Take Control of 1Password (1.2.1) (2014)
Chapter 3. Understand Password Security
To use 1Password effectively, you should know a few basics about what makes passwords more or less secure. This information will help you choose a good master password (which protects all your other passwords) and make smart decisions about using 1Password’s password generator.
If you’ve already read my book Take Control of Your Passwords, which discusses password security in detail, you can skip this chapter. If not, read on for a brief overview of the major points you need to know when choosing passwords.
Learn Password Security Basics
The whole idea of a password is that it’s private—something known only to you and to the entity with which you have an account (a bank, Web site, cloud service, etc.). If someone else learns your password, that person can access your data, which could mean stealing your money, impersonating you online, taking over your computer, and worse. So, your main goal when picking a password should be to select one that won’t be guessed.
Most people think of “guessing” as a strictly human activity. For example, a friend or colleague might guess that your password is the name of your dog, your anniversary, or your favorite ice cream flavor, and that’s why you should never use words, names, or numbers someone might associate with you as passwords.
However, most of the time it’s not people doing the guessing directly, but rather computers. A friend might never guess poiuytrewq as a password, but it would be among the first guesses by a program designed to crack passwords, because that string follows a pattern (in this case, a keyboard pattern). Cracking software is great at identifying the patterns people commonly use to help them remember passwords, including patterns based on words, names, numbers, and shapes, not to mention substituting numbers for similar-looking letters (3 for E, 4 for A, and so on).
Now, suppose the worst happens and one of your passwords is guessed, leaked, stolen, or hacked. That’s bad news, but it suddenly becomes much worse if you used the same password in lots of different places. For example, hackers probably don’t care about your Facebook password as such, but they’d still love to know what it is, on the theory that you use the same one for your email account, bank accounts, PayPal, and other services that they could then access instantly. And that’s exactly what hackers do—they immediately try stolen passwords on lots of different sites. The moral of the story is that you should never reuse passwords in more than one place. Make every one unique!
Even if you choose a unique, random password—a meaningless string of letters, numbers, and symbols—you’re not necessarily safe. I know of cracking systems based on ordinary, off-the-shelf computer hardware that can try every single possible password of up to eight characters in just a few hours. This is called a brute-force attack, and it’s guaranteed to succeed eventually. The only way to defeat a brute-force attack is to make every password so complex that “eventually” is longer than the attacker can afford to spend trying.
Fortunately, that’s easier than it sounds. Cryptographers use the term entropy to mean a mathematical approximation of how strong a password is—that is, how well it can resist guessing. It turns out that you can increase a password’s entropy, thereby increasing the average time it would take for a brute-force search to crack it, in any of three ways:
· Make it longer. Every character you add to a password exponentially increases the number of possible passwords that must be checked. For example, if each character in a password can be one of 52 possible choices (upper- and lowercase letters), then an eight-character password has about 53 trillion (52^8) possible combinations. Add just one character, and the number of combinations jumps to almost 2.8 quadrillion (52^9).
· Use a broader range of characters. The example above used only alphabetic characters—26 lowercase and 26 uppercase. If you add 10 digits and the 33 punctuation characters on a standard U.S. keyboard, you get a total of 95 characters in each slot. That means the number of possibilities for an eight-character password jumps to more than 6 quadrillion (95^8), and for a nine-character password, it’s over 630 quadrillion (95^9). So, simply by including upper- and lowercase letters, digits, and symbols in your password, you can massively increase its entropy without making it longer.
· Make it random. Even in a brute-force search, patterns are checked first. So ABCdef123!@# still isn’t a great password. Even though it’s 12 characters long and contains all the different character sets I mentioned, its entropy is still fairly low because it follows an obvious pattern. Random combinations will be checked later, which increases their entropy. I should add that “random-looking” isn’t the same as random. Humans are terrible at picking truly random passwords, so that’s a task better left to computer programs (such as 1Password).
You can use these methods individually or in combination. For example, if your password contains only English words in lowercase alphabetic characters but is adequately long, it can have just as much entropy as a shorter, random password. (That’s essentially the point of the wonderful and now famous Password Strength comic from XKCD—although I’d recommend a slightly longer password than correct horse battery staple.) But the highest-entropy passwords use a combination of all three factors.
Tip: You can check any password’s entropy using a number of free online tools, such as zxcvbn (get it?). However, keep in mind that all entropy calculations are only approximations that make assumptions about the sorts of patterns cracking software will test.
A number of people have asked me why it’s important to have high-entropy passwords that can resist billions of guesses per second when most Web sites, apps, and local computer accounts take more than a second to process a single login—and many lock you out after only a few incorrect attempts. The answer is that most successful password cracking attempts don’t go through the “front door,” as it were. Instead, an attacker gains access to a file containing encrypted passwords (for example, by stealing a company laptop or by hacking into a network), and then uses cracking software to decrypt those passwords directly. This is known as an offline attack. And it’s exactly that sort of attack that could be used to guess your 1Password master password if anyone were to obtain that file. That’s why your master password should be especially strong!
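Here is the arithmetic behind the three entropy factors above and the offline-attack point, as an added worked example that is not from the book. The guess rate (ten billion per second) and the 7776-word list size are assumptions; the 52- and 95-character alphabets are the chapter’s own.

```python
import math

# Alphabet sizes used in the chapter's own examples.
LETTERS = 52                  # upper- and lowercase letters
LETTERS_DIGITS_SYMBOLS = 95   # plus 10 digits and 33 U.S.-keyboard punctuation marks
LOWERCASE = 26                # lowercase letters only (a "words only" password)
WORD_LIST = 7776              # assumed size of a word list for a passphrase

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def combinations(length: int, alphabet_size: int) -> int:
    """Size of the brute-force search space: every string of `length`
    symbols drawn from an alphabet of `alphabet_size`. For a passphrase,
    `alphabet_size` is the word count and `length` the number of words."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly random password in bits (log2 of the search
    space). Only valid for random choices; a patterned string gets less."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a random password from this alphabet
    reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Years an offline attacker needs to try the whole search space at the
    assumed rate; on average a hit comes after about half of it."""
    return combinations(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e10  # assumption: ten billion guesses per second, offline
    cases = [(8, LETTERS), (9, LETTERS), (8, LETTERS_DIGITS_SYMBOLS),
             (9, LETTERS_DIGITS_SYMBOLS), (14, LETTERS_DIGITS_SYMBOLS)]
    for length, size in cases:
        print(f"{length} chars from {size}: {combinations(length, size):.3g} "
              f"combinations, {entropy_bits(length, size):.1f} bits, "
              f"{years_to_exhaust(length, size, rate):.3g} years to exhaust")
    # How long must a random password be to reach 75 bits?
    for name, size in [("mixed", LETTERS_DIGITS_SYMBOLS), ("lowercase", LOWERCASE), ("words", WORD_LIST)]:
        print(f"75 bits needs {length_for_bits(75, size)} {name} symbols")
```

The same function covers the passphrase case from the XKCD discussion: a word list is just a larger alphabet, so fewer symbols are needed but each one is a whole word.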
Understand Optimal Password Length
How long should your passwords be? There’s no simple answer. I can say unequivocally that all your passwords should have more than nine characters (assuming longer passwords are permitted). Beyond that, I could throw out some arbitrary number, such as 14 random characters, but even that might be far too short if it’s used on a system with a weak encryption algorithm, yet it would be too long for a site that restricts passwords to a maximum of 10 characters. Aiming for a certain level of entropy (which is measured in bits) is slightly better—75 bits might be a good target—but even then, it depends on the context.
Instead, let me make a few broad recommendations:
· For passwords that 1Password will always enter for you—especially Web logins—you have nothing to lose and everything to gain by using the built-in password generator to make them as long, complex, and random as the site permits.
However, every Web site has its own set of rules for passwords. There are varying length restrictions. One site may forbid punctuation while another requires it; one may limit special characters to @, #, and $ while another accepts only _, +, or *. Some sites require upper- and lowercase letters and digits, making a long phrase (such as correct horse battery staple) a nonstarter, even if it has high entropy. Therefore, although you may choose highly secure default settings, you’ll have to vary them as needed.
· For some passwords, you may encounter situations where neither autofill nor copy-and-paste is possible. I’m thinking, for example, of entering a Netflix or Amazon password on your TV or a Wi-Fi password on your printer. An additional disadvantage in these cases may be not having a full keyboard.
When choosing such passwords, the “as long, complex, and random as possible” rule works against you. Stick with something of a more modest length, such as 12–14 characters. And even if you start with a random password, you may want to rearrange the characters slightly to limit the number of times you have to switch onscreen keyboards (for example, a device might put all the lowercase letters on one screen, the uppercase letters on a second, and digits plus punctuation on a third).
· Your 1Password master password must be strong because it protects all your other passwords. And yet, you’ll have to type it frequently—and sometimes on the tiny virtual keyboard of a mobile device. So a 50-character random password would probably drive you to distraction. If you choose a random password with all the major character types, 12–14 characters is a reasonable compromise. After all, the longer a random password is, the harder it is to memorize, and you do not want to forget this password!
If you want a password that’s more memorable and easier to type, compensate for the lower entropy by making it considerably longer, such as using a complete (and preferably nonsensical) sentence, as I suggested in Choose a Master Password.
Password Dos & Don’ts
No matter how great your password is, it’s not secure at all if it’s posted in public view. That’s obvious, I hope, but I’ve seen lots of unsafe password practices. Here are my personal dos and don’ts for better password security.
Do:
· Choose a particularly strong password for your email accounts. Email passwords are crucial because if you click a “lost password” link, a hint or reset instructions will typically be sent to your email address. So, someone who guessed your email account’s password could use it to learn or change many of your other passwords, too.
· Use two-factor authentication where possible. Two-factor authentication, also known as two-step authentication, requires not just your password (one factor) when you log in but another factor too—generally a code that’s sent to your mobile phone as a text message, generated by a mobile app, or displayed on a device called a secure token. That way, someone who knows your password but can’t access the second factor would be unable to log in to your account. It’s a small inconvenience in exchange for significantly improved security.
· Write down your 1Password master password. Wait, what? Seriously? Yes, seriously. I suggest you write down your master password—and keep it in a safe, private place—for two reasons. First, it protects you in case you forget your password. The likelihood of forgetting will decrease over time, but during the first few days it’s a significant concern. Second, it could enable a spouse, employer, or other trusted person to access your passwords in an emergency. (So, don’t forget to tell that person where your password is and what to do with it if the need should arise!)
Don’t:
· Reuse passwords. As I mentioned earlier, making each password unique limits the potential damage if one of your passwords should be guessed or stolen.
· Post passwords in plain view. Get rid of your sticky notes and cheat sheets—you don’t need them anymore! In fact, the only passwords you should have to write down at all are your master password and any others that must be entered without the help of 1Password (such as your computer’s login password).
· Keep using old, weak passwords. Once you have 1Password up and running, change any passwords you previously created that are too short or simple to resist cracking. I explain how to do this in Update Old Passwords.
· Worry about relying on 1Password. It can be scary at first to let 1Password create and store long, complex, random passwords for you without tracking them separately, especially if you were in the habit of writing them all down or storing them in a text file or spreadsheet. But I assure you that your passwords are far safer in 1Password. Over the years, I’ve used 1Password to create hundreds of random passwords that I never even glanced at, and I’ve never lost one.