Silk Road forums

Discussion => Security => Topic started by: Horizons on March 15, 2012, 12:50 am

Title: Password Security 101
Post by: Horizons on March 15, 2012, 12:50 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all!

For obvious reasons, we Silk Road users tend to be much more concerned about online security and privacy than the average netizen. Here in the security sub-forum, there are always several active threads discussing such subjects as disk encryption, anonymization software, PGP and the relative benefits and shortcomings of different approaches to hiding your real IP from possible attackers, from simple sandboxes to virtualization to full-on hardware separation of net-facing applications. New users frequently come along with questions regarding the safety of their current set-ups.

We're fortunate to have an active community of which several members are both extremely knowledgeable in this area and willing to share that knowledge with the rest of us. I'd quote the most noteworthy names, but there are many and you all know them already. Besides, I fear I might accidentally neglect to mention someone important and feel guilty about it later. ;) However, it seems to me that not enough emphasis is placed on the importance of having a strong password. It takes only one weak link to break a chain, and the best security software and hardware set-up in the world won't save you if somebody somehow obtains access to your passwords. Since all other areas of our on-line privacy are already so expertly covered by other forum members who know a lot more about the technical aspects of web privacy than I do, I figured I could make a small contribution by writing a guide on how to improve your password security. These are some simple tips that you can use not only in your illegal and semi-legal dealings, but also for your everyday life.

I wrote this guide assuming that my reader will know next to nothing about password security, to make sure I'm not leaving out any important details (but please let me know if you notice that I missed something!). Most, if not all, of what I say here is already known to many of you. Nonetheless, it might be helpful for some. I hope it is. And if it isn't, maybe it'll be entertaining. If you're very lazy and just want the good bits, skip ahead to the first reply.

With no further ado, your friendly neighbourhood day-tripper Horizons proudly presents:


PASSWORD SECURITY 101


01) Why should I care about password security? I won't tell my password to anybody!
02) But if any password can be cracked eventually, what's the point in all this extra effort?
03) All right, how do I do it?
03.1) Your Google-fu is weak, old man!
03.2) Size matters
03.3) Be obscure
03.4) Don't go with the crowd
03.5) Don't use a password
03.6) How about a recap?
04) So you expect me to do all that EVERY TIME I need to create a password? I have a life, you know...
04.1) Password Managers
04.1.a) LastPass
04.2) What if I don't trust the cloud?
04.3) I don't want to use a password manager at all. Now what?
05) All my eggs in the same basket?



01) Why should I care about password security? I won't tell my password to anybody!

In the overwhelming majority of cases where an online account is compromised, it's not because someone hacked into your computer or the server and accessed your login info (though that also happens a lot), but because they got a hold of some individual's password, specifically, either through social engineering (e.g. phishing) or by brute-forcing it. This is why you need to have a password that isn't obvious and will take an unreasonable amount of time to crack. There's no such thing as an un-crackable password, but there is such a thing as a very difficult to crack password, and that's what password security is all about.


02) But if any password can be cracked eventually, what's the point in all this extra effort?

There are several applications freely available on the Internet that can guess several hundred passwords per second, or even more depending on the hardware running them. High-budget agencies like the DEA surely have no problem running hundreds of thousands of passwords per second. No matter how good a password you have, it can be guessed eventually, because there is a finite set of characters to choose from when creating a password. What we can and should do is use passwords that make the guessing process prohibitively long, to the point where it's just not worth the effort any more (this point will obviously be lower for buyers and small-time sellers than for the big players).

Usually - and I don't believe that this is the case with SR due to the risk of exploitation to lock someone out of their account (especially since the very nature of Tor makes IP-based bans useless) - websites have a limit of unsuccessful login attempts over time, after which they force you to wait several minutes before trying to log in again. This is an excellent security feature, because it greatly throttles the speed at which an attacker can try to guess your password. Even small lock-outs, like two minutes every ten attempts, already make the process orders of magnitude slower (five guesses per minute instead of hundreds per second). An illustrative example: a six-digit numeric password can be guessed in a maximum of 10⁶ tries. At 500 guesses per second (a low speed, as far as I understand), it would take an attacker a mere 33 minutes and 20 seconds (not counting network communication-related delays) to run through every possible password. But throttled to a maximum of five guesses per minute, that same password will take a maximum of 138 days, 21 hours and 20 minutes to guess. Of course, it's possible that the attacker will get lucky and guess correctly on the first try... but the odds of that happening in this example are literally one in a million. With a measure like this in place, it's easily possible to create a password that will never be cracked during your lifetime. And even without it, you can still make things much harder for those who wish you ill.


03) All right, how do I do it?

A secure password is one that's hard to guess. This means that it has to be long and contain a good mix of alphanumeric and special characters, but it also means that your password shouldn't be in any dictionary. You should make sure that people can't guess your login credentials via some simple Google-fu. Finally, you have to be able to remember your password - NEVER write it down anywhere other people might find it!

03.1) Your Google-fu is weak, old man!

Let's start with my second-to-last point, since there's no real need to elaborate on the last one. Just like all the security measures in the world won't save you from someone who knows your password, the best password in the world won't save you from your own carelessness, or other people's. If you use the same password everywhere, it only takes compromising one website (you might trust Google Mail's security, but what about DealExtreme or that Bonsai enthusiast blog you love that requires a login to post comments?) in order to get your credentials for every other one. ALWAYS USE A DIFFERENT PASSWORD FOR EVERY SINGLE WEBSITE. And try to use different usernames as well, for the same reasons as well as another, very important one: dox. Let's say you're a complete moron and use the same username here and on Facebook (incidentally, there's a thread somewhere around here claiming that Moonbear did exactly this). If you do that, anyone with an Internet connection is one copy-and-paste and a few clicks away from knowing your name, the names of your relatives, what you look like, where you went to school, your birthday, et cetera et cetera et cetera.

Incidentally, many people use these credentials as their passwords, or as the answer to the "secret questions" that are a popular method for recovering passwords. Don't do that. Your daughter's birthday is not a good password, and neither is your spouse's nickname followed by the number 1 – especially if you scream out that nickname during your moments of passion, loud enough for the neighbors and the people in that unsuspecting and totally legitimate flower delivery van parked across the street to hear you. Don't be so obvious. Lie in your secret questions. Say that your school mascot was Margaret Thatcher, your first pet was an Iranian Flying Sea Cucumber named Anathema and your first-grade teacher was called Emperor Zod. Protect your e-mail password at all costs, because if someone has access to your e-mail account, they can rape that "Forgot your Password?" link until they own all your accounts everywhere. Do not use the same e-mail account for accounts connected to your true identity (like Facebook or LinkedIn) and accounts not linked to it. Have nothing else in common between them either. Completely sandbox your online persona from your flesh-and-bone self, and sandbox both of these from your identity here on the Silk Road. If you do otherwise, you're setting yourself up for prison rape. And lest you think I'm kidding, remember that there have recently been two cases of users being threatened with dox here on the forums over sour deals. Some people even go as far as to use different usernames on the SR marketplace and forums, though I don't really see a point in that since they'll usually tell you their market handle if you ask them. But you should have different passwords for your accounts, and if you're a vendor and buyer, you should have separate accounts for each activity - do you really want your potentially unscrupulous colleagues to have your address, knowing that they might see you as a competitor?

03.2) Size matters

Let's go back to the six-digit numeric password. At five guesses per minute, it will take a maximum of 138 days, 21 hours and 20 minutes, running nonstop, to crack that password. What happens if we increase the number of digits from six to seven? It now takes up to 3 years, 292 days, 21 hours and 20 minutes to crack. Not bad, eh? And this is assuming that the attacker knows that the password has exactly seven digits and to try characters from 0 to 9 only. Mixing upper- and lower-case letters and special characters (!, @, $, etc.) into your password makes it even more costly to crack.

03.3) Be obscure

If you've protected yourself against Google-fu, the next item to tick off on your Paranoia Checklist is brute-force and dictionary attacks. Brute-forcing a password basically means guessing several possible passwords until you get it right. For instance, if I wanted to guess our six-digit numeric password by brute-forcing it, I could try 000000, then 000001, then 000002, and so on. In a maximum of 1,000,000 guesses (if the password were 999999), I'd get it right.

But people don't usually choose completely random passwords - in fact, most of them do exactly what I just told you not to do two sections ago, which is precisely why social engineering works so well for hackers. Since you have to remember your passwords, people will usually choose actual words, names, dates or combinations thereof as their passwords.

This is why there are dictionary attacks: the software that's working on guessing your password will prioritize actual words over gibberish - for example, it will guess "alligator" long before it tries to guess "aaagrlhpb" even though the latter comes first in alphabetical order, and if it has to guess a six-digit number it'll go for obvious sequences and dates before it tries random combinations - e.g. after it discards sequences like 123456, 147258, etc., it might restrict its guesses to XYZ, where X is a number between 01 and 31, Y is a number between 01 and 12 (switch those around if you're American) and Z is a number between 00 and 99, then XY where X is a number between 01 and 12 and Y between 1900 and 2012, and only then try to guess combinations outside of these ranges. This greatly lowers the average time it takes to crack a password, since it goes for the most commonly-used ranges first. We want to avoid dictionary words, to make this priority process work in our favour by pushing our actual password to the end of the list. And don't think you're being clever by using your native language instead of English (unless you come from a forgotten Amazonian tribe of which White Man knows nothing, in which case, welcome to the Internet!) or using a simple substitution cipher, like typing "@LL1g@t0r" instead of "alligator". These common substitutions are also included in the dictionaries. In fact, Kate's spell-checker just asked me if I wanted to correct "@LL1g@t0r" to "alligator", and cracking passwords isn't even one of its functions. Which leads me to my next point...

03.4) Don't go with the crowd

Say you have a standard password that you use everywhere. You shouldn't do that (see above), but most people do. Let's also say that your password is "alligator". Now, you're registering an account somewhere that requires you to mix upper- and lower-case letters. What do you do? Most people will just register "Alligator" as their password. What if you have to add a special character? Either it'll replace some letter (like the @ in the example above) or get tossed in at the beginning or - much more likely - at the end of your password: "Alligator!". This is what most people do, and the men in black and basement dwellers who want to get into your account know this. These common gimmicks won't keep you safer, and they carry the added burden of making your password harder to remember (did I replace that A with an @ or a 4? Guess I'll have to try both...). "alligator" and "@LL1g4t0r!" are equally insecure passwords, but the second one is a pain in the arse to remember. Common-sense security measures will usually work against you, precisely because they're common-sense. Remember that your enemies are people too. Arbitrarily deciding that you'll switch your As for #s or 吱s instead of @s or 4s will do you a lot more good, but it's still not good enough.

03.5) Don't use a password

Horizons must be tripping balls. What does he mean "don't use a password"? Well, dear reader, I mean that we should use a passphrase instead of a password. There's only so much we can do with "alligator", but we can do a lot more with "That dapper alligator is smoking a hookah with my pet echidna on Yom Kippur". And it's easy to remember - I bet you've already created a mental image of an alligator in a monocle and top-hat smoking a hookah next to an echidna in a collar and Kippah. And if you hadn't, you have now. With a simple set of three rules to change the structure of the phrase (I'm sure there's a technical name for this - anyone care to enlighten me?), we can turn this phrase into a great password. Let's
a) capitalize every third letter, then
b) replace every fourth letter with a symbol in the order in which they appear on my keyboard, and finally
c) go back and replace every seventh character with consecutive prime numbers.
Quote
thA!dA2@Era#l3G$tOr%5sm"kiN7aHo*Ka11(Ith)y13E-eCh_17na=nyO19kIp§Ur
Abrakadabra! An easy to remember (though annoying to type) sixty-six character password that can't be taken down by a dictionary attack and will give any brute-force attacker a good run for his patience. According to www.howsecureismypassword.net, it would take the average Desktop PC "About 10 trestrigintillion years" to crack this particular password. Who needs login attempt bottlenecks when you have this sort of security?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPYTy9AAoJELazcgjRnEAqESAH/01W1/y33dx673SniwqxK2vQ
pp3JZX+0vogYaj+7uS6YsLOFUasD6mkiFI5kwUahyxbUBDuM7mhI+9A8MdEp9Dp9
PU/Q3y/K6QUCpOUqWMJ27Aas55VA1uwxFXEbdAcpCcyKt/SCDFfGY21w7XjcNulc
CWuz2Pq3qLC5hTze4P5S8uqA7v/KRt+XOy3uLGpYIZrv7D4DCX2LTvNvFD0TxeRP
8Cw0AbK8oTh4gJoZZd8WU4MrZSjjV6Hd/Fd1yWuiRMxB8iJkrthWTIGU0nY0QH3z
evQqmFdpdB/qbwBCO6iXKreHOknoyh5qcMydy+7FvDRyhbsmh/3QUMuXi+2r6g0=
=wxhr
-----END PGP SIGNATURE-----
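An added example (my code, not part of Horizons's post) of the kind of check a site or a password-policy tool can run to catch the two weak patterns the post describes: dictionary words hidden behind common substitutions or a symbol tacked on at either end ("@LL1g4t0r!"), and six-digit numbers shaped like dates, constant-step runs or keypad walks. The wordlist, the substitution table and the keypad-walk set are constructed for the demo; a real check would load a full dictionary.

```python
import re

# Constructed sample wordlist for the demo; a real check loads a full dictionary.
WORDLIST = {"alligator", "password", "dragon", "monkey", "letmein", "sunshine"}

# Common substitutions mapped back to the letter they usually stand for.
DELEET = {
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i", "|": "l",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "2": "z",
}

# Constructed: a few keypad walks of the 147258 kind the post mentions.
KEYPAD_WALKS = {"147258", "258369", "369258", "741852", "852963"}

NON_LETTERS = "0123456789!@#$%^&*()_-+=?.,;:|"


def deleet(text: str) -> str:
    """Map every known substitute character back to its letter, lower-cased."""
    return "".join(DELEET.get(ch, ch) for ch in text).lower()


def dictionary_word(password: str):
    """Return the wordlist entry a password reduces to, or None.

    Tries the raw string and the string with symbols/digits stripped from the
    front, the back, or both, so "Alligator!", "1alligator" and "@LL1g4t0r!"
    all come back as "alligator".
    """
    variants = {
        password,
        password.rstrip(NON_LETTERS),
        password.lstrip(NON_LETTERS),
        password.strip(NON_LETTERS),
    }
    for variant in variants:
        word = deleet(variant)
        if word in WORDLIST:
            return word
    return None


def looks_like_date(pin: str) -> bool:
    """True for six digits readable as DDMMYY, MMDDYY or MMYYYY (assumed years 1900-2099)."""
    if not re.fullmatch(r"\d{6}", pin):
        return False
    first, second, year4 = int(pin[:2]), int(pin[2:4]), int(pin[2:])
    day_month = 1 <= first <= 31 and 1 <= second <= 12
    month_day = 1 <= first <= 12 and 1 <= second <= 31
    month_year = 1 <= first <= 12 and 1900 <= year4 <= 2099
    return day_month or month_day or month_year


def is_digit_walk(pin: str) -> bool:
    """True for constant-step runs (123456, 654321, 111111) and the known keypad walks."""
    if not re.fullmatch(r"\d{2,}", pin):
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 or pin in KEYPAD_WALKS


def weaknesses(password: str) -> list:
    """Collect the reasons a password would be tried early in a dictionary-first attack."""
    reasons = []
    word = dictionary_word(password)
    if word:
        reasons.append(f"dictionary word: {word}")
    if looks_like_date(password):
        reasons.append("date-shaped digits")
    if is_digit_walk(password):
        reasons.append("digit sequence")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["alligator", "@LL1g4t0r!", "150312", "123456",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no obvious weakness'}")
```

The point of the normalisation step is the one the post makes about Kate's spell-checker: if a program can trivially map "@LL1g4t0r!" back to "alligator", so can the attacker's wordlist rules, so a policy that only counts character classes will rate that string as strong when it is not.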
Title: Re: Password Security 101
Post by: Horizons on March 15, 2012, 12:52 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

03.6) How about a recap?
Your password should be:
a) Easy to remember but hard to crack.
b) Long.
c) Complex.
d) Unrelated to your other passwords or to highly public information about yourself.
e) Not the one I just used as an example. Don't be lazy!

My suggested method to accomplish all of this is:
a) Start with an original but memorable phrase.
b) Come up with an easy-to-remember series of regular substitutions and/or substitution ciphers to make sure that your phrase contains lower-and upper-case letters, numbers and special characters.
c) There is no step c.

04) So you expect me to do all that EVERY TIME I need to create a password? I have a life, you know...

Yes, you do. But it won't be a very happy or productive life if you have to spend the rest of it wearing an orange jumpsuit and trying to pick up the soap with your toes. What if I told you that you only need to remember five passwords? Or maybe even a single one? It's true! Oh, the wonders of technology!

04.1) Password Managers

We're all familiar with password managers. Most modern web browsers (actually, every one I can think of) have a built-in password manager which can store your passwords for you and automatically fill in login forms. This is a textbook example of trading security for convenience, because these password managers usually store your credentials in plaintext. If an attacker compromises your browser or gains read access to your filesystem, they have access to all your info.

But there are stand-alone password manager programs designed for security over convenience (though they can become just as convenient via simple browser plug-ins). My personal choice is LastPass, but I've also heard many good things about KeePass (which is open-source, for those of you who care) and 1Password (which I've never personally used because I find it a bit expensive). All three of these programs (and probably a few others I've never heard about) have pretty much the same functionality, with only minor differences. Since I have much more experience with LastPass, it's the one I'll talk about from now on, but feel encouraged to snoop around and use whatever program suits you best.

04.1.a) LastPass

LastPass stores your passwords in a local and on-line encrypted database (accessible via their browser plug-in, a web interface or even your smartphone - though the smartphone service is only available on a $1 USD/month subscription) that can only be decrypted by your master password - the Last Pass(word) you'll ever have to remember, according to the creators. So long as we create a strong master key, heeding the tips I just laid out, we can forget all our other passwords and leave LastPass to keep track of them for us.

But wait, you say. I can do that myself, by keeping all my passwords in a PGP-encrypted text file! Only I can read it since it requires my private key, and I can put the danged thing online if I want by storing it on my e-mail server or using a cloud service like Dropbox or iCloud. So what's the advantage of installing unfamiliar software on my machine? Good question, dear reader! The advantage is twofold.

First, it's more convenient. When you install LastPass, it will offer to scan the password databases in every browser it recognizes on your computer, import these passwords and then delete them from the browsers. That's a big load of work you won't have to do any more. Via a browser plug-in, LastPass will replace your browser's native password manager, automatically logging you in to sites to which it has your credentials and offering to save newly-typed passwords. But it'll only do that after you've logged in with your master key, so it's safer than the unencrypted functionality it's replacing.

The second benefit is in functionality that helps you improve your security. LastPass can audit your passwords, giving them a score based on factors like character variety and length, as well as point out any duplicate passwords between your accounts. Once you've identified the weaklings, you can head over to the relevant websites and change them for a better password. And the best feature of LastPass: it's also a password generator! LP can generate random passwords of arbitrary length (though the mobile app only goes as high as sixty-four characters), and you can choose to include or not each class of character: lower-case letters, upper-case letters, numbers and special characters. This way, you can create random passwords for every service you want, conforming to their individual restrictions (e.g. "a six-to-eighteen character range with no special characters and at least one letter and one number"), and you won't ever have to remember a single one. And if sixty-four is too little for you, generate four of them, paste them back-to-back and store them in a secure note in LP's vault. Let's see Law Enforcement crack that glorious 256-character baby!

Not enough? Go as high as you want! How does 2048 characters sound?
Quote
CoDGi&ObMSE7z$dQtygSBSMxJnEh5kpqI1Tq74nri3M8VQztZqpKW%TstQe$J9cg4BCCM#O%xK5B!20Ycuug@Gb&G6Zxjz1^nI8T0ccHiqg!3A2%svVlb@Tbc4B9rLPRKbyReYJy*&jEAk%*POy5RY#SBJf22ihL6NfhzJMkCLe5Ka#4VSRhJP97z5ZmVR1DGr*Rt^tnETLHjCd1EU7n@8wpSYHzM!J03vLoK!VG$exCsFFfaea64O!SVmFuF!vkSKGCjFMvUND1IGBPz7YP7nko27N&OV2GXgXn0p4Ik%yhrC6iDBZmdMBOiMZ#CtMQc^iPJ&Bf$nE8V0O1kmdZfODvy2ohn8#uIp!O#kvA%ylW5j94ZCgr#beaDa33Q%97g1^D59Oyv#R!KcEhN*0HE$lMkZHBPR!7QXdAJdZG#mePQU2msqhhsEHAgALqI@i8r!JKY0kpTPZSlPvgbOfn$Ha8vI!709yXTg!EWhEEWvEU22FcQxHqvr2NoeIJeLkl6hu@#Q%A&1t7hNclEA6OXTj5nZuI7B%#HUL4JJ@i!1wh02a^B@1WlZ%oEvh8QROJmN^f2v9r&^boKhKeN1KBPvsc%$alu91*pWJZ@p9J2Zgtd2QMrX7%pXo&ccAsCICOzXmD2*q^F7SJsIkUe!x4uyOdbYWt2&1Chsn1DPO!d1&srnd6WSy!Kc^pnhj*5384A#r05Rr%y@SFSu%Ntwwnu#EjS$8T8Ccb8z7^fbUVpU!yg5NDyvXnvjecDHU&7a1dtXKBzYu%JnNHE5lln&$X$9JcDeMo8w!pC@upgs@a$OVswmeLfHRNS3Vmz&L3L^Qd*v1rHhuY6Pd@6i!uqrl5W@AVVLGbmZVYRF#!*!Cu#Rhym%3yJE#BMtTmi5AfWPJEveHK0i$KzT7viJ8EeyvHWQgM3t%TO25y%6xeBRFG5qP7DFUX3eLFuZuhGSimIZe%Fr7F^b&en@Fev8Qdl1^Uugw8HYT7AKE%LlOIuBp&yNNN4eFVy7d$SZr%NI@wI89lVI0P2Dr$pKoNUO&7bu*uhf@jf3K@*8Z7LK7svS&0bxcU1l8Slc83sS2*3SVefYfohbN%A4ciX5tjqBtjaSj^T^rjk#JU1cV1l^oAakg58hf$&@FGrJHR*PF*Io5q!Q5dUY@knKc1%sfbr8i7ar7Djf!EuW@PFJhF%$rAz1yF7^Hyrum2FTpA#PfzShYO6#ua1IaQRTRxw#yM$@vwBJ&$jQTftPmJ^7P4b9!b*xUQW6rgGZ%sV1dksFcd6%ebRf6j%E7ZEuyRB1w3SklM6Ak^Mtab##d!pzLMmohUB4QY^wRypUl5W42^ddBtcnCNsKn2#wcDNE%&XY1NP#9JVNwEKdOstCUq*on5S$ft9sBtCNlwAzZlR8lTIBdNxZ*KwUzs$dZnm6wMmsbW4HsJDA#L&1BLt&KWZP79YMph^Y^m$5RuGBn^#Mh7nRYYiSAPS@Ji*9cvNuw7XHpRVZ6ArzyDz5hj4RDb2D#nBbp@tNNWxP5^^5qcIodq8xFsoDIDT8ZDHzluvSIdFGWHvMrf3QgyJqnV%8oliKBxp1jxojoqrUE@4%jqTGti0ZKWpuvudPx#6DQOzJZS@BsfPy1xf!%h@KtvLtkBruURXR5PiXhGpODOS^q@peA4xfRdTNy0B&XgXt#OWBmMadErOUlg6UcjhyrUspQvBe&$kVmm9JQ$oRl^giL!hep42BqGTL0d2%hglLE*QkBZUWmjdCco$m$flZfVs8K#JCDR4lBR02gh$BH1LrhPb9OjDJM9np%^FPjsXl8MdcddAFUgoibw^rnNQYnyt&&WosNL^7MT0DMkZERoUrE*kL#WchbEPKdPo7zODz89^nX0bio6VimIYQkrrBSUrnAF2hK60ugAgTFWlq52Qp8u3O$J0DIqB&T3rsS4vH#hTKY3XAR4gWmUpVhSJKZMnixzLBO8@GP4#434szT910asmiFgiYfJbn56Bon8jxX2MJJij7!GPLF8
HfckQ2bN$5@yUxgLURGsPxLF2JlIZh6^XRGvE8p#IrgWnOme
Actually, it sounds a little insane. But if you can, why the hell not?

You might be asking yourself what's the point of having a 2048-character password if the master key you'll be using to protect it will almost certainly be less than 100 characters long. The answer is very simple: LastPass uses local encryption for your passwords. Communication with their servers is done exclusively through SSL, and your passwords are encrypted with 256-bit AES and only ever decrypted locally, so that not even they can access them. Other services you use might not be so secure. So, while your glorious 2048-character password might eventually be exposed to an attacker monitoring your network traffic, your master key will never be transmitted anywhere (assuming you don't have any keyloggers running in the background, but such considerations are beyond the scope of this post).

04.2) What if I don't trust the cloud?

Even though LP encrypts your passwords, you might be apprehensive about leaving them on-line. If that's the case, storing your passwords in a PGP-encrypted text file is probably your best option, but you can still use LP to generate your passwords, and not save them. The damn thing is free anyway, so why not? Even though LP doesn't achieve true randomness (no currently existing algorithm does), it sure as hell gets a lot closer to it than you do - unless you can train yourself to shout out numbers and letters during an epileptic fit and somehow have them recorded.

04.3) I don't want to use a password manager at all. Now what?

There's still a trick we can use to have unique, easy to remember and non-obvious passphrases for every website we visit without using a password manager. The problem is that we'll probably have to make adjustments here and there to conform to more restrictive site-specific password requirements (i.e. maximum character count limits and disallowing certain types of characters), so odds are that now and then we'll need a few attempts before guessing the passphrase right.

This trick consists of making a simple hash sum of the name of the website you want to access. Let's say our hash function is formed by taking the lowercase last letter of the name, followed by the two-digit number of letters in the name (hopefully none of us is in the habit of logging in to multiple websites with hundred-character names), and finally the uppercase first two letters of the name. For the sake of making our new unique passwords a bit longer, why don't we add some fodder at the beginning (or end, or arbitrary position in the middle)? For example, a short passphrase made with those same rules we used in the "Don't use a password" section: "Lick the sky" gives us liC!tH2@Ky. We can use this very same character string in every single password, since the hash sum will be different anyways. This way, all we have to know is a single short passphrase plus the rules for hashing the service name where we want to log in. If you don't feel the need to add the extra fodder, all you have to know is the hash function. Easy peasy!

This way, our SR Forum password would be liC!tH2@Kym13SI, our SR Marketplace password would be liC!tH2@Kye19SI, our VirWox password would be liC!tH2@Kyx06VI and so on. A problem arises with this method, which is that having multiple accounts with the same service means that they all have the same passphrase. We can go around this by also hashing our username into each passphrase, but that puts us dangerously close to the most common upper limits for passphrases, which tend to be between 12 and 18 characters. It's not a perfect solution, but it's a pretty good one. Still, I prefer to go the password manager route.


05) All your eggs in the same basket?

LastPass isn't a website password manager. It's a password manager. It supports storing your Wi-Fi and proxy passwords and the creation of "secure notes", which are a functional equivalent of an encrypted text file. So, what's to stop you from putting your Silk Road password, your SR Forum password and even your PGP password in a secure note, forgetting them completely and relying on LastPass for everything? Nothing at all. But, lest it be said that I'm being paid by the guys behind the software to advertise it to SR, I should point out that I don't personally do that. I need to remember five passwords: my LastPass master key, my PGP private key password, my SR forum password and my SR market password and PIN. And I end up remembering my bank password too, since the fuckers insist that I use a terribly insecure four-number password (fuck that shit, seriously).

The reason why I prefer to keep these passwords separate is simple: if by some series of unfortunate events my LastPass database is compromised, there's nothing in there to link me to the Silk Road. Remember: you should sandbox your identities. I could, of course, have a second account with LP for my SR-related passwords, but there's just four of them, so it seems more trouble than it's worth. I just might want to generate some absurdly long passwords for SR and keep them in an encrypted text file somewhere (256 characters is a lot more secure than my current 70-ish character passphrases) but for now I'd rather type my current ones out when I log in instead of my much larger PGP passphrase. Convenience over security? Yeah, I'm not completely immune either.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPYTz/AAoJELazcgjRnEAq/dsH/2s9mUHP+SZ942O8y/rlaIRW
VRo5bRvZTa9BHeRZNhe31zNdhyfBlx/CSRZUA3qOTfjhSeVvMht8IBIm0o97uuy2
LZErG/VgMSPeNkd7iUXb24NNhfFEtsg3ovVMijncAme4hss3w+fOqG3Ulmk22eVD
ECO6VSuhsQlMgt0/WlZfAnIjp6v1tPCSZcVotgRoq0Mlwu55Pt0maC6yHPek8sO2
9WxhuFFkngKDh2AoD0qJZvJ1ZYulXcrUeKtE3oK+t9rgn0e8UfgPMOaYsLH35d7V
+9zrRuU6p+GvxI9UIz+TwnlKJBajHyQFIwbHoWTPru5uWeegl8G4Y5+tJ1J8IBM=
=poOd
-----END PGP SIGNATURE-----
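An added example (mine, not Horizons's code) that implements both constructions from these two posts as deterministic functions: the three substitution rules from "Don't use a password" (capitalise every third letter, replace every fourth with the next keyboard symbol, replace every seventh with the next prime) and the site "hash" from 04.3 (last letter, zero-padded letter count, first two letters upper-cased). Assumptions: the symbol row is the US layout "!@#$%^&*()" (the post's own string shows a different layout), and when positions collide the later rule wins, prime over symbol over capital, with the symbol counter still advancing on an overridden slot. Under those rules "Lick the sky" gives exactly the post's liC!tH2@Ky and the three site passwords match; the long echidna phrase comes out with the same 66 characters but differs from the post's hand-derived string wherever the layout or the collision handling differs.

```python
from itertools import count

# Assumption: US keyboard symbol row. The post's author typed on a different layout.
SYMBOL_ROW = "!@#$%^&*()"


def primes():
    """Yield 2, 3, 5, 7, 11, ... by trial division (plenty for passphrase lengths)."""
    for n in count(2):
        if all(n % p for p in range(2, int(n ** 0.5) + 1)):
            yield n


def transform(phrase: str, symbols: str = SYMBOL_ROW) -> str:
    """Apply the three rules to the letters of phrase (spaces and punctuation ignored).

    Positions are 1-based over the letters only. Precedence on collisions
    (e.g. position 28 is a multiple of 4 and of 7): prime > symbol > capital,
    following the post's "then ... and finally ... go back and replace" order.
    """
    letters = [c.lower() for c in phrase if c.isalpha()]
    next_prime = primes()
    symbol_index = 0
    out = []
    for pos, ch in enumerate(letters, start=1):
        token = ch.upper() if pos % 3 == 0 else ch
        if pos % 4 == 0:
            token = symbols[symbol_index % len(symbols)]
            symbol_index += 1          # advances even if a prime overrides it below
        if pos % 7 == 0:
            token = str(next(next_prime))
        out.append(token)
    return "".join(out)


def site_tag(site_name: str) -> str:
    """Lower-cased last letter + two-digit letter count + upper-cased first two letters."""
    letters = [c for c in site_name if c.isalpha()]
    return f"{letters[-1].lower()}{len(letters):02d}{letters[0].upper()}{letters[1].upper()}"


def site_password(phrase: str, site_name: str) -> str:
    """Fixed fodder (the transformed phrase) followed by the per-site tag."""
    return transform(phrase) + site_tag(site_name)


if __name__ == "__main__":
    echidna = "That dapper alligator is smoking a hookah with my pet echidna on Yom Kippur"
    print(transform(echidna))
    for site in ("Silk Road Forum", "Silk Road Marketplace", "VirWox"):
        print(f"{site}: {site_password('Lick the sky', site)}")
```

Two properties of the scheme are visible in the code: the site tag is computed from public information, so all of the secrecy sits in the fodder phrase and its rules, and two accounts on one site get the identical string, the limitation the post itself raises. The post's preference for manager-generated random passwords follows from the first point.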
Title: Re: Password Security 101
Post by: chiefrogan on March 15, 2012, 01:03 am
+1'd

Great info for lots of people here
Title: Re: Password Security 101
Post by: brutusk on March 15, 2012, 01:17 am
great post, thanks!
Title: Re: Password Security 101
Post by: kmfkewm on March 15, 2012, 03:31 am
you can test billions of passwords per second with a high end GPU. I just learned that on wikipedia when looking up if your laptop would be capable of guessing hundreds of thousands or millions of passwords per second, I think it is hundreds of thousands though.

Edit: Hm, appears to be low millions per second with most modern CPUs.

I think this comic sums up secure password creation:

https://xkcd.com/936/
Title: Re: Password Security 101
Post by: raven92 on March 15, 2012, 04:50 am
Easy to remember phrases, or random bits of info make great passwords, throw in some salt for good luck.

"My birthday is the 8th of July And C@ke Is A Hell Of a Drug!"

kmfkewm's XKCD article sums it up nicely :P
Title: Re: Password Security 101
Post by: FiveSeven on March 15, 2012, 12:15 pm
Excellent post, I put off getting Lastpass because it seemed annoying but I think I'll give it another shot.
Title: Re: Password Security 101
Post by: JimPooley on March 15, 2012, 12:41 pm
+1

Insightful and informative!
TYVM!!!
Title: Re: Password Security 101
Post by: alpine on March 15, 2012, 05:23 pm
great info!! You're right, a lot of people will use the same password and if it gets compromised either by court order, they crack your windows password. It would be easy for LE to just enter what they know and they would get lucky. Luckily I have followed this guideline from the beginning.
Title: Re: Password Security 101
Post by: Rush Limbo on March 15, 2012, 08:03 pm
The best password is long, random, and most importantly: ONE YOU DON'T KNOW!

This is why I use KeePass for all my passwords... all are randomly generated and very long :)

Also in places that allow it, a 2 factor authentication adds additional security!
Title: Re: Password Security 101
Post by: Oldtoker on March 15, 2012, 09:01 pm
There are things that Silk Road can do to help also in protecting your passwords on their site (maybe they do, I don't know).  Probably the most effective thing they can do is put a time between password attempts.  For instance if an incorrect password is entered it will not accept another for five seconds.  This greatly increases protection against brute force attacks.  It can turn a potentially five year attack into a 2000 year attack real quick. 
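An added example (mine, not from any post in the thread) that works through the guessing-time arithmetic behind Horizons's section 02 and Oldtoker's suggestion above: worst-case time to exhaust a password space of a given length and alphabet, unthrottled versus behind "N attempts, then a lock-out" or a fixed pause after every failure. It uses exact fractions so the post's figures reproduce without rounding (10^6 numeric PIN: 33 min 20 s at 500 guesses/s; 138 days 21 h 20 min at 5 guesses/min; one more digit gives 1388 days 21 h 20 min, which is the post's "3 years, 292 days" with one leap year counted). The breakdown stops at days on purpose, so no year length is assumed.

```python
from fractions import Fraction
import math


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Entropy, in bits, of a password chosen uniformly from the space."""
    return math.log2(space)


def lockout_rate(attempts: int, lockout_seconds: int) -> Fraction:
    """Guesses per second allowed by 'N attempts, then wait T seconds' (post: 10 per 2 min)."""
    return Fraction(attempts, lockout_seconds)


def delay_rate(delay_seconds: int) -> Fraction:
    """Guesses per second allowed by a fixed pause after each failure (Oldtoker: 5 s)."""
    return Fraction(1, delay_seconds)


def seconds_to_exhaust(space: int, guesses_per_second) -> Fraction:
    """Worst case: every candidate tried. The expected case is half of this."""
    return Fraction(space) / Fraction(guesses_per_second)


def breakdown(seconds) -> dict:
    """Split a duration into whole days, hours, minutes and seconds."""
    total = int(seconds)
    days, rem = divmod(total, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    return {"days": days, "hours": hours, "minutes": minutes, "seconds": secs}


def describe(length: int, alphabet_size: int, guesses_per_second) -> str:
    """One-line summary of the worst-case search time for a given policy."""
    d = breakdown(seconds_to_exhaust(keyspace(length, alphabet_size), guesses_per_second))
    return (f"{length} chars over {alphabet_size}-symbol alphabet: "
            f"{d['days']}d {d['hours']}h {d['minutes']}m {d['seconds']}s")


if __name__ == "__main__":
    print(describe(6, 10, 500))                     # unthrottled, the post's 33m20s
    print(describe(6, 10, lockout_rate(10, 120)))   # 2-minute lock-out per 10 tries
    print(describe(7, 10, lockout_rate(10, 120)))   # one extra digit
    print(describe(6, 10, delay_rate(5)))           # 5 s pause between attempts
    # Four words from a 2048-word list (the xkcd 936 scheme) vs 8 printable ASCII chars
    print(f"{bits(2048 ** 4):.1f} bits vs {bits(95 ** 8):.1f} bits")
```

Reading the numbers: throttling buys a constant factor (500 guesses/s to 1/12 per second is a factor of 6000), while each extra character multiplies the space by the alphabet size, which is why length and a rate limit together do far more than either alone, and why an offline attack against a stolen hash (no rate limit, GPU speeds as kmfkewm notes) is the case the length has to cover on its own.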
Title: Re: Password Security 101
Post by: cloudman on March 15, 2012, 10:53 pm
I'm a newbie and will be changing all of my passwords shortly, but I always end up forgetting what they are and having to reregister.  That has already happened a number of times for SR and Tormail, I try for a secure passphrase and can never remember it.  I think I will have to break one rule and write them down and keep in a safe place.  Any suggestions for someone with horrible memory?  I am afraid to use Lastpass in fear that I will lose that lastpasswordever and be locked out of everything at once.  I know this sounds like I am just an idiot, but it is frustrating.
Title: Re: Password Security 101
Post by: Horizons on March 15, 2012, 11:00 pm
I'm a newbie and will be changing all of my passwords shortly, but I always end up forgetting what they are and having to reregister. That has already happened a number of times for SR and Tormail; I try for a secure passphrase and can never remember it. I think I will have to break one rule and write them down and keep them in a safe place. Any suggestions for someone with a horrible memory? I am afraid to use LastPass in fear that I will lose that lastpasswordever and be locked out of everything at once. I know this sounds like I am just an idiot, but it is frustrating.

You can always tattoo it on the inside of your eyelids, so whenever you need to remember it you just need to close your eyes and point a bright light at them.

Jokes aside, though, I don't know what to tell you. If you're afraid you'll forget the only password you need to remember, maybe the hash sum method is best for you. You just need to remember some simple rules instead of individual passwords, and if you forget the name of the website you want to access, you're not going to be logging in there anyway.
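Horizons' "hash sum method" is described earlier in the thread; as an added example, not Horizons' exact recipe and not code from the original post, here is one common form of such a scheme: every site password is derived from a single memorised master passphrase and the site's name, so only the master has to be remembered and a forgotten site password can be recomputed on any machine. The site-name normalisation rules, the revision counter, the PBKDF2 round count and the 20-character output length are assumptions made for this example.

```python
# Added example, not Horizons' recipe: deriving a distinct password per site from one
# master passphrase. Normalisation rules, revision counter, rounds and length are assumptions.
import base64
import hashlib
import unicodedata

ROUNDS = 200_000   # stretching: a leaked derived password must not make the master cheap to guess


def normalize_site(site):
    """Canonicalise a site name so 'https://www.Example.com/login' and 'example.com' agree."""
    site = site.strip().lower()
    for scheme in ("https://", "http://"):
        if site.startswith(scheme):
            site = site[len(scheme):]
    site = site.split("/", 1)[0]          # drop any path
    if site.startswith("www."):
        site = site[4:]
    return site


def derive_password(master, site, revision=1, length=20):
    """Deterministically derive a site password; bump revision to rotate it without changing the master."""
    master = unicodedata.normalize("NFKC", master)           # same passphrase -> same bytes on any keyboard
    label = f"{normalize_site(site)}|{revision}".encode()    # per-site salt, so sites never share output
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), label, ROUNDS, dklen=32)
    # urlsafe base64 yields letters, digits, '-' and '_': 6 bits per character, no padding kept
    return base64.urlsafe_b64encode(key).decode().rstrip("=")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed sample passphrase
    print(derive_password(master, "https://www.example.com/login"))
    print(derive_password(master, "example.com") == derive_password(master, "https://www.example.com/login"))
    print(derive_password(master, "example.com", revision=2))   # rotated password for the same site
```

The caveat that goes with any such scheme: if one site leaks your derived password and the attacker knows the scheme, they can try to guess the master offline, so the master passphrase has to carry real entropy on its own; the key stretching above only makes each of those guesses slower. Sites with awkward password rules (maximum lengths, mandatory punctuation) may also reject the derived output, which is the usual reason people end up keeping a manager anyway.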
Title: Re: Password Security 101
Post by: Regional1 on March 15, 2012, 11:49 pm
Horizons, by investing your time and writing skills into this post, you've literally made these forums a better place. I hope this is stickied.
Thank you.
Title: Re: Password Security 101
Post by: cloudman on March 16, 2012, 02:32 am
Horizons, by investing your time and writing skills into this post, you've literally made these forums a better place. I hope this is stickied.
Thank you.

+1
Title: Re: Password Security 101
Post by: Oldtoker on March 16, 2012, 11:01 am
I'm a newbie and will be changing all of my passwords shortly, but I always end up forgetting what they are and having to reregister. That has already happened a number of times for SR and Tormail; I try for a secure passphrase and can never remember it. I think I will have to break one rule and write them down and keep them in a safe place. Any suggestions for someone with a horrible memory? I am afraid to use LastPass in fear that I will lose that lastpasswordever and be locked out of everything at once. I know this sounds like I am just an idiot, but it is frustrating.

Pick phrases that you know and like. When you write it down, use only the first letters of each word. Maybe throw in an additional one that's not in your phrase, and you'll know that it doesn't belong there. Leave it on a sheet of paper with a bunch of BS notes and comments. This should be fine as long as you're not a vendor or a high-volume purchaser.

Just don't do what most normal users do: write them on a piece of paper titled "passwords" and tape it to the bottom of the keyboard. ;D
Title: Re: Password Security 101
Post by: Horizons on March 16, 2012, 11:40 am
Thanks for the support, everyone! It always feels nice to be appreciated. :)

And kmfkewm, thanks for sharing. Apparently I was way off in my guesswork. And I actually had that exact xkcd in mind when I came up with the passphrase! ;)
Title: Re: Password Security 101
Post by: Prawl42 on April 22, 2012, 03:42 pm
Horizons did a great job here, sticky needed! Password security is often overlooked but is the basis of pretty much all security-based tasks!
Title: Re: Password Security 101
Post by: mdmamail on April 22, 2012, 04:44 pm
http://keepass.info/
Or use passwordgenerator.eu and add in some extra entropy, keep them in TrueCrypt containers and paste them in here. Encrypt or clear your clipboard afterwards. The downside, of course, is forgetting your TrueCrypt password and losing everything.
Title: Re: Password Security 101
Post by: vlad1m1r on April 22, 2012, 06:29 pm
An excellent post, many thanks!

I have posted in a separate thread about using a pen-and-paper "book cipher" to secure longer passwords, the advantage being that you can write it down safely, knowing that by itself the encoded password is useless. Please bear in mind this should complement the above precautions, not replace them!

V.
Title: Re: Password Security 101
Post by: wasder on April 23, 2012, 10:54 am
Going to change my password right now and get LastPass. Thanks so much for this invaluable info.