Wednesday, April 9, 2014

What Your Post-Heartbleed Passwords Should Be

In the next few days more people than ever will struggle to invent new passwords in a short time. How should you do it?
The good news: More and more browsers and operating systems can generate long, random passwords. They would be tough to remember but you don't have to remember them. The browser or OS stores them.
The bad news: You're trusting the security of that browser or OS. OpenSSL was also supposed to be impeccably secure. Then just this week it wasn't.
Aside from the possibly justified paranoia is a convenience issue. Most of us use multiple devices and occasionally log into important accounts from family or friends' devices. This makes it tough to depend on "Cloud" synchronization of stored passwords.
The best, most realistic of the commonly advised password tactics is to convert a memorable phrase or sentence to a password. Use the first letter of each word as your password. “May the force be with you” would become “Mtfbwy”.
Cool. I mean, OK, you wouldn’t want to use that one, but you get the basic idea. Choose a phrase meaningful to you and you alone. 
There are several drawbacks. This well-publicized idea is already popular. That presumably means that acronyms of all the common pop-culture catch phrases are entering the lists of popular passwords that hackers and cracking software try first. Normally acronyms are all letters and thus less secure than an any-character string of the same length.
Different phrases can begin with the same letters, producing the same acronym. Some letters are more likely to begin words than others, and hacking software could potentially exploit this.
Now here's my suggestion, and I use it myself. Turn the conventional advice on its head. Instead of thinking of a phrase and converting it to a password (that won’t be all that random), get a truly random password and convert it to an easy-to-remember phrase.
I used to use simple, stupid passwords. After one of my accounts was hacked, the site assigned me a temporary password. It was a random string of characters. I was going to change it until I realized that I didn’t need to do so. I could remember a random password.
The mind is good at seeing patterns in random data. This is how we remember phone numbers and Social Security numbers. It also works for random-character passwords like RPM8t4ka. I just now got that one from random.org, a site that generates all the randomness anyone could want for free. Though the random.org password is authentically random, the human eye and mind instantly spot patterns. In this case the first three letters happen to be all capital, and the last three are lower-case. The number 8 is twice 4.
You can easily translate a random password to a nonsense phrase. RPM8t4ka might become “revolutions per minute, 8 track for Kathy.” I don’t know what that means but I do know that it’s fairly easy to remember. The sole point of the phrase is as a mnemonic for the password RPM8t4ka.
A password, a passphrase, a mnemonic—what’s the big deal? The difference is that a random-character password is the gold standard of security. It’s better than any human-chosen password could be. It will still be good, even if everyone in the solar system were to adopt this scheme.
Want a different password for every site? One trick is append part of the site's name to the standard password. For Facebook, take the first two letters (Fa) and add them to the boilerplate password, getting RPM8t4kaFa. Just don't do that exactly and make up your own rule.
(This tip is adapted from my upcoming book, Rock Breaks Scissors. It's due out from Little, Brown this June 3rd.)