
Edward Snowden’s Advice for an Unhackable Password - unreal37
http://time.com/3815620/edward-snowden-password-john-oliver/
======
sthreet
The way I do it is going to be insecure the moment I lose one password, but it
is easier for me to remember than these things. I have a phrase that is at
least 8 characters long and then I add something specific for the service. The
initial phrase includes a number and capital, for example "ExampleP1ss" and I
really should have a symbol somewhere in it except I haven't signed up for
anything that requires a symbol. Examples of things specific to this would be
"hacknews", "hackernews", "hackerNews", "ycominator", "hackercombinator", ...
How (in)secure is this?

I also have it written down because I figure if someone has access to my
personal computer physically, and they want my passwords they can probably
install some keylogger or something else I don't understand, and this way I'll
never forget my password. I also have a list of services that I am signed up
for so I don't forget to change my reddit password because I haven't used
reddit in the last three weeks after something like heartbleed happens. What I
will not do is store my passwords in my browser, that seems like an awful
idea. Especially because some things automatically sync across browsers.

~~~
Phlarp
>What I will not do is store my passwords in my browser, that seems like an
awful idea. Especially because some things automatically sync across browsers.

The serious browser extensions that do this use encryption for syncing, you
are correct that centralizing them all in a browser extension is a negative
for security, but the upside of having random and different passwords for each
site or service _far_ outweighs the risks posed by centralization or browser
storage.

The odds that one or more sites you use end up leaking your plaintext
passwords are far higher than the odds of LastPass being hacked; even the odds
of someone identifying your self-described insecure pattern from a series of
these leaks are far higher than those of getting burned by an extension.

I had my apprehensions before starting to use a password manager, but after
six months I consider it absolutely essential and urge everyone else to use
LastPass or a similar addon. The benefits massively outweigh the risks.

~~~
lewisl9029
Any idea why browsers haven't implemented their own native password generation
functionality yet?

If nothing else, having this functionality built into popular browsers would
increase public awareness of better password practices by at least an order of
magnitude.

~~~
forgotpasswd3x
There's an option you can enable in chrome://flags to enable a password
generator. I don't believe the user gets any control over the password's
complexity right now, but it looks like it's something that the Chrome team is
at least considering.

I'm not aware of anything similar being built into Firefox.

------
pervycreeper
Unfortunately, many sites enforce arbitrary restrictions on admissible
passwords (e.g. between 8-13 characters, at least one digit, one lower case,
and one uppercase). This makes the whole proposition much harder. I wonder if
there is some purpose behind this (make things a little harder for the small-
timers, but open the doors for the big guys).

~~~
Zikes
Banking sites seem to be notorious for this. The worst offenders will simply
truncate the password, too, leaving you to believe you're using a much more
secure password than you actually are.

~~~
veritas3241
This is absolutely the case with USAA. No warning whatsoever was given that
they truncated my password which led to me being locked out when it autofilled
from LastPass. I contacted them but all they've offered to do is "forward it
to our security team".

------
tnb234
I still think the best possible practice is to use a password manager. I've
been using one for a couple of years and I haven't run into any issues so far.
My passwords are long, complex, with symbols, and unique. I use the phrase
trick for the master password.

~~~
throwawaymsft
Importantly, your password manager file can stay on your device, not in a
network-connected database that can be hacked, downloaded, and brute forced.
Having millions of targets in one place is tempting, your personal files
aren't.

~~~
undersuit
I use KeePass, I store the databases on Dropbox, I memorize the passphrases,
and I store their private keys on a thumb drive.

I do worry about someone analyzing each and every change to the database for
some kind of information leak, but I also change the compound key every 6
months which should help.

------
bitL
One of my university professors used lyrics from folk songs to create
passwords. Usually he took first characters of each word and created a long
password out of them. He changed the song every week - I saw him often singing
without a sound when he was about to log in ;-)

~~~
iamthepieman
One of my professors recommended passphrases of the same type. I still
remember the example he used 15 years later.

"ILikeToPluckStringerdInstrumentsWithAPlectrum"

------
glenstein
Not sure I understand the advantages of passphrases that string together
common words and names. Presumably a password cracker could look for long
strings of common words, too.

Snowden emphasizes using words that aren't in the dictionary, but proper names
of historical figures are in certain e-dictionaries (my android keyboard's
auto-complete dictionary for instance includes Margaret and Thatcher).

------
sp332
That protects against people guessing your password (or cracking after a DB
dump), but that assumes they have to guess. Demand that sites encrypt your
passwords. [http://plaintextoffenders.com/](http://plaintextoffenders.com/)

~~~
ehmmm
They don't have a search feature!

I always >sigh< when I have to resort to external web search and limit the
search to that domain, which usually gives poor results.

( Just noticed they have added a note about that. )

~~~
vollmond
Given they know about it, they should just add a custom Google search widget
to the sidebar.

------
elchief
Write your passwords down on a piece of paper and put that piece of paper in
your wallet. If you lose your wallet, well you just lost your credit card and
maybe social security card too, so changing passwords ain't so bad.

Use incorrect answers for secret questions (wallet too).

~~~
ckuehl
I think for most moderately-technically-inclined people, a decent password
manager is going to be much more secure (and in many cases, more convenient).

If you steal my credit card, I'll just call my bank and cancel it (and I'm not
liable for any charges you made, anyway). But if you break into my email (or
even something like my Facebook, which might have weaker security), it might
be really hard to recover from that.

------
pc2g4d
I think an important point Snowden makes is that the words used in the
passphrase should be unlikely to be in a dictionary. In other words, the
phrase should be one to which a language model[1] would assign low
probability, as there are hugely many such phrases, whereas higher
probability phrases are less numerous.

[1]
[http://en.wikipedia.org/wiki/Language_model](http://en.wikipedia.org/wiki/Language_model)

------
patcon
For good master passwords: Randomly select 12 words from a book (be honest
with the randoms, don't be choosy), and then doodle a picture where each word
has a memorable element. Draw it a few times. Put one copy away for safe
keeping. Work through the image whenever recalling your password, and once it
becomes muscle memory, make a point of imagining it as typing it every once in
a while, to make sure you don't turn it completely instinctual :)

------
glandium
I've tried to use non-ASCII characters in passwords. Specifically, I've tried
using Japanese phrases as passwords/passphrases. Most software rejects them. Or
when they do accept it at registration, they fail to recognize it on login.
Sigh.

------
sarciszewski
My rule of thumb is to go for 128 bits of entropy:

* If they allow all printable ASCII chars, that means
  128 / lg(94) = about 20 characters
* If they only allow alphanumeric,
  128 / lg(62) = about 22 characters

If the site doesn't let me use a password > 20 characters, I don't sign up.

I also use a password manager, so all my passwords are randomly generated.

My master password? 64 characters of line noise I memorized years ago. ;)

Also:

[https://defuse.ca/password-policy-hall-of-shame.htm](https://defuse.ca/password-policy-hall-of-shame.htm)

~~~
borgia
>I also use a password manager, so all my passwords are randomly generated.

Any recommendations?

Key points being security and cross platform accessibility.

~~~
sp332
I've been using LastPass, it's been pretty solid. It's not the most polished
thing in the world but it works well.

~~~
sp332
And InfoSec Taylor Swift uses it.
[https://twitter.com/SwiftOnSecurity/status/58655626893814169...](https://twitter.com/SwiftOnSecurity/status/586556268938141697)

------
vvoyer
[http://correcthorsebatterystaple.net/](http://correcthorsebatterystaple.net/)

------
rip747
[https://xkcd.com/936/](https://xkcd.com/936/)

~~~
anonbanker
Note that Bruce Schneier said not to do it, so people don't.

nobody's proved it wrong, but BS said not to, so people avoid it.

~~~
Dylan16807
People are really bad at estimating password security, which is why he advised
against it as a trick. You're right that he shouldn't have advised against it
on a basic entropy level... except that 44 bits is not enough.

Using words is okay, but you have to impress on people two critical things.

1. random words. not sentences. use a program or dice.

2. Each word is only as good as two random characters. 8 words is as good as
16 characters, no more.

People try to get 'clever' and it never works out well.
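To put numbers on the two rules of thumb in this thread (sarciszewski's 128-bit target, and Dylan16807's point that a random word is worth about two random characters), here is an added Python calculator that is not from the thread or any commenter. The alphabet sizes are assumptions: 94 printable ASCII, 62 alphanumeric, a 2048-word list (the size behind xkcd 936's 44 bits), and 7776 for a five-dice Diceware list.

```python
import math

# Alphabet sizes assumed for this example (constructed, not from the thread):
# 94 printable ASCII, 62 alphanumeric, 2048 words (xkcd 936 style list),
# 7776 words (a five-dice Diceware list, 6**5).
ALPHABETS = {
    "printable_ascii": 94,
    "alphanumeric": 62,
    "words_2048": 2048,
    "words_diceware": 7776,
}


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol chosen uniformly at random from the alphabet."""
    return math.log2(alphabet_size)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string of `length` uniformly random symbols.

    Only valid for genuinely random choices (program or dice); a memorable
    phrase plus a site-specific suffix has far less entropy than this.
    """
    return length * bits_per_symbol(alphabet_size)


def symbols_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Smallest symbol count that reaches target_bits (128 / lg(94) -> 20)."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def chars_per_word(word_list_size: int, char_alphabet_size: int) -> float:
    """How many random characters one random word from the list is worth."""
    return bits_per_symbol(word_list_size) / bits_per_symbol(char_alphabet_size)


def length_table(target_bits: float = 128) -> dict:
    """Required length per alphabet to reach target_bits."""
    return {name: symbols_for_entropy(target_bits, n) for name, n in ALPHABETS.items()}


if __name__ == "__main__":
    for name, needed in length_table().items():
        print(f"{name:16s} {needed:3d} symbols for 128 bits")
    print("4 words from a 2048-word list:", entropy_bits(4, 2048), "bits")
    print("one 2048-list word is worth about",
          round(chars_per_word(2048, 62), 2), "alphanumeric characters")
```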

