Password Security Hints and Suggestions
What does everyone need to know about passwords?
This document was updated on Sunday, November 1, 2020. Please keep
in mind that, while the principled thinking is believed to be
reasonably applicable at the time of writing, any analysis about
tactics and technology is likely to be vulnerable to changes over
time, so if it's been "a long time" since the document was updated,
you'll probably want to do some google searches and see what other
suggestions and thinking is out there to make sure the approaches
still make sense.
The unfortunate reality is that passwords are pretty terrible for protecting security.
Anyone who's active on the Internet is going to have a lot of
passwords. The thing to remember is, system operators and services
use passwords because passwords are inexpensive to deploy, and pretty
convenient. It's not because passwords provide good quality
protection. Remember, a password is just a piece of information --
"some secret you know." If someone else knows it, it's not really all
that safe. In fact, a password can only be as safe as an idea can be. Once
anyone uses it, shares it, or even writes it down, there's a potential
for the password to be copied in an unauthorized manner and misused --
the hard, cold reality is that any secret can leak.
The underlying weakness of passwords isn't limited to leakage by
malice or mistake: passwords can also be guessed by attackers. One
way attackers guess passwords is to use really big dictionaries and
special software to handle easily guessed variations on those
dictionaries. Even well-trained, smart people are likely to
end up choosing really bad passwords when they create passwords by
hand. In some security-conscious environments, I've still
seen "password1", "abcdef", or "summer2018". Password attackers have
figured out that password selection is really weak, and have built a
lot of good mathematical models to predict those weaker
passwords.
Another method is to use "brute force" or "rainbow" style attacks
-- where an attacker iterates across every possible combination of
characters within a certain length. Computers can easily guess
17,000,000 keys per second using a consumer grade, "gaming
ready" computer one might find at the local electronics store (the
kind of computer that parents might buy their kids today). Password
cracking computers don't take the budget of the NSA or a nation-state
anymore -- and, when they need a lot of computing power, criminals
steal computing time by infecting computers with malware, and have
even been known to rent high speed computing by the hour with a
(stolen) credit card and a working email address.
But attacks aren't the only threat we have to address. People still
have to be able to type and access (and in many cases remember) any
passwords they need to use.
Making passwords have the "right amount" of complexity is kind of
a big deal.
High quality passwords are quite difficult to create, manage,
remember, and protect. And even if someone does it well today,
password assignment still needs to be revisited periodically because
the situation and the assumptions underlying those assignments
change. Remember that hacking dictionaries and techniques get better
over time, and the technology (such as that being used for attacking
passwords) improves pretty substantially (capabilities might actually
double approximately every 18 months, following Moore's
Law).
What makes it worse is that we're always going to be balancing
trade-offs between USABILITY and SECURITY-ASSURANCE. The harder a
password is to break/steal, the more likely it is to be forgotten
unless precautions are taken, and the more likely it is to have errors
when used. And the easier it is to remember and type, the more likely
it is to be vulnerable to even relatively unsophisticated attackers
who are able to arm themselves with a rapidly expanding array of
technological capabilities and have weaponized statistically informed
models that can predict how people choose passwords. This is why real
randomness, with a wide statistical aggregate distribution, is the
best solution. Sadly, this becomes pretty complex and difficult to
think about... but it explains why passwords aren't very good for
protecting security.
Most people don't choose fully random passwords -- they usually
have some kind of logical pattern to it, which can end up giving a big
shortcut to a password attacker.
Magic Wands and Silver Bullets for this password conundrum: how can anyone be safe?
Anyone who tells you they have a complete, usable, useful answer to
the password problem probably also has a bridge to sell
you.
In reality, passwords can only function as part of a mature,
intelligent approach to protecting authentication. There are almost
certainly other elements that are going to be required, and some of
those protections are going to be non-technological.
For instance, user and administrator training can maintain awareness
of how our practices put ourselves and others at risk. Good passwords
don't do any good without having an audit/logging/review and response
capability, to deal with problems when mistakes are made. But beyond
that, we probably need to be looking at how to use "Multi factor"
authentication -- a password PLUS something else. This combination,
offhand, seems to be the best path forward, but it's inconvenient and
still has significant implementation challenges that need to be
understood and addressed.
Most security problems can be considered across a handful of
stages of problem resolution:
- Identify the threat landscape, the nature of the vulnerabilities
you're facing, the degree of risk that environment poses, and your
readiness and willingness to accept the probability and impact of an
adverse event occurring.
- Protect yourself from the vulnerabilities and threats by
implementing protections in technology, process/procedure, and
awareness. Invest in as much protection as you're willing to spend
on, based on a recognition of diminishing returns and the reality that
the overall risk will never get down to zero.
- Detect problems by monitoring behaviors. There has been a shift
in the strategic thinking for information security. Given the speed
of change and the complexity of systems, there's a very high
probability that -- regardless of how well we work on protection,
we're still going to have occasional security problems despite our
best efforts. By instrumenting and working on detection, we have the
capability to limit the overall impact and damage of a security
breach.
- Respond to detected problems with a well-considered plan to
address the hazards in a manner that will contain or mitigate damage
down to an acceptable level.
- Recover by knowing how to approach fixing whatever ends up broken
as a result of the adverse event. Learn from what happened and work to
improve your identification, protection, detection, responses, and
recovery for next time... because there will be a next time.
Ultimately, it's not just the IT department or your service
provider that needs to be involved in finding solutions: there are too
many behaviors outside their control (including a bunch of behaviors
that are ultimately user behaviors). By taking on this
"Identify-Protect-Detect-Respond-Recover" mentality, and learning
what role you as an individual play in this process, we can
build more successful solutions. Ultimately, achieving a state of
well-managed security will have to include you and the collaboration
and cooperation of others.
BONUS: are passwords the only thing I have to worry about?
Any information or data you care about -- and that list of data is
probably a lot bigger than just your passwords, bank account numbers,
and baby/wedding photos -- will probably benefit from periodically
undergoing some real, deliberative scrutiny. The process of thinking
about the security of your data (which reflects the degree to which
confidentiality, integrity, and availability are being protected from
adverse impacts) doesn't change, though some of the questions we
detail below might need a little tweaking to hit your exact use cases.
Just a little something else to think about.
What is WDY Enterprises doing to support its users?
WDY Enterprises, LLC does have a series of security controls in
place that help to protect your hosted accounts. While we don't
document the extent of our security implementation on public web pages
(and don't disclose all of the details, even in private to customers),
we do have a number of things which are pretty clear and evident:
- All authentication channels offer encryption so that your
credentials can have some protection in transit. HOWEVER, users do
have the option to use unencrypted POP3, unencrypted IMAP, or
unencrypted SMTP/Submit (which is provided for backward compatibility
for older computers). Webmail is not offered without encryption.
- Even so, WDY Enterprises authentication still has several
technical limitations stemming from how we interface with users. For
instance, passwords have both maximum and minimum lengths (customers
can contact our support apparatus to discuss current limits, because
we do update things occasionally). And we explicitly and deliberately
won't stop you from picking a bad password, if that's what you want to
do (if your choices are likely to affect the security or stability of
our services, we'll step in, but not before).
- We do monitor open intelligence sources to look for evidence of
compromised user accounts that can link to users' email addresses. On
a best-effort basis, we will check and will notify you of any such
discovery by an automated email message. As of this writing, we limit
users to no more than one email alert per week.
- The system has a number of techniques to limit the effectiveness
and speed of brute force attacks, but we recognize (and so should you)
that this is just a delaying tactic. No general defense can be 100%
effective against well-resourced, well-planned, and well-executed
attacks -- especially when the underlying asset and strength of
protection is ultimately controlled by the user and when,
unfortunately, the most common attacks are based on leveraging users'
inattention or misunderstanding.
- We do provide awareness materials online, like you're reading
now, and our support capability can help educate our customers when
opportunities arise and circumstances permit.
- WDY Enterprises, LLC believes in self-determination and user
empowerment. Ultimately, we think customers will be dissatisfied if
we become unnecessarily heavy-handed with security requirements.
Adding additional technical security implementations comes at a cost
and the degree of net positive return is very unclear. Fundamentally,
password management is a user "security hygiene" problem. Behaviors
need to be regulated and evaluated by you, the user, to really be
effective.
Password practices we try to follow, when passwords are necessary
- What are the alternatives to using passwords in a given context?
Sometimes, you need a password because it's the only kind of mechanism
you can apply... other times, it's too expensive or complex to do
something else. If there aren't alternatives, is this a risk that you
either need--or ultimately want--to accept? If there are
alternatives, what are the costs and benefits? What are the
advantages and disadvantages? What choice is right for you?
- Use a unique, high entropy password for every single service you
access online, based on pushing up toward the technical limits of what
you can use. Re-use of any password--even a great one--at multiple
sites or services significantly increases the risk that it will be
captured or lost and find its way into the hands of nefarious
elements.
- Use strong passwords that mix upper and lower case letters,
numbers, and symbols. The full
ASCII alphabet of printable characters has only 95 possible values, so
the number of password combinations is 95 raised to the power of the
length of the password you choose. At the time of this
writing, Internet-facing passwords probably need to be at least 17
characters long to avoid being "completely trivial." It has
ceased to be possible to have a high assurance authentication process
that relies solely on passwords.
- In our view, the current best practice is to use high quality,
password generating software and to store the password in a
software-based password vault that allows you to not have to type in
every password every time you need it. This generates long, complex,
random strings and helps to facilitate understanding exactly how
strong a password is before it gets relied upon to protect
anything.
- No matter how you choose passwords, it's really a good idea to use
and manage some kind of "password vault," in a manner consistent with
your level of risk tolerance to losing control or access to everything
the vault references. The key characteristics of a good vault are its
safety from loss or destruction, the ability to control access to the
vault, and the accuracy and completeness of the password data you
maintain.
- It's okay to use a notebook as a password vault, for instance.
It's low tech, but that's not fundamentally a problem... just look at
the characteristics of a good vault and make sure you're addressing
those three characteristics sufficiently for your personal appetite
for risk. Just be aware that you still have to manage the complexity
problem of how you enter, manage, and make backups of your passwords,
if you keep them on paper.
- It's also okay to use a digital password vault program (the
question is whether it mitigates the right risks for you, though, and
whether it introduces new risks that require additional effort to
control). There are some instant gotchas you need to work to avoid
with a software based password vault -- because it's electronic, it's
much easier to lose a copy somehow, so we do recommend that you ensure
it's an encrypted password vault, using a mathematically strong form of
software-based cryptography... which will almost certainly exclude
office suite programs (word processors, text editors, and
spreadsheets).
- It's probably even okay to use a digital password vault service,
where your passwords are stored in an online "cloud-based" service, at
least as long as you understand the risks and the rewards and are
comfortable with how it works and how it might fail. A password vault
service needs to be reviewed in all of the same ways as a
password vault program, and in addition you must consider the degree of
security within the service and how the service is designed and
implemented to ensure your stuff doesn't end up in someone else's
hands. The cryptographic issues are more complex and will require
further work to understand fully. That doesn't mean that a service
can't work... but it does mean you have due diligence to
do.
- Ask yourself the following questions about passwords and password
vaults, and be sure you're comfortable with your answers and the
consequences of those answers. Keep in mind that, ultimately, you're
probably going to end up having to extend some degree of trust. It's
up to you to decide how much trust you're willing to extend, what the
advantages and disadvantages are, how might things go awry, how likely
is that, and what will the results look like.
- What are the ways I might lose access to or control of my password
or password vault? Are there particular kinds of risks I need to
think about being able to recover from, or special forms of
vulnerability I need to address, e.g. "forgetting" or "misplacing" or
"destruction due to fire/water damage"?
- Who and what will have access to my passwords? What assurances do
I have that any of those people or things are not going to introduce
confidentiality, integrity, or availability problems with my password
data?
- What happens if I lose a password or password vault? How hard
will it be to recover (can I recover?) to a known good state if it
gets lost? Can it be misused if someone gets their hands on it (or a
copy of it)?
- What happens if I'm incapacitated and someone needs access to my
stuff? Getting technical, it's important to think about someone who
might have to act on your behalf, which I'll call your agent -- it
might be your successor, attorney, trustee or, yes, even executor.
Will they need to be able to access the vault? Can they? How do
you ensure that they can GET access, but don't necessarily already
HAVE access?
- How much change will occur to your password vault? How will you
ensure that whatever you do to address the "what if I lose it"
question doesn't lose "too much" data when getting to an acceptable
state? How will you ensure that your agent has access to complete and
accurate information, or that the agent can recover from the vault
being lost? How long will it take to recover? Are all of these
limitations okay?
Password mistakes to avoid
- Never (ever!) re-use your GCFN.ORG password (or the
password to any email account). If you do, you're
really increasing the likelihood that you'll experience some kind of
identity theft online. Many (maybe even most) online services use or
offer email based resets and confirm all sorts of stuff by email -- so
once they get your email, they can look for the receipts of where
you've been doing business and reset your passwords, giving them
access to huge amounts of your online life.
- A generalization of the above: don't re-use the same password at
multiple sites. If site A has a security problem and leaks their
credentials, it really shouldn't give them credentials to site B.
Even more generally speaking, password re-use across any context is a
bad security practice.
- Do not use words that can be directly found in any known
dictionary or published book. Pretty much every dictionary of words
can be (and probably have been) plugged into password cracking
software.
- Do not choose a password that in any way resembles the username or
account identifier it's linked to, as that's part of the guessing
strategy most password cracking software uses.
- Do not use simple, adjacent keyboard combinations. Phrases like
"qwerty" and "asdzxc" and "123456" are trivial to crack and are
well-understood in attacker tools today.
- Do not choose passwords based on details that may not be as
confidential as you might expect, such as your birthdate, social
security number, phone number, names of family members, pets, home
address, zip code, housing history, income history, current and past
employers, etc. Based on the highly publicized credit bureau
data breaches at Experian and Equifax and the Federal and state
government data breaches that have made it into the news, one should
expect that highly detailed profiles including most imaginable
personal data about you are readily and easily
available.
- Don't let yourself be convinced that the simple transformations of data
you do in your head are protecting you.
- First off, many forms of simple transformation will not stop an
attacker. The various ways you can substitute symbols or numbers for
letters ("p@$$w0rd") are finite in number and well understood, as
are common misspellings, and all of them can be expressed as automated
rules: password attackers use these "rules based" transformations as
part of their dictionary attacks. Any transformation that's not based
on cryptographic principles and which has not undergone strict
scrutiny (either in the academic community or in the non-classified
government space) should be considered suspect. Transformations are
not always entirely worthless, but they have far less security value
than most people seem to think.
- While it's true that pass phrases based on some transformation of
memorable phrases can generate reasonable passwords, the approach
isn't guaranteed to work. It's unpopular to say this, but most people
aren't as smart as they think they are about security issues (and that
includes security professionals!). Leveraging a wide amount of
research and my review of the literature has led at least me to
conclude that phrase generation is inconsistent at best, and that with
almost no exceptions, you're better off doing something more
predictably effective.
- At the same time, simple transformations are likely to make it
MUCH harder to remember and recover passwords if you need to. You're
much more likely to be protecting your password against
yourself (that is, making it harder to use without
gaining security value) when you use simple transformations.
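The arithmetic behind two points above (95 printable characters raised to the password length, measured against the 17,000,000 guesses per second quoted earlier, and the small number of extra guesses a symbol-substitution rule adds to a dictionary word) worked through as an added example; this is illustrative code, not anything WDY Enterprises runs, and the guess rate, substitution table, and sample word are constructed assumptions for the demonstration.

```python
"""Search-space arithmetic for the figures quoted in this article.

Shows why length over a 95-symbol alphabet matters far more than the
"p@$$w0rd"-style substitutions people apply by hand. The guess rate and
the substitution table below are assumptions for the example only."""
from math import log2

PRINTABLE_ASCII = 95              # printable ASCII symbols, as stated in the article
GUESSES_PER_SECOND = 17_000_000   # rate quoted in the article, assumed constant
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every password at `rate` guesses per second.
    An attacker expects to succeed in about half that; the order of magnitude
    is what matters here."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


# Constructed substitution table of the kind the article describes. Real
# rule sets used by cracking tools are larger, but they are still finite.
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}


def leet_variants(word: str) -> int:
    """How many candidate strings one dictionary word yields under the table:
    the product of the per-letter option counts (unmapped letters give 1)."""
    count = 1
    for ch in word.lower():
        count *= len(LEET.get(ch, ch))
    return count


def is_leet_variant(candidate: str, word: str) -> bool:
    """True if `candidate` is `word` with letters swapped per the LEET table."""
    if len(candidate) != len(word):
        return False
    return all(c in LEET.get(w, w) for c, w in zip(candidate, word.lower()))


if __name__ == "__main__":
    for length in (8, 12, 17):
        print(f"{length:2d} random printable chars: "
              f"{entropy_bits(PRINTABLE_ASCII, length):5.1f} bits, "
              f"{years_to_exhaust(PRINTABLE_ASCII, length):.3g} years to exhaust")
    # A random 8-character password costs about 95**8 guesses; the substituted
    # dictionary word costs only leet_variants("password") extra guesses.
    print("variants of 'password' under the table:", leet_variants("password"))
    print("'p@$$w0rd' is one of them:", is_leet_variant("p@$$w0rd", "password"))
```

Run it and compare the 8-character row (roughly a decade at the quoted rate) with the 54 guesses that cover every substitution of "password"; that gap is the whole argument against hand-made transformations.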
If you keep an electronic copy of your passwords on your computer,
make sure it's got some reasonably strong encryption on it.
Unfortunately, most people don't have the right training to recognize
what makes encryption strong or weak. While this is certainly not
sufficient for a complete assessment, a good start is to look for
documentation that identifies the product as storing data in an
encrypted form, using an encryption algorithm like the Advanced
Encryption Standard ("AES" also known as "Rijndael"). Appropriate
"key lengths" vary by application, but looking at today's technology
for this application I would be skeptical of anything that doesn't use
AES-256 (256-bit key length). Don't use basic productivity
tools (word processor, text editor, spreadsheet or the like) to retain
electronic copies of passwords because they don't store data in
encrypted form: you really want your passwords to be stored
in a purpose-built password manager... and not all of those programs
or services are of equal strength and quality. For service-oriented
password vaults, ensure that the access mechanisms are also encrypted
using the strongest possible encryption methods.
Don't forget to keep a backup of your password vault whenever it
changes, and periodically in addition to whenever it changes (just in
case). Further, make sure that backup is stored safely in a manner to
mitigate the possibility of loss or damage.