STRONG PASSPHRASES FOR PRIVACY AND SECURITY

Crossposted from Choose Privacy Week

I’m sorry to be the one to tell you this, but your password sucks. I know you use the same one for everything, and it probably contains some personally identifiable information – your dad’s birthday, your pet’s name, the year of your anniversary. Even if you think you’ve got a good password strategy, if it contains any kind of pattern – a famous quote, a song lyric – it can very easily be cracked. Consider how much access that password — the one you’re using for everything – gives to your private life. Whether you’re worried about exploits from criminal hackers or rogue government intelligence agencies, weak passwords put your private data at risk.

It’s not your fault you have such a terrible password – we’ve been taught a lot of bad rules about making passwords. This xkcd comic sums it up well; in fact, this comic spawned something that’s often called the “xkcd method” of creating strong passphrases – using five or six random words for a passphrase, resulting in something both strong and easy to remember. One of the simplest ways to come up with an xkcd-style passphrase is with dice and the Diceware word list, which Micah Lee of The Intercept recently wrote about. In brief, you role a die 5 times and choose the Diceware word represented by that number. Repeat this process 4 or 5 times total and you’ve got a high-entropy, easy to remember passphrase of random words.

You can use the method Micah wrote about to create a passphrase for a password manager like KeePassX. Using an in-browser password manager is placing a lot of trust in “the cloud”, which is really just an ethereal-sounding way of saying “a server that you do not control”. KeePassX lets you create an encrypted password database that is stored locally on your computer. It’s also free and open source software (FOSS), which allows the user to examine or modify the source code, making it much more difficult for, say, a government agency to place a backdoor in that software. If there is a backdoor, it’s not just being used by the intelligence agencies – you can guarantee that other people will find it and use it to exploit your private data (for more on FOSS and privacy, watch Jacob Appelbaum’s keynote from LibrePlanet 2014). Using a strong passphrase to log in to KeePassX, you can store more xckd-style passphrases in the database, or use the passphrase generator built into the software.

Another method for storing strong passphrases is with the Yubikey a small piece of hardware that fits in your USB drive and can also function as a two-factor authentication device. I use Yubikeys in static password mode which allows me to store two high-entropy passphrases. You press the button on the Yubikey when you need to retrieve your password – an additional measure of protection against exploitation, since passwords can be stolen by keyloggers. I use a prefix with the passphrases I store on a Yubikey – I type in the prefix, then I tap the Yubikey for the remainder of the passphrase. This way, if someone steals my Yubikey, they still don’t have my whole passphrase. If you are using Yubikey with a passphrase that you don’t memorize, be sure to back it up (you should back up the passphrases that you DO memorize, too – your memory is fickle, I promise). If you’re a GNU/Linux user, you can store the passphrase in an encrypted LUKS volume. You can also write the passphrase on a piece of paper and store it somewhere safe.

You’ll get used to this passphrase strategy pretty quickly once you’ve set it up. When you’re comfortable using it, consider how you could teach it to patrons in computer classes or technology help sessions. You may want to use or modify my course slides for a basic online privacy class, or incorporate passphrase strategies in existing computer instruction courses. Our patrons already look to us for help in learning to use their computers; this passphrase strategy is just one of many ways we can help our patrons take back some control of their online privacy and security.