I don’t know any of my passwords and neither should you

Sam Rueby Security 0 Comments

While I was at Rochester Institute of Technology studying Networking and System Administration, I had a lot of interest in the Computer Security classes. I think i may have taken the majority of the security classes offered at the time. They were really fun and really interesting. It’s amazing that there are actually tools out there that with a single click, can gain you access to an unpatched version of Windows with an Administrator shell and the user will have absolutely no idea. So even though this isn’t exactly the field I went into ( Penetration Testing for a living would be fun, but I think it would be difficult for me to lie to people, just to prove that social engineering practically always works), I picked-up some good habits from the classes.

I don’t know any of my passwords.

And you shouldn’t either. Well if I don’t know any of my passwords how could I possibly get into anything? I use LastPass like it’s my job. Basically, I create one very strong password and it’s my job just to remember that. Along with that, I use Multifactor authentication. With those two things, I can get into my LastPass account and LastPass knows all of my passwords. When you create a new account, use LastPass to randomly generate your password using the maximum length allowed.

Why is this safer?

We’re terrible at remembering passwords, so we do one of two things:

  • Same password for everything.
  • Different passwords, but have to write them down somewhere.

Same password for everything is bad because once someone figures it out (or you tell them), they have the keys to your kingdom. Different passwords, but written down is almost just as bad. All I have to do is walk past your desk and snap a picture of your sticky notes. Don’t write them on sticky notes? Well, that’s cumbersome!

LastPass knows them all? How could that be safe?

Well, LastPass doesn’t even know your passwords. They don’t know your passwords so bad that if you lock yourself out of your account…they’re gone. So it may sound like a single-point-of-failure, but as long as you have a good master password, you’re in a good position.

Standard password “best practices” are bogus.

XKCD:

XKCD: Password Strength

Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

This may be my opinion, but the only thing you need to do to make a password secure is to make it long. If an attacker doesn’t have access to the database storing them, the only thing they can do it brute force (i.e. guess) or use a dictionary attack (i.e. guess smarter). As long as there’s the possibility of numbers and symbols being in the password, an attacker will have to guess passwords that include them, which will take significantly longer. So passwords don’t need complexity. They need to be long. Such as a sentence in a book.

He wore round glasses held together with a lot of Scotch tape

That would be a pretty good password, and that’s easy to remember.

Shame on any “secure” service that prevents long passwords

Especially from a technical standpoint, I have no idea why any service disallows passwords of any length. If you’re hashing them like you should be in your backend, there will be a predetermined output length. There’s no extra cost in storing longer passwords vs shorter passwords: it’s exactly the same. Because of this, one of the only times you need numbers and symbols in your password is if the service prevents passwords to some silly-short length, e.g. anything shorter than 20 characters. They’re effectively making it easier for attackers.

Just don’t be a low-hanging fruit

Not being an easy target is really the name of the game. Unfortunately, if you’re targeted by a hacker, they’re likely going to be successful. But by using a service like LastPass you’re significantly more difficult to target and thus, significantly safer.