2019-05-30 13:43:56 +01:00
|
|
|
Why is Password Reuse a Problem?
|
|
|
|
|
--------------------------------
|
|
|
|
|
.. image:: password_reuse_1.png
|
|
|
|
|
.. image:: password_reuse_2.png
|
|
|
|
|
.. image:: password_reuse_3.png
|
|
|
|
|
|
|
|
|
|
About password strength
|
|
|
|
|
-----------------------
|
|
|
|
|
How is strength measured?
|
|
|
|
|
=========================
|
|
|
|
|
'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the
|
|
|
|
|
password:
|
|
|
|
|
|
|
|
|
|
.. math::
|
|
|
|
|
s = log_2(a^n)
|
|
|
|
|
|
|
|
|
|
* 0889234877724602 -> 53 bits
|
|
|
|
|
* ZeZJieatdH -> 60 bits
|
|
|
|
|
|
|
|
|
|
Why are weak passwords problematic?
|
|
|
|
|
===================================
|
|
|
|
|
Weak passwords are trivial to crack in many situations. A password with 53 bits
|
|
|
|
|
may be cracked by a criminal organisation in less than an hour.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
What about strong passwords?
|
|
|
|
|
============================
|
|
|
|
|
They are difficult to remember, a problem especially when you use a different
|
|
|
|
|
strong password for every service. You are also tempted to write them down, or
|
|
|
|
|
reuse them.
|
|
|
|
|
|
|
|
|
|
It's surprisingly difficult for humans to generate good passwords!
|
|
|
|
|
|
|
|
|
|
Password Managers to the Rescue!
|
|
|
|
|
--------------------------------
|
|
|
|
|
Password managers allow you to create a unique and strong password for every
|
|
|
|
|
service.
|
|
|
|
|
|
|
|
|
|
Additional benefits:
|
|
|
|
|
|
|
|
|
|
* Remembers passwords for you
|
|
|
|
|
* Generates passwords for you
|
|
|
|
|
* Automagically fills in passwords on websites for you, this is important!
|
|
|
|
|
* Makes passwords available on all your configured devices
|
|
|
|
|
* Can store additional related data, usernames, answers to security questions,
|
|
|
|
|
pins for debit/credit cards
|
|
|
|
|
|
|
|
|
|
Any of the mainstream password manager is equivalent in the above respects.
|
|
|
|
|
|
|
|
|
|
Can you trust password managers?
|
|
|
|
|
--------------------------------
|
|
|
|
|
Yes*
|
|
|
|
|
|
|
|
|
|
How do they keep passwords secure?
|
|
|
|
|
----------------------------------
|
|
|
|
|
1. User supplies a password
|
|
|
|
|
2. The password is used to derive an encryption key. This process is designed
|
|
|
|
|
to be slow, even on modern hardware
|
|
|
|
|
3. The so generated encryption key is used to encrypt/decrypt your passwords
|
|
|
|
|
|
|
|
|
|
Note that the security of the encryption depends on the strengh of your
|
|
|
|
|
password. With a poor password (50 bits), it would take the entire computing
|
|
|
|
|
power of the world less than a month to crack the database. With a decent ish
|
|
|
|
|
password (60 bits), it would take on the order of 50 years on average. With a
|
|
|
|
|
better password (70 bits), it would take on the order of 50,000 years.
|
|
|
|
|
|
|
|
|
|
Generating a Strong Password
|
|
|
|
|
----------------------------
|
|
|
|
|
Passphrases are better than passwords:
|
|
|
|
|
|
|
|
|
|
* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
|
|
|
|
|
* correct horse battery stable -> 44 bits of entropy, easy to remember
|
|
|
|
|
|
|
|
|
|
Use passphrases everywhere you have to remember.
|
|
|
|
|
|
|
|
|
|
Generate passphrases with Diceware
|
|
|
|
|
==================================
|
|
|
|
|
1. Roll 5, 6 sided, *physical* dice
|
|
|
|
|
2. Read the numbers left to right
|
|
|
|
|
3. Find the word with that number on a list 6^5 (7776) words
|
|
|
|
|
4. Repeat until desired length is reached. For a password manager, use at
|
|
|
|
|
least 7.
|
|
|
|
|
5. Write down your passphrase on paper and keep it somewhere secure
|
|
|
|
|
6. If you are 100% confident that you will not forget the passphrase, destroy
|
|
|
|
|
the paper by burning
|
