Password Strategy and KeePass Password Management

by March 30, 2010 03/30/10

If you’d like a better perspective on how  dependent  we are on digital services, imagine your bank account being looted, locked out of your email, and your Facebook page vandalized.

While we in the preparedness community like to focus on the beans, bullets, and bullion for someday, information security affects the now.

An AR and a stockpile of Mountain House may give you peace of mind, but until your online services and personal data are secured with strong passwords, you should feel exposed. It is by no means the only aspect of information security to be aware of, but for most regular people, it is the weakest link.

Fortunately, this is one of the threats that is  free and extremely  easy to neutralize. First I will explain the “why” behind passwords, and then the “how.” By the end, you should have an easier time managing passwords and have a way to secure your sensitive documents.

Theory of Password Strength

So what does password strength actually mean? Simply put, it means minimizing the probability of guessing the password without knowing it. The three factors that play a role in this are character set, length, and entropy.

Character set means the possibilities for each position in the password; a numeric password has 10 possibilities (0-9), a lower-case letter password has 26 possibilities (a-z), and a password consisting of all the ASCII characters has 94 possibilities per spot.

Password length exponentially increases the possible passwords in that space. For example, a single character password would have 94 possibilities (941 options).   A two character password has 8836 possibilities (942), and an eight character password would have 6,095,689,385,410,820 possibilities (948). Obviously, longer is better, especially if you are using mixed case characters, symbols and numbers.

Lastly, entropy is one of the most important factors. Entropy is just a fancy word for randomness, or how easy it is to predict the next letter based on the previous. For example, if the first five characters were “11111″, there’s a higher probability of the sixth being “1″ rather than “Q”.

This is why password advice is to always have a random password, at least eight characters long, using numbers, letters, and symbols.

How Passwords Are Broken

In a realistic threat assessment, you’re much more likely to have your password stolen as you type it by a piece of malware installed by funny screensaver you downloaded. Also, the number of guesses per second is severely limited on online services that limit the number of guesses and add computer-stopping CAPTCHA’s after a handful of failed attempts.

For now I’ll focus on how passwords are broken in the worst case. This means the attacker has a copy of the password hash or encrypted data on their own machine and the password never changes; for example, a government agency has a copy of your encrypted “photos” and are trying to gain access.

Modern password cracking tools don’t incrementally go through and try each option. They start with pre-compiled lists of English words, phrases, and commonly used passwords. In addition, there are other kinds of intelligent statistical methods that shorten time-to-crack, but assuming you followed the rules above, it will be forced to resort to brute-force guessing.

The next factor in how long it takes to crack is how much parallel computation power can the attacker muster. While modern CPU’s are very fast, it is actually Graphical Processing Units traditionally found in video cards that are the real power-houses of password cracking. The short reason is that regular CPU’s are very good at computing serial calculations (where the input of the next depends on the results from the last calculation) and that GPU’s are good at hundreds of  simultaneous, independent calculations. Guessing passwords falls in the latter category.

Using off-the-shelf hardware is so good, US Customs have bought 20 PlayStation 3′s to replace their existing Dell password-cracking cluster. An off-the-shelf Nvidia GeForce GTX 285 gaming graphics card ,which only  costs $400, can make an estimated 580 million guesses per second per card. Government and corporate budgets can afford hundreds of these for a cluster.

To estimate your password strength, divide your password’s possibilities (unique characters used to the power of the password’s length) by the best guess of how many passwords can be guessed per second. Our 8-character password would last 12.1 days against 10 GTX 285′s, 6 against 20 cards, etc.

KeePass Password Management

MainScreenKeePass is an application used to store passwords in an encrypted file, with versions available for Windows, Linux, Mac, iPhone, Blackberry and the Android platform. The format that these applications store the passwords in (.kdb) is a single file containing a database of all your login credentials.

By protecting all of your passwords with a single master password, you get two advantages. The first is that you can u case the in-built password generator to protect all of your accounts with a unique,  ridiculous  strong password. The way most systems (should) handle passwords are agnostics about length and character set. This means your password can often be a 64-character, full-ASCII set protected password that you never have to remember. If one password is compromised on an online forum, your bank password is still secure.

The second advantage is you’ve reduced the exposure from dozens of systems which all need to be protected to a single point of failure. Now you can focus on remembering an extremely strong password and securing that single file.  Your KeePass database can be protected by an unlimited length password, and so I recommend Robert Hensing’s advice which is to use a pass-phrase.

Use an entire sentence which contains punctuation and numbers, but is memorable to you; avoid well known phrases or song lyrics (as those would likely be checked by password guessers), but something unique like “My first dog, Fluffy, died when he was 12 years old.” This is a 52 character password with mixed case letters, numbers, and symbols; while it does not have perfect entropy, it’d be damn hard to crack by anyone but the most determined and knowledgeable attacker.

By having it password protected, you could reasonably email the database to yourself or copy it to a thumb-drive and keep it at another location to keep it secured. It technically exposes you to a higher risk of getting cracked, but hard-drives die, computers are stolen, and houses burn down. I’d rather take the chance the Black  Helicopters  decrypt my SSL message to GMail than not back it up and lose access to all my systems.

Besides, a real-world attacker can always use rubber-hose cryptanalysis.

Attaching and Encrypting Files

AddEntryScreenThe other major (and underrated) feature in KeePass is the ability to include other files “attached” inside your database. On an entry, you can attach any type of file, including ZIP, to an entry that will keep it encrypted an inside of the KDB file.

Without having to install or deal with more complicated file encryption schemes, this is a dead-simple to way to keep a limited number of files fairly secure.

Final Notes

Attackers come in all forms, and  whether  you’re keeping your secret plans safe from the New World Order, or just keeping your savings account safe from thieves, the principals of good information security remain the same. Passwords are not the sexiest of topics, but they are the keys to your online life.

Taking a few minutes to put your logins in order will, at worst, keep you from having to recover your password, and at best, save you from a serious financial or privacy blow.

Editor’s Note: Andrew Stuckey has degree in Information Systems from the Wisconsin School of Business and is developing CitizenArmory.com, an online marketplace for firearms transactions. Please join us in welcoming him as a guest writer on ITS Tactical.


Are you getting more than 14¢ of value per day from ITS Tactical?

Please consider joining our Crew Leader Membership and our growing community of supporters.

At ITS Tactical we’re working hard every day to provide different methods, ideas and knowledge that could one day save your life. Instead of simply asking for your support with donations, we’ve developed a membership to allow our readers to support what we do and allow us to give you back something in return.

For less than 14¢ a day you can help contribute directly to our content, and join our growing community of supporters who have directly influenced what we’ve been able to accomplish and where we’re headed.

Click here to learn about all the benefits and Join!


Bryan Black
Bryan Black

You got us there brother, we've been trying to find a workaround for quite awhile now. It's definitely a concern.

If you've got any suggestions don't hesitate to post 'em up.

Thanks for your support,

Bryan

cpf240
cpf240

Great article and comments. One small problem... your site sends a copy of a new members login name and password in clear text via e-mail when an account is created. Sure, one could create an account using a temporary password, and then login and change it. I just found it humorous when I signed up today after reading this article.

Andrew Stuckey
Andrew Stuckey

Glad you liked the article. I also use Dropbox in conjunction with it too; I actually considered putting it in the article, but I figured it was long enough as it is. I felt a little queasy putting my passwords on it at first, but it's just too damned convenient and trust the encryption implementation enough.

I used to think the copy-and-paste feature was an advantage too, but unfortunately most modern keyloggers copy out clipboard text too, so I'm not sure how robust of protection that is.

As far as Van Eck is concerned, I'm skeptical about how practical of an attack that is. In theory, maybe you might be able to tell something like screen color, but to say you can pick up 12 point font on an low-power LCD screen from another room, I don't know. There are demonstrated attacks against eavesdropping on wired and wireless keyboard connections, even via power outlets, that seem more useful. You get to a point though where you realize the limitation of any security system and just say "good enough".

My friends often use the the l33t method too; it might add a marginal amount of time to the decryption process, but many of the larger rainbow tables includes l337 variations of most words. You'd probably be better off adding another character or expanding the set.

Thanks for the additional info!

b.
b.

I've recently started using LastPass because of its browser integration. From what I've read on Lifehacker , it operates in much the same way as KeePass, but the user can access their information via browser extension, no matter where they are. To deal with unsecure wireless networks, one can create one-time passwords that will be discarded after their use.

I enjoyed the write-up & look forward to your continued contributions.

b.
b.

I've recently started using LastPass because of its browser integration. From what I've read on Lifehacker , it operates in much the same way as KeePass, but the user can access their information via browser extension, no matter where they are. To deal with unsecure wireless networks, one can create one-time passwords that will be discarded after their use. I enjoyed the write-up & look forward to your continued contributions.

Pig Monkey
Pig Monkey

If you've already decided that you trust the computer in question enough to login to your Amazon account, or your Gmail account, or whatever it is, what is to prevent you from plugging in your USB drive, firing up the portable version of your password manager that you have on there, and getting the needed password? I fail to see the downside...

Pig Monkey
Pig Monkey

Good stuff! KeePass(x) + Dropbox makes an excellent password management system.

One of the main security benefits to KeePass wasn't mentioned in the article. As the author mentioned, "you’re much more likely to have your password stolen as you type it by a piece of malware installed by funny screensaver you downloaded." With KeePass, you can hit one button and have the password for the chosen account copied to your clipboard (the clipboard is then cleared after a set interval of time). You never have to actually type the protected passwords, so keyloggers become irrelevant (except for your master passphrase -- but even that problem can be addressed by using a key file in conjunction with your passphrase).

Never typing your passwords, along with KeePass's behavior of automatically masking passwords with asterisks, gives you a certain measure of security against Van Eck phreaking (as well as the guy sitting at the table behind you in the wireless cafe).

This also factors in to "rubber hose" cryptanalysis. Most of my passwords are randomly generated and copied/pasted when used. You couldn't beat the passwords out of me, because I honestly don't know them. I do know my passphrases, so those could be beat out of me with a rubber hose -- although I have an odd habit of memorizing not characters, but key placement. I couldn't verbally tell you one of my passphrases: I would have to type it (on a western, QWERTY keyboard).

If you use a sentence for a passphrase, 1337-ifying it is a good idea. In the article's example, "My first dog, Fluffy, died when he was 12 years old." would turn into something like "my f1rst d0g f1|_|ffy, di3d wh3n h3 w@s 12 y3@rs 0ld." The effectiveness of that is arguable, but the idea is that you are avoiding common words, making your passphrase more secure against a dictionary attack. Some folks would advise taking out the spaces between words as well. That is certainly advisable if all that you're dealing with is a basic shift cipher, but I don't think there's much of a point with modern electronic encryption.

Another option for generating your passphrase is Diceware. There is more randomness in such a system, but the resulting passphrase might be harder for some people to remember.

Pig Monkey
Pig Monkey

Good stuff! KeePass(x) + Dropbox makes an excellent password management system. One of the main security benefits to KeePass wasn't mentioned in the article. As the author mentioned, "you’re much more likely to have your password stolen as you type it by a piece of malware installed by funny screensaver you downloaded." With KeePass, you can hit one button and have the password for the chosen account copied to your clipboard (the clipboard is then cleared after a set interval of time). You never have to actually type the protected passwords, so keyloggers become irrelevant (except for your master passphrase -- but even that problem can be addressed by using a key file in conjunction with your passphrase). Never typing your passwords, along with KeePass's behavior of automatically masking passwords with asterisks, gives you a certain measure of security against Van Eck phreaking (as well as the guy sitting at the table behind you in the wireless cafe). This also factors in to "rubber hose" cryptanalysis. Most of my passwords are randomly generated and copied/pasted when used. You couldn't beat the passwords out of me, because I honestly don't know them. I do know my passphrases, so those could be beat out of me with a rubber hose -- although I have an odd habit of memorizing not characters, but key placement. I couldn't verbally tell you one of my passphrases: I would have to type it (on a western, QWERTY keyboard). If you use a sentence for a passphrase, 1337-ifying it is a good idea. In the article's example, "My first dog, Fluffy, died when he was 12 years old." would turn into something like "my f1rst d0g f1|_|ffy, di3d wh3n h3 w@s 12 y3@rs 0ld." The effectiveness of that is arguable, but the idea is that you are avoiding common words, making your passphrase more secure against a dictionary attack. Some folks would advise taking out the spaces between words as well. That is certainly advisable if all that you're dealing with is a basic shift cipher, but I don't think there's much of a point with modern electronic encryption. Another option for generating your passphrase is Diceware. There is more randomness in such a system, but the resulting passphrase might be harder for some people to remember.

Thompson
Thompson

Good info. Thanks again for another well written useful article. Now just gotta wait to get the plank owners t shirt.

Norman White
Norman White

EXCELLENT article.

As an InfoSec professional, I deal with stuff like this every day. You'd be surprised how many people out there make their passwords simple like their wifes name, kids names, phone numbers, etc.

From a corporate standpoint, in e-terms, the biggest threat is the user. People need to realize this and think before they make their password fluffy1982.

Norman White
Norman White

EXCELLENT article. As an InfoSec professional, I deal with stuff like this every day. You'd be surprised how many people out there make their passwords simple like their wifes name, kids names, phone numbers, etc. From a corporate standpoint, in e-terms, the biggest threat is the user. People need to realize this and think before they make their password fluffy1982.

Johnny Abacus
Johnny Abacus

A few notes:

1. There are significant downsides to using a password manager: what happens when you are away from your computer?

Of course, there are all sorts of security hazards involved in using other peoples' computers, but for most non-financial accounts, I doubt the risk is so high as to prevent most people from logging in (or wanting to).

2. Pass-phrases are great - I try to use them as much as possible. There is no benefit from overdoing it, though; specifically, there is no point in making your password more complex than the underlying cypher - generally 128 bits these days.

A 27 character only-lower-case-and-spaces pass-phrase is sufficient to reach this threshold.

Johnny Abacus
Johnny Abacus

A few notes: 1. There are significant downsides to using a password manager: what happens when you are away from your computer? Of course, there are all sorts of security hazards involved in using other peoples' computers, but for most non-financial accounts, I doubt the risk is so high as to prevent most people from logging in (or wanting to). 2. Pass-phrases are great - I try to use them as much as possible. There is no benefit from overdoing it, though; specifically, there is no point in making your password more complex than the underlying cypher - generally 128 bits these days. A 27 character only-lower-case-and-spaces pass-phrase is sufficient to reach this threshold.

Bryan Black
Bryan Black

You got us there brother, we've been trying to find a workaround for quite awhile now. It's definitely a concern. If you've got any suggestions don't hesitate to post 'em up. Thanks for your support, Bryan

Muhahahahaz
Muhahahahaz

He probably doesn't know there's a portable version. People are always looking to find the downside to something new, or for something they're simply too lazy to try.

But the fact is, KeePass is amazing! :D

Muhahahahaz
Muhahahahaz

He probably doesn't know there's a portable version. People are always looking to find the downside to something new, or for something they're simply too lazy to try. But the fact is, KeePass is amazing! :D

Andrew Stuckey
Andrew Stuckey

Glad you liked the article. I also use Dropbox in conjunction with it too; I actually considered putting it in the article, but I figured it was long enough as it is. I felt a little queasy putting my passwords on it at first, but it's just too damned convenient and trust the encryption implementation enough. I used to think the copy-and-paste feature was an advantage too, but unfortunately most modern keyloggers copy out clipboard text too, so I'm not sure how robust of protection that is. As far as Van Eck is concerned, I'm skeptical about how practical of an attack that is. In theory, maybe you might be able to tell something like screen color, but to say you can pick up 12 point font on an low-power LCD screen from another room, I don't know. There are demonstrated attacks against eavesdropping on wired and wireless keyboard connections, even via power outlets, that seem more useful. You get to a point though where you realize the limitation of any security system and just say "good enough". My friends often use the the l33t method too; it might add a marginal amount of time to the decryption process, but many of the larger rainbow tables includes l337 variations of most words. You'd probably be better off adding another character or expanding the set. Thanks for the additional info!

The Latest
Squawk Box

ITS Guy Fawkes Morale Patch - Inspired by our original ITS Guy Fawkes design and numerous requests, we’ve created a patch to “remember, remember, the fifth of November.” November the Fifth marks a day of celebrating in Britain by burning effigies of Guy Fawkes and remembering the Gunpowder Treason & Plot. The history surrounding the plot, which created a day of infamy, is an interesting one with many lessons learned. Click here to learn more about the history behind this patch.

2 hours ago
Leave a Comment