How to make a strong easily remembered password. - Page 3
Thread: How to make a strong easily remembered password.

  1. #21

    Join Date
    Jan 2012
    Posts
    65


    Quote Originally Posted by nefariousbob:
    The modern security threat is in the form of database compromise - where hackers may obtain some or all of the password hashes from a web service's user database. When a password hash is obtained, the hacker simply needs to look it up in another database, known as a rainbow table. Rainbow tables hold pairs of passwords with the hashes that they compute to. Available rainbow tables reduce hash cracking to a matter of seconds, hours, or days where brute force cracking may take years, decades, or longer. Long story short, passwords of any complexity (ASCII) should be longer than 9 characters, alphanumeric passwords should be at least 11 characters, and alpha-only passwords need be at least 13 characters.



    (snip)

    (P.S. Not all websites are responsible enough to store passwords as hashes, making a database compromise instantly catastrophic to their users. If the website you visit seems questionable from a security standpoint, be sure to use a UNIQUE password for your account.)
    These are both really good reasons to use a different password on every site. One way to do this is to come up with an "algorithm" that combines a strong password element you can remember with some information about the site. For example (and this is a weak one, don't actually use it!), you could use "myp4ss!" plus the first two letters of the site name, so amazon.com would have the password "myp4ss!am" and facebook.com would have the password "myp4ss!fa".

    One worry unique to this strategy is the possibility that a hacker will obtain two of your passwords and figure out your "algorithm", allowing them access to the rest of your sites. For this reason, I recommend two things: (1) using very non-obvious site information and (2) not using your "algorithm" on sites where the consequences of your account being hacked are severe (e.g. bank sites, sites that hold credit card info, etc).


  3. #22

    Join Date
    Jul 2011
    Location
    England
    Posts
    783
    Blog Entries
    2


    For simplicity I use LastPass for the majority of my passwords. But for the few that require that little bit of extra protection (or pique my paranoia a little further) I use a method I saw on Lifehacker just over a year ago based on old-fashioned tabula rectas. Rather than rehash it, here's a link to the article for those who might be interested.

    Is it a pain in the arse? A little, that's why I don't use it for everything, but it is very secure.

  4. #23

    Join Date
    Feb 2012
    Location
    Sydney
    Posts
    38


    For Me: (Always put "/" or "?" in my password)
    a=@
    i=1
    e=3

    Password:
    IaMa8oY = I@ma8oY?
    invites = Inv1t3s/

    For any user name i create:
    b=8
    o=0
    a=2

    IaMaBoY=IaMa8oY
    google=g00gle
    baby=b2by

  5. #24

    Join Date
    Nov 2011
    Location
    USA
    Posts
    16


    Quote Originally Posted by Demonblade:
    You seem very knowledgeable on this topic, Nefariousbob. You say, quote, "On this note, I recommend not overdoing it on password complexity or length, although in practice the point of "overdoing it" is practically immeasurable." So I have a question about this: currently I'm using a program called KeePass Safe.
    It encrypts your passwords, and you can make them any length that you want, randomly generated or of your choosing. The passwords vary from 12-24 characters usually, and I thought I was pretty safe about things. But since you mention this rainbow hacking, should I be concerned and change my password strategy?
    If you have passwords stored in any sort of encrypted database, they should generally be quite secure. With proper encryption, the only typical threats to your database are the compromise of your master password/encryption key, or an inside attack, meaning the software itself could be malicious or become infected with a virus. Also, the use of an encrypted database relieves you from having to remember each of your passwords, so there is no harm in making them long, complex, or entirely random. Short, simple, or easy to guess passwords will still be susceptible to brute-force, dictionary, or social engineering attacks; over-the-top passwords will still be more likely to suffer from collision attacks, such as rainbow table look-ups.

    I do advocate the use of encrypted databases to store passwords, since this enables users to use unique passwords for each website they visit, without having to remember each. This can make the difference between someone using a forum account of yours to post some spam and someone completely hijacking your online (and maybe even real) identity. However, it is important to weigh the advantages against the fact that if the database becomes compromised, everything becomes compromised. Because of this, I recommend multiple databases (e.g. one for social networking accounts, one for banking accounts, one for public forum accounts, etc.) Further, in lieu of a master password, I highly recommend the use of encryption keys, stored securely, although if you lose said keys, you forever lose access to your database.

    It is difficult to say whether a password is more prone to collision attacks than others, so the only real thing to go by is your own judgement. Just do your best to keep your passwords to yourself (don't blab on yourself or write them down, don't use the name of the cat you don't ever shut up about, don't use computers you can't definitely trust, etc), avoid trusting shady websites with your "usual" passwords (I use really generic passwords on sites I don't have good reason to trust), and most importantly, don't advertise yourself as a target. As mentioned, most compromises are accomplished through social engineering or eavesdropping, and not brute-force, dictionary, or data theft.

    If anybody is feeling exceptionally paranoid, here is the most secure procedure I can think of to safeguard your identity:

    (Notes: The procedure below assumes that EVERYBODY is trying to steal your passwords, and therefore avoids the use of password management software like KeePass. If you REALLY want to go down this route, I recommend using GnuPG to generate your keys and to encrypt/decrypt your data. At this point, you may as well also disable your Internet connection while GnuPG is running. Realistically, KeePass (I can't speak for others) is probably NOT trying to steal your passwords, and can help simplify security. Specifically, steps 2, 3, and 5 can be handled by KeePass - please see the KeePass documentation for information on how to do this.)

    1. Buy two small flash drives that support 128-bit or 256-bit AES encryption. 1 GB each should be more than enough for most anybody to store their entire identity. Encrypt each with a different master password. One will serve as an emergency backup in case the other dies.
    2. Generate 1024-bit or 2048-bit keypairs to represent each part of your identity. You may want a pair for work-related accounts, one for file-sharing accounts, one for social networking accounts, one for financial accounts, and so on. Keep one copy of each keypair on each flash drive, and delete any and all other copies.
    3. Use these keys to encrypt your password databases. So, you may take your "work account" key and use it to encrypt a text file that will contain login/password information for your company's Intranet, online payroll system, etc. Then, you may take your "file-sharing account" key and use it to encrypt your P2P login/password information in a separate text file. Do this for each type of account information that you wish to store securely.

    Checkpoint: You now have two encrypted flash drives, each with a unique password. Both flash drives contain all of your public/private keys, and each keypair is only used to encrypt/decrypt one database. So, if someone steals/hacks your "file-sharing account" key, your "financial account" database will still be safe. The databases should never be stored on these flash drives, and one of the flash drives should be kept safe at home in case the other is lost. Be sure to keep the backup flash drive up to date. Never share your private keys, and limit sharing of your public keys to people/websites you can trust. Do not lose your keys - without a copy of your keys, you will never be able to recover your encrypted data. Unplug your flash drives when not in use, and for added security, store your databases on a third AES encrypted flash drive with unique password.

    4. Download some rainbow tables, and an appropriate cracker. Quantity is proportionate to how effective this will be at checking your passwords' security. Do NOT use online services which let you look hashes up in their tables - they WILL store your password/hash combination, rendering it entirely insecure. Once you have as many rainbow tables as you can stand, configure your cracker. Using high-end modern graphics cards and multiple hard drives with large caches and low seek times will deliver the best performance.
    5. Start generating candidate passwords. They should be at least 8-10 characters, and no more than 20-24 characters in most cases. Random strings of mixed alphanumerics and keyboard symbols are fine. You can simply open a text document, smash on your keyboard for a while, and break up your resulting gibberish into password-sized chunks of text. Don't worry about the security of these text chunks just yet. If you have lots of accounts to secure, I suggest using GnuPG to generate your gibberish.
    6. Now that you have a list of potential passwords, fire up your cracker and start checking each password. Give the cracker as long as you like, but don't waste your entire life on this step. The idea here is not to actually crack your password, but to make sure no collisions are detected in a short period of time. Chances are that if someone does obtain one of your password hashes, it will be one of many, and they won't spend too much time working on each. If your cracker turns up matches for any of your potential passwords, delete said password(s) from your list of candidates.
    7. Finally, you have compiled a list of secure passwords, and you're ready to put them to use. Log in to each website on which you want to secure your account, and change your password to one from your refined list. For each changed password: plug in the flash drive containing your keys, decrypt the appropriate account database, add the name of the site, username, and your new password, then lock it back up. Update your backup flash drive ASAP; write yourself a note to do so if need be. Do not use any of your passwords twice, and do not save a copy of your password list. Destroy evidence of your generated gibberish when finished updating your passwords, and if you need more later, generate more later.
    8. Next time you want to visit your favorite website: pop in your flash drive, decrypt the appropriate account database, and type (DO NOT COPY/PASTE) your username/password from the file into the website. Once you've typed your info, lock your flash drive back up then go ahead and login to the website.

    Maybe I'll go back through this at a later date and turn it into a full-fledged explanation of password security, but for now, consider this a guideline.
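The following is an added example, not code from any poster in this thread. It illustrates the point made in nefariousbob's quoted post and in steps 4-6 above: a leaked unsalted hash can be recovered only if its plaintext was enumerated when the lookup table was built, while a site that stores a random per-user salt with a slow key derivation (PBKDF2 here) makes such precomputed tables useless. The word list and candidate passwords are constructed placeholders, and a plain dictionary stands in for a real rainbow table; `screen_candidates` is a hypothetical helper mirroring step 6, not a real cracker.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a precomputed table. A real
# rainbow table is a compressed form of the same idea: hash -> plaintext
# for every input enumerated when the table was built.
CONSTRUCTED_WORDLIST = [
    "password", "letmein", "qwerty", "invites",
    "myp4ss!am", "myp4ss!fa", "Inv1t3s/",
]


def unsalted_hash(word, algo="sha256"):
    """Hash a password the way a careless site would: no salt, one fast round."""
    return hashlib.new(algo, word.encode()).hexdigest()


def build_lookup_table(words, algo="sha256"):
    """Precompute unsalted hash -> plaintext, which is what a table attack relies on."""
    return {unsalted_hash(w, algo): w for w in words}


def lookup_unsalted(stolen_hash, table):
    """A leaked unsalted hash is recovered iff its plaintext was enumerated."""
    return table.get(stolen_hash)


def screen_candidates(candidates, table, algo="sha256"):
    """Step 6 of the procedure: keep only candidate passwords the table does not cover."""
    return [c for c in candidates if unsalted_hash(c, algo) not in table]


# Defender side: what a site should store instead of a bare hash.
def store_password(password, iterations=200_000):
    """Random per-user salt plus slow PBKDF2-HMAC-SHA256; the record is safe to put in a DB."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(candidate, record):
    """Recompute the derived key from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    table = build_lookup_table(CONSTRUCTED_WORDLIST)

    # Unsalted: the plaintext "invites" was in the word list, so the hash is found.
    print("unsalted lookup:", lookup_unsalted(unsalted_hash("invites"), table))

    # Salted + stretched: the same password now produces a record the table cannot match,
    # and two users choosing the same password get different records.
    rec = store_password("invites")
    print("salted record in table?", lookup_unsalted(rec["hash"], table))
    print("verify correct:", verify_password("invites", rec))
    print("verify wrong:", verify_password("Invites", rec))

    # Candidate screening (step 6): only the random-looking string survives.
    print("survivors:", screen_candidates(["invites", "Inv1t3s/", "x7Qp#2Lm!v"], table))
```

The salt does not need to be secret, only unique per record; its job is to force an attacker to redo the (deliberately slow) derivation for every user rather than look all of them up in one shared table.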
