Bruce Schneier looks at password cracking on his blog and he and his commenters have some interesting insights into password cracking and how to minimize the odds of getting cracked and hacked.
The post is in reference to an Ars Technica’s experiment where they gave three “cracking experts” a list of 16,449 passwords hashed using MD5. The least successful cracker was able to figure out 62 percent of the passwords and one of the crackers was able to obtain 90 percent of the passwords.
Essentially all three were doing sophisticated dictionary attacks to get at obvious passwords, but also to crack passwords that people think are secure for some reason, such as “k1araj0hns0n”. From my experience, the practice of sites requiring people to use at least one number or at least one special character, etc., is counterproductive in that it leads people to think that “Pass$1w0rd” becomes magically secure with the addition of the special characters, capitalization and numbers.
Schneier still endorses his scheme of using the first letters from uncommon sentences to create passwords that are secure but easy to remember,
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.
That would certainly work, but I have about 90 accounts I access regularly which would mean remembering 90 sentences or variants therein. And at this point you really do want to ensure every account you use has a different password. Given the rash of hacks of prominent web sites, you just need to assume that at some point a) one of the sites you use regularly is going to get hacked, b) they’re not going to have implemented effective security to protect your password, and c) hackers are quickly going to distribute your password and attempt to use it to access other accounts you control.
I prefer the following method which I think strikes a nice balance of protecting my logins while at the same time recognizing I have a life to live and want to spend as little time as possible managing passwords:
1. Use a password manager. I use LastPass, but I’ve also used other password managers. Whatever password manager you use, do make sure to read reviews to ascertain that its security is acceptable. Personally, I’m satisfied that while LastPass’s security isn’t impregnable, it is good enough and effectively balances my security and usability concerns.
2. Generate passwords with DiceWare. It sounds a bit goofy, but essentially you’re using dice as random number generators to create a list of words that you string together into a longer passphrase. A DiceWare-generated passphrase might look like “cleftcamsynodlacyyr”.
There are two advantages to using DiceWare rather than using something like LastPass to autogenerate random passwords. First, the passwords generated with DiceWare have a great deal of entropy and are not going to fall to a dictionary attack even if the attacker knows you used DiceWare to create them. Second, DiceWare passwords are much easier to type or memorize than typical randomly generated passwords in those situations where you need to manually enter the password.
3. Generate a separate password per account. I generally create a few dozen DiceWare passwords at a time and securely store the list, then grab one of the passwords as I create a new account.