Chapter 8: Passwords

All of the systems and tools in this book use passwords as a method to correctly identify authorised users and secure against unauthorised access. Strong passwords are a key line of defence at all levels of information security.

However, bear in mind that passwords to online accounts are mainly a defence against non-state hackers (who are also able to obtain increasingly sophisticated commercial password cracking programs).  There may be backdoor access at a state level to your online accounts, ultimately rendering a password irrelevant. That is one good reason to encrypt your emails – you may have an incredibly strong Hotmail password, but it doesn’t stop intelligence agencies forcing Hotmail to handover all of your emails anyway (or more likely, covertly intercepting and collecting them without permission). If your emails are encrypted, all Hotmail can hand over is a pile of (thus far) uncrackable code.

So, whilst strong passwords are always a good idea, passwords that protect your system (eg hard disk encryption) and your encryption programs are far more important than passwords to online accounts.


  • Forgetting and losing passwords
  • Overriding passwords by backdoor access (online accounts)
  • Hacking (relatively unsophisticated password hacking)
  • Password cracking (sophisticated)
  • Key logger
  • Being coerced into revealing a password

InfoSec action:

  • Learn how to create strong passwords
  • Use KeePassX password manager (if you trust your system). KeePassX is an open source password manager that can generate and store usernames and passwords in an encrypted, local database, protected by your master password. It is available for Linux, Mac and Windows.
  • Store the most important passwords in your head only
  • Use hidden volumes for important encrypted files

Password cracking: understanding the risk

If your system is insecure, password cracking in a targeted attack is simple. An adversary could physically or remotely insert a key logger into your system, to record every keystroke. This would mean that an adversary captures every thing you type, including your passwords. This is not a hugely sophisticated attack and yet totally invalidates other security measures. Therefore, it really is important to secure your system in the very first instance, as described primarily in chapters one and two.

However, if your system is secured and your adversary does/can not use key logging tools, an attacker may try to crack the passwords that protect your system, software and accounts (and this may be either in a large scale hack of thousands of users, or in a targeted attack against an individual).
Password cracking programs are used by authorities across the world, but sophisticated versions are also available as commercial products. A password cracker can automatically test at least eight million passwords per second and may run for days, on many machines simultaneously. For a high-profile target, a password cracker could run on multiple machines, for months.

Password crackers try the most common passwords first. A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). A cracking program would typically start with a dictionary of about 1,000 common passwords, such as "letmein," "temp," "123456," and so on, and then test them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!," and so on. It is thought that about a quarter of all passwords can be cracked with just these 100,000 combinations.

Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalisations and common substitutions: "$" for "s", "@" for "a," "1" for "l" and so on. This guessing strategy quickly breaks about two-thirds of all passwords.

The attacker can feed any personal information available about the password creator into the password crackers. A good password cracker will test names and addresses from the address book (post codes are common appendages), meaningful dates, and any other personal information it has.

A particularly comprehensive attack can be launched if your hardware is insecure (the root of all problems!). An attacker can index a target’s hard drive and create a dictionary that includes every printable string, including deleted files. If you ever saved your password in an obscure file somewhere, or if your program ever stored it in memory, this process will grab it and aid the process of cracking your password.

How to create a strong password

A strong password is one that the cracking process described will miss.

Password manager

One option is to use open source password management software such as KeePassX to generate a random, long, alphanumeric password (with symbols too, if they are permitted for the particular password), and then save it in your own encrypted password database. If you trust the other layers of your system, this is a fairly robust option.

Furthermore, this is a good way to store multiple complicated passwords for multiple accounts, with KeePassX also having entry fields for URLs, account names and comments for each password stored, so you can securely store all the information you need.  The random passwords generated are unmemorable, which fulfils a security function in itself. However, KeePassX allows you to easily copy and paste passwords from the database, so you don’t even have to type them.

There is some debate as to how good such programs are at effectively randomising, but the human brain is pretty awful at randomising too, so it remains one of the best options we currently have.

You will need to create a master password for KeePassX, which must be very strong. You should aim to store this password only in your own head.

Schneier scheme

You should use manually created passwords to encrypt your whole system, any encrypted USB stick or highly important file (e.g. source documents), and your password manager. These important passwords should be stored in your human memory only, and therefore need to be memorable.

Of course, to minimalise any damage should a password be compromised, you should avoid re-using passwords.

To manually create a password, we recommend the ‘Schneier scheme’, a method advocated by Bruce Schneier, the internationally renowned cryptographer and security expert.

Schneier advises taking a memorable sentence and initialising, symbolising, and numbering the words to turn it into a password.

For example, "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Choose your own sentence - something personal, but not obviously related to you through public data.

Here are some examples:

  • WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
  • Wow...doestcst = Wow, does that couch smell terrible.
  • Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
  • uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.

(Of course, do not use any of the above examples – now that they have been used, they are invalid as strong password options).

Being coerced into revealing a password

Let’s hope that you are never in this situation. However, let’s say a malicious group or agency has intercepted you, carrying an encrypted USB stick (with your most important files, or source documents), and they are prepared to go to extreme lengths to obtain the password in order to decrypt. What do you do?

In these instances, it may be helpful to have a hidden volume on your USB drive. A hidden volume is not visible to anyone and does not appear to take any space on a drive. As such, it can be overwritten easily. However, it means that the visible encrypted volume can act as a decoy, and provide you with plausible deniability. In the visible encrypted volume, you can store files that could reasonably warrant security and encryption, and this volume has its own password. However, the hidden encrypted volume sits undetected beneath the visible volume, and has a separate password.

You can create a hidden encrypted volume with VeraCrypt (see chapter 4). This method may help protect the information from interception, but not from loss – it can be easily destroyed or overwritten so you should always back up important files.

(Much of this chapter is adapted from Bruce Schneier’s blog, . We thank Mr Schneier for allowing us to use his work).

Next page   ➜