How-To:GenerateStrongPassword

From Nxt Wiki

1 How long should my password be?

Ideally 30+ characters, with a mixture of uppercase and lowercase letters, digits and special symbols.

Longer passwords are stronger. Less readable passwords with more varied character composition are also stronger. The harder it is to describe your password, the stronger it is. You can increase readability by making some tradeoffs.

2 30 characters??!? Isn't that too much?

For most applications, yeah. But Nxt works differently.

In most other applications, an attacker can only try to break into one account at a time. A smart attacker will not try passwords randomly. They will run through a prepared list of passwords and resulting hashes (that list is called a rainbow table), hoping to find the one password that can access your account.

As technology improves and processing power increases, attackers can prepare larger and larger rainbow tables. The key to creating a safe password is to stay ahead of the processing curve: avoid a password simple enough to be included in a rainbow table, and so escape easy discovery.

Most applications are such that an attacker can go after only one account at a time. Your bank, e-mail, and online shopping accounts are like this. For such applications, a password of 15 varied characters that don't form readable words or patterns is currently very safe, well beyond what attackers can feasibly include in their rainbow tables.

Nxt works differently. The convenience of accessing your account through just a single passphrase, without a login name or wallet file, also allows an attacker to try ALL accounts at the same time, which greatly increases their chances of success. With everyone's account balance in the prize pot, the rewards become much higher, so there's a compelling reason for them to focus a lot more resources on extending rainbow tables. It also means that someone else creating a new account, or trying to log into an existing account but mistyping their password, behaves like an "attack"!

Attackers haven't had much time to do this yet, so 15 highly varied characters are still safe. But technology, attacker attention and the number of Nxt users will continue to grow, and 15 characters may not remain safe for long. Another consequence of the convenience is that passphrases can't be changed. If you don't want to constantly keep ahead of the curve by creating new accounts with stronger passphrases and moving your funds to them, a passphrase of 30+ characters is strongly recommended.

3 How do I make a very strong password?

Easy. Download Google's Awesome Password Generator: http://code.google.com/p/awesome-password-generator/. For NXT, pick a password that is 50 characters in length. Seriously. Write it down and type it in manually as ten blocks of five characters. Don't use the clipboard or cut and paste.

With NXT, your biggest enemy is a keylogging virus. If you've got a large amount of NXT, don't trust antivirus software. If possible, isolate your NXT dealings onto a spare old computer you have sanitized with a new install of your operating system, and don't surf the internet with it after you've sterilized it.

4 How do I make a strong, yet easy to remember, password?

Unreadable passphrases are inconvenient! But we can trade length for readability and still maintain password strength. And we can use personal experiences and knowledge to keep passphrases understandable for ourselves, yet varied for anyone trying to break in.

Here's an example of how to develop a strong passphrase. We'll improve it over multiple steps.

1. I'm using my daughter's birthday party as the idea for my passphrase. It starts as:

Tammy'sbirthdayparty

2. A decent start. It's got an uppercase letter and a special character. But it's made up mostly of English words and isn't long enough. Let's improve it:

Tammy's18thbirthdayBIGparty

3. More varied now. We still need more length. What was memorable about the party?

Tammy's18thbirthdayBIGpartyDroppedpresentinpool

At 47 characters, this is a good password! It's readable, but we've compensated with length.

4. If I want to be extra safe, I could try to think a little beyond the party:

Tammy's18thbirthdayBIGpartyDroppedpresentinpoolCollegesoon:(3yearsislong

5. And/or replace common words with specific facts that only I know:

Tammy's18thbirthdayBIGpartyDroppedknittedshibesweaterinpool

You shouldn't rely on memory alone for the password. Memory is quick to access, but also fallible. It's a good idea to write your password down and hide it in a safe place where only you can find it.

5 Other Methods

The above is just an example; there are other ways to generate strong, yet readable passwords. It's important to choose a balance of security and ease of remembering/typing that you're comfortable with.

  • Diceware - Generate passwords by rolling dice! No computer programs are involved, so you don't have to worry about a hacked program stealing your generated password.

6 Quick Tips

6.1 Do

  • Nxt supports spaces in passphrases. Use them to make your passphrase more readable.

6.2 Don't

  • Avoid using phrases that you may have seen elsewhere, like "going to the moon". People who construct rainbow tables write programs to find and collect groups of words from all around the Internet, so despite their length, such phrases become no more effective than a single word. Here's a fine example of why you shouldn't do this.
  • Avoid seemingly random passwords that you can actually describe. For instance, qazwsxedcrfvtgb isn't random; if you're using a regular QWERTY keyboard, take a look at your keystrokes when you type that out. If you can easily describe it, you should assume that someone trying to break in has thought of the idea and will try it.
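The second "Don't" is mechanically checkable: a passphrase whose consecutive keystrokes are mostly physical neighbours on the keyboard is "describable" as a walk. The following checker is an added example, not code from the Nxt wiki or project; it assumes a US QWERTY layout and a 50% adjacency threshold chosen for illustration.

```python
"""Flag passphrase candidates that are describable as a QWERTY keyboard walk
(the qazwsxedcrfvtgb pattern above). Added illustration, not Nxt code."""

# US QWERTY layout as grid rows. The real half-key stagger is ignored, which is
# good enough to catch straight rows, columns and diagonals. Assumption: the
# user typed on this layout.
QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS)
           for c, ch in enumerate(row)}


def _adjacent(a: str, b: str) -> bool:
    """True when keys a and b are distinct 8-way neighbours on the grid."""
    if a == b or a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_ratio(candidate: str) -> float:
    """Fraction of consecutive keystroke pairs that are physical neighbours.
    Case and shift state are ignored, so 'Q' and 'q' map to the same key."""
    keys = candidate.lower()
    pairs = list(zip(keys, keys[1:]))
    if not pairs:
        return 0.0
    return sum(_adjacent(a, b) for a, b in pairs) / len(pairs)


def looks_like_keyboard_walk(candidate: str, threshold: float = 0.5) -> bool:
    """Reject candidates where at least `threshold` of the transitions are
    keyboard walks. The threshold is a heuristic for this illustration."""
    return keyboard_walk_ratio(candidate) >= threshold


if __name__ == "__main__":
    # Constructed samples: the wiki's bad example, a common variant, and the
    # wiki's readable passphrase from the section above.
    for sample in ["qazwsxedcrfvtgb", "1qaz2wsx3edc",
                   "Tammy's18thbirthdayBIGparty"]:
        verdict = "REJECT" if looks_like_keyboard_walk(sample) else "ok"
        print(f"{sample:30s} walk ratio {keyboard_walk_ratio(sample):.2f} {verdict}")
```

The ratio is a crude heuristic: it catches column and diagonal walks but says nothing about dictionary phrases, which need a wordlist check.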

7 Use password managers

Password managers store your login information for all the websites you use and help you log into them automatically. They can generate unique random passwords for every site, so you don't have to use the same password on more than one site. They encrypt your password database with one master password – the master password is the only one you have to remember. Here are a couple of recommendations:

  • KeePass Password Safe. A popular and free password manager, but it doesn't have an auto-backup option. Make sure you manually back up the encrypted database and keep the backup updated whenever you make changes to your file.
  • LastPass. A Firefox/Chrome/IE plugin password manager. All your changes (and the history of changes) are backed up on the LastPass server. This might seem dangerous at first, but all encryption is done locally on your computer; the LastPass server only sees the encrypted blob. Aside from having one very strong master password, you can also enable two-factor authentication on LastPass.

See LastPass explained by Steve Gibson

8 Oh no, my password is too weak! What should I do?

The first thing to do is: Don't Panic! If you haven't lost any nxt yet, then you're still safe for the next few minutes while you calmly create a new password. Think about what kind of passphrase you'd like, and what kind of tradeoffs it'll involve: Something easier to remember but long? Something super safe but hard to type? Then pick one of the options above that will create that kind of passphrase.

Nxt doesn't allow passphrases to be changed, so you'll have to create a new account and move your existing nxt into it. First, log in with your new passphrase. This will automatically create a new account associated with it. Note your new account number, and copy it down somewhere.

Before you transfer your nxt, you want to be absolutely sure that you've got the right account number. So log in again to your new account with your new passphrase, and check that you see the same account number you wrote down earlier. Now that you're sure, you can safely transfer your nxt to your new account.

9 Advanced Considerations

In order to understand what phrases will likely be included in rainbow tables, we'll need to understand how an attacker thinks when they're constructing the table.

(This is where technical discussion and math should go. Maybe this section isn't necessary?)
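The arithmetic behind section 2 (one guess can be checked against every account at once) and the Diceware method in section 5 can be worked through in a few lines. The script below is an added illustration, not code from the Nxt wiki or project; the attacker rate and account count it prints with are made-up assumptions, and the 50%-chance formula is the standard exp(-k*n/2^bits) approximation.

```python
"""Passphrase-strength arithmetic for the Nxt threat model: no login name,
wallet file or per-account salt, so one guess is tested against every
account. Added illustration, not Nxt code."""
import math

PRINTABLE_ASCII = 94      # letters, digits and symbols on a US keyboard
DICEWARE_LIST = 7776      # words in a standard Diceware list (6**5)
LN2 = math.log(2)


def random_chars_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy (bits) of a uniformly random string from a generator."""
    return length * math.log2(alphabet)


def diceware_bits(words: int, wordlist: int = DICEWARE_LIST) -> float:
    """Entropy (bits) of a Diceware passphrase of `words` rolled words."""
    return words * math.log2(wordlist)


def diceware_words_for(target_bits: float, wordlist: int = DICEWARE_LIST) -> int:
    """Smallest Diceware word count that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist))


def guesses_for_half_chance(bits: float, accounts: int = 1) -> float:
    """Guesses needed for a 50% chance of opening at least one of `accounts`
    accounts whose passphrases each carry `bits` of entropy. After k guesses
    P(no hit) ~= exp(-k * accounts / 2**bits), so the break-even point is
    k = ln2 * 2**bits / accounts: each extra target divides the work."""
    return LN2 * 2.0 ** bits / accounts


def years_to_half_chance(bits: float, accounts: int, guesses_per_sec: float) -> float:
    """Wall-clock years for that attack at a given guessing rate."""
    seconds = guesses_for_half_chance(bits, accounts) / guesses_per_sec
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Assumed attacker budget for the printout: 1e12 guesses/second against
    # 1e6 accounts. Both figures are constructed, not measured.
    RATE, ACCOUNTS = 1e12, 1_000_000
    for label, bits in [("15 random chars", random_chars_bits(15)),
                        ("30 random chars", random_chars_bits(30)),
                        ("6 Diceware words", diceware_bits(6)),
                        ("10 Diceware words", diceware_bits(10))]:
        years = years_to_half_chance(bits, ACCOUNTS, RATE)
        print(f"{label:18s} {bits:6.1f} bits  {years:.3g} years to 50%")
    print("Diceware words for 128 bits:", diceware_words_for(128))
```

A word-based phrase like the Tammy example is not uniformly random, so its real entropy is lower than its character count suggests; these functions only bound generator-made passphrases.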