I recently checked in with five security experts to learn about their approach to choosing and storing crack-resistant passwords. They include renowned cryptographer Bruce Schneier, who is a "security futurologist" at BT and recently joined the Electronic Frontier Foundation's board of directors; Adriel T. Desautels, CEO of Netragard, a firm that gets paid to hack large companies and then tell them how it was done; Jeremiah Grossman, founder and CTO of WhiteHat Security; Jeffrey Goldberg, "defender against the dark arts" at AgileBits, a company that develops the popular 1Password password manager; and Jeremi Gosney, a password security expert at Stricture Consulting.

Four of these experts said they use some type of password manager to ensure they have a long, complex, and unique password for most accounts they care about. Among these four, however, there was plenty of variation. Grossman, for instance, stores passwords in a plain text file that's kept on an encrypted virtual disk image, which is in turn physically kept on an encrypted USB key.

"I feel I'm more easily capable of securing something physical than something purely digital," Grossman explained. "When I need to use one, plug it in, copy-paste. Pop out the device. Done."

Unlike LastPass, KeePass, and most other dedicated managers, Grossman's home-made solution offers no way to automatically generate random passwords that meet specific site criteria, such as a maximum length or passcodes that don't contain special characters. Grossman says he prefers to generate his own passwords, usually by banging on the keyboard.

"It's a bit more cumbersome than most would want to deal with, but it works nicely for me," he said. "Random length of letters, number, symbol, cap, etc. Doesn't really matter as long as it's 'very strong' because my password storage strategy doesn't require me to remember the vast majority of them."

Goldberg, Schneier, and Gosney also said they use password managers to generate and store many of their most important passwords, but all three chose different products. Not surprisingly, Goldberg employs 1Password, which he said synchronizes passwords across all major platforms he uses. "The only exception is my FreeBSD systems, but I don't typically do Web browsing from them, and copy/pasting into an SSH window does the job for me," he said. Schneier, meanwhile, uses the PasswordSafe application he helped develop, while Gosney has recently begun using LastPass.

The only one of the security experts who eschews a password manager is Desautels, who said he prefers to remember his passwords or, when possible, use "proximity tokens" with one-time passwords to log in to his computer.

"Most services that offer password management are built on technology that is vulnerable at some level," he explained. "I don't trust the technology as it is, and certainly won't trust it with sensitive credentials if I have the choice. I use different passwords for each account. I try to make my passwords as long as possible while keeping them easy for me to remember." His longest password is 63 characters long.

Schneier said he sometimes also forgoes the benefits of a password manager in favor of passcodes that are easier to remember. He told Ars he still stands by a scheme he first laid out in 2008. It involves picking a long, memorable sentence and turning it into a password. "This little piggy went to market," for instance, might become "tlpWENT2m". In June, in a blog post responding to my password cracking feature, he offered other examples of passwords that are both memorable and hard to crack: "When I was seven, my sister threw my stuffed rabbit in the toilet" becomes "WIw7,mstmsritt..." and "Long time ago in a galaxy not far away at all" becomes "Ltime@go-inag~faaa!".

Schneier said he still stands by the advice, although he cautions people to pick their own long sentences. No doubt, the phrases and corresponding passwords he chose in his posts have already been folded into crackers' word lists, so readers shouldn't consider them strong. Schneier said he also stands by advice he published eight years ago to write passwords down on a piece of paper and store it in a wallet or other safe location.
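To make the sentence-to-password scheme and its caveat concrete, here is an added example (not code from the article, from Schneier, or from any of the password managers mentioned). The substitution and capitalization rules are one assumed rule set that happens to mirror the "piggy" example, not Schneier's actual method, and the function refuses the three sentences the article quotes because they are presumed to sit in cracking word lists.

```python
import string

# Sentences Schneier used publicly as examples (quoted in the article above).
# Per the article's caveat, anything derived from them should be treated as
# already present in cracking word lists, so the derivation refuses them.
PUBLISHED_SENTENCES = {
    "this little piggy went to market",
    "when i was seven my sister threw my stuffed rabbit in the toilet",
    "long time ago in a galaxy not far away at all",
}

# One possible rule set (an assumption, not Schneier's actual rules):
# short function words become a digit or symbol, every fourth word is kept
# whole in upper case, every other word contributes its first letter, and
# trailing punctuation is preserved.
SUBSTITUTIONS = {"to": "2", "for": "4", "at": "@", "and": "&"}


def normalize(sentence):
    """Lower-case and drop punctuation so minor variants still match."""
    cleaned = "".join(ch for ch in sentence.lower() if ch not in string.punctuation)
    return " ".join(cleaned.split())


def is_published_example(sentence):
    return normalize(sentence) in PUBLISHED_SENTENCES


def sentence_to_password(sentence, min_words=7, min_len=12):
    """Derive a password from a memorable sentence, rejecting weak inputs."""
    if is_published_example(sentence):
        raise ValueError("sentence was published as an example; pick your own")
    words = sentence.split()
    if len(words) < min_words:
        raise ValueError(f"use at least {min_words} words")
    parts = []
    for i, word in enumerate(words):
        core = word.strip(string.punctuation)
        trailing = word[len(word.rstrip(string.punctuation)):]
        if not core:
            continue
        key = core.lower()
        if key in SUBSTITUTIONS:
            parts.append(SUBSTITUTIONS[key])
        elif i % 4 == 3:
            parts.append(core.upper())
        else:
            parts.append(core[0])
        parts.append(trailing)
    password = "".join(parts)
    if len(password) < min_len:
        raise ValueError("derived password too short; choose a longer sentence")
    return password
```

The sample sentences in the test are constructed for illustration; any sentence you actually use should be one you made up yourself and have never posted anywhere.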