Adobe, MySpace, LinkedIn, and many other large organizations have had major password breaches in the last few years. In these breaches, attackers exfiltrated usernames, email addresses, passwords, and in some cases plaintext password hints and other data from the company’s database. The initial response is always, "Log into that service and change your password before the hackers get in and take over that account!" The sad truth is that it’s rarely that account that matters. It’s the other accounts where you (or your users) reuse the same email address and password that you (or they) were already using on the compromised service.

In the last few weeks, there have been several (https://techcrunch.com/2016/06/29/hacker-takes-over-oculus-ceos-twitter-...) high-profile (http://arstechnica.com/security/2016/06/mark-zuckerberg-twitter-pinteres...) attacks (http://fortune.com/2016/06/27/google-ceo-sundar-pichai/) in which the CEO of a large company had their Twitter account hacked because they were using the same password for Twitter as on another service that had been compromised.
These attacks all could have been prevented if the account owners had used secure, randomly generated passwords. The problem is that our brains aren’t good at remembering random strings of characters with no meaning or purpose attached to them, and the last thing any of us wants is to lose access to an account simply because we can’t remember the password, so many users lean towards ease of access over absolute security. The idea I want to present is to completely forget the word “password,” strike it from your memory as though it had never existed, and replace it with the word “passphrase.”

Remember back to elementary school math? I know it’s really fuzzy for me too. Remember the mnemonic they taught you for the order of operations? PEMDAS? Please Excuse My Dear Aunt Sally: Parentheses, Exponents, Multiplication, Division, Addition, and Subtraction. Obviously PEMDAS would be a terrible passphrase, because it’s one that most people know. Let’s try another example, one that would be likely to stand up to an offline brute-force attack:

Mps,"Sy'gdm2d'iUd'sdtHRL" = "My pappy said, "Son you’re gonna drive me to drinkin' If you don't stop driving that hot rod Lincoln""

That is twenty-four characters, with upper case, lower case, numbers, and symbols. If you’re a Johnny Cash fan, you probably remember that lyric and won’t be likely to forget it. Try not to hum the song while you’re typing it in, and you should be good to go. Not even a monster GPU-based cracking rig is likely to find that passphrase unless the attacker starts with a dictionary of song lyrics and a rule that tells them how to condense the lyrics into that format.

Try creating a mnemonic passphrase for another phrase that has meaning in your life: a favorite song lyric, a movie quote, a Bible verse, whatever works for you. Don’t use this passphrase everywhere; that would defeat the purpose.
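As an added illustration (not part of the original post), the following Python applies a simplified version of the condensing rule described above, first letters with punctuation kept and number words turned into digits, and then sizes the search space an exhaustive character-by-character search would face. The substitution table and the exact rules are assumptions; the post's author condensed the lyric by hand, so the output differs slightly from the post's passphrase.

```python
import math
import re
import string

# Constructed substitution table: number-like words become digits, the way
# the post's example turns "to" into "2".
DIGIT_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
               "one": "1", "won": "1", "ate": "8", "eight": "8"}
# leading punctuation | word core (letters, digits, apostrophes) | trailing punctuation
_TOKEN = re.compile(r"^([^\w']*)([\w']+)([^\w]*)$")
# The lyric used in the post, as sample input.
LYRIC = ("My pappy said, \"Son you're gonna drive me to drinkin' "
         "If you don't stop driving that hot rod Lincoln\"")


def mnemonic(phrase: str) -> str:
    """Reduce a phrase to first letters (assumed rules): keep each first letter's case
    and surrounding punctuation, keep contraction apostrophes, number words -> digits."""
    out = []
    for token in phrase.split():
        m = _TOKEN.match(token)
        if m is None:                      # bare punctuation such as "--": keep it
            out.append(token)
            continue
        lead, core, trail = m.groups()
        key = core.lower().strip("'")
        if key in DIGIT_WORDS:
            piece = DIGIT_WORDS[key]
        else:
            piece = next(c for c in core if c.isalnum())
            if "'" in core:                # you're -> y', don't -> d', drinkin' -> d'
                piece += "'"
        out.append(lead + piece + trail)
    return "".join(out)


# character class -> alphabet size an exhaustive search must assume for it
_CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
            (lambda c: c in string.punctuation, len(string.punctuation)))


def charset_size(secret: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    return sum(n for test, n in _CLASSES if any(test(c) for c in secret))


def brute_force_bits(secret: str) -> float:
    """log2 of the search space for guessing the secret character by character."""
    return len(secret) * math.log2(charset_size(secret))


if __name__ == "__main__":
    for m in (mnemonic("Please Excuse My Dear Aunt Sally"), mnemonic(LYRIC)):
        print(f"{m!r}: {len(m)} chars, {brute_force_bits(m):.0f} bits of search space")
```

The bit count only measures resistance to exhaustive search; as the post notes, an attacker who already has the lyric and the condensing rule faces a far smaller search.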
I recommend using this strong passphrase as the key that unlocks a secure, encrypted password manager such as LastPass or KeePassX, and storing a unique, randomly generated password for each service inside the manager. That way you personally still only have to remember a single good passphrase. You can add a further measure of security by enabling two-factor authentication on your password manager, so that in addition to entering your strong passphrase you also have to enter a 6-digit code generated by a mobile application such as Google Authenticator or Duo Mobile. If you attach Duo to your LastPass account, you can set it up so that your phone receives a quick pop-up asking you to approve the login, so that even if someone manages to compromise your strong passphrase, their attempt to log in with it sends you a notification.