Watch Those Passwords: Keys to Cryptographically Secure Passwords
Articles like this recent LifeHacker post point out that the recent flurry of big-business password leaks is evidence not only of smarter attackers but of more ammunition for them: every leaked database is a large sample of the patterns most people follow when they make up passwords, and those patterns feed straight back into cracking rules and wordlists. In other words, the XKCD methods aren't good enough anymore. To stay more secure you have to think about two things: password generation and password storage.
1 Password Generation
Just about any password you make up in your head these days is going to be vulnerable to the standard tricks of the trade: attackers swap digits for letters, look for dictionary words inside the string, and match common phrase patterns. Tools like LastPass and most other password managers can generate passwords for you from a cryptographically secure random number generator. A great open-source utility is pwgen, available through SourceForge or most Linux repositories. Its parameters control how long (`pwgen 12` for 12 characters), how random (`pwgen -s 12` for 12 fully random characters) and how memorable (plain `pwgen 12` gives reasonably pronounceable output) the result is. Note the trade-off: the pronounceable default is assembled from syllables rather than uniformly random characters, so it carries less entropy per character than the `-s` output; use `-s` for anything you will paste rather than type.
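To make the numbers concrete, here is an added example (not pwgen's code, and not from the original post) that does in Python what `pwgen -s` does: it draws every character uniformly from the OS random source through the `secrets` module and reports the resulting entropy, plus how long exhausting the keyspace would take at an assumed offline guessing rate of 10^10 guesses per second (a figure chosen for illustration, not a measurement).

```python
import math
import secrets
import string

# Alphabets to compare. ALPHANUMERIC matches the letters-and-digits set that
# `pwgen -s` draws from; the other two bracket it from below and above.
LOWERCASE = string.ascii_lowercase                      # 26 symbols
ALPHANUMERIC = string.ascii_letters + string.digits     # 62 symbols
PRINTABLE = ALPHANUMERIC + string.punctuation           # 94 symbols


def generate_password(length: int = 12, alphabet: str = ALPHANUMERIC) -> str:
    """Draw `length` symbols uniformly from `alphabet` using the OS CSPRNG.

    secrets.choice() is the right primitive here; random.choice() is driven
    by a Mersenne Twister whose state is recoverable from its output and
    must never be used for secrets.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).

    The bound only holds when every position is independent and uniform.
    A pronounceable generator (pwgen's default mode) or anything a human
    picks can reach far fewer strings, so its real entropy is lower than
    this formula would suggest for the same length.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to enumerate the whole keyspace at the given offline rate.

    1e10 guesses/s is an assumed figure for an attacker running a GPU rig
    against a fast hash of a leaked database; it is not a measured value.
    """
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(length: int = 12) -> dict:
    """Entropy and exhaustive-search time for `length` symbols from each alphabet."""
    return {
        name: (entropy_bits(len(alphabet), length),
               years_to_exhaust(entropy_bits(len(alphabet), length)))
        for name, alphabet in (("lowercase", LOWERCASE),
                               ("alphanumeric", ALPHANUMERIC),
                               ("printable", PRINTABLE))
    }


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"{length} characters:")
        for name, (bits, years) in compare(length).items():
            print(f"  {name:<13} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    print("`pwgen -s 12` equivalent:", generate_password(12))
```

Twelve alphanumeric characters come to about 71 bits, which at the assumed rate takes on the order of ten thousand years to exhaust; eight lowercase letters come to under 38 bits and fall in seconds. The point is that length and alphabet size are the only two knobs that matter once the characters are genuinely random, and neither helps if the generator is predictable.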
Of course, they are almost impossible for us to remember without concerted effort, too; hence issue #2.
2 Password Storage
Password storage becomes vital once you do the smart thing and use a different password for every service (for example, never let your bank password and your Facebook password be the same). Again, LastPass is the de facto ruler here.
I use a different method than LastPass for a couple of reasons. First, I'm uncomfortable being part of the crowd, even if it is objectively the best solution: strategically, LastPass and all its users together become the biggest target out there, which makes them a far more attractive thing to attack. Secondly, my workflow allows for another solution that fits better.
3 My Solution
My personal solution is to keep my pwgen-made passwords in an encrypted text (org-mode) file, as per this smart suggestion here. This means I can reuse my passwords with copy-paste efficiency in most places, and don't have to worry about them floating in the cloud somewhere (however well encrypted). Like LastPass, I have just one master password to access that file; after that it is a short matter to find my target among the hundreds of passwords stored there. The trade-off is that everything rests on that one passphrase, so it needs far more entropy than the service passwords it protects: anyone who copies the file can run guesses against it offline, with no lockout or rate limiting, for as long as the copy exists. Copy-paste also leaves the secret sitting in the clipboard, so clear it once you have logged in.