If you have come to the same conclusion that I have and you need strong random passwords on all your accounts, how will you manage all of them? You know you shouldn’t write them down or keep them in a plain text file, so what to do? Thankfully there are several password management solutions out there, from online solutions to stand-alone offline solutions.

The main difference between the two types systems is if you want access to your passwords online (and do you trust a vendor with all your passwords).

• LastPass has a both a offline and online solution for your password management needs.
• 1Password is the other top password management tool competing against LastPass. They only have an offline solution.

My personal favorite though is KeePass as it is open source software, free, and cross platform. LastPass and 1Password are cross platform as well, but they are proprietary closed source solutions. Any of these options will work fine for the majority of use cases, so don’t spent too much time debating which one to go with. Just remember to use a strong password to gain access to all your other passwords!

I highly recommend having random passwords for every site you have a account on. If you can’t do that, then at least have different passwords for accounts that have payment related information in them. Why? If an attacker got access to your account,then they just got access to all your other accounts as well!

Below are two tips that I found online that don’t make complete sense to me and they highlight how random passwords are solution.

Once you have a strong base password, you can use it to create individual passwords for each of your online accounts. Simply add the first three letters of the service, e.g. “E1d_1D!4Y:)GMa” for your GMail account or “E1d_1D!4Y:)eBa” for eBay.

Assuming the attacker got access to one of your passwords, and they noticed the pattern, they can easily pivot to your other accounts using this password “strategy”.

Choose two short words and concatenate them together with a punctuation or symbol character between the words. eg. “seat%tree”

GPU based password cracking will breeze through this type of password. Sure it is easy to remember, but this password “strategy” gets you nowhere.

Several websites state that having a password length of 8 is good enough, but that number was based off of current CPU technology at the time and the time required to to use those CPUs to break them. Graphic cards have been taking over the password cracking scene for a several years now, as password computations (for certain algorithms) are well suited for GPUs over CPUs which can result in several billion password computation/cracks per second!

So why did I recommend a minimum password length of 12 if permitted? Based upon the above information aren’t we screwed? I think it is good enough for now as it is much better than a length of 8 where an attacker can brute force that key space in a couple hours to days depending on the GPU and algorithm used for the password. And a required step to the above scenario is that they have your encrypted password, which would likely come from them hacking into a website and they downloaded all the customer data.

What are your thoughts on password lengths? Is it something you worry about? Do you have a better strategy?

For additional reading on password cracking, Dan Goodin from Ars Technica has a couple good articles on the subject:

• Why passwords have never been weaker—and crackers have never been stronger – Aug 2012
• Oh great: New attack makes some password cracking faster, easier than ever – Dec 2012
• Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” – May 2013

As passwords are your keys to many digital things, you probably want to ensure that it is reasonable secure and strong right? There is a lot of advice out there when it comes to creating a strong password, and while most of it is good, some of the recommendations should not be listened.

Part of my responsibilities as a penetration tester was to see if one could determine a user’s password through means like brute forcing. Through those experiences, I’ve gotten insight into what password strategies work against current techniques attackers use.

So how do you create a strong password? Here are four simple tips to secure your digital accounts.

1. A minimum password length of 12 if permitted
2. Have a mixture of uppercase and lowercase letters, numbers, and special characters
3. Use a random password generator to generate the above
   
4. Use a password manager to store all your strong passwords and make sure you use a strong password on your vault as well!

In the next post series, I will explain how I came up with these tips and why you should follow them.