This mini-tutorial is not designed to enable a level of security that will protect you from state agents, highly skilled individuals or targeted attacks. But rather is intended as a basic introduction to the concepts of password creation and management and how they effect on line security that *should* (no guarantees) protect you from the unskilled attacker using automated attack software; i.e. the script kiddies.
With the advent of easily accessible distributed (cloud) computing a lot of the old rules for password creation have been rendered obsolete. There have been a couple of documented cases recently of people renting time on clusters and using them to crack passwords. A lot of security researchers also believe that in the near future malware will also be used to create distributed systems that will be put to similar uses; with the advantage (for the bad guy) that it is much harder to trace a malware distributed network than it is to trace a credit card transaction (even a fraudulent one) for time rented on a cluster.
From my reading it is still currently impossible to crack a properly crafted 14 character password if the algorithm that is used to encrypt it is strong and has no flaws in it. (Note: 20+ characters is best, and easy to remember with the rules for padded passwords cited below.)
Unfortunately, the places where we use passwords most often (i.e. websites) often use poor security protocols to protect our carefully crafted passwords. Just look at all of the sites that have been in the news recently for having had their users passwords compromised.
Which is why you should always use a different password for every site; I cannot emphasize enough how important this is. Although off topic of this mini-tutorial, please realize that once a site like Linked-In is cracked this opens a doorway in to your digital life; even for the unskilled attacker. Information across multiple websites can be used to build a profile of you that can give even the unskilled attacker a great deal of insight in to your on line activities. And if you use the same password for social media and email that you use for your bank account then you are taking huge, and unnecessary, risks. But all of those passwords is a lot of stuff to remember.
So I have come up with an easy and secure way to manage a lot of very complicated passwords which I would like to share.
1) Download and install TrueCrypt. (This beyond the scope of this mini-tutorial and there is great deal of documentation on the web for TrueCrypt. Please read the documentation carefully, an improperly managed TrueCrypt volume can be opened rather easily in several ways. Also note that there can potentially be issues with your TrueCrypt password becoming available through exploitation of your RAM in certain cases.)
2) Use GParted to create a small unused partition on your hard drive; 50MB should be more than enough. (Once again, this beyond the scope of this mini-tutorial and there is great deal of documentation on the web for how to use GParted.)
3) Use TrueCrypt to encrypt that partition.
4) Use the rules for creating padded passwords to create your TrueCrypt password with at least 14 characters, preferably 20+ characters. (Rules for padded password creation = grc.com/haystack.htm)
5) Mount the encrypted volume as a drive. On that drive create a new instance of your favorite spreadsheet and record all of your passwords in it.
6) Leave that encrypted drive dismounted when not in use. To get to your passwords just decrypt and mount the drive.
This setup has many advantages:
1) It is very secure and extremely hard (but not impossible) to crack.
2) You only have to remember one password. Technically two on many *nix systems: 1) The TrueCrypt password to decrypt the volume, 2) Your admin (sudo, root, etc) password to mount the volume.
3) It is easily accessible from anywhere on your local system since it is on its own partition and not contained inside any particular OS. This means if you dual boot *nix and windows (or like me, boot 7 *nix and windows) you can easily access your password spreadsheet from anywhere on your system.
4) Since it is on a separate partition if one of your OS suffers a corruption you will not lose your password spreadsheet if you lose all of the data in that OS. The exception to this is if you suffer a catastrophic disk failure (or if you accidentally reformat the drive); which is just one reason why you should always have your entire system backed up somewhere other than your local hard drive.
5) It allows you to create passwords of any length and complexity without fear of forgetting them. Example; One of the secure mail services that I use auto generates public keys for my e mail. They use your log in password to encrypt your key. They accept up to 60 characters. So I made my passwords 60 characters of padded out random gibberish with no worries that I would forget it because it is recorded in a secure spread sheet.
6) The easiest way to use these long, complicated passwords is to copy and paste them in to the log in panel of the websites that you visit. This has an added advantage: If your local system is compromised with a key logger some time *after* you type up your password spreadsheet then the only keystrokes that the attacker will record is your TrueCrypt / admin password and mouse / touchpad clicks; which, while bad enough, means that at least they wont also have your banking account password. (Unfortunately this is not a 100% guarantee that an attacker will not be able to retrieve your on line passwords from the spreadsheet on a compromised system; but theyll at least have to work a whole harder to get it.)
Please be aware that this is not intended to be the end all / be all of password / on line security and will not *by itself* protect you from having your indentifying information stolen. This is just one important tool of many available in order to elevate yourself above the low hanging fruit. (In other words make it so that youre not one of the easiest pickings so that the script kiddies move on to easier targets. If you can make them waste enough time then you become a poor return on investment.)
A few other tips:
1) Never conduct business transactions on any terminal other than your own. Dont use a friends terminal, and for Gods sake dont use a public terminal!
2) Learn to secure your router.
3) Learn to harden your favorite OS / distro.
4) Always use a VPN when conducting business transaction; especially over a wireless router. If setting up a VPN is beyond your skill set then there are services where you can subscribe to a remote secure proxy that are just as good as a VPN (for beginners any way).
5) Learn to harden your browser.
Personally, I created an extremely hardened virtual machine just for banking and bill paying. The security is locked down way, way too tight to be practical for every day web surfing. Without a lot of hard work to change a lot of stuff it will only work with my banking web site and the dozen or so sites that I use to pay my bills. This setup also has a lot of advantages, but is a more advanced topic for another day.Happy and safe computeratin!