Let’s talk about security

Aaron Lott
Sunday 15 November 2015

If you don’t already use a password manager, this post explains what they are and why we think you should be using one.

Password managers

As the name suggests, password managers typically allow you to store all your passwords securely in a safe. Many also install browser plugins so that you may easily access the passwords stored in your password vault without even having to switch back and forth between your browser and password manager.

While you may need to pay for some, many password managers are free with upgrade options available for more advanced features such as synchronisation with mobile devices.

They all effectively work in a similar way: you only have to remember one master password that lets you into your vault of passwords. Once inside, the password manager stores all your passwords securely, allows you to generate new, complex passwords, and helps you pass your passwords securely to websites when you need them.

In the past I’ve used two managers: LastPass and KeePass.

LastPass

[Image: LastPass filling in a password on a login form] So convenient!

LastPass: free for desktop (monthly fee for the mobile app); stores encrypted data in the cloud; great for multiple computers.

LastPass encrypts all your passwords and stores them in the cloud, so you can switch between computers easily and still have access to your credentials.

LastPass uses a confidential encryption method and, for added security, throws in a ‘salt’, often a phrase, that is mixed into your master password before it is hashed so the resulting hash is scrambled even further. Each customer has their own variation of the hash, so even if LastPass were compromised the attackers would have to break the particular hash for each separate customer, which would take ages.

Because LastPass (like every password manager company) is a security company, it is highly unlikely they’ll have a huge data breach and lose all your data like some of the more recently publicised breaches. Their whole reputation is built on being secure, and since your data would take quite some time to compromise even if breached (plus you can always change your passwords just in case), I’m comfortable recommending them as a password manager.

KeePass

[Image: the KeePass password vault]

KeePass: free for desktop only (open source); stores encrypted data locally; good for a single computer.

A nice alternative to LastPass if you’re hesitant about storing your passwords in the cloud, and particularly if you only have one main computer, is KeePass.

Functionally, it works just like LastPass but it stores all your passwords locally on your computer, not in the cloud. You may find this a little less convenient, especially if you’re away from that computer and need to access sites you’ve secured with long and complex passwords, but it’s great if you’re not comfortable with another company storing your encrypted passwords on its servers in the cloud.

Reassuringly, KeePass is also very secure: it uses some of the most advanced encryption techniques, AES and Twofish.

So with both LastPass and KeePass, even if someone got their hands on your database of passwords it would take a long time before they could crack them. Using these applications you could make all your passwords 30 characters long (or more!) without needing to remember them all. All you need to remember is your master password.

Master password

[Image: LastPass’s illustration of how your password should look] LastPass has a good point there…

A brief word on your master password: IT Services has some good advice about creating strong passwords, so I won’t repeat it. The human brain has an amazing ability to memorise, so please don’t write your password down. Even if it’s an especially complex one, trust me, you’ll have it committed to memory in no time, and this is far more secure than reusing passwords or using simple ones. There is no cost beyond memorising a single master password, and you have everything to gain.

Summary

I really like LastPass for its flexibility, its cost (free) and how it has plugins for Google Chrome and Mozilla Firefox. When you reach a site to log in, all it takes is two mouse clicks to log in with your 30+ character password.

I strongly encourage you to go out and research LastPass or any other password manager before you use it, but I guarantee you won’t regret moving to one and you’ll be so much safer on the web. This is an essential step to safeguarding your online presence and protecting your electronic image.

On the technical side – how secure is your current password?

Over the years the requirements for passwords have been getting more stringent; where once you were advised to create a password of 6 to 8 characters, now many sites recommend 12 to 14 characters, using a combination of special characters, upper- and lower-case letters, numbers, and the like.

Find out how strong your password is at How secure is my password?

[Image: result from the How Secure Is My Password site] I hope your password doesn’t get this result 🙁

There is a very good reason for all this: people who would do you harm often have powerful hardware for cracking your password. The major breakthrough came when they started using the processing power of graphics cards (GPUs) to guess, or crack, passwords. With some of the top-of-the-line off-the-shelf hardware, people who wish to crack a password hash can now make around 250 billion guesses per second. While that’s true for a £10,000 computer, a more modest one, using a GPU from 2011, can still clock in at around 4.1 billion guesses per second.

What exactly is being guessed, beyond the fact that it’s your password? Well, thankfully most of the time passwords aren’t stored in what’s called ‘plain text’, which means no encryption at all, i.e. your password is stored as is. Here’s the Wikipedia description:

Hashing a password will take a clear text string and perform an algorithm on it (depending on the hash type) to get a completely different value.

A great example of this is an ‘MD5 hash’; here are two examples:

password is 22e5ab5743ea52caf34abcc02c0f161d

PASSWORD is 319f4d26e3c536b5dd871bb2c52e3178

So when someone is trying to guess a password they are, in the simplest terms, choosing a candidate password, hashing it and checking the result against your stored hash. If it’s 8 characters it might start with ‘a0000000’, then ‘b0000000’, and so on. And it does this very quickly.
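As an added illustration (my own code, not from the original post), here is a small Python script showing why the per-user ‘salt’ mentioned under LastPass matters for this guess-and-compare check. The users, salts and wordlist are constructed, and MD5 is used only because it is the hash the post shows; the script counts how many hash computations the check needs with and without salts.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data (not real accounts): three users, two sharing a password.
USERS = {"alice": "password", "bob": "B33r&Mug", "carol": "password"}
SALTS = {"alice": "8f3a", "bob": "1c9e", "carol": "d07b"}   # one random salt per user
GUESSES = ["letmein", "qwerty", "password", "darren"]        # a tiny constructed wordlist

def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lower-case hex, the hash type the post shows."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Unsalted storage: the same password gives the same hash for every user."""
    return {user: md5_hex(pw) for user, pw in users.items()}

def store_salted(users: Dict[str, str], salts: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Salted storage: the salt is kept beside the hash and mixed into the hashed input."""
    return {user: (salts[user], md5_hex(salts[user] + pw)) for user, pw in users.items()}

def check_unsalted(stored: Dict[str, str], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each guess once, then match it against every stored hash at the same time.
    Returns (matches as {user: password}, number of hash computations performed)."""
    table = {md5_hex(g): g for g in guesses}
    matches = {user: table[h] for user, h in stored.items() if h in table}
    return matches, len(guesses)

def check_salted(stored: Dict[str, Tuple[str, str]], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts, every guess has to be re-hashed separately for each user."""
    matches, work = {}, 0
    for user, (salt, h) in stored.items():
        for g in guesses:
            work += 1
            if md5_hex(salt + g) == h:
                matches[user] = g
                break
    return matches, work

if __name__ == "__main__":
    found, work = check_unsalted(store_unsalted(USERS), GUESSES)
    print(f"unsalted: {found} after {work} hash computations")
    found, work = check_salted(store_salted(USERS, SALTS), GUESSES)
    print(f"salted:   {found} after {work} hash computations")
    # A salt stops one pass over the wordlist serving every user at once; it does not
    # slow each individual guess down. That is the job of a deliberately slow hash.
```

With the sample data the unsalted check finds both shared passwords after 4 hashes, while the salted check needs 10, and the cost grows with the number of users rather than staying flat.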

But what does this all mean to you?

It means that we need better passwords. And I know some people are thinking “Wow, that’s crazy they can guess so quickly. I just need to remember a new, longer one.” But really, if that one password gets broken or compromised, the rest of your sites, computers or otherwise… you get the picture. So, one main super hard-to-guess password won’t work. The site Lockdown.co.uk has a great breakdown of the time needed to crack certain passwords based on the number of combinations possible when using upper/lower case, numbers and special characters. And this is from 2009, so his Class C computer at 1 billion guesses a second is… well, conservatively 4 times slower than a modest desktop GPU setup today. (Shortened for relevance. He included setups that are outclassed by simple hardware today…)

Examples

These are just a couple of examples to show the resilience of certain types of password; using the information in the tables below you will be able to make your own examples.

Password    Combinations       Class A    Class B    Class C
darren      308.9 Million      30 Secs    3 Secs     Instant
Land3rz     3.5 Trillion       4 Days     10 Hours   58 Mins
B33r&Mug    7.2 Quadrillion    23 Years   2¼ Years   83½ Days

A. 10,000,000 Passwords/sec: Fast PC, Dual Processor PC.

B. 100,000,000 Passwords/sec: Workstation, or multiple PCs working together.

C. 1,000,000,000 Passwords/sec: Typical for medium to large scale distributed computing, Supercomputers.

Oh how the times change; their fastest possible setup was a supercomputer! There’s so much more to how passwords are encoded that makes them harder to crack, but the bottom line is that a simple password, or a single password for everything, is a liability. An 8-character password, the last in the above table, will now take probably 15-20 days to brute-force on average hardware. We need longer, complex passwords, and I think the best way to accommodate that efficiently is to use a password manager.
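As an added example (my own code, not from the original post or from Lockdown.co.uk), a Python calculator that reproduces the table above from first principles, character-class size raised to the password length and divided by the guess rate, and then applies the 2011 GPU and 250-billion-per-second rates quoted earlier, alongside a constructed 30-character password of the kind a manager generates. The 34-symbol class is an assumption chosen so that all four classes total 96, which is what gives the table’s 7.2 quadrillion figure.

```python
from typing import Dict

# Character-class sizes. The 34-symbol class is an assumption chosen so that all four
# classes together make 96, which reproduces the table's 7.2 quadrillion combinations.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 34}

# Guess rates (passwords per second) as quoted in the post.
RATES = {
    "Class A (2009 fast PC)": 1e7,
    "Class B (2009 workstation)": 1e8,
    "Class C (2009 supercomputer)": 1e9,
    "2011 desktop GPU": 4.1e9,
    "top-end rig (about GBP 10,000)": 250e9,
}

def charset_size(password: str) -> int:
    """Alphabet size an exhaustive search must cover, from the classes the password uses."""
    kinds = {("lower" if ch.islower() else "upper" if ch.isupper() else
              "digit" if ch.isdigit() else "symbol") for ch in password}
    return sum(CLASS_SIZES[k] for k in kinds)

def combinations(password: str) -> int:
    """Number of candidates of this length drawn from that alphabet."""
    return charset_size(password) ** len(password)

def seconds_to_exhaust(password: str, rate: float) -> float:
    """Worst case: every candidate tried, as the reference table assumes (average is half)."""
    return combinations(password) / rate

def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    years = seconds / (365 * 86400)
    if years >= 1e6:
        return f"{years:.2e} years"
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("mins", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} secs"

def report(password: str, rates: Dict[str, float] = RATES) -> Dict[str, str]:
    """Time to exhaust the keyspace of `password` at each rate, as readable strings."""
    return {label: human(seconds_to_exhaust(password, rate)) for label, rate in rates.items()}

if __name__ == "__main__":
    # The last entry is a constructed 30-character password of the kind a manager generates.
    for pw in ("darren", "Land3rz", "B33r&Mug", "G7$kq2!vLm9#pR4wZx1@bN6&tY8%hJ"):
        print(pw, f"{combinations(pw):.3g} combinations", report(pw))
```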

More information

[Image: the 25-GPU cracking cluster] All your passwords are now belong to me.

And if you want to do a little more reading, or you’re not convinced about the hardware side of cracking passwords, ArsTechnica has a write-up: 25-GPU cluster cracks every standard Windows password in <6 hours (pictured above). The takeaway there is that a good guy (i.e. not a hacker) cracked EVERY combination of 8-character password (using upper/lower case, numbers and special characters) in 5.5 hours. That’s the standard enterprise password length. And he crunched every single possible combination, a brute-force attack, in that time. Wow.

The website ArsTechnica has a bunch of articles on this type of thing, so check them out if you want to learn a little more or if, like me, you just find this sorta thing interesting.
