AARNet / Digital-Skills-GitBook

The Living Book of Digital Skills - a GitBook project - https://aarnet.gitbook.io/digital-skills-gitbook-1/
23 stars, 49 forks

Discussion of safety of online password generators #133

Closed sarasrking closed 2 years ago

sarasrking commented 2 years ago

Related to issue #130 - This issue is for the discussion of safety of online password generators, perhaps instead recommending a tool that only the local computer can access, rather than a web-based password generator. This comes from feedback given privately.

JennaMalkin commented 2 years ago

This is also related to https://github.com/AARNet/Digital-Skills-GitBook/pull/127 , which introduced the recommendation of online password generators. Perhaps Diceware https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases should be recommended as a stronger alternative?

vk5tu commented 2 years ago

Many password managers come with a suitable password generator. Set it to produce a password of at least 14 characters (ref: ACSC Information Security Manual, item ISM-0421).

It is best if the random passwords include A-Z, a-z, 0-9 and punctuation, but the allowable punctuation tends to vary by website. Many password generators will give an indication of the 'strength' of the password; obviously, make the length long enough that it is rated 'strong' or more.

Using a password manager to generate passwords is recommended. Reputable password managers include Lastpass, 1Password, Bitwarden, KeepassXC. There are also password generators within web browsers: Firefox, Chrome and Edge. These browsers all generate and store good passwords, but they do not share a common password store.

When using a password manager there is no reason not to have a very long random password. One with so many random bits that the password never needs to be changed because of advances in cryptography.

Windows, MacOS and Linux have built-in "secrets" storage. MacOS's Keychain Access app will generate passwords. Linux's command line pwgen will generate passwords.

Assessing a password's strength is complex. The best paper is Wheeler, "zxcvbn: Low-Budget Password Strength Estimation" at USENIX Security Symposium 2016. Generally password managers' assessments use an algorithm similar to the one in this paper, and include: the length of the password; the complexity of the password; the creation date of the password; and a 'distance' of the password from other passwords in the database, including old passwords.

A warning about websites' "security questions". These are also exposed in hacks of websites. This might give enough information to be used in a 'social engineering' attack. For example, someone calling a bank and successfully validating your identity using this information.

It's best to fill the response to that "security question" with some random characters, and then store those answers in the "encrypted notes" alongside your password in the password manager.

A warning about websites storing phone numbers. These are also valuable information, as the number can be assigned to a handset controlled by a criminal, which is then used by systems that text your phone for authentication, to pass 2FA. It's better to use a strong 2FA such as FIDO's U2F or WebAuthn found in hardware tokens. Using a TOTP 2FA app is better than providing a phone number.

Reach out to me at work if you need some pages written.
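The comment above recommends a locally run generator (a password manager's own, or pwgen), at least 14 characters, all four character classes, and random answers to "security questions". The following is an added example that is not from the GitBook, from the commenter, or from any named password manager: it does those things with Python's standard `secrets` module, so nothing is sent to a web page. The punctuation set and the 14-character floor are assumptions taken from the thread.

```python
"""Generate passwords locally with Python's standard library.

Added example; not from the GitBook or the commenter, and not the generator of
any named password manager. It relies only on the `secrets` module (a
cryptographically secure RNG). The punctuation set and the 14-character floor
are assumptions taken from the thread (ISM-0421 as cited above)."""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Assumed default; trim it to whatever punctuation a given website accepts.
PUNCT = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
MIN_LENGTH = 14  # floor cited in the thread (ISM-0421)


def generate_password(length: int = 20, punct: str = PUNCT) -> str:
    """Return a uniformly random password containing at least one character
    from each non-empty class (lower, upper, digit, punct).

    Coverage is enforced by rejection sampling: draw the whole string, check,
    redraw on failure. Forcing one character per class into fixed positions
    would make the output non-uniform and slightly easier to guess."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = tuple(cls for cls in (LOWER, UPPER, DIGITS, punct) if cls)
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string over `alphabet_size` symbols.
    The class-coverage rejection removes a negligible fraction at these lengths."""
    return length * math.log2(alphabet_size)


def security_question_answer(nbytes: int = 16) -> str:
    """A random string to give as the answer to a site's 'security question';
    keep it in the password manager's encrypted notes next to the password."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    alphabet_size = len(LOWER + UPPER + DIGITS + PUNCT)  # 90 with the default set
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20, alphabet_size):.1f} bits)")
    print("security-question answer:", security_question_answer())
```

With the default alphabet of 90 symbols a 20-character password carries about 130 bits, which is the "never needs to be changed because of advances in cryptography" regime the comment describes; pass a smaller `punct` string when a site rejects some symbols and the entropy per character drops only slightly.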

sarasrking commented 2 years ago

@vk5tu This information is really helpful! It would be great if you would like to contribute it to the book. It would be helpful if you could expand on some of the acronyms and add them to the glossary as well. If you'd like to contribute, please tag the original author @blair-kelly for review. Thanks so much for all of this really useful information.

JennaMalkin commented 2 years ago

Apparently you can get the code to online password generators in the webpage's source code. We also need to provide advice on how to make a good master password for your password manager.

vk5tu commented 2 years ago

> We also need to provide advice on how to make a good master password for your password manager.

Looking for Australian Government guidance on main passwords of password databases…

The information within the password database — access to all the websites used by a person — is roughly a Protective Security Policy Framework classification of PROTECTED, namely release of the content causes "Damage to… individuals". Perhaps some password databases only contain information which causes them to be marked SENSITIVE; release of the information causing "Limited damage to… individuals". See PSPF Chapter 8 section B.1.

For the qualities of a password which secures SENSITIVE or PROTECTED information we then look to the ACSC's Information security manual:

The ISM begins by recommending a second-form of authentication to secure this material:

> single-factor authentication is no longer considered suitable for protecting sensitive or classified data.

The ISM then reluctantly allows 1FA where no 2FA is possible, with ISM-0417 "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented"

The ISM gives this recommendation for passwords for both SENSITIVE and PROTECTED information, with ISM-0421: "Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters".

The ISM then places these criteria on passphrases:

I think the above form the set of recommendations for a main password for a password database which can be supported by reference to official Australian Government security guidelines. We could refer readers to the ISM for more information.

As an aside, let's call it "main password" rather than "master password", to make the document more inclusive. For trends in this area see Casey Tonkin, "Linux, Twitter look to remove 'blacklist/whitelist' from code", Information Age, Australian Computer Society, 2020-07-08.
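The comment above reduces the main-password recommendation to ISM-0421 as quoted: at least 4 random words, total minimum length 14 characters, with Diceware-style word lists suggested earlier in the thread. The following is an added example, not from the GitBook, the commenter or the ISM, that turns that wording into a generator and a shape check. The embedded word list is a constructed stand-in so the code runs offline; for real use, parse the EFF long list (7776 words) linked above with `parse_wordlist`.

```python
"""Random-word passphrase generator for a password manager's main password.

Added example; not from the GitBook, the commenter, or the ISM itself. It
applies the ISM-0421 wording quoted in the thread (at least 4 random words,
total minimum length 14 characters) using Python's `secrets` module. The
embedded SAMPLE_WORDS list is constructed for testing only."""
import math
import secrets
from typing import List

MIN_WORDS = 4   # ISM-0421 as quoted in the thread
MIN_CHARS = 14  # ISM-0421 as quoted in the thread

# Constructed sample; far too small for real use, present so the code runs offline.
SAMPLE_WORDS = [
    "acorn", "bison", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "inlet", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def parse_wordlist(text: str) -> List[str]:
    """Parse an EFF-style list: one word per line, optionally prefixed by a
    dice roll ('11111\tabacus'). Returns the words only, de-duplicated, in order."""
    seen, words = set(), []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        word = parts[-1]
        if word not in seen:
            seen.add(word)
            words.append(word)
    return words


def generate_passphrase(words: List[str], n_words: int = 6, sep: str = "-") -> str:
    """Pick `n_words` uniformly at random (with replacement) and join them.
    Redraws until the letters alone total MIN_CHARS, so a run of short words
    cannot produce a phrase below the ISM floor."""
    if n_words < MIN_WORDS:
        raise ValueError(f"n_words must be at least {MIN_WORDS}")
    if len(set(words)) < 2:
        raise ValueError("word list is too small to be random")
    if n_words * max(len(w) for w in words) < MIN_CHARS:
        raise ValueError("word list cannot reach the minimum length")
    while True:
        picked = [secrets.choice(words) for _ in range(n_words)]
        if sum(len(w) for w in picked) >= MIN_CHARS:
            return sep.join(picked)


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy before the length rejection. With the 7776-word EFF list each
    word adds about 12.9 bits: 4 words is ~51.7 bits, 6 words ~77.5 bits."""
    return n_words * math.log2(list_size)


def is_compliant(phrase: str, sep: str = "-") -> bool:
    """Check the two ISM-0421 conditions on an existing phrase. This checks
    shape only; it cannot tell whether the words were chosen randomly."""
    parts = [p for p in phrase.split(sep) if p]
    return len(parts) >= MIN_WORDS and sum(len(p) for p in parts) >= MIN_CHARS


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, n_words=6)
    print(phrase, is_compliant(phrase))
    print(f"6 words from the EFF list: ~{passphrase_entropy_bits(6, 7776):.1f} bits")
```

The 4-word minimum gives about 52 bits with the EFF list, which is the ISM floor rather than a target; since the main password protects every other password, the default here is 6 words (~78 bits), and the entropy figure depends only on the list size and word count, never on how the words look.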

vk5tu commented 2 years ago

I wanted to separate out my view from the official Australian Government recommendations, so a second comment.

My basic view is that passwords are no longer fit for purpose.

We should have moved away from passwords by now, but that was messed up by sites like Google, Facebook and others all competing to 'own' your account. You can use any of those to be an authentication provider. But none of them will accept authentication provision by a competitor.

So we have ended up in a highly unsatisfactory situation.

Some minor points:

Password databases should not be thought of as holding passwords. Think of them as holding long unique keys which allow access to each website. So use the password generator of the password manager to generate a long random key/password, then store that key/password into the database. If you have an existing password, when you move to a password manager then change the password to be a long and random key, that ensures that the password is not used on another website.