Nuldi.com - Everything You want to Know.
 
  • Using Common Phrases Makes Your Passphrase Password Useless: Here’s How to Pick a Better Phrase

    In Security, Passwords, Passphrases, Privacy, Hacks, Password Security, Password Management, Strong Passwords, Password Strength, / 15 March 2012 / 0 comments

    We've discussed how using passphrases as passwords can boost your security, but if you've chosen a phrase used in every-day speech, you're not doing yourself—or your data—any favors. According to a new Cambridge study, a common phrase, like, say, "outofthepark," is only marginally more secure than a dictionary word, and anyone looking to crack your password already knows to try common phrases along with common words. If you prefer passphrases, here's how to make them more secure.

    Why Common Passphrases Aren't As Secure As You Think

    The reason that many password systems won't allow you to choose dictionary words as your passwords—or at least require you to add numbers, capitals, or special characters to those words—is because the first thing a hacker will do to try and guess a password is try every word in the dictionary to see if they can get in. Even swapping out "i" for "1" or "e" for "3" often isn't enough—the fact that those tricks have been around for as long as they have means that those common substitutions are easily added to your dictionary list and included with the brute force attack. The goal of encouraging passphrases instead is to create credentials that are entirely nonsensical to a password cracking utility, but memorable to the human who needs to access a given system every day. Photo by Francis Storr.

    The trouble though is that so many people, when they embrace passphrases, use common phrases from books, popular movies, memorable quotes, sports teams, or other proper nouns that are easily guessed. A group of researchers from Cambridge University recently published a study (PDF link) where they found that using a dictionary of these common phrases allowed them to crack open about 8,000 passphrases in Amazon's old PayPhrase system. They conclude that passphrases as a password system ultimately provide less than 30 bits of security, which they note is too weak to withstand most online attacks. Ars Technica explains what this means in plain terms:

    The "30 bits of security" means the chances of a single guess cracking a four-word passphrase would be one in 2^30. What's more, the two-word phrases cracked in the study provided just 2^20.8 (or 20,656/0.0113) bits of security. Another way of expressing the same finding is that a dictionary of slightly less than 21,000 phrases is enough to guess the login credentials that slightly more than 1 percent of people in the real world will use.

    Admittedly, 1 percent of phrases is a very small number, but it's still cause for concern, and drives home the point: any security system, even if it's well built and sufficiently complex, can easily fall prey to user-introduced patterns. In the end, the user—and their password—is almost always the weakest link.

    How to Improve Your Passphrases

    This doesn't mean that all hope is lost for passphrases, or that you should give up on them and go back to standard strong passwords. Honestly, if you can combine the two, you should—the strength of a strong password with letters, numbers, varying case, and special characters is improved significantly when strung together as a phrase. The key is to pick a phrase that's easy for you to remember, but not, for example, your favorite sports team, or the name of your city and state strung together, or the make and model of your car. Yes, it diminishes the ease of memorization, but it vastly improves your security.

    The study explicitly points out that "multi-word phrases, if chosen naively according to natural language tendencies, are not as effective at mitigating guessing attacks as alternate choices, such as choosing 2 random words or choosing a personal name at random." So, in order to boost your passphrase security, you need to pick words that matter to you, but don't matter to anyone else. For example, "NissanAltima" may not be a dictionary word, but it's a proper noun that's easily guessed. Instead, you might try "My03AltimaIsBlue."

    When we discussed The XKCD passphrase generator, we pointed out another more secure method worth repeating. If you want to use your favorite lyric from a song, grab the first couple of characters from the words in your favorite line, instead of stringing the whole lyric together. We proposed that a Jackson 5 lover might extract a password from the lyrics "Oh baby give me one more chance to show you that I love you" and come up with "obgmomctsytily," which is significantly more secure.

    The XKCD Password Generator itself is a robust tool to generate passwords, mostly because the words it strings together are random—they have no meaning behind them, and would be difficult to break in a dictionary attack, and even harder if you mix case and special characters. You could also take it up a notch and use the shift-to-right method for your passwords, which really makes them unintelligible.
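
    The arithmetic behind the quoted 2^20.8 figure, next to the strength of randomly chosen words, as an added example (not from the original article or the Cambridge study). The phrase counts and the short wordlist are constructed for illustration, and 7,776 is an assumed wordlist size (that of a Diceware-style list):

```python
import math
import secrets
from collections import Counter


def effective_bits(dictionary_size, success_rate):
    """Bits of security implied by a dictionary of `dictionary_size` guesses
    that breaks a fraction `success_rate` of accounts: log2(size / rate)."""
    if dictionary_size <= 0 or not 0 < success_rate <= 1:
        raise ValueError("need dictionary_size > 0 and 0 < success_rate <= 1")
    return math.log2(dictionary_size / success_rate)


def marginal_guesswork(counts, target_rate):
    """Try phrases most-popular-first. Return (guesses needed, fraction of
    users covered) once at least `target_rate` of users are covered."""
    total = sum(counts.values())
    covered = 0
    for guesses, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered / total >= target_rate:
            return guesses, covered / total
    raise ValueError("target_rate cannot be reached")


def random_passphrase_bits(wordlist_size, words):
    """Entropy of `words` words drawn uniformly and independently."""
    return words * math.log2(wordlist_size)


def generate_passphrase(wordlist, words=4, sep=" "):
    """Pick words with a CSPRNG so no natural-language pattern is involved."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


# Constructed sample: 100 users choosing two-word phrases "naturally".
# A few popular phrases dominate; 32 users picked something unique.
SAMPLE_CHOICES = Counter({"new york": 30, "star wars": 20,
                          "red sox": 10, "dead poets": 8})
SAMPLE_CHOICES.update(f"unique phrase {i}" for i in range(32))

# Constructed stand-in wordlist; a real one needs thousands of entries.
DEMO_WORDS = ["anchor", "biscuit", "cobalt", "dune", "ember", "fjord",
              "gravel", "harbor", "ivory", "jigsaw", "kettle", "lantern",
              "mosaic", "nectar", "orchid", "pebble"]

if __name__ == "__main__":
    # The figure quoted from the study: 20,656 phrases cover 1.13% of users.
    print(f"study dictionary: {effective_bits(20656, 0.0113):.1f} bits")

    # Skewed human choices: two guesses already cover half the sample.
    guesses, rate = marginal_guesswork(SAMPLE_CHOICES, 0.5)
    print(f"sample: {guesses} guesses cover {rate:.0%} "
          f"-> {effective_bits(guesses, rate):.1f} bits")

    # Uniform random words from an assumed 7,776-word list.
    for n in (2, 4):
        print(f"{n} random words: {random_passphrase_bits(7776, n):.1f} bits")

    print("example passphrase:", generate_passphrase(DEMO_WORDS))
```

    The gap between the sample's effective bits and the random-word figures is the study's point: strength comes from how the words are chosen, not from how many there are.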

    Finally, once you've done all of this, and built a great passphrase that's difficult to crack and hard to break, do yourself a favor and plug it into a password management system like LastPass, KeePass, or 1Password, so you can use different strong passphrases for every service you use, and one memorable one to get into your password vault.


    Do you use passphrases, or stick to strong passwords instead? Maybe you mix them up? Share your password tips and tricks in the comments below.


    Title image by XKCD.

  • How to Build a (Nearly) Hack-Proof Password System with LastPass and a Thumb Drive

    In Security, Passwords, Hacks, Lastpass, Sesame, Password Security, Password Management, Privacy, Usb Key, How-to, How To, Feature, / 25 January 2012 / 0 comments

    It seems like every day there's news that a new site or service has been hacked. The intruders make off with usernames and passwords, and even if they're encrypted the service forces users to change them. This week it was DreamHost, and last week it was Zappos.

    We're big fans of LastPass, a cross-platform password manager that helps you create and manage secure, unique passwords for every site, but the point of failure is obvious: What happens if someone gets your master password? Here's how you can beef up LastPass by turning a USB flash drive into a key you have to plug in to your computer before you can access your passwords. This way, the next time a service you use has been hacked—even if it's LastPass—you won't worry.

    If you're not already using LastPass to generate, maintain, and manage different and unique strong passwords for every site and service you use on the web, it's time to get started. The beauty of LastPass is that it's available for Mac, Windows, Linux, and even mobile devices, and you can choose and remember one strong password and then use that password to manage and access all of your other logins and services on the web. Still, LastPass keeps all of your passwords in the cloud, and while they're as secure as they possibly could be, if someone gets a hold of your LastPass password, you're pretty much screwed, right? Not if you have a spare USB drive with Sesame, a utility that turns your USB key into an actual key needed to unlock your LastPass vault. Once installed and set up, you'll need both your LastPass master password and your key plugged into your Mac, Windows, or Linux PC in order to unlock your vault and access your saved passwords.

    Step One: Get LastPass and Set It Up

    The first thing you'll need is LastPass, and a Premium Account. It's $12/year, but that's a small price to pay for password security. LastPass is our favorite any-browser, any-OS password solution, and if you haven't tried it yet, The How-To Geek has a great guide to getting started with it, and we have a more advanced guide to mastering your passwords and increasing your personal security with it.

    Step Two: Grab a USB Flash Drive and Install Sesame

    The next thing you'll need is a USB flash drive. Building on the principle that the most secure password is the one you can't remember, your second authentication factor will be a device, not a passkey or code. LastPass offers a tool called Sesame that can turn any USB drive into a second authentication method to use when you need access to your LastPass vault. This way, even if someone obtains your LastPass password, it's useless without the USB drive, and vice versa.

    You already know how to secure your personal belongings, like your wallet or keys, so a USB flash drive like the LaCie key-shaped USB drives that fit right on your keychain shouldn't be a problem to keep safe and secure.

    Once you have Sesame downloaded and extracted to your USB drive, here's how to set it up:

    1. Run the Sesame utility on your USB drive, and log in with your LastPass credentials.
    2. Sesame will email you an activation code, required to enable two-factor authentication on your account.
    3. Click the link in your activation email to activate Sesame. (Note: The activation code is only good for 10 minutes.)
    4. After you've activated Sesame, you'll have to log in with both a Sesame passkey and your LastPass credentials whenever you want to access your password vault (more on this in the next section.)

    Step Three: Use Your Key to Access Your Password Vault

    Going forward, you'll need your USB drive any time you want to access your LastPass vault, like when a service or site you have an account with gets hacked and you need to change the password, or you reset a password for one of those services.

    To access your LastPass vault once you have Sesame enabled, you have two options.

    • Option One:
      1. Visit LastPass in your browser, and log in with your LastPass credentials.
      2. When you're prompted for a Sesame one-time token, pop in your USB key and run Sesame to generate your token and copy it to the clipboard.
      3. Paste the token into the authentication screen, and click OK to access your password vault.
    • Option Two:
      1. Insert your USB key and run Sesame.
      2. Check the box for "Launch Browser," and click the "Generate One Time Password" button.
      3. Sesame will generate your token, open your browser and go to LastPass, and pass the token for you. Type in your master password, and click OK to access your vault.

    Don't worry, if you lose your Sesame USB key, the key is useless without your LastPass email address and master password. You can always visit your LastPass vault, click the link in the authentication screen to tell LastPass that you no longer have your Sesame device, and confirm via email that you want to deactivate Sesame. Then, you can grab another USB key, reinstall Sesame, re-activate it, and be on your way.

    Step Four: Audit Your Passwords and Strengthen Security

    Now that your LastPass vault is well protected with two-factor authentication, it's time to tune up the passwords that LastPass is protecting. After all, LastPass won't do you much good if your Amazon password is "password" or if your Google account password is "123456." We've discussed how you can use LastPass to audit and update your passwords, and even how you can make those passwords more secure and easy to use. If you're taking steps to make your LastPass account as hack-proof as possible, you may as well go the extra mile and make your individual passwords as strong as possible as well.

    As we mentioned, Sesame is a great tool to make sure that even if LastPass gets hacked, or someone gets a hold of your LastPass master password, they don't have carte-blanche to log in to your LastPass account and grab your credentials to everything else on the web. It doesn't, however, automatically add a second authentication method for all of those services you use, so it's important to make sure those passwords are strong.

    Photo by Juan J. Martinez.

    Step Five: Consider Secondary Authentication for Other Web Services

    In addition to beefing up your LastPass account, you might want to consider activating two-factor authentication for any other web services where it's available. For example, we've discussed how you can—and should—set up two-factor authentication for your Google account, and how you can do the same for your Facebook account as well. Many banks and financial institutions are coming around to offering two-factor authentication before you can get at your financial statements or move your money around, so contact your bank or investment firm to see if that added security is available to you.

    Step Six: Stay Vigilant

    If you've been following along, you should now have LastPass set up with two-factor authentication for your vault, you've audited your passwords and made them stronger and more difficult to crack, and you've activated multi-factor authentication on the services where it's available to you. That all doesn't mean that you can relax and forget about security—you'll still need to quickly change your passwords for any sites or services you use that get hacked, and you'll still need to use different strong passwords for each site or service you use. No password mechanism, web service, or authentication scheme is completely hack-proof. That said, this should help you breathe a little easier.

    Alternatives to Your Thumb Drive Key

    LastPass provides more than one way to set up two-factor authentication, so if you don't like this specific method, you have other options. For starters, you can purchase a Yubikey from Yubico for about $25, and set up Yubikey authentication on your LastPass account for the same effect. You can also use LastPass with Google Authenticator and turn your smartphone into the "key" that—along with your master password—unlocks your LastPass vault. If you're not interested in paying for a LastPass premium account, consider grid multifactor authentication for your LastPass account, a technique we've shown you that you can apply to other services.

  • DreamHost Hacked; Change Your Passwords Now

    In Password Security, Security, Passwords, Web Security, Dreamhost, Password Security, Password Management, Privacy, Usb Key, How-to, How To, Feature, / 20 January 2012 / 0 comments

    Not even a whole week after Zappos was hacked, our favorite hosting service, DreamHost, has also had a breach. They say there's "no evidence that customer passwords were taken", but they're pushing out password changes to everyone just to be safe. In addition, you should change any of your other passwords just to be safe—that is, if they're at all similar to your DreamHost password. Just as we did during the Zappos hack, we highly recommend you set up a password manager like LastPass, and use it to help you audit your passwords. Remember, the only secure password is the one you can't remember. Hit the link to read more.

    Changing Shell/FTP Passwords due to Security Issue | DreamHost Blog via Hacker News

  • What You Should Do to Protect Yourself in the Wake of the Steam Hack

    In Security, Fraud, Credit Cards, Privacy, Password Security, Passwords, Identity Theft, Safety, Data Security, Password, Computer Security, How To, Steam Hack, / 11 November 2011 / 0 comments

    If you're a user of the popular Steam gaming platform, you've likely heard about the hack that potentially compromised passwords and credit card information. Although much of the damage has been done, there are still things you can do to protect yourself. Here's a look at your options moving forward.

    Change Your Passwords

    Perhaps you use a good, strong, unique password on your Steam account and, despite being stolen in the hack, it still remains safe and encoded. You may not be so lucky if you have a weak password. Either way, now is a good time to change it if you haven't already. When you're choosing a new password, it helps to know what the pros look for when they try to guess passwords and the methods hackers use to crack them, so you can avoid falling into those traps. There are also a few good practices to follow. The most secure password is often one you don't even know. If you'd prefer something memorable, however, a multi-word password is generally considered to be among the most secure types. When you've come up with a password you like, be sure to test it so you know you didn't come up with one that's easy to guess or hack. Change it on your Steam account and you'll be in better shape.

    Change Your Email Password, Too

    If you're feeling a little worried, one thing worth noting is that Steam pays attention to when you access it from new computers. You have to enter a new code each time that is delivered via email, so even if your password was compromised the person trying to use it would also need access to your email account. It's best to have unique passwords for all your accounts, but if you've been using the same password this might be a good time to change. At the very least, make sure your email password doesn't match the one you use for any other service.

    Monitor Your Credit and Debit Cards

    It is still unclear whether or not any credit cards associated with Steam accounts were actually compromised, but you're going to want to keep a close eye on your statements to make sure there are no fraudulent charges. You may also want to call your bank and see what they suggest you do in this situation. They'll likely err on the side of security and suggest a replacement card with a new number. This can be a little inconvenient as it means being without your card for a while, but if you go into one of your bank's branches you can usually get a temporary ATM card so you'll at least have easy access to your money.

    Additionally, one of the best ways to protect yourself in the future is to use virtual credit cards. These virtual numbers often allow you to set specific spending limits so that if they're stolen your risk is minimized. Usually you can also specify timeframes and set them as single-use cards so you don't get any surprise charges. This is one of the best ways to protect yourself from credit card fraud when paying online, but it does require a bit of upkeep when it comes to recurring payments.

 
Copyright © 2012 Nuldi.com. All Rights Reserved.