2012-06-06

Password policy

In light of today's supposed LinkedIn breach, it seems like an appropriate time to finally write up my password policy.

Many people have cottoned on to the idea that having the same password on different sites is a bad idea. There are various technical solutions to this, such as generating a site-specific password. I, however, believe these schemes to be too inconvenient; they require you to always have access to the site or tool, and don't work well in public places.

What we're really trying to do here is:

  1. Have different passwords on different sites.
  2. Have passwords that are (very) hard to guess.
  3. Be as lazy as possible.

What the first means is: If an attacker is given my password for a specific site, they can't easily derive the password for any other site. I am willing to risk the chance of them retrieving the password for multiple sites.

My proposal is to have a way to generate secure, site-specific passwords in one's head:

  1. Remember an excessively long password.
  2. Come up with some way to obscure the site name.
  3. Put the obscured site name in the middle of your long password, and use that password for the site.

That is:

  1. Remember an excessively long password: 14 characters is a good start. (My) pwgen can help you come up with suggestions. Note that this password doesn't need to be full of capitals, numbers or symbols; the sheer length makes it secure. "c8physeVetersb" is around a thousand times "more secure" (higher entropy) than "A0Tv|6&m".
  2. Come up with a set of rules to obscure the site name: For example, take the "letter in the alphabet after the first character of the site name", and "the last character of the site name, in upper case". e.g. for "amazon", the obscured version of the site name would be "bN".
  3. Mix them together: e.g. I'm going to insert the first bit, 'b', after the 'V', and the second bit, 'N', after the last 's', giving me "c8physeVbetersNb".
  4. Use this password on Amazon.
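The derivation above, written out as an added Python example (not code from the original post). It implements the two obscuring rules exactly as stated (the letter after the first character of the site name, and the last character in upper case), inserts them after the first 'V' and after the last 's' of the base password, and includes a rough entropy estimate of the kind step 1 refers to. The wrap-around from 'z' to 'a', the handling of site names that start with a digit, and the character-class entropy model are my assumptions, not the post's.

```python
import math
import string

# Constructed example values taken from the post.
BASE_PASSWORD = "c8physeVetersb"


def obscure_site(site: str) -> tuple[str, str]:
    """Apply the post's two rules to a site name.

    Rule 1: the letter in the alphabet after the first character.
    Rule 2: the last character, in upper case.
    """
    site = site.lower()
    if not site:
        raise ValueError("site name must not be empty")
    first = site[0]
    if first in string.ascii_lowercase:
        # Assumption: 'z' wraps around to 'a'; the post does not say.
        after = "a" if first == "z" else chr(ord(first) + 1)
    else:
        # Assumption: a leading digit or other character is kept as-is.
        after = first
    return after, site[-1].upper()


def derive(base: str, site: str, first_anchor: str = "V", second_anchor: str = "s") -> str:
    """Insert rule-1 output after the first `first_anchor` in `base` and
    rule-2 output after the last `second_anchor` (the post's example
    uses 'V' and 's')."""
    part1, part2 = obscure_site(site)
    i = base.index(first_anchor) + 1
    out = base[:i] + part1 + base[i:]
    j = out.rindex(second_anchor) + 1
    return out[:j] + part2 + out[j:]


def entropy_bits(password: str) -> float:
    """Rough entropy estimate: the alphabet size is inferred from the
    character classes present, and every position is assumed to be drawn
    uniformly from it (an assumption, and an upper bound for real passwords)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size)


if __name__ == "__main__":
    for site in ("amazon", "linkedin", "zoo"):
        print(site, obscure_site(site), derive(BASE_PASSWORD, site))
    print("bits:", round(entropy_bits(BASE_PASSWORD), 1), round(entropy_bits("A0Tv|6&m"), 1))
```

For "amazon" the function returns "c8physeVbetersNb", matching the steps in the list above. The entropy figure is only a ceiling: it assumes the base password really was generated uniformly at random, which is why the post points at pwgen rather than at picking words by hand.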

Even if Amazon are broken into, all the attacker will get (after many CPU-decades of password cracking) is "c8physeVbetersNb", which, even if they know you're using this password scheme (but not the details of your transformation), doesn't tell them anything about your password on any other site.

All you have to do is remember the alphabet (uh oh).


I additionally recommend:

  • Sticking to alphanumerics (a-z, A-Z and 0-9); lots of sites have issues with other characters. Even big ones. Even if they seem to work first time. Please, guys, stop failing at this.
  • Sticking to 16 characters or shorter. Many websites are arbitrarily limited around here. Please, guys, stop doing this: It makes it look like you're not storing your passwords properly.
  • Having most of the security near the start of the password, so that when you encounter a bank website that limits you to eight characters, you can just drop the end without losing all of your security. Not even going to comment on this.
  • Keeping a list of sites you have accounts on, so you can change all the passwords at the same time, if you ever want to change scheme again.
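The four recommendations above as a checker, added here as an example and not part of the original post. Given the base password and a derived site password, it reports whether the derived one is alphanumeric, whether it fits the 16-character cap, and whether the site-specific characters all sit inside the first eight characters (so that the "drop the end" fallback keeps them). The insertion positions are recovered by a greedy alignment that assumes the derived password is the base with characters inserted and nothing removed; the limits of 16 and 8 come from the post, the greedy alignment and the problem codes are mine.

```python
import string

MAX_LEN = 16      # "Sticking to 16 characters or shorter"
SHORT_LIMIT = 8   # the eight-character bank website case

ALNUM = set(string.ascii_letters + string.digits)


def inserted_positions(base: str, derived: str) -> list[int]:
    """Return the indexes in `derived` that are not part of `base`.

    Greedy left-to-right alignment; assumes `derived` is `base` plus
    inserted characters. When an inserted character equals the next base
    character the attribution is ambiguous, but the count is still right.
    """
    positions, bi = [], 0
    for di, ch in enumerate(derived):
        if bi < len(base) and base[bi] == ch:
            bi += 1
        else:
            positions.append(di)
    if bi != len(base):
        raise ValueError("derived password is not the base plus insertions")
    return positions


def check_password(base: str, derived: str) -> list[str]:
    """Return problem codes; an empty list means all recommendations hold."""
    problems = []
    if not set(derived) <= ALNUM:
        problems.append("non_alphanumeric")
    if len(derived) > MAX_LEN:
        problems.append("too_long")
    # Front-loaded security: every site-specific character must survive
    # truncation to SHORT_LIMIT, otherwise the short form is a shared prefix.
    if any(pos >= SHORT_LIMIT for pos in inserted_positions(base, derived)):
        problems.append("not_front_loaded")
    return problems


if __name__ == "__main__":
    base = "c8physeVetersb"
    # Constructed examples: the post's Amazon password, and a front-loaded variant.
    for derived in ("c8physeVbetersNb", "cb8pNhyseVetersb", "c8phys!eVetersbNbXY"):
        print(derived, inserted_positions(base, derived), check_password(base, derived))
```

Run on the post's own Amazon example the checker reports "not_front_loaded": the inserts land at positions 8 and 14, so an eight-character truncation would reduce it to the shared prefix "c8physeV". Moving the anchors towards the front of the base password (the second constructed example) clears that.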



Read more of Faux' blog