21 January 2024

Change Passwords Regularly - A Myth And A Lie, Don'T Be Fooled, Part 2

In the previous blog post, I have covered the different passwords you have to protect, the attackers and attack methods. Now let's look at how we want to solve the issue.

Password requirements

So far we have learned we have to use long, complex, true random passwords. In theory, this is easy.
Now, this is my password advice for 2014:

Password character classes
Use upper-lower-digit-special characters in general cases.
If you don't understand what I just write, choose from this:
qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789-=[];'\,./<>?:"|{}_+!@#$%^&* ()`~
If you are a CISO, and say: use 3 out of 4 character class, everyone will use Password12 or Welcome12 as their password (after the 12th enforced password change).

Password length
This is basically the only thing which changes whether the password is in the very high/high/medium/low level. Check the previous blog post for the details about very high/high/medium/low level.

Password length: Very high level class (including work-related/enterprise passwords)
15 character (or 20 if you are really paranoid). Making true random passwords longer than 20 characters usually does not make any sense, even in high security scenarios (e.g. military, spy agencies, etc.). 15 character in Windows environment is a right choice, as LM hash is incompatible with 15 character passwords, thus one (effective) attack won't work. Beware, there might be bugs with using 15 character passwords, with a low probability.

Password length: High-level class
12 character, upper-lower-special characters

Password length: Medium class
10 character, upper-lower-special characters, still TRUE random

Password length: Low-level class
9 character. Why less?

Pin codes
Always choose the longest provided, but a maximum of 8. Usually, more is pretty impractical.

Password randomness
True random, generated by a (local) computer. Avoid Debian. Avoid random generated by your brain. Do not use l33tsp33k. Do not append or prepend the current month, season or year to a word. Do not use Star Wars/Star Trek/(your favorite movie/series here) characters or terminology. In general, avoid any pattern like the above ones. The chances that a true random password generator generates SkyWalker12 is very-very low. And believe me, it is not that hard to crack those. Every algorithm that you would come up with; the bad guys have already thought of it. Use true random. Let the computer do it for you. See details later in this post.

Password history
Never-ever reuse passwords. NEVER!

Password change period
If it is not enforced otherwise, don't bother to change it twice in a year. But! Check if the password cracking speed made your current ones obsolete. If yes, change the obsolete passwords. Immediately change the password if you have been notified that the service you use has been compromised. Immediately change all of your recently used passwords if you suspect malware was running on your computer (do this on a known clean computer). Immediately change your password if you have used it on a computer you don't own, or there is a small chance malware is running on it. Change it if you really had to give your password to someone. Otherwise, goodbye regular password change. We will miss you...

If you are a CISO, and writing security policies, you should have to enforce the password change period based on: do you allow LM hashes? What is the password length requirement for users and administrators? What is the current hash cracking speed, and the forecast for the next 2 years? I think people would be happy to increase their passwords with 1-2 characters, if they are not forced to change it frequently (e.g. every month).
Now after I was sooo smart giving advises people still hate to implement, let's see the practical implementations. At least some people might like me, because I told them not to change the passwords regularly. Next time someone tells you to change all your important passwords regularly, put a lie detector on him, and check if he changes all of his passwords regularly. If he lies, feel free to use the wrench algorithm to crack his passwords. If he was not lying, call 911, to put a straitjacket on him. Only insane paranoid people do that in reality. Others are just too scared to say "what everyone recommended so far is bullshit". Comments are welcome ;) Other people might hate me for telling them using true random passwords. Don't panic, keep reading.
And don't forget to use 2 factor authentication. It might seem a bit of an overkill at the beginning, but after months, you won't notice using it.

(Bad and good) solutions

I will use the same password everywhere

This is a pretty bad idea. If one of the passwords are compromised, either the attackers can access your other sites, or you have to change all of your passwords. There are better ways to spend your life on earth than changing all of your passwords.

I will remember it

Good luck remembering 250 different, complex passwords. Don't forget to change them regularly! ;)

I will use the password recovery all the time

Not a very user-friendly solution. And because the security answer has to be as complicated as the password itself, the problem has not been solved.

I will write it down into my super-secret notebook and put it in my drawer

Although it might work in some cases, it won't work in others. I don't recommend it.





I will use an algorithm, like a base password, and add the websites first letters to the end of the password

Still better than using the same password everywhere, but believe me, if this is a targeted attack, it is not that hard to guess your password generation algorithm.

I will use the advice from XKCD, and use the password correcthorsebatterystaple

Still a lot better than simple passwords, but unfortunately, people are still bad at choosing random words with random order, so it is not the best solution. And again, you can't memorize 250 different passwords ... Even 10 is impossible. Only use this method in special corner cases (see details later), and use a passphrase generator!

I will use a password manager

This is the very first good idea. It solves the problem of remembering 250 different complex and random passwords. Some people might complain about using a password manager, here are those complaints. And my answers:

If someone gets access to this one password store, all is lost.
Answer: If someone accessed your password store, and the master password, you can be pretty damn sure that most of your passwords are already stolen. For extra paranoids, you can use multiple password stores, one for daily use, one for rare cases. Beware not to forget the password for the second one ;)

What if I don't have access to the password store when I need it?
Answer: In the age of cheap notebooks, tablets, and smartphones, in 99% of the cases you should not use that important password on any other device than yours. In the rare cases when you must, you can use either your smartphone to get the password, or use a browser extension like Password hasher to generate different passwords to different websites, with one password. For extra paranoids, you can have different master passwords for the different security levels. And don't forget to change the password after you are back at your own computer.

What if I forgot the one password to the password store?
Answer: If you use your password manager daily, it has the same odds to forget that one password as it is to forget every one of your passwords.

Password managers make phishing attacks easier.
Answer: Who started this nonsense? Good password managers decrease the risk of phishing.

Password managers have the same vulnerabilities as other websites or software.
Answer: Well, this is partially true. There are at least 3 types of password managers, from most secure to least: offline, browser built-in, online. Online password managers give better user experience, with a sacrifice in security. But if you choose one of the leading password managers, and you are a simple home user, the risks are negligible. If you try to store your work password in an online password store, you might violate your internal security policy. For paranoids, use offline password managers, and back them up regularly. If you choose an online password manager, at least use 2-factor authentication. And don't forget, your Chrome password can be easily synchronized to the cloud, shifting it to the online category.

In some cases, like Full Disc Encryption, OS login, smartphone login, or password manager login, the auto-type of password from the password manager is not available, thus choosing a true random password is a pain in the a$$.
Answer: True. Generate pronounceable passwords or passphrases in these corner cases, e.g. with the Linux tool apg you can generate pronounceable passwords. For easy and fast type, don't use capital letters (only lower-alpha - digit - special) in the original password, but increase the length of the password. Add 1 extra character because you don't use upper case letters, add 3 other because it is a pronounceable password, and you are good to go. For extra paranoids change one or two of the letters to uppercase where it is convenient. 
apg -M SNL -m 15 is your friend.
If you want to check what I write here (always a good idea), test the entropy of a true random 10 character password with all character classes, and check it with 14 characters, without uppercase. I recommend KeePass for that. If you comment on this that "Keepass can not measure that it is a pronounceable password, thus the entropy is lower in reality", my answer is: "Check out the current passwords used by users, and current password advises, and tell me if this password is a lot better or not ..." . You have been warned.
 

For the high-level password class, I don't recommend anything your brain generated. There are also suitable offline passphrase generators. Use at least 5-6 words for passphrases.

Password managers are not user-friendly, it takes more time to log in.
Answer: If you set auto-type/auto-fill, and the password manager is opened once a day (and you lock your computer when you leave it), in this case, logging in takes less time than typing it! It is more convenient to use it, rather than typing the passwords every time.

I like to create new unique passwords every time I create a new account, and password managers take the fun away from it.
Answer: Said no one, ever! "38 percent of people think it sounds more appealing to tackle household chores – from folding the laundry to scrubbing toilets – than to try and come up with another new user name or password."

To summarize things. Use a password manager.

General advise

Never use your essential passwords on other computers. They might be infected with a password stealer. If you really have to use it, change the password as soon as possible on a trusted (your) computer.

Don't fool yourself by phishing sites. If you go to the local flea market, and there is a strange looking guy with "Superbank deposit here" logo above his head, will you put your money?

Protect yourself against malware. Use a recent operating system, and even if you use OSX or Linux, it is not a bad thing to have an AV as a "last line of defense". Or to check your pendrive for Windows USB worms.

Never-ever use online web sites to "generate your password", "measure the complexity of your password" or "check if it has been breached". Never! (Except if it is your password manager :) ... )

Update: Sign up on the https://haveibeenpwned.com/ for notification if your e-mail is found in a leak.

Changing passwords frequently is bad advice. It is not effective. Put more energy in other right password advise. 

More info


  1. Hacker Tools Free
  2. Black Hat Hacker Tools
  3. Hacking Tools Pc
  4. Ethical Hacker Tools
  5. Pentest Tools Website Vulnerability
  6. Hacking Tools For Windows 7
  7. Computer Hacker
  8. Hack Tools For Windows
  9. New Hack Tools
  10. Kik Hack Tools
  11. Hacking App
  12. Hacker Tools Apk
  13. Hacking Tools For Windows 7
  14. Hacker Tool Kit
  15. Hacking Tools Download
  16. Pentest Tools Port Scanner
  17. Hacking Tools Download
  18. New Hacker Tools
  19. Hacker Tools
  20. Pentest Tools Alternative
  21. Hacker Security Tools
  22. Hacking Tools Hardware
  23. Hacking Tools Online
  24. Blackhat Hacker Tools
  25. Beginner Hacker Tools
  26. Pentest Tools Port Scanner
  27. Hack And Tools
  28. Hack Tools
  29. Bluetooth Hacking Tools Kali
  30. Hackrf Tools
  31. Pentest Tools Linux
  32. Hackrf Tools
  33. Hack Tools 2019
  34. Tools Used For Hacking
  35. Pentest Tools Download
  36. Hack Tools For Games
  37. Easy Hack Tools
  38. Pentest Tools For Ubuntu
  39. Hack Tools Github
  40. Tools For Hacker
  41. Hacking Tools
  42. Free Pentest Tools For Windows
  43. Nsa Hacker Tools
  44. Pentest Tools Alternative
  45. Hacks And Tools
  46. Pentest Tools Port Scanner
  47. Pentest Tools Find Subdomains
  48. Hacker Tools For Pc
  49. Hacking Tools
  50. How To Make Hacking Tools
  51. Pentest Tools Framework
  52. Black Hat Hacker Tools
  53. World No 1 Hacker Software
  54. Pentest Tools Android
  55. Underground Hacker Sites
  56. Hacker Tools Apk
  57. Hacking Tools Software
  58. Pentest Tools For Mac
  59. Hacking Tools For Windows Free Download
  60. Hacking Tools Windows 10
  61. Pentest Tools Open Source
  62. Hacker Search Tools
  63. Hack Tools For Games
  64. Hacking App
  65. World No 1 Hacker Software
  66. Hack Tools Github
  67. Install Pentest Tools Ubuntu
  68. Hack Tools For Games
  69. Android Hack Tools Github
  70. Hack Rom Tools
  71. Tools 4 Hack
  72. Hacker Tools Apk Download
  73. Hacking Tools Software
  74. Hack Tools Pc
  75. Hack Tools
  76. How To Hack
  77. Physical Pentest Tools
  78. Hacker Tools 2020
  79. Hacking Apps
  80. Pentest Recon Tools
  81. New Hacker Tools
  82. How To Install Pentest Tools In Ubuntu
  83. Free Pentest Tools For Windows
  84. Hacker Tools
  85. Nsa Hack Tools
  86. Pentest Tools Windows
  87. Black Hat Hacker Tools
  88. Hacking Tools Windows
  89. Pentest Tools Apk
  90. Android Hack Tools Github
  91. Wifi Hacker Tools For Windows
  92. Pentest Tools For Ubuntu
  93. Bluetooth Hacking Tools Kali
  94. Pentest Tools Kali Linux
  95. Hacker
  96. Beginner Hacker Tools
  97. How To Install Pentest Tools In Ubuntu
  98. Blackhat Hacker Tools
  99. Hack Tool Apk
  100. Pentest Automation Tools
  101. Hack Tools Online
  102. Beginner Hacker Tools
  103. Nsa Hack Tools
  104. Hack Tools 2019
  105. Hacking Tools Usb
  106. Hacking Tools For Beginners
  107. Hacking Apps
  108. Hack Tools Download
  109. Nsa Hacker Tools
  110. How To Hack
  111. Pentest Tools Free
  112. Hacking Tools For Windows
  113. Hacking Tools For Windows 7
  114. Hacking Tools Online
  115. Hacking Apps
  116. Pentest Tools Alternative
  117. Hacking Tools Kit
  118. Hack Apps
  119. Computer Hacker
  120. Hacker Tools Apk
  121. Hack Tools For Ubuntu
  122. Pentest Tools Android
  123. Free Pentest Tools For Windows
  124. How To Install Pentest Tools In Ubuntu
  125. Hack App
  126. Hacker Tools 2019
  127. Hacking Tools Mac
  128. How To Hack
  129. Termux Hacking Tools 2019
  130. Tools For Hacker
  131. Hacks And Tools
  132. Hacker Tools Hardware
  133. New Hack Tools
  134. Pentest Box Tools Download
  135. Hacker Tools Apk
  136. Hacker Tools For Pc
  137. Hacking Tools Hardware
  138. Hak5 Tools
  139. Hacker Tools For Windows
  140. Hacking Tools And Software
  141. Nsa Hack Tools
  142. Hack App
  143. Hacking Tools And Software
  144. Hacking Tools Windows 10
  145. Hak5 Tools
  146. Hacker Tools
  147. Hacking Tools Kit
  148. Game Hacking
  149. Hacking Tools Free Download
  150. Hacking Tools Mac
  151. Hacking Tools For Games
  152. Pentest Tools Framework
  153. Hack Tool Apk
  154. Hacker Tools Hardware
  155. Hacker Hardware Tools
  156. Hacker Tools Hardware
  157. Hacker Hardware Tools
  158. Hacker Tools 2020
  159. Computer Hacker
  160. Hacker Tools For Pc
  161. Pentest Tools Online
  162. Hack Apps
  163. Hacker Tools Mac
  164. Black Hat Hacker Tools
  165. Easy Hack Tools
  166. Hacking Tools Hardware
  167. Hacking Tools Name
  168. Hacking Tools For Beginners
  169. Computer Hacker
  170. Tools 4 Hack
  171. Hacker Tools Apk Download
  172. What Are Hacking Tools
  173. Hacker Tool Kit
  174. Install Pentest Tools Ubuntu

No comments:

Post a Comment