My Personal Password Policy (PPP)

Remembering passwords is a hassle!  We all know the things that we are supposed to do but we are all human beings (aren’t we?) and it’s almost impossible (and certainly very impractical) to set strong, unique, and memorable passwords for each and every account we have.

I’ve come up with a policy about how I deal with my passwords.  My love of TLAs means that I have decided to call it my PPP or Personal Password Policy.  I’m quite proud of it tbh (the acronym too) and I hope that you find it useful and/or interesting.

Note: I use the word “cracker” where most people are more familiar with the word “hacker”.  Read more about why I do this.

Entropy

The entropy of a password (in information theory terms) is a number which you could say represents its “strength” and the estimated time it would take to crack it – in general, the larger the number the stronger the password. It is measured in ‘bits’ and every time it increases by 1 bit, the average time it takes to crack the password doubles.

However, it’s pretty much impossible to know the real entropy for passwords that have been thought up by a human brain.  For example if a certain character in a human-created password is a ‘q’, the chance of the next letter being a ‘u’ is much larger than usual because ‘u’ tends to come after ‘q’ in the English language.  Hence adding the ‘u’ adds very little entropy.  Certain words would add less entropy for some people than for others.  For a massive tennis fan, the string ‘tennis’ probably has a lot less entropy than for someone who has never even heard of the game, i.e. it’s a lot more likely to appear in their password.

We are often told not to make passwords based on dictionary words and a number of people think that if they use dictionary words but replace certain letters with digits, this will increase the strength of their passwords a lot.  But it doesn’t!  Password cracking software can easily try a few replacements such as ‘0’ for ‘o’, ‘1’ for ‘i’, ‘5’ for ‘s’, ‘4’ for ‘a’, etc without much extra effort.  So ‘p455w0rd’, ‘m0nk3y’ and ‘l3tm31n’ are still bad choices of password because the process of replacing letters with numbers doesn’t really increase entropy very much.

To make a truly “strong” password, it’s not really a matter of the range of characters that it uses, how long the password is, etc, but a matter of how strange or odd your password is.   So I want to think up passwords that are easy to remember and yet very strange.  Ones that are quick to type yet long enough to be very secure.  Can I really do this?  I’m not really convinced that I can tbh.  So I don’t try.

I use two methods of password creation and they both involve using an automated process to generate the passwords for me so that the entropy can actually be calculated.

  1. Each character in the password is chosen at random from a pool.
  2. Each word in the password is chosen at random from a pool – this is called a “passphrase” (more on this later.)

Read more about Password Strength on Wikipedia

Password generation

My passwords are all unique, randomly generated, and have at least 15 alphanumeric characters.  I use a bookmark in my browser to this secure page on random.org which I click whenever I want to generate a new password.

To avoid ambiguity when reading, this page does not use certain characters because they can often appear very similar:

  • ‘1’ (the digit one)
  • ‘l’ (lowercase letter ‘el’)
  • ‘i’ (lowercase letter ‘eye’)
  • ‘I’ (uppercase letter ‘eye’)
  • ‘0’ (the digit zero)
  • ‘o’ (lowercase letter ‘oh’)
  • ‘O’ (uppercase letter ‘oh’)

This means that each character is a random choice from 10-2=8 digits, 26-2=24 upper case letters and 26-3=23 lower case letters.  This is a total of 8+24+23 = 55 possible characters.

Alert! Alert! The next part involves a bit of maths!  If you don’t understand something, don’t worry and just skip over that part.  When a character is chosen at random from a pool, the entropy of it (measured in ‘bits’) can be calculated like this:

Entropy per character is:  log2(55) = log(55) / log(2) = 5.781… bits

(log2 means taking the binary logarithm of a number.)

This can be multiplied by the number of these random characters in the password and you have the total entropy for the whole password.  Using passwords with 15 of these random characters gives a total entropy of:

Total entropy = 5.781… x 15 = 86.720… bits

Wikipedia says: “NIST recommends 80-bits for the most secure passwords” so 15 characters seems like a good number to go for.  Note: In the future, as computer processing power increases and password cracking software therefore becomes faster, the entropy required to be considered “secure” will exceed 80 bits.

Let’s imagine a situation where I randomly generated an 8 character password (for example) and it turned out, just by pure chance, to be “password”.  What should I do with it?

Theoretically, I would use it because, for the system that I used to come up with the password, the entropy is the same.  However, password crackers are often not just based on trying every single possible password by “brute force” – they will use dictionary-based attacks assuming (correctly) that people are fallible and most choose passwords based around words that feature in a popular spoken language.  Crackers use lists of the most common passwords in a bid to understand us, the users, as well as possible.  Knowledge is power!

So in this case, I would probably reject the “password” password and choose something else.  But the effect of this is that by doing so, I will effectively be reducing the entropy of my password generation system.  Random passwords can randomly include dictionary words too, but I want to exclude them and other weak passwords so therefore my list of all possible passwords has been reduced.  This is definitely worth doing but it’s something to be aware of.

Similarly, if I randomly generate a password with digits, upper case and lower case letters, what happens if I generate a password and it happens, by chance, to have only lower case letters?  A password cracker that was brute force searching for passwords with only lower case letters in could stumble across the password.

So I insist that my passwords contain at least one digit, at least one lower case letter, and at least one upper case letter.  This does reduce the theoretical entropy compared to choosing totally at random but this is more than made up for as it means that the password won’t be cracked by someone searching for only letters, only numbers, only lower case letters and numbers, etc.
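
The 55-character pool, the class rule and the entropy figures above, worked through as an added example (not code from the original post). It draws from Python's secrets module instead of random.org, which is a substitution, and counts exactly how much the “one digit, one lower case, one upper case” rule shrinks the set of possible passwords; all function names are illustrative.

```python
import math
import secrets
import string

# Characters the page leaves out as ambiguous: 1 l i I 0 o O
AMBIGUOUS = set("1liI0oO")
DIGITS = [c for c in string.digits if c not in AMBIGUOUS]           # 8
UPPER = [c for c in string.ascii_uppercase if c not in AMBIGUOUS]   # 24
LOWER = [c for c in string.ascii_lowercase if c not in AMBIGUOUS]   # 23
POOL = DIGITS + UPPER + LOWER                                       # 55


def unconstrained_bits(length):
    """Entropy when every character is an independent uniform pick."""
    return length * math.log2(len(POOL))


def constrained_count(length):
    """Passwords containing at least one digit, one upper case and one
    lower case character, counted exactly by inclusion-exclusion."""
    d, u, l = len(DIGITS), len(UPPER), len(LOWER)
    n = d + u + l
    missing_one_class = (n - d) ** length + (n - u) ** length + (n - l) ** length
    single_class_only = d ** length + u ** length + l ** length
    return n ** length - missing_one_class + single_class_only


def constrained_bits(length):
    """Entropy left after passwords that miss a class are thrown away."""
    return math.log2(constrained_count(length))


def has_all_classes(pw):
    return (any(c in DIGITS for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in LOWER for c in pw))


def generate(length=15):
    """Draw from POOL with the OS CSPRNG and redraw the whole password
    until the class rule holds. Redrawing everything (rather than patching
    one character) keeps every surviving password equally likely."""
    if length < 3:
        raise ValueError("need at least 3 characters to fit all three classes")
    while True:
        pw = "".join(secrets.choice(POOL) for _ in range(length))
        if has_all_classes(pw):
            return pw


if __name__ == "__main__":
    print(generate())
    print(f"{unconstrained_bits(15):.3f} bits without the class rule")
    print(f"{constrained_bits(15):.3f} bits with it")
```

At 15 characters the class rule discards about 9.5% of the candidates, which costs roughly 0.14 bits.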

Master Password – one password to rule them all

So I prefer to use unique 15+ character passwords with characters that are randomly generated.  But how the hell do I remember them all?  I don’t; I get my web browser (in my case, Mozilla Firefox) to remember them for me.  Most of you probably already let your web browser remember passwords for you.  However, there’s quite a big problem with this if you do it in the standard way.  The browser has to store your passwords in a file on disk.  By default, it’s quite easy for anyone to access these passwords if:

  • They use your device when you are logged in, open up your web browser and simply tell it to show them your passwords!
  • They get you to run a ‘malware’ program, e.g. one that emails them the password file in the background when you run it
  • They steal your device/hard drive and extract the passwords directly from it (although disk & filesystem encryption can make this harder)

One solution to this is to encrypt the password data with a special key which Firefox calls the “Master Password”.  When it wants to access my password data file for the first time since it has been loaded, it asks me for my Master Password.  Once I give it the correct one, it can decrypt the data file and it has access to all my stored passwords.  If anyone asks Firefox to display my passwords, it will always ask for the Master Password regardless.  Beware: once Firefox can read my passwords, so can any add-ons/plugins that it has bolted onto it.  This means that I am extra careful about installing add-ons and plugins.  But I do have one installed to make this Master Password stuff easier:

Saved Password Editor: Improves the Saved Passwords window, allowing editing, cloning and even creating my own entries manually!

But haven’t I now gone around in a circle? OK so I might have just one password to remember but I still need to remember it.  This is why my Master Password is a Diceware passphrase.

Passphrases and Diceware

The popular web comic, XKCD, summed up the misunderstanding of password security and passphrases nicely in this fab comic.

Passphrases are easy to remember (with a bit of practice and a reasonable imagination!) but hard to crack (even if we assume the cracker knows exactly how the passphrase was generated – which they almost certainly won’t!)  If the cracker knows the generation method, the entropy is so high that it will still be very very difficult for them to crack the password.

A popular and simple method of choosing a passphrase is using a method known as Diceware.  This involves literally rolling a regular, six-sided dice five times and writing the number down each time.  This number, which will be between 11111 and 66666, corresponds to a unique word from a list of simple, short words.

6^5 = 7776 possible words

With 7776 words in our pool, the entropy per word (rather than per character) is:

Entropy per word:  log2(7776) = log(7776)/log(2) = 12.925… bits

So if we choose a six or seven word passphrase with words from this pool, the entropy is:

12.926… bits x 6 = 77.548… bits
12.926… bits x 7 = 90.474… bits

So a seven word Diceware passphrase would exceed the 80-bit entropy recommended by the NIST and a six word one would come pretty close.  The actual words chosen are irrelevant but the Diceware word lists (there are a few lists for different languages) are formed from words that are quick to type and easy to remember.
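
An added example (not from the original post) of the lookup described above, with software dice from Python's secrets module standing in for physical ones. It assumes a word list with one “five-digit key, whitespace, word” entry per line and refuses a list that is not exactly 7776 unique entries, since a truncated or duplicated list lowers the entropy per word; SAMPLE_LIST is a constructed placeholder, not a real Diceware list, and the function names are illustrative.

```python
import itertools
import math
import re
import secrets

ROLLS_PER_WORD = 5                   # five six-sided dice per word
LIST_SIZE = 6 ** ROLLS_PER_WORD      # 7776 entries
ENTRY = re.compile(r"^([1-6]{5})\s+(\S+)$")


def parse_wordlist(text):
    """Build {key: word} from the list text. Lines that are not entries
    are ignored; the result must hold every key from 11111 to 66666
    exactly once and no repeated words."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue
        key, word = match.groups()
        if key in table:
            raise ValueError(f"duplicate key {key}")
        table[key] = word
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    if len(set(table.values())) != LIST_SIZE:
        raise ValueError("duplicate words in list")
    return table


def roll_key():
    """Five independent rolls, each uniform on 1..6, joined into a key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(ROLLS_PER_WORD))


def passphrase(table, words=6):
    return " ".join(table[roll_key()] for _ in range(words))


def bits(words):
    """Entropy of a passphrase of this many independently rolled words."""
    return words * math.log2(LIST_SIZE)


def words_needed(target_bits):
    """Smallest number of words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(LIST_SIZE))


# Constructed stand-in list ("11111<TAB>w11111" ...) so this runs offline.
SAMPLE_LIST = "\n".join(
    "".join(k) + "\tw" + "".join(k)
    for k in itertools.product("123456", repeat=ROLLS_PER_WORD)
)

if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    print(passphrase(table, words_needed(80)))
```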

Here’s an example of a six word Diceware passphrase that I just created as a demonstration:

social edify curve wound bacon lucky

At first glance, it might not look easy to remember.  However, if you look at it for a while and try to form a connection between the words, ‘speak’ them out loud in your head, visualise them, etc, it normally doesn’t take that long until the phrase is committed to memory.  By all means write your passphrase down on a piece of paper and keep it folded up somewhere safe (like your wallet or purse).  Once you think you have it memorised, either dispose of the paper securely (burn it?) or lock it away somewhere really safe just in case you forget it.   Note: don’t use the phrase above as your own passphrase!

Sync

With the above system in place, I use a very cool feature in Firefox called Firefox Sync that enables me to synchronise my passwords (as well as my bookmarks, history, preferences, etc) between my devices automatically.  The data is stored encrypted on Mozilla’s servers and they never have access to the encryption key, so even if their servers are compromised, my passwords will be very very hard to access.

Adding a new device is also really easy, especially if I have an already authorised device with me (such as my Android mobile phone.)

Two-step verification

Two-step verification/authentication can be a great boost to the security of any account.  It means that you need two pieces of information to log in – a password (as usual) and also another code which proves that you have access to your mobile phone, email account, etc.  This is achieved using an app on your smart phone, by sending you an SMS/text message, email, etc.

Often you can ask the site to ‘remember’ your device for a period of time so that you do not need to perform the second authentication step when logging in from it for a while.

One thing to be aware of with two-step authentication is that, if you lose access to your phone, email account, etc, then you will be unable to log in.  Often sites will let you set backup options to use if this happens, e.g. special codes that you can print out beforehand and use instead or a backup telephone number/email address.  Make good use of these or you risk being locked out of your account completely!

If you have two-step verification enabled on an account, it’s probably safe to use more simple, easily memorable passwords (if you ensure that your mobile phone/email account is kept safe.)  For example, if you use GMail and have two-step verification enabled, you could set your password to something less strong but more memorable in the knowledge that anyone attempting to gain unauthorised access to your account will need access to your mobile phone/an already authorised device too.

I think that everyone should enable two-step verification whenever possible, especially for important sites such as PayPal.

Out with the old, in with the new

Here’s a table to see how my new PPP compares to my old way of doing things.  It’s pretty much an improvement in all areas tbh.  (Green text represents something positive and red text something negative.)

Passwords to memorise
  • My old “policy”: None on my main PC, all of them on any new device
  • My new policy: 1 on all devices – the Master Password

Password strength
  • My old “policy”: Low entropy – often based on dictionary words with letter→number substitution, patterns on a QWERTY keyboard, etc.
  • My new policy: 80bit+ entropy

Uniqueness of passwords
  • My old “policy”: Poor – maybe about 5 or 6 in total, excluding slight variations
  • My new policy: All totally unique

Malware protection
  • My old “policy”: Practically none – any other process running as me on my device will be able to read all Firefox passwords with a bit of effort (stored unencrypted on disk)
  • My new policy: Password file is encrypted with Master Password

Conclusion

I think that my PPP is a good compromise for the large majority of people.  It’s not perfect, but it’s an improvement on the way that most of you will probably be dealing with your passwords.

Thanks for reading.   Feel free to rant at me in the comments (or even to say something nice/interesting/constructive if you are feeling radical!)

Comments

  1. Interesting read. I’m happy to see I’m not the only person with at least a mild obsession with the inherent flaws with passwords as a form of security.

    I actually use LastPass, and in so doing, can easily change all of my passwords regularly (currently bi-monthly) without too much hassle. Considering I only have to remember one master password, I make sure it’s a doozie…

    Right now my master password is a 48 character, randomly generated string comprised of mixed case, numbers, and special characters. Each time I change my passwords, I change this one as well.

    Now I obviously can’t remember it right off the bat, so I write it on the back of a business card and put it in my wallet. What’s funny is that after about a week of entering it off the back of a business card, I have it memorized. So for the following ~7 weeks, I don’t even have to pull it out of my wallet.

  2. My system is rather similar, but instead of saving passwords in the browser, I favor KeePass, synchronised using a cloud service like DropBox. It’s more fully-featured than the Firefox password manager, and less exposed to attackers.

    To mitigate against an attacker stealing my database from the cloud, I use both a master password *and* a key file. The key file never goes into the cloud, it just gets copied once to whatever devices I trust. Good luck breaking into the database without it.

    1. I haven’t tried KeePass myself but I’ve heard good things about it. Firefox Sync 1.1 (what I’m using in addition to Master Password in order to sync the passwords between devices) also involves an encryption key that is stored only on the local devices and not the Sync server. Thanks for contributing 🙂

  3. Hi ben,

    it’s good to see posts on passwords and security, but i have a couple of thoughts/questions:

    the majority of compromised passwords are acquired through either malware or social engineering, now to a degree your system works to prevent the second, however how often do you change your passwords? You assume that encryption protects from malware, however as we see the increase in key and screen logging deployment, it’s debatable how much this helps you.

    I’d use a simpler system that is based on passphrase but is potentially less secure and simpler to remember, and then change different random parts of the passwords on an asynchronous placement and timeframe for each application.

    this doesn’t remove the risk of passwords being stolen, but does mean that you reduce the likelihood of them being stolen by malware/key/screenloggers.

    now of course that compromises the ability of most people to remember them – for example on systems that force password reset every 30 days (common in the old days of mainframe security for example) you had always 5 times the number of password reset requests – the user norm was for users to use the same password, and count upwards/downwards according to month eg password01 in june, password02 in july, obviously it’s not smart to start at 01 in either january or the month you gained access, but it did offer time limited protection, and perhaps crucially left the compromised password only usable for a small period of time.

    nicer is to take alphanumericspecial passphrases and change the location of the special characters on a regular basis.

    My current strategy is grouped into

    low risk – 8 digit alphanumericspecial based on passphrase and changed yearly.
    medium risk – 10 digit alphanumericspecial based on passphrase and changed monthly.
    high risk (ie anything that costs me money) – 10 digit alphanumericspecial based on passphrase and changed weekly.

    i also where possible log failed attempts after changing passwords, so you get an idea if and what has been compromised.

    just some thoughts for you 😉

    1. Hey Rob,

      I need to investigate more into things like memory dumping to work out how difficult it would be for malware to access Firefox’s memory space to access the decrypted passwords. In many cases though, if you run malware, especially if it is then granted administrator/root access, you are completely buggered anyway.

      I agree that in the more secure systems, passwords should be changed regularly. However, imho changing passwords frequently is useful only in protecting against brute force attacking. Because you are moving the goal posts regularly – changing the password during a brute force means that you might well be changing it to one they have already checked and therefore they are wasting their time for the rest of the run.

      Once they are in though, they are in. I don’t care how long they have to access my account. I may well be scheduled to change my password tomorrow – but if they can log in as me for any period of time, it’s Game Over as far as I’m concerned.

      You say that your system is simpler and easier to remember but I don’t think it is. My system involves remembering one single Master Password which does not need to change and that’s it. Plus my system has the benefit of measurable entropy.

      But maybe we’ll have to agree to disagree 🙂
