Passwords can be safe

Passwords are dumb but essential.

They can be pretty safe, but unless they are generated from random characters of sufficient length and complexity they can be easy to crack. Your password needs to be like a needle in a haystack.

This raises the question of "How Big is your Haystack?" Visit https://www.grc.com/haystack.htm to find out! And while there, take a look at SQRL.

Basically, if you can remember it, it is probably not very good. The best option is to use something like LastPass, which generates a very secure password for every site you visit when needed. All you have to do is remember the one that lets you access the LastPass system.

Ideally a password should never contain any word in a dictionary and should be long enough to prevent cracking: the time a fast set of computers takes to test every combination should be longer than your lifespan. Using a combination of upper and lower case letters, numbers and punctuation, something near to 13 characters should do it for now. E.g. Biycriipnvg_21 would take 16,500 years for the best array of computers to resolve. It's easy to remember as well. Why? It's just the first letters of the first sentence of the previous paragraph with an underscore and the current year appended.

Two Factor Authentication.

Recommended by many, it does provide protection should your password be discovered, but what they don't tell you is that it can be an absolute lock-out from your own stuff. Google has a brilliant service called Find my Phone. Lose your phone and Google will show it on a map, let you make it ring loudly even when in silent mode, lock it from making calls, or even wipe it completely.

However, with two-factor enabled, you can't log in to Google to invoke the find-phone feature until you find the phone to read the second factor! Quite useless, so beware.

One of the most secure methods of login is with an independent device, such as a key fob. Banks often use this, and if it is lost a phone call with some security questions can usually resolve that. Try calling Google, though, and see what happens.

A sort of two-factor method that is extremely secure is a public and private key pair. These keys are mind-bogglingly long, almost a whole page of random text. The private half is used to sign a long random string of garbage that the remote site creates and sends you. You send the result back and the site checks it with the public half of the pair. The public part is just that: public, and everyone can know it. But only you, with the private one, can create something that the public one can confirm. Even more secure, your private one is also encrypted with your own pass phrase that only you know, a password if you like. The point is that it never leaves your own computer and no one else can use it!

This is close to the principle that SQRL uses, but a new pair is created for each web site you visit by using that site's domain name. Thus they don't need to be stored anywhere: SQRL can regenerate them on the fly from the domain name and your master key. The remote server, however, does need to retain your public key, and it keeps this instead of a hashed password. When you reconnect to a website, the site returns a random string which SQRL signs with the private key for that site and sends back. The site checks it with the public part and, if it matches the string it sent you, then you must be who you claim to be! No one else anywhere can ever do this. The keys used are only ever valid for that one website and yourself and therefore can never be spoofed.
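As an added illustration (not SQRL's own code, and not from this page's author), here is the per-site key scheme just described in Go: HMAC-SHA256 of the master key and the domain name seeds an Ed25519 key pair, the site stores only the public half in place of a password hash, and login is a signed random challenge. The building blocks match the SQRL specification, but the function names, the master key value and the domain names are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// siteKeyPair derives a per-site Ed25519 key pair from the master key and the
// site's domain name. HMAC-SHA256(master, domain) is the seed, so the same
// inputs always give the same pair and nothing per-site is stored on the client.
func siteKeyPair(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC-SHA256 output is exactly 32 bytes
	return priv.Public().(ed25519.PublicKey), priv
}

// newNonce is the random challenge the site creates and sends to the client.
func newNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// answerChallenge is the client side: sign the site's nonce with the private
// key derived for that domain. The private key never leaves the client.
func answerChallenge(masterKey []byte, domain string, nonce []byte) []byte {
	_, priv := siteKeyPair(masterKey, domain)
	return ed25519.Sign(priv, nonce)
}

// verifyLogin is the site side: check the signature against the public key it
// stored at enrollment. A signature made for another domain or another nonce fails.
func verifyLogin(storedPub ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(storedPub, nonce, sig)
}

func main() {
	master := []byte("constructed demo master key, not random") // assumed value for the demo
	pub, _ := siteKeyPair(master, "example.com")                // site keeps pub at enrollment
	nonce := newNonce()
	sig := answerChallenge(master, "example.com", nonce)
	fmt.Println("example.com accepts own-site answer:", verifyLogin(pub, nonce, sig))
	fmt.Println("example.com accepts other.org answer:", verifyLogin(pub, nonce, answerChallenge(master, "other.org", nonce)))
}
```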