Book of Passwords

How are your passwords?

They’re fine!... M’kay! Your personal information and your private data are precious! Do you really want unknown people to roam, copy, sell or publish them? No? Then you need a better password!
Having a easy password is often synonymous with a easy hackable password. Though you first need to be targeted to be hacked, there are bots out there on the Internets with the sole purpose of finding new targets like you. ”...and slowly and surely drew their plans against us.”
— H.G. Wells, The War of the Worlds

The best passwords

Having password(s) you can’t remember really is the best passwords! And having separate passwords for each service is a must nowadays. So how do you handle all these cryptic passwords? Invest in a ”Password manager”!! If you haven’t already acquired a ”Password manager” in some form or another, you’re probably using the same (easy) password(s) for multiple services. So if one service gets hacked, the hackers have full access to all them services.

Password Managers

There are many apps offering encrypted storage of keys, passwords, credentials, credit cards and sensitive data. Depending on your setup, needs and preferences, you should really investigate the marked for yourself. Read the feature list, other peoples reviews and make up your own mind.
Some of the best (and recommended by MacX) is Dashlane, 1password, LastPass. They all work across multiple devices, OS’s and are integrated with your browser and system for convenient use. They all offer strong encryption of data, easy login to services, generator of new passwords, access via Internet and Synchronization across devices.
Alternatively get your browser to generate and remember them. It’s convenient but not really safe, and often only stored on that computer. ...so what if the hard drive crashes? Did you remember to make a backup?

Four Random Common Words

The well known correcthorsebatterystaple method is where you stick 4 random common (lowercase) words end-to-end. This can be memorized, but is difficult for a word-list hacker-attack, as the (hacking)code can not distinguish between each word. Brute-forcing the password is often the only solution – But having passwords that only consist of a-z in lowercase makes the brute-forcing a lot easier as the number of combination only relay on 25 different characters. This is why all security consultant recommend having passwords consist of at least 8 characters long, including caps, lowercase letters, numbers and some kind of symbol. This make the ”pool” of characters for a Brute-force attack a lot larger and thereby harder to crack.

4-word-story-password

Another way to use the ”4-word-password” is to make a random ”Story” (all lowercase). This should really be extended to a longer ”story” and/or with longer words. The point being that you can remember the story/password, but a machine can not tell the different words apart. So if you are really bad at remembering long passwords, try a long ”Story”.

You can find word list many places in the Internets, but here are some of links for the ones we often use:
100 most used english words
RockYou.txt @ Kali Wordlists Repo
WireShark Wordlists
Danish worklists
If your passwords are included in any of these lists you should change them at once!

SPIN

Totally random

True randomness does not exist according to Quantum Physics, but luckily we can do just fine with some less randomness.

Tripple-Tier randomness

Creating a random string is easy, but computers tend to create predictable strings. So by changing a small (random) part to some other (random) part makes the whole part even more random. Adding the ”human touch” to this randomness make this 3-tier randomness truly unpredictable.

1) Make random string
2) Change a random letter in that string to a random letter
3) Copy string at a random time
    (go back to step 2)

Leaked/Hacked services

Have I Been Pwned .com has a long list of passwords and emails from many breached sites and services. Here you can check if you passwords/email addresses had been compromised at some point and are now in the collection of the Public word list for hackers.

You can test you password on this page

Even though this site has standard secure encryption, you might not want to send them your passwords. You should be vigilant of any site/service offering password validity and testing!
So, to prevent anyone to read your request for testing a password, you can use the ”Have I Been Pwned API”. Note that this new API (v3) requires authentication due massive prior abuse of the v2 API service.
For a single or a list of password you can use the ”range” method for a lookup:

  1. Encrypt your password using a know encryption method
  2. Submit the first part of the encrypted string for checking
    (the API will check if they got any encrypted passwords with the same encrypted first part)
  3. If your request has any ”hits”, your will receive a list of encoded passwords and how many places they have been compromised.
  4. Check if your last part of the encoded password are in the returned list.
    (if so, you should change your password at once!)

Make you own app

  1. Start Script Editor (located in your Utilities folder)
  2. Create a New Document (Cmd + N).
  3. Copy the script below and paste it into the AppleScript document.
    try set my_password to text returned of ¬ (display dialog "Enter password to test" ¬ default answer "" buttons {"Cancel", "Test"} ¬ default button 2 with hidden answer) set encoded to (do shell script "printf " & (quoted form of my_password) & " | shasum") set fst5_encoded to (characters 1 thru 5 of encoded) as text set last_encoded to (characters 6 thru 40 of encoded) as text set API_URL to "https://api.pwnedpasswords.com/range/" set result_list to paragraphs of ¬ (do shell script "curl -XGET '" & API_URL & fst5_encoded & "'") if the (count of result_list) > 0 then set was_found to false repeat with num from 1 to count of result_list if was_found is false then set list_item to (item num of result_list) as text set atid to the AppleScript's text item delimiters set the AppleScript's text item delimiters to ":" set item_split to every text item of list_item set the AppleScript's text item delimiters to atid if (item 1 of item_split) is last_encoded then set was_found to true end if end if end repeat if was_found is false then display alert ¬ "Your password was not in any list." giving up after 5 else display alert ¬ "Your password was found in " & (item 2 of item_split) & ¬ " list(s)." buttons {"Close"} ¬ default button 1 ¬ as warning end if else display dialog "Your password was not in any list." end if on error errMsg number errNum if (errNum is equal to -128) then display dialog ¬ "Nothing was done" giving up after 5 ¬ buttons {"Close"} ¬ default button 1 else display alert ¬ "Error: " & errNum & return & errMsg ¬ giving up after 10 ¬ buttons {"Close"} ¬ default button 1 ¬ as warning end if end try
  4. Click Compile (the button with the hammer) to test if all is ok. You can test-run the app by clicking the ”Play” button or Cmd + R.
  5. Select ”Save...” (Cmd + S) in the File menu, select File Format to be Application, give it a proper name (Like ”Pwned?”) and hit Save.