{"id":4,"date":"2013-12-01T00:33:47","date_gmt":"2013-12-01T00:33:47","guid":{"rendered":"http:\/\/www.bennish.net\/blog\/?p=4"},"modified":"2020-10-30T23:49:59","modified_gmt":"2020-10-30T23:49:59","slug":"my-personal-password-policy","status":"publish","type":"post","link":"https:\/\/www.bennish.net\/blog\/2013\/12\/my-personal-password-policy\/","title":{"rendered":"My Personal Password Policy (PPP)"},"content":{"rendered":"<p><a href=\"https:\/\/www.bennish.net\/blog\/wp-content\/uploads\/2013\/12\/small_1750378617.jpg\"><img loading=\"lazy\" class=\"alignnone wp-image-60 size-full\" src=\"http:\/\/www.bennish.net\/blog\/wp-content\/uploads\/2013\/12\/small_1750378617.jpg\" alt=\"Padlock\" width=\"165\" height=\"240\" \/><\/a><\/p>\n<p>Remembering passwords is a hassle!\u00a0 We all know the things that we are <em>supposed<\/em> to do but we are all human beings (aren&#8217;t we?) and it&#8217;s almost impossible (and certainly very impractical) to set strong, unique, and memorable passwords for each and every account we have.<\/p>\n<p>I&#8217;ve come up with a policy about how I deal with my passwords.\u00a0 My love of <abbr title=\"Three Letter Acronyms!\">TLA<\/abbr>s means that I have decided to call it my PPP or <em>Personal Password Policy.<\/em>\u00a0 I&#8217;m quite proud of it tbh (the acronym too) and I hope that you find it useful and\/or interesting.<\/p>\n<p>Note: I use the word &#8220;cracker&#8221; when most people are more familiar with the word &#8220;hacker&#8221; being used.\u00a0\u00a0 <a href=\"http:\/\/www.techrepublic.com\/blog\/it-security\/hacker-vs-cracker\/\">Read more about why I do this<\/a>.<\/p>\n<p><!--more--><\/p>\n<h2>Entropy<\/h2>\n<p>The <a href=\"http:\/\/en.wikipedia.org\/wiki\/Password_strength#Entropy_as_a_measure_of_password_strength\">entropy of a password (in information theory terms)<\/a> is a number that represents its &#8220;strength&#8221;: how many guesses, and therefore how much time, an attacker would need to crack it &#8211; in 
general, the larger the number the stronger the password. It is measured in &#8216;bits&#8217; and every extra bit doubles the number of guesses, and so the average time, that a brute-force attack needs.<\/p>\n<p>However, it&#8217;s pretty much impossible to know the real entropy of passwords that have been thought up by a human brain.\u00a0 For example, if a certain character in a human-created password is a &#8216;q&#8217;, the chance of the next letter being a &#8216;u&#8217; is much larger than usual because &#8216;u&#8217; tends to come after &#8216;q&#8217; in the English language.\u00a0 Hence adding the &#8216;u&#8217; adds very little entropy.\u00a0 Certain words add less entropy for some people than for others.\u00a0 For a massive tennis fan, the string &#8216;tennis&#8217; has a lot less entropy than for someone who has never even heard of the game, i.e. it&#8217;s a lot more likely to appear in their password.<\/p>\n<p>We are often told not to make passwords based on dictionary words, and a number of people think that if they use dictionary words but replace certain letters with digits, this will increase the strength of their passwords a lot.\u00a0 But it doesn&#8217;t!\u00a0 Password cracking software can easily try a few replacements such as &#8216;0&#8217; for &#8216;o&#8217;, &#8216;1&#8217; for &#8216;i&#8217;, &#8216;5&#8217; for &#8216;s&#8217;, &#8216;4&#8217; for &#8216;a&#8217;, etc. without much extra effort (cracking tools call these &#8220;mangling rules&#8221; and ship with long lists of them).\u00a0 So &#8216;p455w0rd&#8217;, &#8216;m0nk3y&#8217; and &#8216;l3tm31n&#8217; are <strong>still<\/strong> bad choices of password because replacing letters with numbers adds only a few bits of entropy at most.<\/p>\n<p>To make a truly &#8220;strong&#8221; password, the range of characters it uses and how long it is are not enough on their own; what matters is how <strong><em>strange or odd<\/em><\/strong> your password is, i.e. how many other candidates a cracker has to try before reaching it.\u00a0\u00a0 So I want to think up passwords that are easy to remember 
and yet very strange.\u00a0 Ones that are quick to type yet long enough to be very secure.\u00a0 Can I really do this?\u00a0 I&#8217;m not really convinced that I can tbh.\u00a0 So I don&#8217;t try.<\/p>\n<p>I use two methods of password creation and they both involve an automated process generating the passwords for me, so that the entropy can actually be calculated.<\/p>\n<ol>\n<li>Each <strong>character<\/strong> in the password is chosen at random from a pool.<\/li>\n<li>Each <strong>word<\/strong> in the password is chosen at random from a pool &#8211; this is called a &#8220;passphrase&#8221; (more on this later).<\/li>\n<\/ol>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Password_strength\">Read more about Password Strength on Wikipedia<\/a><\/p>\n<h2>Password generation<\/h2>\n<p>My passwords are all unique, randomly generated, and have at least 15 alphanumeric characters.\u00a0 I use a bookmark in my browser to <a href=\"https:\/\/www.random.org\/passwords\/?num=50&amp;len=15&amp;rnd=new&amp;format=plain\">this HTTPS page on random.org<\/a> which I click whenever I want to generate a new password.\u00a0 Note that this means trusting random.org, and the TLS connection to it, with every password it hands out; a generator running locally (a password manager&#8217;s, or a few lines of code that read the operating system&#8217;s random source) avoids that.<\/p>\n<p>To avoid ambiguity when reading, this page does not use certain characters because they can often appear very similar:<\/p>\n<ul>\n<li>&#8216;1&#8217; (the digit one)<\/li>\n<li>&#8216;l&#8217; (lowercase letter &#8216;el&#8217;)<\/li>\n<li>&#8216;i&#8217; (lowercase letter &#8216;eye&#8217;)<\/li>\n<li>&#8216;I&#8217; (uppercase letter &#8216;eye&#8217;)<\/li>\n<li>&#8216;0&#8217; (the digit zero)<\/li>\n<li>&#8216;o&#8217; (lowercase letter &#8216;oh&#8217;)<\/li>\n<li>&#8216;O&#8217; (uppercase letter &#8216;oh&#8217;)<\/li>\n<\/ul>\n<p>This means that each character is a random choice from 10-2=<strong>8<\/strong> digits, 26-2=<strong>24<\/strong> upper case letters and 26-3=<strong>23<\/strong> lower case letters.\u00a0 This is a total of 8+24+23 = <strong>55<\/strong> possible characters.<\/p>\n<p><strong>Alert! Alert! 
The next part involves a bit of maths!<\/strong>\u00a0 If you don&#8217;t understand something, don&#8217;t worry and just skip over that part.\u00a0 When a character is chosen uniformly at random from a pool (every character equally likely, and each choice independent of the others), its entropy (measured in &#8216;bits&#8217;) can be calculated like this:<\/p>\n<p>Entropy per character is:\u00a0 log<sub>2<\/sub>(<strong>55<\/strong>) = log(55) \/ log(2) = <strong>5.781&#8230;<\/strong> bits<\/p>\n<p>(log<sub>2<\/sub> means taking the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Binary_logarithm\">binary logarithm<\/a> of a number.)<\/p>\n<p>Because the choices are independent, this can be multiplied by the number of these random characters in the password to give the total entropy for the whole password.\u00a0 Using passwords with 15 of these random characters gives a total entropy of:<\/p>\n<p>Total entropy = 5.781&#8230; x 15 = <strong>86.720&#8230;<\/strong> bits<\/p>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Password_strength#Bit_strength_threshold\">Wikipedia says<\/a>: <em>&#8220;<a href=\"http:\/\/www.nist.gov\/\">NIST<\/a> recommends 80-bits for the most secure passwords&#8221;<\/em> so 15 characters seems like a good number to go for.\u00a0 Note: In the future, as computer processing power increases and password cracking software therefore becomes faster, the entropy required to be considered &#8220;secure&#8221; will exceed 80 bits.<\/p>\n<p>Let&#8217;s imagine that I decided to generate an 8 character password at random and it turned out, <span style=\"text-decoration: underline;\">just by pure chance<\/span>, to be &#8220;password&#8221;.\u00a0 (It couldn&#8217;t actually come out of the 55-character pool above, which has no &#8216;o&#8217;, but take any common word.)\u00a0 What should I do with it?<\/p>\n<p><em>Theoretically<\/em>, I would use it because the entropy of the generation process is the same whatever it happens to output.\u00a0 However, password crackers are often not just based on trying every single possible password by &#8220;brute force&#8221; &#8211; they will use dictionary-based attacks assuming (correctly) that people are 
fallible and most choose passwords based around words that feature in a popular spoken language.\u00a0 Crackers use lists of the most common passwords (harvested from earlier breaches) in a bid to understand us, the users, as well as possible.\u00a0 Knowledge is power!<\/p>\n<p>So in this case, I would probably reject the &#8220;password&#8221; password and choose something else.\u00a0 But the effect of this is that by doing so, I will effectively be <span style=\"text-decoration: underline;\">reducing<\/span> the entropy of my password generation system.\u00a0 A random generator can produce dictionary words too, but I want to exclude them and other weak passwords, so my list of all possible passwords has been reduced.\u00a0 This is definitely worth doing but it&#8217;s something to be aware of.<\/p>\n<p>Similarly, if I randomly generate a password with digits, upper case and lower case letters, what happens if I generate a password and it happens, by chance, to have only lower case letters?\u00a0 A password cracker brute-forcing the much smaller space of all-lower-case passwords could stumble across it.<\/p>\n<p>So I insist that my passwords contain at least one digit, at least one lower case letter, and at least one upper case letter.\u00a0 This does reduce the theoretical entropy compared to choosing totally at random, but only slightly: for 15 characters from the 55-character pool, about 9.5% of candidates fail the rule, which costs about 0.14 bits.\u00a0 That is more than made up for, as it means that the password won&#8217;t be cracked by someone searching for only letters, only numbers, only lower case letters and numbers, etc.<\/p>\n<h2>Master Password &#8211; one password to rule them all<\/h2>\n<p>So I prefer to use unique 15+ character passwords with characters that are randomly generated.\u00a0 But how the hell do I remember them all?\u00a0 I don&#8217;t; I get my web browser (in my case, <a href=\"http:\/\/www.mozilla.org\/firefox\/\">Mozilla Firefox<\/a>) to remember them for me.\u00a0 Most of you probably already let your web browser remember passwords for you.\u00a0 However, 
there&#8217;s quite a big problem with this if you do it in the standard way.\u00a0 The browser has to store your passwords in a file on disk.\u00a0 By default, it&#8217;s quite easy for anyone to access these passwords if:<\/p>\n<ul>\n<li>They use your device when you are logged in, open up your web browser and simply <a href=\"http:\/\/nakedsecurity.sophos.com\/2013\/08\/08\/chrome-firefox-display-plain-text-passwords-with-a-few-clicks\/\">tell it to show them your passwords<\/a>!<\/li>\n<li>They get you to run a &#8216;<a href=\"http:\/\/en.wikipedia.org\/wiki\/Malware\">malware<\/a>&#8217; program, e.g. one that emails them the password file in the background when you run it<\/li>\n<li>They steal your device\/hard drive and extract the passwords directly from it (although disk &amp; filesystem encryption can make this harder)<\/li>\n<\/ul>\n<p>One solution to this is to encrypt the password data with a key that is itself protected by a secret which Firefox calls the &#8220;Master Password&#8221;.\u00a0 The first time after starting that it needs my stored passwords, Firefox asks me for my Master Password.\u00a0 Once I give it the correct one, it can decrypt the data file and has access to all my stored passwords.\u00a0 If anyone asks Firefox to display my passwords, it will always ask for the Master Password regardless.\u00a0 Beware: once Firefox can read my passwords, so can any add-ons\/plugins that it has bolted onto it, and so can any malware already running as me; the Master Password protects the file at rest, not an unlocked session.\u00a0 This means that I am <span style=\"text-decoration: underline;\">extra<\/span> careful about installing add-ons and plugins.\u00a0 But I do have one installed to make this Master Password stuff easier:<\/p>\n<p><a href=\"https:\/\/addons.mozilla.org\/addon\/saved-password-editor\/\">Saved Password Editor<\/a>: Improves the Saved Passwords window, allowing editing, cloning and even creating my own entries manually!<\/p>\n<p>But haven&#8217;t I now gone around in a circle? 
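<\/p>\n<p>Before answering that, here are the two generation methods of this post in working code, as an added example rather than code from the post: a Python module that uses the operating system&#8217;s random source (the &#8216;secrets&#8217; module) in place of the random.org page, builds the same 55-character pool, applies the &#8220;at least one digit, one upper case and one lower case letter&#8221; rule by rejection sampling and computes exactly what that rule costs in entropy, and turns five dice rolls into an index into a Diceware list as described in the next section.\u00a0 The Diceware word list itself is not embedded; the functions take any 7776-word list, and the stand-in list in the demo is constructed for the example.<\/p>
```python
# Added example: the two password generation methods from this post, with the
# entropy arithmetic made checkable. It is not the post's own code and uses the
# Python 'secrets' module (the operating system's CSPRNG) in place of random.org.
import math
import secrets
import string

# The post's 55-character pool: digits and letters with the look-alikes
# 1, l, i, I, 0, o and O removed.
AMBIGUOUS = set('1liI0oO')
DIGITS = ''.join(c for c in string.digits if c not in AMBIGUOUS)           # 8
UPPER = ''.join(c for c in string.ascii_uppercase if c not in AMBIGUOUS)   # 24
LOWER = ''.join(c for c in string.ascii_lowercase if c not in AMBIGUOUS)   # 23
POOL = DIGITS + UPPER + LOWER                                              # 55

# Diceware: five rolls of a six-sided die select one of 6**5 words.
DICEWARE_WORDS = 6 ** 5


def entropy_bits(pool_size, picks):
    # Entropy of `picks` independent, uniform choices from `pool_size` symbols.
    return picks * math.log2(pool_size)


def has_all_classes(password):
    # The post's rule: at least one digit, one upper and one lower case letter.
    return (any(c in DIGITS for c in password)
            and any(c in UPPER for c in password)
            and any(c in LOWER for c in password))


def generate_password(length=15, rng=secrets.choice):
    # Each character is drawn uniformly from POOL; candidates that miss a class
    # are thrown away and redrawn (rejection sampling), so the result is still
    # uniform over the set of passwords that satisfy the rule.
    while True:
        candidate = ''.join(rng(POOL) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def class_rule_entropy_loss(length=15):
    # Exact entropy cost of the class rule: count the strings that lack at
    # least one class by inclusion-exclusion (no string lacks all three).
    n, d, u, low = len(POOL), len(DIGITS), len(UPPER), len(LOWER)
    lacking = ((n - d) ** length + (n - u) ** length + (n - low) ** length
               - low ** length - u ** length - d ** length)
    accepted = n ** length - lacking
    return math.log2(n ** length) - math.log2(accepted)   # about 0.14 at length 15


def dice_to_index(rolls):
    # Read five die faces such as '11111'..'66666' as a base-6 number: 0..7775.
    if len(rolls) != 5 or any(r not in '123456' for r in rolls):
        raise ValueError('expected five die faces 1-6, got %r' % (rolls,))
    index = 0
    for r in rolls:
        index = index * 6 + int(r) - 1
    return index


def roll_word(wordlist, roll=lambda: secrets.randbelow(6) + 1):
    # Roll five dice with the CSPRNG and return the word they select. The real
    # Diceware list is not embedded here; pass any 7776-word list.
    if len(wordlist) != DICEWARE_WORDS:
        raise ValueError('a Diceware list has exactly %d words' % DICEWARE_WORDS)
    rolls = ''.join(str(roll()) for _ in range(5))
    return wordlist[dice_to_index(rolls)]


def words_needed(target_bits, pool_size=DICEWARE_WORDS):
    # Fewest words whose combined entropy reaches target_bits (80 -> 7).
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == '__main__':
    print('pool size: %d, per character: %.3f bits' % (len(POOL), entropy_bits(len(POOL), 1)))
    print('15 characters: %.3f bits' % entropy_bits(len(POOL), 15))
    print('class rule costs: %.3f bits' % class_rule_entropy_loss())
    print('fresh password:', generate_password())
    print('per Diceware word: %.3f bits' % entropy_bits(DICEWARE_WORDS, 1))
    print('words for 80 bits:', words_needed(80))
    # Constructed stand-in for a real word list: each entry is just its index.
    stand_in = [str(i) for i in range(DICEWARE_WORDS)]
    print('one roll against the stand-in list:', roll_word(stand_in))
```
<p>Run directly, it prints the per-character, 15-character and per-word figures from this post plus a fresh password.\u00a0 Two things the code makes explicit: the rejection loop keeps the result uniform over the accepted passwords (patching a rejected candidate by hand would not), and the class rule costs about 0.14 bits at 15 characters, which is why it is cheap.<\/p>\n<p>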
OK so I might have just one password to remember but I still need to remember it.\u00a0 This is why my Master Password is a Diceware passphrase.<a name=\"diceware\"><\/a><\/p>\n<h2>Passphrases and Diceware<\/h2>\n<p><a href=\"http:\/\/www.bennish.net\/blog\/wp-content\/uploads\/2013\/12\/red_dice.jpg\"><img loading=\"lazy\" class=\"alignnone size-full wp-image-62\" src=\"http:\/\/www.bennish.net\/blog\/wp-content\/uploads\/2013\/12\/red_dice.jpg\" alt=\"Red dice\" width=\"240\" height=\"184\" \/><\/a><\/p>\n<p>The popular web comic, XKCD, summed up the misunderstanding of password security and passphrases nicely in <a href=\"http:\/\/xkcd.com\/936\/\">this fab comic<\/a>.<\/p>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Passphrase\">Passphrases<\/a> are easy to remember (with a bit of practice and a reasonable imagination!) but hard to crack, even if we assume the cracker knows <span style=\"text-decoration: underline;\">exactly<\/span> how the passphrase was generated &#8211; and that is the assumption to make, since the word list is public.\u00a0 If the cracker knows the generation method, the entropy is still so high that it will be very, very difficult for them to crack the passphrase.<\/p>\n<p>A popular and simple method of choosing a passphrase is <a href=\"http:\/\/world.std.com\/~reinhold\/diceware.html\">Diceware<\/a>.\u00a0 This involves literally rolling a regular, six-sided die five times and writing the number down each time.\u00a0 The five digits, read as a number between 11111 and 66666, correspond to a unique word from a list of simple, short words.<\/p>\n<p>6^5 = 7776 possible words<\/p>\n<p>With 7776 words in our pool, the entropy per word (rather than per character) is:<\/p>\n<p>Entropy per word:\u00a0 log<sub>2<\/sub>(<strong>7776<\/strong>) = log(7776)\/log(2) = <strong>12.925&#8230;<\/strong> bits<\/p>\n<p>So if we choose a six or seven word passphrase with words from this pool, the entropy is:<\/p>\n<p>12.925&#8230; bits x 6 = <strong>77.548&#8230; bits<\/strong><br \/>\n12.925&#8230; bits x 7 = <strong>90.474&#8230; bits<\/strong><\/p>\n<p>So a seven word Diceware passphrase would exceed the 80-bit entropy recommended by <a href=\"http:\/\/www.nist.gov\/\">NIST<\/a> and a six word one would come pretty close.\u00a0 Which words come up is irrelevant to the strength, provided the dice choose them: re-rolling until you get a phrase you like throws entropy away, just as rejecting generated passwords did above.\u00a0 The Diceware word lists (there are a few <a href=\"http:\/\/world.std.com\/~reinhold\/diceware.html#languages\">lists for different languages<\/a>) are formed from words that are quick to type and easy to remember.<\/p>\n<p>Here&#8217;s an example of a six word Diceware passphrase that I just created as a demonstration:<\/p>\n<pre>social edify curve wound bacon lucky<\/pre>\n<p>At first glance, it might not look easy to remember.\u00a0 However, if you look at it for a while and try to form a connection between the words, &#8216;speak&#8217; them out loud in your head, visualise them, etc., it normally doesn&#8217;t take that long until the phrase is committed to memory.\u00a0 By all means write your passphrase down on a piece of paper and keep it folded up somewhere safe (like your wallet or purse).\u00a0 Once you think you have it memorised, either dispose of the paper securely (burn it?) 
or lock it away somewhere really safe just in case you forget it.\u00a0\u00a0 Note: don&#8217;t use the phrase above as your own passphrase!\u00a0 It has been published, which is exactly the kind of material cracking word lists are built from.<\/p>\n<h2>Sync<\/h2>\n<p><a href=\"http:\/\/www.bennish.net\/blog\/wp-content\/uploads\/2013\/12\/sink_with_cat.jpg\"><img loading=\"lazy\" class=\"alignnone size-full wp-image-63\" src=\"http:\/\/www.bennish.net\/blog\/wp-content\/uploads\/2013\/12\/sink_with_cat.jpg\" alt=\"Cat in sink\" width=\"240\" height=\"160\" \/><\/a><\/p>\n<p>With the above system in place, I use a very cool feature in Firefox called <a href=\"https:\/\/support.mozilla.org\/en-US\/kb\/firefox-sync-take-your-bookmarks-and-tabs-with-you\">Firefox Sync<\/a> that enables me to synchronise my passwords (as well as my bookmarks, history, preferences, etc.) between my devices automatically.\u00a0 The data is stored encrypted on Mozilla&#8217;s servers and they never have access to the encryption key, so even if their servers are compromised, my passwords will be very, very hard to access.\u00a0 (In the later Firefox Accounts version of Sync the encryption key is protected by your Firefox Account password, so that password needs to be as strong as the Master Password.)<\/p>\n<p>Adding a new device is also really easy, especially if I have an already authorised device with me (such as my Android mobile phone).<\/p>\n<h2>Two-step verification<\/h2>\n<p>Two-step verification\/authentication can be a great boost to the security of any account.\u00a0 It means that you need two pieces of information to log in &#8211; a password (as usual) and also another code which proves that you have access to your mobile phone, email account, etc.\u00a0 This is achieved using an app on your smartphone, an SMS\/text message, an email, etc.\u00a0 An app is the stronger choice: SMS and email codes can be intercepted or redirected, for example by someone who takes over your phone number or your mailbox.<\/p>\n<p>Often you can ask the site to &#8216;remember&#8217; your device for a period of time so that you do not need to perform the second authentication step when logging in from it for a while.<\/p>\n<p>One thing to be aware of with two-step authentication is that, if you lose access to your phone, email account, etc., then you will be unable to log in.\u00a0 Often sites will let you set backup options to 
use if this happens, e.g. special codes that you can print out beforehand and use instead or a backup telephone number\/email address.\u00a0 Make good use of these or you risk being locked out of your account completely!<\/p>\n<p>If you have two-step verification enabled on an account, it&#8217;s probably safe to use simpler, easily memorable passwords (if you ensure that your mobile phone\/email account is kept safe).\u00a0 For example, if you use <a href=\"https:\/\/mail.google.com\/\">GMail<\/a> and have two-step verification enabled, you could set your password to something less strong but more memorable in the knowledge that anyone attempting to gain unauthorised access to your account will need access to your mobile phone\/an already authorised device too.\u00a0 Bear in mind that this only holds where the second step is demanded on every way in; wherever the site lets you in on the password alone, the password is still the only guard, and it must still not be reused on any other site.<\/p>\n<p>I think that everyone should enable two-step verification whenever possible, especially for important sites such as <a href=\"https:\/\/www.paypal.com\/\">PayPal<\/a>.<\/p>\n<h2>Out with the old, in with the new<\/h2>\n<p>Here&#8217;s a table to see how my new <abbr title=\"Personal Password Policy\">PPP<\/abbr> compares to my old way of doing things.\u00a0 It&#8217;s pretty much an improvement in all areas tbh.\u00a0 (Green text represents something positive and red text something negative.)<\/p>\n<table border=\"1\" width=\"100%\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><b>My old &#8220;policy&#8221;<\/b><\/td>\n<td valign=\"top\"><b>My new policy<\/b><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><strong>Passwords to memorise<\/strong><\/td>\n<td valign=\"top\"><span style=\"color: #008000;\">None on my main PC<\/span>,\u00a0<span style=\"color: #941100;\">all of them on any new device<\/span><\/td>\n<td valign=\"top\"><span style=\"color: #008000;\">1 on all devices &#8211; the <em>Master Password<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><strong>Password strength<\/strong><\/td>\n<td valign=\"top\"><span style=\"color: #941100;\">Low entropy<\/span>\u00a0&#8211; often based on dictionary words with letter\u2192number substitution, patterns on a QWERTY keyboard, etc.<\/td>\n<td valign=\"top\"><span style=\"color: #008000;\">80+ bit entropy<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><strong>Uniqueness of passwords<\/strong><\/td>\n<td valign=\"top\"><span style=\"color: #941100;\">Poor<\/span>\u00a0&#8211; maybe about 5 or 6 in total, excluding slight variations<\/td>\n<td valign=\"top\"><span style=\"color: #008000;\">All totally unique<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><strong>Malware protection<\/strong><\/td>\n<td valign=\"top\"><span style=\"color: #941100;\">Practically none<\/span> &#8211; any other process running as me on my device will be able to read all Firefox passwords with a bit of effort (stored unencrypted on disk)<\/td>\n<td valign=\"top\"><span style=\"color: #008000;\">Password file is encrypted with the Master Password<\/span> (only while locked: once I have unlocked it, any process running as me can read the passwords again)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Conclusion<\/h2>\n<p>I think that my PPP is a good compromise for the large majority of people.\u00a0 It&#8217;s not perfect, but it&#8217;s an improvement on the way that most of you will probably be dealing with your passwords.<\/p>\n<p>Thanks for reading.\u00a0\u00a0 Feel free to rant at me in the comments (or even to say something nice\/interesting\/constructive if you are feeling radical!)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Remembering passwords is a hassle!\u00a0 We all know the things that we are supposed to do but we are all human beings (aren&#8217;t we?) and it&#8217;s almost impossible (and certainly very impractical) to set strong, unique, and memorable passwords for each and every account we have. 
I&#8217;ve come up with a policy about how I [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"templates\/template-full-width.php","format":"standard","meta":[],"categories":[10,11],"tags":[17,14,16,13,15,18],"_links":{"self":[{"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/posts\/4"}],"collection":[{"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/comments?post=4"}],"version-history":[{"count":54,"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/posts\/4\/revisions"}],"predecessor-version":[{"id":197,"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/posts\/4\/revisions\/197"}],"wp:attachment":[{"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/media?parent=4"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/categories?post=4"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bennish.net\/blog\/wp-json\/wp\/v2\/tags?post=4"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}