8 Thoughts on Passwords and Password Management

In light of the recent disclosures (within 24 hours of each other) of the stealing of passwords (or password hashes) from LinkedIn, last.fm, and eHarmony, I thought I’d share a few thoughts and tips on passwords and password management.

For users:

  1. As Ed Amoroso said in this video, use different passwords for different accounts.  If the bad guys manage to compromise one account, they don’t get access to everything you have everywhere.
  2. Use a password manager or encrypted notepad app to keep track of them.  If you are going to use different passwords, you probably won’t be able to remember them, so use one of the applications out there that help you manage them.  The advice for years has been not to write them down, but to some extent we no longer have any choice.  At the very least, there are “notepad” apps for mobile devices that use strong encryption and allow you to encrypt individual notes.  Use a VERY STRONG password to encrypt these other passwords.
  3. Don’t help the bad guys by typing them into sites to “see if they were on the list.”  This one may seem a little odd, but in the aftermath of these breaches, some websites sprung up offering to tell you if your password was on the list.  While some of them may have been legitimate, if the bad guys set something up like this, you just helped them crack passwords they may not have already cracked. Just assume yours was cracked and change it.
  4. As soon as you are aware of the breach, change your passwords, but be ready to change them again, because you can’t be sure they aren’t still in there stealing the new one. Be ready to change passwords in the initial aftermath and again relatively soon afterward.

For those managing passwords in their applications/databases:

  1. Salt them.  If the bad guys get the hashes, make them crack every one instead of getting off easy by potentially getting the passwords for multiple users by cracking just one hash.
  2. Consider using something slower than MD5/SHA for the hashing. This one is related to #3 for users and was explained well in a post on the security company F-Secure’s blog and one by security researcher Thierry Zoller.  While most operating systems (and many applications) have a built-in limit on the number of login attempts in a given amount of time (and then lock out future attempts for some period of time), if the hashes are stolen and the bad guys are attempting to crack offline, make them use a more complex algorithm. The algorithm should only allow them to guess on the order of 10,000-100,000 per second rather than a billion per second. Speed is good for many hashing algorithms, but here it is not.
  3. Allow longer passwords and special characters.  Nothing frustrates me more than setting up an account on a banking site only to discover that my password cannot be longer than 8 characters and can only consist of letters and digits.  This is 2012. Let your users create long passphrases that include !@#$%^&&*()_-+=/?.>,<;:'"

So, what do you think?  Have I forgotten any useful tips or tricks for handling passwords?
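The three points above (per-user salt, a deliberately slow hash, and a policy that accepts long passphrases with special characters) fit together in a few lines of code. The following is an added example, not code from the original post or from any of the linked articles; it uses PBKDF2-HMAC-SHA256 from the Python standard library as one of the standard "slow" password hashes, and the iteration count, salt size, and length limits are assumed values chosen for illustration rather than recommendations from the post.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Work factor: raise it until one verification costs a noticeable fraction of a
# second on your own hardware. The value here is an assumption for illustration.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

# Policy limits (assumed values): a generous maximum bounds hashing cost per
# login without forcing users into short passwords.
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_LENGTH = 256


def check_policy(password: str) -> Tuple[bool, str]:
    """Accept long passphrases containing any printable character; reject only
    what is genuinely too short or absurdly long."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"must be at least {MIN_PASSWORD_LENGTH} characters"
    if len(password) > MAX_PASSWORD_LENGTH:
        return False, f"must be at most {MAX_PASSWORD_LENGTH} characters"
    if not password.isprintable():
        return False, "must consist of printable characters"
    return True, "ok"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Storing the parameters with the hash lets you raise the work factor later
    and still verify older records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time so the comparison itself leaks nothing."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn: Callable[[str], object], seconds: float = 0.5) -> float:
    """Rough single-core measurement of how many guesses per second an offline
    attacker could try with the given hash. Dedicated cracking hardware is far
    faster than this Python loop, so only the ratio between two hashes matters."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"guess{count}")
        count += 1
    return count / seconds


if __name__ == "__main__":
    # Two users with the same password: salting yields two different records,
    # so cracking one tells the attacker nothing about the other.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("different records for the same password:", alice != bob)
    print("verify correct password:", verify_password("correct horse battery staple", alice))
    print("verify wrong password:", verify_password("incorrect horse", alice))

    fast = guesses_per_second(lambda p: hashlib.md5(p.encode()).hexdigest())
    slow = guesses_per_second(lambda p: hash_password(p, salt=b"\x00" * SALT_BYTES))
    print(f"MD5: ~{fast:,.0f} guesses/s   PBKDF2 x{PBKDF2_ITERATIONS}: ~{slow:,.0f} guesses/s")
```

Running the script prints the salt check, the verification results, and a side-by-side rate for unsalted MD5 versus PBKDF2 on the same machine; the ratio, not the absolute numbers, is the point, since a GPU cracker scales both up by orders of magnitude. The iteration count is the knob to turn as hardware gets faster, and because it is stored alongside each hash, records can be re-hashed at the next successful login rather than all at once.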
Jim Clausing, Principal Member of Technical Staff, AT&T