Difference between revisions of "Password Security"
Revision as of 16:05, 20 December 2021
Summary
This documentation provides advice about secure passwords. It covers known problems with passwords and explains various solutions for secure password creation and usage. The issue "bad passwords" is the number 1 vulnerability in the Internet-of-Things (IoT) [1].
Problems with Passwords
There are several more or less widely known bad habits regarding passwords.
Mistakes by choosing Passwords
Personal information is often used to create passwords, because of the limited number of passwords a human can remember; such information (names, dates, etc.) is a popular target for social engineering. Often standard passwords like "123456" or "password" are used. In fact, "123456" has been the most used password for the last few years [2]. The re-use of passwords is one of the main challenges: many users use the same password for various accounts. It should be obvious that it is not a good idea to use the same password for online banking and for an Adobe account. The quality of a password depends on how long an attacker needs to find the correct one.
Password Entropy and Quality
A lot of studies suggest using Password Entropy to measure the strength of a password. Higher entropy indicates a more secure password, lower entropy a less secure one. Entropy is the amount of information held in a password. The more information is in your password, the more time an attacker has to invest to crack it. To get a higher entropy you should use more and different characters, drawn from the following character sets.
Character Set 1: 26 lower case letters: abcdefghijklmnopqrstuvwxyz
Character Set 2: 26 upper case letters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Character Set 3: 10 digit characters: 0123456789
Character Set 4: 31 special characters: ~!@#$%^&*()_-+={}|[]\:"<>?;',./
Good Passwords
There are 3 general aspects to good passwords: the length plays the main role, the password must not be trivial, and the password must be easy to memorize. Leet speak (i.e. replacing certain letters with similar-looking numbers, e.g. "p455w0rd") is not a good idea, because by now all password crackers know leet speak.
Good Password Checklist
- Minimum length of 12 characters
- Contains lower & upper case letters, digits, and special characters
- As random as possible
- Easy to remember
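The following example is added here to make the entropy section and the checklist above concrete; it is not code from the original page. It uses the four character sets listed above and the standard formula for a password of length L drawn uniformly from an alphabet of size N, entropy = L * log2(N) (the page states the idea but not the formula). The mechanical checklist items (minimum length 12, all four character classes) are checked; "as random as possible" and "easy to remember" cannot be checked by code. The dictionary size of 7776 words used for the word-based estimate is an assumption, not a value from the page.

```python
import math
import string

# The four character sets from the page (digits and specials as corrected above).
CHARSETS = {
    "lower": set(string.ascii_lowercase),                 # 26 characters
    "upper": set(string.ascii_uppercase),                 # 26 characters
    "digit": set(string.digits),                          # 10 characters
    "special": set("~!@#$%^&*()_-+={}|[]\\:\"<>?;',./"),  # 31 characters
}


def classes_used(password):
    """Return the names of the character sets the password draws from."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in password)}


def alphabet_size(password):
    """Size N of the union of the character sets actually used."""
    return sum(len(CHARSETS[name]) for name in classes_used(password))


def charset_entropy_bits(password):
    """Entropy in bits, assuming every character was chosen uniformly at random
    from the alphabet the password uses: L * log2(N).

    This is an upper bound: a password built from words or song lyrics is far
    less random than this number suggests."""
    n = alphabet_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def word_entropy_bits(word_count, dictionary_size):
    """Entropy of a password made of words picked at random from a word list
    (assumed list size; 7776 is a common size, not a value from the page)."""
    return word_count * math.log2(dictionary_size)


def checklist(password):
    """The mechanically checkable items of the 'Good Password Checklist'."""
    used = classes_used(password)
    return {
        "min_length_12": len(password) >= 12,
        "all_four_classes": used == set(CHARSETS),
    }


def passes(password):
    """True when every checkable checklist item holds."""
    return all(checklist(password).values())


if __name__ == "__main__":
    # Constructed sample inputs: the two bad passwords and the two good
    # passwords mentioned on the page.
    for pw in ["123456", "password", "Ayl2n?Dymm2n?Ayswda?", "ConcreteOcean4MouseEgg!"]:
        print(f"{pw!r:28} N={alphabet_size(pw):3} "
              f"entropy={charset_entropy_bits(pw):6.1f} bits "
              f"checklist={checklist(pw)}")
    # A four-word password scored per word rather than per character.
    print("4 random words from a 7776-word list:",
          round(word_entropy_bits(4, 7776), 1), "bits")
```

Note the gap between the two estimates for "ConcreteOcean4MouseEgg!": per character it scores about 150 bits, but an attacker who guesses word combinations faces far fewer possibilities, which is why the checklist insists on randomness and not only on length and character classes.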
How to Create a Good Password
- Think about your favorite lines of a song, poem, or movie, etc. Take the first letters and special characters to create your password.
Here's an example:
Are you lonesome tonight? Do you miss me tonight? Are you sorry we drifted apart?
The resulting password might be: Ayl2n?Dymm2n?Ayswda?
- Think about approx. 4 different words which make sense for you but whose combination, in general, does not make any sense at all. Meaningful sentences do not make good passwords.
Here's an example:
Concrete Ocean Mouse Egg
You'll have to add a special character and a digit. The resulting password might be: ConcreteOcean4MouseEgg!
Further Advice for a Secure Password Usage
Password Manager
The use of a password manager solves the problem of remembering numerous different passwords for various accounts. You have one file containing all your passwords, which is secured by one strong password. Our recommended password managers are open source, free of charge, and platform-independent.
Recommended password managers:
- KeePass XC - https://keepassxc.org/
- KeePass - https://keepass.info/
Two-Factor Authentication
Two-Factor Authentication requires a second authentication method besides the password, e.g. Google Authenticator [3] which provides a 6-digit code for each login. A second authentication factor might also be a biometric factor (e.g. fingerprint). You also might use a crypto token (e.g. a Yubico key [4]).
Courses
- Workshops (2017, 2018, 2019, 2020)
References
- [1] https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf
- [2] https://metro.co.uk/2019/12/19/10-worst-passwords-2019-revealed-nothing-changed-11932281/
- [3] https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=de_AT
- [4] https://www.yubico.com/authentication-standards/fido-u2f/