer. In the former case, 37 bits of
entropy is almost certainly sufficient. In the latter case, somebody
who knew what they were doing using a standard high-end graphics card
could crack that password in minutes, although it depends a lot on the
algorithm used to encrypt your password. If you want to be secure
against people who are really serious about cracking your password,
you probably need 100-200 bits of entropy. However, such passwords
are impractical (do you want to memorize a random string of 40 or more
letters?). Myself, I tend to aim for around 60 bits of entropy in my
passwords.</p>
<h2>Password Hygiene</h2>
<p>How you handle your passwords is more important than what the
password is. You should do all of the following:</p>
<ul>
<li><p><b>Don't use the same password twice.</b> This is the biggest
mistake most people make: they use the same password everywhere.
The problem is that there are security breaches all the time.
Databases of passwords get leaked. If you've used a password in a
leaked database, and it's associated with your email address, then
bad actors will try using your email address and that password at
all other sites. You can avoid this problem by using different
passwords everywhere.</p>
<p>This can get a little overwhelming, especially now that so many
websites ask you to register for an account before you can read or
post anything. What I do is have one "throwaway" password I use
on all sites where it's not that big a deal if all of those
accounts are compromised. However, for your bank, for your email, for
any login at work, for anything you've paid money for, and for
anything that could cause serious embarrassment if your account was
hacked (this would include all social media), you should use a
different password for every site.</p></li>
<li><p><b>Never send your password through email or text or other open
communication.</b> Having your password sit on an email server
provides another place where a security breach may release it to
the world. If you <i>must</i> email a password, learn how to use
cryptography software and send the password encrypted. (Sadly,
although good solutions for encrypted email exist, they have never
received wide adoption, likely in part because government and law
enforcement always push objections and raise fears of terrorists and
the like.)</p></li>
<li><p><b>Don't tell other people your password.</b> If the system
administrator of your bank (or any other place you have an
account) asks for your password, don't give it to them. They
don't need it. (If they do, they've designed their system very
poorly.) They can do the superuser things they need to do without
having to have your password.</p></li>
<li><p><b>Writing your password down <i>might</i> be OK.</b> This
depends on the password. Don't leave your work password on a
sticky-note on your work computer; then anybody who comes to your
desk can log into your account. However, if you keep a notebook
at home where you record your logins to various online accounts,
this is actually not as big a deal as it might seem. (Just be
prepared to change <i>all</i> of them if you lose the notebook or
if your house gets robbed.) However, there's a better
solution:</p></li>
<li><p><b>Consider using a password safe application.</b> There are
applications that store all your passwords encrypted. That way,
you only have to remember <i>one</i> password— the one you used to
encrypt your list of passwords. These applications generally let
you cut and paste the password into your web browser, or wherever
you need it. This lets you use a completely different, completely
unrememberable password for every account. Store it in your
password safe, and, whatever you do, <i>don't</i> forget the
password you use to unlock that password safe. You can find lots
of password safe applications out there, but one I recommend is
the cross-platform
open-source <a href="https://keepass.info/">KeePass</a>. You
can run it on any operating system, and share the password safe
file between devices. (Personally, I just use an encrypted text
file, but the principle is the same.)</p></li>
</ul>
<a id="randomwords"></a>
<h2>"Four random words" passwords</h2>
<p>A dictionary attack works because if you choose any word randomly
from the dictionary, it only has about 15 bits of entropy. However,
if you choose <i>four</i> random words, you're up to 60 bits of
entropy. This method of creating passwords was popularized by Randall
Munroe in his <a href="https://xkcd.com/936/">correct horse battery
staple</a> XKCD comic. (Note that he lists 44 bits of entropy,
whereas I list 60. The difference? He's assuming "common" words,
which are easier to remember. I'm randomly choosing words between 4
and 8 letters without requiring they be common.)</p>
<p>Here's the catch: for this password to be good, <b>the words have to
be truly random</b>. If you just think up four words yourself, you
have <i>many</i> fewer bits of entropy than you would with random
words. People will tend to think of certain words together, and
sophisticated password crackers will take advantage of this to
reduce the number of word combinations they have to try. How do you
generate random words? With a computer. Click the button below to
generate a "four random word" password.</p>
<p>Words between <input id="minletters" type="number" min="3" max="8" value="4" style="width: 3em"> and
<input id="maxletters" type="number" min="5" max="12" value="8" style="width: 3em"> letters,
<select id="startcaps">
<option value="including">including</option>
<option value="not including" selected>not including</option>
</select>
words that start with a capital letter (proper names, etc.).<br>
<input type="button" id="generatefourwords" value="Generate Password"></p>
<div style="border: 2px solid black; padding: 1em; text-align: center; display: none" id="fourwordpassword"></div>
<a id="randomcharacters"></a>
<h2>"Random characters" passwords</h2>
<p>These sorts of passwords are harder to remember than "random words"
passwords, but they require less typing. Again, the password is
better if the characters are <i>truly random</i>, which letters you
think up out of your head won't be.</p>
<p><input id="numrandomletters" type="number" min="8" max="16" value="12" style="width: 3em"> random letters<br>
<input id="randomcapitals" type="checkbox" checked> Include capital letters? <br>
<input id="randomnumbers" type="checkbox"> Include numbers? <br>
<input id="randomsymbols" type="checkbox"> Include random symbols? (Symbols used: !@#$%^&amp;*()_-+=:;,.&lt;&gt;/?~{}[]|) <br>
<input type="button" id="generatebarf" value="Generate Password">
</p>
<div style="border: 2px solid black; padding: 1em; text-align: center; display: none" id="barfpassword"></div>
</body>
</html>