Password safety

Password safety is a bit of a solved issue at this point, you should be using a Password Manager, preferably one with a good reputation such as KeePass (which I use) and QtPass/Unix Pass which I have recommended to friends in the past. Both of these will generate strong, random passwords that will be stored in an encrypted vault, which requires a password to enter. These passwords are impossible to bruteforce, and even if they are stored as plaintext by a website, having a unique password for each site means that no other accounts can be compromised.

It sounds like you only need one password to prevent breaking into your password vault, right? Well, not quite, that would be a single point of failure for all your accounts, which could get very messy! If you get to the endgame level of security breaches: access of your computer with malware, your encrypted password file can be copied and the password you enter to unlock it can be keylogged.

You need another password for your e-mail account, and that account needs to have 2-Factor Authentication. This e-mail address should be used to register to all protected accounts. Your e-mail address is your last line of defence and it needs a unique password no matter what, because anyone who gets into your e-mail account can quickly cause damage to every single other account you own on the internet. The 2-Factor Authentication is required because spreading the load off to another device makes it far more difficult for attackers to break in. It has been known for social engineers to call up mobile providers and get a new sim card sent out to bypass this, so be careful with your personal information, do not allow anyone to find the answers to security questions.

So what are you supposed to put in for these two passwords you are supposed to remember? Well, xckd has a comic on an amusing (and pretty secure) way of doing it. However, if the attacker has the password hash on their hands and it is in a common format like SHA-1 or MD5, they could perform up to 257 billion hashes per second on a self-funded rig, in fact, most hashing algorithms are always in the billions of guesses per second range, compared to xkcd’s 1000 per second. At only 10 billion per second a previously 550 year long password would take just under 29 minutes. You can extend that by adding another word, but GPU hardware is going to catch up, and you have to add yet another word.

The way I approach it is simple: create a password that will never be cracked by any computer that will ever be built before the end of the universe, using all the time left until the end of the universe. It uses a combination of various password traits organised in easily remembered “chunks”, here is an example password:


Now, this isn’t my password, but it is built up in the same sort of “chunking” rules. Not knowing the contents, number, or order of the chunks makes this password impossible to break. Let’s break up the chunks so that we can see what it is supposed to be in detail:

IHALBOC skit 26 flying 92 v1g1lant 45 *%

Okay, so let’s take a look at the components:

  • IHALBOC I Have A Lovely Bunch Of Coconuts. A seemingly random word made up of the first letters of a phrase. In my password it’s a phrase I made up and have never said.
  • skit – A short word, no more than 3-4 characters, easy to remember but low security.
  • 26 – 2 digit number, easily remembered but insecure on its own.
  • flying – Normal length word. Try not to only use nouns, that narrows down the search space and is insecure.
  • 92 – 2 digit number again
  • v1g1lant – Word with common substitutions, weak on its own.
  • 45 – 2 digit number.
  • *% – Symbols. Feel free to create more chunks of these and put them anywhere.

These chunks are like seperate passwords that you combine together, they are supposed to be able to stand on their own. This makes it easy to remember by simply chaining them together, while including a massive search space for brute force searches and being impervious to dictionary attacks. I haven’t made a password like this yet that doesn’t have a required amount of time to crack several massive orders of magnitude greater than the time needed for the universe to end. In fact, if you pooled together every single computer on the planet, then multiplied that by a million, you wouldn’t even dent the amount of years it would take to crack a password like this. How many years minimum to crack one of these?

1,000,000,000,000,000,000,000,000,000,000,000 Years

While we’re waiting for the illuminati to read my e-mail, anyone want a coffee?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.