One of the most popular posts on this website about DARK FICTION is my method on How To Make The Best Password Ever.  (Go figure.) But a lot has changed since I posted that back in 2011, and I thought I would share how I’ve recently improved this method to both increase my online security and make it easier to manage.

When companies like Target get their data (actually Your data) frisked, you don’t need me to tell you that cyber-crimes are getting worse. Organized crime has discovered the value of hackers. They aren’t just kids having fun anymore, they can be the sharp-but-morally-flexible folks hired by organized crime syndicates to work together in hacker farms. And the miracle of distributed computing means hackers can network thousands of hijacked home computers (called ‘bots’) together into the most powerful computer on earth and control it from anywhere in the world using their ipad.

Sorry if I sound paranoid. Truth is, anyone who wants to steal my identity can have it. But that doesn’t mean I’m going to make it easy for people to get at my data. Until some new and better security measures come along (like this)  internet users have a responsibility to use quality passwords. If you’re using a password with less than 8 characters, or one that is nothing more than a word or name, then you are both asking for, and deserve, your data to get jacked.

Why AES-256 bit encryption can’t help you

“50 supercomputers that could check a billion billion (1018) AES keys per second (if such a device could ever be made) would, in theory, require about 3×1051 years to exhaust the 256-bit key space.”  - http://en.wikipedia.org/wiki/Brute_force_attack

Awesome, right? Not exactly. Because there’s no encryption method that will stop hackers from guessing your password using brute force attacks, especially if your password is weak. (A brute-force attack is when the computer creates and guesses passwords and tries them one at a time very quickly.) Why bother to decrypt your password when they have a super-computer-network that can guess every combination of 6 character passwords in a few days? I ran a brute-force test on my own network and hacked a half a dozen 5-character passwords in just a few minutes. There is also a new method of brute-force attack that simply tries common passwords against many different known accounts. I guarantee you there’s someone on gmail using a password of “123456″ or “password.” Running through the list of baby names is also a well-known password hacking shortcut that no amount of encryption will stop.

Awesome encryption also won’t help if the decrypted password is accessible by an unscrupulous website admin and tried on other websites. Paranoid much? Maybe, but any CSCI major out there can make an app that actually works, but is also a farm for email/password lists to try on other websites. If you’re using the same email/username/password on multiple websites, no level of encryption will protect you from this kind of hacking.

Account hacks will become more of a problem since the list of possible password characters is limited, but computing power continues to grow exponentially. So there’s really only one solution to keep your online accounts safe:

You have to make your password longer, and you need to use a different password for each website/online service you use.

My ‘Best Password Ever’ Method
1 – Make Your Password Longer

To start, you need to make your password LONGER. Eight characters is the minimum now, and if you can get closer to 16 or 20, that’s even better. The graphic below from xbcd.com shows this brilliantly.

Using several random words in sequence is a fantastic password method, and this will work well with my previous advice about using song lyrics. But instead of reducing the song lyrics to an acronym, use the full words. JumpingJackFlash, StairwayToHeaven and GabbaGabbaHey are all decently long passwords. The random word method would be more secure because that random series of words would be harder to guess, but we’ll modify the song-lyric password below and make it better.

2 – Make It Memorable

Remember that with my song-lyric method, you should sing the password as you type it in. In the graphic above, xbcd.com recommends using a visual memory trick. Both methods make use of the fact that you are accessing multiple areas of the brain to memorize your password. Whether visual or auditory, try to tie some second sense to your mental password storage, this will help you recover it with ease.

3 – Make It Unique

Keep in mind that you need a unique password for every website you use. So, simply add on a memorable identifying feature of the website you are logging into. Gmail could be StairwayToGmail or GStairwayToHeaven. Microsoft could be StairwayToMicrosoft or MStairwayToHeaven, etc.

4- Back it Up

Some websites and services have different rules regarding punctuation, numbers, password length and such. So you might run into places where this lovely password system won’t work. You either need a good memory, or a file to store the passwords in.

Password managers can help with this. After reading lots of reviews, I decided to give Lastpass a try.

Lastpass Password Manager

Lastpass runs as a browser plugin, and saves/fills in website passwords for you. This allows you to make a single password for Lastpass (the last password you’ll ever need, apparently) and let Lastpass create a long and complicated password that it can remember for you, and enter them in the appropriate field as you browse.

You’re probably wondering how sharing all your passwords with a third party like Lastpass can be MORE secure? Well, the info is encrypted on your computer before being sent to Lastpass for storage. So the company Lastpass only receives your data in encrypted form. No one at Lastpass can see your unencrypted passwords. Also, using Lastpass means you’ll only need to remember one password, (Make that master password a good one, using the tips above!) while allowing you to strengthen all your other passwords, and even change them to long-random gibberish without worrying about remembering them later. You can log into your Lastpass account from other computers if you need access to your passwords from a computer without Lastpass installed.

You can also use Lastpass as a failsafe password archive. Simply continue to enter your awesome passwords manually,  but let Lastpass run in the background, archiving your passwords in case you ever forget them. This also makes things easier if you kick the bucket, simply put your Lastpass account info in your will, and your heirs will be able to see the list of all the websites and their passwords. Lastpass tracks the last time you logged into each site and it can audit all your passwords pointing out weak ones which should be updated.

There are other password managers out there. I link to a review of password management utilities at the end of this blog post.

Multi-Factor Authentication

A SecureID key generator for multifactor authentication.

Some websites offer what is called 2-factor authentication or multi-factor authentication. This means you not only enter a password, but you also have other form(s) of proof that you are the account holder. These generally come in two forms that can be mixed and matched:

Hardware – For some enterprise banking applications (and Blizzard’s World of Warcraft, lol) you are given a fob with an LCD display that has a constantly-changing code that must be entered along with your password. There are also consumer versions that require a usb ‘dongle’ to be plugged into your computer before you can access the website. Yubikey is a very popular off-the-shelf solution, and Sesame (by lastpass) allows you to create your own dongle (this lifehacker article shows how.)

Txt/Phone/Email –  When you try to login, you are sent a one-time temporary code via email, txt or phone call to enter (along with your password) before you can login. This method is very common with consumer online banking sites, and some gaming platforms (like Steam). Some sites allow users to set this up by registering an email or phone number. Gmail allows users to set up their own 2-factor authentication by tying your phone number to your account.

This seems like a royal pain to me, but if you want real security, multifactor auth is the way to go.

Make A Better Password And Protect Your Data

There will always be a lovely dance between security and usability. You want your  data kept safe from others, but easy to access for yourself. No matter what method of password protection you use, the end goals are the same:

Make sure all your passwords are STRONG, which means 8 characters or more (ideally closer to 20.)
Use a UNIQUE password for each website.

If you really want to be Conspiracy-Theorist-Secure, then you simply don’t use computers at all, or enable multi-factor authentication and make unique 20+ character passwords for every online service and commit them to memory.

That’s too much work for me. Like I said, I’m not going to make it easy for hackers to get my data, but I’m also not going to make it hard for myself. For me, a password management program like Lastpass seems like a reasonable compromise between security and usability. Regardless of what you decide to use, passwords under 8 characters really should be outlawed at this point. Any web or network admin who allows them might just as well post them to the internet.

So screw the hackers! Strengthen your passwords today! And don’t forget to share this info with others.

 Password Resources

The Best Password Managers – PCMag Review – 28 Jan 2014
Keepass Password Manager
Lastpass Password Manager
Make Your Password Manager Even More Secure with a $25 Yubikey – Lifehacker.com – 16 Oct 2013
How to Build a (Nearly) Hack-Proof Password System with LastPass and a Thumb Drive – Lifehacker.com – 25 Jan 2012
Sesame Authentication for Lastpass


Yours Darkly,
Conrad Zero