The ABC of password security

[bcearl]

In this thread I want to discuss some pieces of wisdom about password security. This will not be complete, just the basics that I remember at the moment.

First we have to distinguish between online and offline passwords:

Online passwords are passwords that you use to log in. This does not have to be as secure because the site sets the rules how often you can try. For example, a site could refuse your login for a while after 5 wrongly entered passwords.
This means that an attacker cannot try out as many passwords as he wishes in a time as short as he wishes.

Offline passwords are passwords that you use for example to encrypt a file. This password has to be way stronger, because an attacker with the file cannot be forced to do less than a certain number of tries per second.
For example if the attacker can take your encrypted file and put it on as many computer as he wishes to try out as many passwords per second as he wishes. The only way against that is to have a password so strong that an attacker could not get enough computing power to break it.

Note that an online password of a website can become an offline password, e.g. when the website is hacked and the password hashes that the operator stored are leaked.
We will talk about offline passwords now because that is the most important issue for bitcoin users.


Randomness of characters: Depending on which set of characters you use, your password gets more randomness. For example if you use lower latin letters only, you have 26 characters. If you chose a password of length 8, you have 26^8 different possible passwords. To represent 26^8 possible passwords by a binary code, you need log_2(26^8) =  8 * log_2(26) = 8 * 4.7 = 38 bits. That's not much at all.

Code:

character set	number	bits per character
[a-z]		26	4.7
[a-z0-9]	36	5.2
[a-zA-Z0-9]	62	6.0
all ascii	94	6.6

You can see that the size of the character set matters a lot. But what matters even more is the length of the password. The number of possible passwords depends exponentially on the password length. For example for a whole-ascii password each additional character multiplies the number of possibilities by 94. This results in a growth of randomness by 6.6 bits for each character added.


Independence of characters: In the discussion above I assumed all the time that every character has the same probability. That is of course not always true. Attackers know that, and use it. That's why you should not use a dictionary word - in dictionary words the different characters are not independend.
For example, in English words you know that after a "Q" almost always follows a "U". Because of this, the string "QU" has a much higher probability than the strings "QS", "QG" or "QL".


Conclusion: The way to a secure password is to choose from a large set of characters, and choose the characters randomly with the same probability of each characters. The longer the password, the better. If you use AES256 for example, up to 39 characters each additional character adds real randomness to the whole thing. After that, you don't get more for AES, but there exist other encryption algorithms with even longer key lengths (e.g. blowfish up to 448 bits = 68 chars of password).

What I did: When I started bitcoin, I choose a new 12-character whole-ascii password (79.2 bits of randomness). It was a pain to remember in the first hours, but after typing it a few times I got used to it. I use this password now for my encrypted seperate bitcoin user account (on Ubuntu) and for wallet backups.




If you considered that helpful, you might give me a tip: 1HuteXifXc3x8Nq9x8hHGUnFGDU7KFggXD

[1715078025]

1715078025

[1715078025]

1715078025

[1715078025]

1715078025

[1715078025]

1715078025

[1715078025]

1715078025

[1715078025]

1715078025

[Brainslug]

There are actually a few good articles on that topic at PCWorld:
http://www.pcworld.com/businesscenter/article/170662/the_art_of_creating_strong_passwords.html
http://www.pcworld.com/article/154521/why_you_need_a_password_manager.html
and many more.

I personally use KeePass with a strong but memorable password to manage most of my "online" passwords as you call them.
For "offline" passwords I use a simpler Passphrase in combination with a YubiKey (http://www.yubico.com/yubikey), e.g. to encrypt my laptop's HDD or my encrypted file-containers. The YubiKey provides (among other options) a 16-64 character static password. Of course, having to rely on a physical device like a YubiKey brings also some riscs. If you lose the key you're pretty much screwed, that's why I recommend either ordering a second YubiKey and program it with the same static password or writing the password down and storing it in a safe or a lockbox at a bank of your trust. But the most important thing is to never use the YubiKey's static password alone, you should always use it in combination with a leading passphrase so if anybody should actually steal your YubiKey they don't get access to anything you used it for.

To test the strength of your passwords you should always check them at http://www.passwordmeter.com/.

[bcearl]

This Yubico thing looks interesting, but for that price you may better get a smartcard that does public key crypto.

[ius]

This Yubico thing looks interesting, but for that price you may better get a smartcard that does public key crypto.

Really? Have a link? Thought a reader + cards would be alot more expensive (I paid € 18,- for my YubiKey).

By the way, instead of programming a static key you could also use the HMAC-SHA1 feature to derive a key blob from a given challenge (afraid it does require whipping up some code). Makes it a little harder to grab the key though..

[bcearl]

This Yubico thing looks interesting, but for that price you may better get a smartcard that does public key crypto.

Really? Have a link? Thought a reader + cards would be alot more expensive (I paid € 18,- for my YubiKey).

By the way, instead of programming a static key you could also use the HMAC-SHA1 feature to derive a key blob from a given challenge (afraid it does require whipping up some code). Makes it a little harder to grab the key though..

That HMAC-SHA1 looks good. I don't want the PC to know my secret, but I want him to know that I know it.

[Timo Y]

Write you own poem, and keep reciting the poem at least once a week.

Then create your own rule for converting the poem into a password. eg. take 3rd and 5th letter from each word and capitalize if word is a verb... or something more complex. Just make sure you keep the rule to yourself.

40 character password that is both secure and hard to forget. Sorted!

Needless to say, don't ever use that password online.

[fornit]

To test the strength of your passwords you should always check them at http://www.passwordmeter.com/.

imho, that page is a joke.

example:
qwertasdfgyxcvbn = 18%

now replace every third character with a "1":

qw1rt1sd1gy1cv1n = 92%

yeah, right...

[BubbleBoy]

A good password stretching technique can go a long way to secure a short password. Reverting a 50 bit password hashed with SHA1 is trivial. Reverting the same password encrypted with 65.000 iterations of SHA1 (PKBDF2) for a total of 66 bits is much harder, feasible with GPU crackers. Reverting a 50 bit password stretched with a memory hard algorithm such as scrypt is probably not worthwhile for most any bitcoin wallet.

This is not a directly useful to the end-users, but I would hope the authors of wallet encryption will take notice.

[bcearl]

To test the strength of your passwords you should always check them at http://www.passwordmeter.com/.

imho, that page is a joke.

example:
qwertasdfgyxcvbn = 18%

now replace every third character with a "1":

qw1rt1sd1gy1cv1n = 92%

yeah, right...

That comes from the classification of characters, of course that's not exactly accurate. But there is no better way, the randomness of a string depends on the set of possible strings you assert it comes from.

If you assert that it is letters only, you have way less passwords to try, then if you assert that it is letters plus numbers.

The site seems to check only for that, which I mentioned in the OP depends on the assertion that all characters are independently chosen with equally distributed probability.

[bcearl]

I wrote a little program that creates totally random passwords, with same probability for every printable ASCII char: From "SPACE" to "~".

The program is kept simple, so that you don't have to trust anybody and can easily see what it's doing.

Code:

#include <stdio.h>

int main(int argc, char **argv) {
	// check for parameters
	int count;
	if (argc > 1)
		count = atoi(argv[1]);
	else
		count = 8;

	// open random number source
	// "/dev/random" is the secure random number source on Linux
	// "/dev/urandom" is not secure!
	FILE *source = fopen("/dev/random", "r");
	if (!source)
		return -1;

	printf("Your password is:\n");
	int i;
	for (i = 0; i < count; i++)
		putchar('_');
	putchar('\n');

	i = 0;
	do {
		// request 8 bits of randomness
		int c = fgetc(source);
		if (c == EOF)
			return -2;
		// delete most significant bit because of ASCII
		c &= 0x7f;
		// if printable: print it
		if (' ' <= c && c <= '~') {
			putchar(c);
			fflush(stdout);
			i++;
		}			
	} while (i < count);

	putchar('\n');
	fclose(source);
	return 0;
}

Usage:

- Put it in a file called genpasswd.c
- Execute "gcc -o genpasswd passwd.c"
- Execute "./genpasswd 12" for a 12-character password (default is


Looks like this:

Code:

~$ gcc genpasswd.c -o genpasswd
~$ ./genpasswd
Your password is:
________
9k'|Kfk@

The underscore indicates how long the password is (so that you don't miss characters).

[bitplane]

You have to read a lot and have a good memory, my favourite password system is to take either the first or last letter from a memorable sentence in something you have read, will never forget and has a tedious link to the site/file you're logging into.

For example, you could associate a gambling account with a couple of lines from If by Rudyard Kipling:

If you can make one heap of all your winnings
And risk it on one turn of pitch-and-toss

Could make the password "IycmohoaywAriootopat", which you're unlikely to forget. If you read a lot you'll have an endless supply of fresh, very memorable and extremely long passwords!

Now, knowing this, can you crack an old password of mine from the book Fight Club?

Clues: It's 14 chars long, it's based on the first letter of each word in two sentences and includes punctuation.

Here's the md5 sum:

7de46151e06abe0ad53c4513d22e9a43

[bcearl]

You have to read a lot and have a good memory, my favourite password system is to take either the first or last letter from a memorable sentence in something you have read, will never forget and has a tedious link to the site/file you're logging into.

For example, you could associate a gambling account with a couple of lines from If by Rudyard Kipling:

If you can make one heap of all your winnings
And risk it on one turn of pitch-and-toss

Could make the password "IycmohoaywAriootopat", which you're unlikely to forget. If you read a lot you'll have an endless supply of fresh, very memorable and extremely long passwords!

Now, knowing this, can you crack an old password of mine from the book Fight Club?

Clues: It's 14 chars long, it's based on the first letter of each word in two sentences and includes punctuation.

Here's the md5 sum:

7de46151e06abe0ad53c4513d22e9a43

I know about that trick, but I don't trust it. I use it for some passwords, but not important stuff like my wallet.

[foo]

https://www.grc.com/haystack.htm

[ius]

I wrote a little program that creates totally random passwords, with same probability for every printable ASCII char: From "SPACE" to "~".

Nice and simple, yet most distros should have a package for pwgen, which has extra options (easier to memorize, charset, etc.).

[bcearl]

I wrote a little program that creates totally random passwords, with same probability for every printable ASCII char: From "SPACE" to "~".

Nice and simple, yet most distros should have a package for pwgen, which has extra options (easier to memorize, charset, etc.).

Yes, there are lots of tools. The user account configuration in Ubuntu (or maybe it came with Gnome 3 which I installed) also makes password proposals and measures how strong your password is.

I wrote it myself because I really wanted to have a guaranteed equal probability for each character, and no character should be independent on another.

[bcearl]

https://www.grc.com/haystack.htm

The site says:

IMPORTANT!!!    What this calculator is NOT . . .

It is NOT a “Password Strength Meter.”