Strong Master Passwords

Toward Better Master Passwords

• Toward Better Master Passwords - AgileBits Blog
  • This may sound like heresy even though it is sound security advice: When you change your master password, write it down on a slip of paper and put it in your wallet. Once you no longer need to refer to it, you can destroy the piece of paper.
    • Write Down Your Password - Schneier on Security

      We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

    • Password Do’s and Don’ts - Krebs on Security

      I tend to agree with noted security experts Bruce Schneier, when he advises users not to worry about writing down passwords. Just make sure you don’t store the information in plain sight.

  • A walk through of a password creation system
    • The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system
    • Use spaces to make things easier for you
    • Don’t tell the the truth
    • Don’t make sense
    • Avoid predictable phrases
    • Avoid secrets or things that are personally meaningful
    • Obvious punctuation is obvious
  • Diceware
    • Using four or five words should be sufficient against the plausible attacks over the next few years given observed speed of password crackers
    • Diceware passwords now need six random words to thwart hackers - Ars Technica
    • Diceware Passphrase Lookup and Generator (Diceware word list)
    • Diceware Passphrase Lookup and Generator (Beale word list)
    • Diceware Secure Passphrase and Password Generator
    • diceware iOS apps
    • diceware Android apps
  • In Conclusion
    • We are working toward better passwords, not perfect ones. You should take only as much advice from this [article] as you are comfortable with and no more. Remembering and typing in your master password should not become a chore.
    • If you do change your master password, practice with it regularly so that you don’t forget it. Don’t be afraid to write it down on a piece of paper for a while if you keep it in a safe place.
    • The kinds of master passwords that you need depend on who may try to break it. Even though a typical criminal may have access to sophisticated cracking tools, it is unlikely that they will dedicate hours – much less days, weeks, years or decades – to your particular data.
• How do I choose a good Master Password? - 1Password Support
• Friends don’t let friends reuse passwords - AgileBits Blog
• The only secure password is the one you can’t remember - Troy Hunt
• Passphrases That You Can Memorize — But That Even the NSA Can’t Guess - The Intercept

Podcasts

• The Most Important App You Will Ever Download - Chalene Johnson (41m:04s)
  • podcast_link
  • podcast_transcript
• On the Wire - Jessy Irwin (25m:04s)

Further Reading

• Better Master Passwords: The geek edition - AgileBits Blog
• On hashcat and strong Master Passwords as your best protection - AgileBits Blog
• Strong Security Requires Strong Passwords - AgileBits Blog
• The secret to online safety: Lies, random characters, and a password manager - Ars Technica
• From password to 1234, why we still fail the online security test - The Conversation
• How long would it take to crack your password? - Sophos
• Will Your Passwords Pass the Test? - Trend Micro
• Password Strength - Wikipedia

Password Strength Tests

listed in order of decreasing utility

• zxcvbn: realistic password strength estimation - DropBox Tech Blog
• LastPass Security Challenge
• Telepathwords: Preventing weak passwords by reading your mind - Microsoft
• Create strong passwords - Microsoft dead link
• Check your password—is it strong? - Microsoft dead link
• How Strong is Your Password? - Intel dead link
• Secure Password Check - Kaspersky Lab
• How Secure is My Password - SpeedyPassword
• How secure is your password? - My1Login
• Password Checker Online - Online Domain Tools
• Test Your Pas$w0rd!
• Password Strength Test - Rumkin․com
• Password Strength Meter
• The Password Meter
• Yet Another Password Meter

Research

• zxcvbn: realistic password strength estimation - DropBox Tech Blog
• Password Haystack “Search Space” Calculator - GRC․com
• Linguistic properties of multi-word passphrases - Computer Laboratory, University of Cambridge (PDF)
• “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really? - Elcomsoft (PDF)
• On The Security of Password Manager Database Formats - Computer Science Department, University of California, Irvine (PDF)
• The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers - University of California, Berkeley (PDF)

PDF downloads

• all PDFs (multiple .pdf files)
  • all PDFs (single .zip file)