Basics of password security


Posted by julian.a


At Fusionbox we take security very seriously. Security is a complex and multi-faceted problem. Ultimately, though, your security is only as strong as its weakest link, and often the weakest link in the security chain is your password.

In the early days, the internet was relatively benign. Password security wasn't a significant concern because you actually knew everyone on the internet! But things have obviously changed. Botnets and sophisticated automated systems are now common. It no longer takes a human being's conscious attention to hack someone, just the action of an impersonal program running on any of a thousand machines, constantly looking for vulnerabilities. So now, password security is very, very important (at least until 2 factor authentication becomes a requirement everywhere).

With that in mind, here are some basic rules for good password hygiene:

Don't reuse passwords

The most common, and biggest, mistake people make with passwords is to reuse the same password on many different sites. If you do this, you're relying on each site to keep your password safe from attackers. Given the recent spate of security breaches (including breaches at sites like LinkedIn, Dropbox, and Yahoo), that's a bad idea. As a statistical matter, if you use the same password on every site, your password is going to be compromised. Once the data is out there, brute force attacks have a very high success rate against all but the highest quality passwords, even if they're properly salted and hashed; f1uf4y82 isn't going to hold up to scrutiny. Also, did you notice how the breaches linked above all happened 2+ years ago? That's because it took that long for the sites to realize they'd been breached and tell the public. I would definitely be willing to wager that a few other major sites out there have had their password databases leaked and we don't know about it yet. If you reuse passwords, it's quite likely that your password is out there right now. Now might be a good time to go change the password on your bank account; you can come back and read the rest of this blog post when you've done that. (You may use Mouseware for secure password generation.)

Use strong passwords

The fundamental problem is that simple passwords that are easy to type and remember are usually low quality passwords. Modern computers are fast. Brute force testing of millions of passwords is easy, and if your password is one of the first billion or so that a brute force script is likely to try, your password isn't secure. This means that passwords like fluffy or fluffy82 provide almost no security at all. If you haven't been hacked with a password like that, it's because no one has bothered to try. Passwords like fluf4y82 are a little better, but will still fall quickly in the case of a LinkedIn-style database breach.

A really secure password has a lot more randomness than fluf4y82. One way to generate truly secure passwords is to use a large character set and pick a bunch of random characters from it. Something like 9<4d+3S_'v*XG{D+]GDS might result. Passwords like that one would likely stop even a concerted attack from the NSA. Actually, for some purposes, I recommend using passwords just like that (see more below), but for passwords that you're actually going to memorize and type, this is just too much work. Fortunately, there are a few alternatives. One approach (popular at Fusionbox) is to string together common words (inspired by this xkcd). The resulting passwords are a little long to type, but are very easy to remember, and very secure. At Fusionbox we've long been using Mouseware to generate these 'xkcd-style' passwords, and I can recommend it wholeheartedly (the really security conscious out there may want to download the source code, read it, and run it offline). If you want to see a fun alternative I've been working on, you can check out my markov chain based passphrase generator here.
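To make the "randomness" comparison concrete, here is an added example (not code from the post or from Mouseware) that estimates the entropy of the password styles discussed above and generates both a random-character password and an xkcd-style passphrase. The tiny word list, the 100,000-word attacker dictionary and the 1e10 guesses-per-second cracking rate are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. A real generator (Mouseware, a
# Diceware list) draws from thousands of words; entropy scales with log2(list size).
WORDS = ("correct", "horse", "battery", "staple", "fluffy", "orange",
         "window", "pencil", "garden", "silver", "rocket", "meadow",
         "candle", "harbor", "violet", "thunder")

# Every printable ASCII character except space: 26 + 26 + 10 + 32 = 94 symbols.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation


def uniform_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent uniform picks."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size: int, suffix_choices: int) -> float:
    """Entropy of a 'word + suffix' password such as fluffy82, assuming the
    attacker knows the pattern and tries every word/suffix combination."""
    return math.log2(dictionary_size * suffix_choices)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: half the search space on average."""
    return (2 ** bits) / 2 / guesses_per_second


def random_chars(length: int, alphabet: str = FULL_CHARSET) -> str:
    """Random-character password in the style of 9<4d+3S_'v*XG{D+]GDS.
    Uses `secrets` (CSPRNG), never `random`, whose output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int, words=WORDS, sep: str = " ") -> str:
    """xkcd-style passphrase: n words drawn uniformly, with replacement."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e10  # assumed offline cracking rate against a leaked hash database
    for label, bits in (
        ("fluffy82 (100k-word dictionary + 2 digits)", pattern_entropy_bits(100_000, 100)),
        ("8 truly random chars from a-z0-9", uniform_entropy_bits(36, 8)),
        ("20 random chars from 94 symbols", uniform_entropy_bits(94, 20)),
        ("4 words from a 7776-word list", uniform_entropy_bits(7776, 4)),
    ):
        print(f"{label}: {bits:.1f} bits, ~{expected_crack_seconds(bits, rate):.3g} s")
    print("random chars:", random_chars(20))
    print("passphrase  :", passphrase(4))
```

Note that fluffy82 looks like 41 bits if you count characters, but only about 23 bits once the attacker guesses the word-plus-digits pattern, which is why it falls in well under a second at the assumed rate.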

With a properly strong password, you'll likely be secure even in the case of a database breach. You still shouldn't reuse passwords - it's hard to guess when the state of the art for hash functions and cracking hardware will change. It's best to assume that passwords that are secure today won't be secure forever, and keeping passwords separate is one of the best things you can do to ensure long-term security.

Use a password manager

Ok, ideally you'd use a unique strong password for every site, memorize them all, and you'd be set. In practice, though, you're not going to do that. The next best thing is to use a password manager. Yes, you're a little more vulnerable in that if anyone gets access to your password manager you're in trouble, but for the most part you're concerned about attacks on the internet as a whole, not on your personal computer where you store your passwords. Using a password manager, you can generate a new unique, strong password for every site. You should definitely choose a password manager that encrypts your passwords (especially if using cloud password storage), and use a really strong master password for it, of course! Using a password manager is one of the best security tradeoffs you can make. While it does reduce your security a little, if it enables you to use unique strong passwords you're coming out way ahead.


So I hope the above proves useful to some readers. Password security really is a more important issue than people realize, and it's only going to get more important with time. The automated attacks we're seeing right now are still fairly unsophisticated, and we should expect them to get better over time. Eventually real password security is going to be essential for everyone, and now's as good a time to start as any!

Fusionbox provides Python Security Auditing of existing code. Developing secure Python applications is our specialty. Please contact us if you'd like a review of your application's security.
