from Hacker News

Strong Passwords

by simbalion on 9/3/16, 12:43 AM with 47 comments

  • by LeoPanthera on 9/3/16, 1:39 AM

    Having worked in IT, this is the kind of "guide" that I hate. It's theoretically correct, but wildly impractical and therefore not useful at all.

    Do not let perfect be the enemy of good. Right now, people's password hygiene is not even "good".

    Some specific criticisms:

    > At a bare minimum you should be using a unique 32 character random alphanumeric on every website or service that you use.

    Sometimes you have to type in a password, even if you use a password manager. Maybe you are using a public computer. 32 character passwords are laughable. NIST recommends 80 bits, that's ~14 characters. Entirely sufficient.

    > Do not use online password services

    If it means you're using different, reasonably strong passwords for all your accounts instead of just one password shared with everything, then PLEASE DO use an online password service. You will be vastly more secure.

    Getting "normal" people to use good passwords means their password manager has to be super easy to use. LastPass is fine. 1Password is fine. Hell, even writing your passwords down in a book is fine, as long as you look after the book.

  • by 3pt14159 on 9/3/16, 1:35 AM

    If you are like me and you like the idea of password managers but don't trust them because they're giant targets for cyber criminals and intelligence agencies have at my trusty ruby script:

        puts ((rand * 1_000_000_000).to_i.to_s + \
      ("a".."z").to_a.sample(10).join + \
      ("A".."Z").to_a.sample(10).join + "_")
    Some benefits: If you need to enter in a password on your phone the numbers / capitals are all in a row, so you're not constantly shift-on / shift-off-ing. There is multi-case alphanumeric with a symbol, so it passes most website checks. If the website is something dumb and they don't allow special characters your underscore is right at the end so you can just delete it, and since it is an underscore it's a special character usually allowed (unlike % for example) because they're not weirdly encoded, even in URLs.

    You can save your passwords in a gpg'd text file if you want, though it usually doesn't matter that much. Just store them in chrome and use two-factor. If you get logged out just password reset to your email.

  • by zyxley on 9/3/16, 1:12 AM

    One of the more persistent annoyances of the modern web for the tech-savvy is the experience of putting a long, randomly generated password into a site and getting an "invalid characters" error.

  • by krupan on 9/3/16, 1:20 AM

    I haven't lookek at keepass in a long time, and a quick glance at the website didn't help. The author of TFA says that keepass handles synchronization for you. Is that true? Because it didn't do that in the past.

    Also, can keepass generate secure passwords for you? That's something I love about lastpass.

    UPDATE: also, how easy is it to use on an Android?

  • by emddudley on 9/3/16, 1:27 AM

    > At a bare minimum you should be using a unique 32 character random alphanumeric on every website or service that you use.

    That is a non-starter....

  • by babby on 9/3/16, 2:21 AM

    The only complicated part of this method is securing the key, and the key is definitely required or you may as well just save it as plain text.

    You sync your DB across multiple cloud services, and to decrypt you use a weak master pass and strong key.

    I've been struggling with how to move that key around.

    .1) Put it on a USB drive or hide it in your filesystem.

    This is cumbersome and losing the drive could be disastrous. It's also trivial to scan a filesystem for key-like files.

    .2) Use an authentication dongle.

    This one is better but requires third party hardware in most cases, and is slightly expensive.

    .3) Bluetooth/NFC to your device.

    This can be intercepted at extended ranges as proven at defcon etc. Though is admittedly the most convenient method. The data can be signed, but I haven't seen anything out there that implements this well just yet.

    .4) Timed one time passwords, PushBullet etc.

    This feels like a bonus feature.

    I'm not sure how to go about this. You lose or leak the key then you're screwed.

    Is there a wristwatch or phone app with signed credential sharing based on wearer input, compatible to a standard?

  • by Spooky23 on 9/3/16, 1:20 AM

    Just use diceware. Simple and effective.

    http://world.std.com/~reinhold/diceware.html

  • by discreditable on 9/3/16, 1:44 AM

    For passwords I need to be able to remember (not many) or share (initial passwords for user accounts) I use a passphrase generator. Everything else is random 24-character Keepass.

    Plugging my super simple passphrase generator built upon the EFF wordlist: https://spg.brashear.me

  • by rcthompson on 9/3/16, 3:11 AM

    What about 8-character passwords with letters, numbers, and symbols? What if it includes non-ASCII characters?

  • by sunstone on 9/3/16, 1:51 AM

    Any 'password manager' is a priority target. Just use longish pass phrase and don't walk around with a target on your back.