General
Yubico
Bitwarden
GPG Tools
Donate Coffee

Securing Your Footprint

In the age of technology, hiding from every tracker is almost impossible. You're really going to be chasing your tail with this. Some people think that due to data-breaches, you must create a mass of different email addresses in case one of your email addresses get leaked in a databreach, you can just shut that email down and use another.

I'm a security guy. Been doing it 15 years, and I'm about as security conscious as they come. But there's a big difference between protecting yourself, and getting into the realm of "Big government watching me, got to wrap my house in tin foil to block the signal".

Your email address itself being leaked or breached doesn't mean anything. People get their email addresses spread all over the internet every day, even by themselves. Where it MATTERS, is how secure the email address is, and this comes down to three things:

  1. How secure is your password

  2. Are you using 2fa (two factor authentication).

  3. Which websites are you signing up for

How secure is your password

  • Don't use dictionary words. This means don't have your password be things like "ILoveChicken"

  • Don't use the same password over and over for many different websites

  • It is recommended to RANDOMLY generate your passwords. Why? Humans are horrible at creating randomness. We suck at it.

  • Store your passwords and logins in a Password Manager such as KeePassXC or Bitwarden.

  • Passphrases are the new password

What are passphrases?

If you've ever registered on a crypto website, you'll notice that one of the things you're given is a long list of words such as:

heart oar chance evening stone taxi

The above is a passphrase, and is what people are moving to more and more instead of conventional passwords such as:

p-mjt-XK:Bp_AQ2E-pz1

So why passphrases?

  1. Passphrases are easier to remember than passwords. A random collection of numbers and symbols can be difficult to keep track of, which can mean that users often make it simpler to remember them. A passphrase is usually not as hard to remember.

  2. Passphrases can difficult to crack through brute force. Many password-cracking tools work to break down 10-character passwords. Since passphrases are longer, they can be much more secure and safe from these tools.

  3. Some passwords can easily hacked by password-cracking tools and robots as well as by humans. People do not like to change passwords and tend to stick to things that they can remember, making them more easily guessed.

  4. Most major applications and OS (operating systems) allow for up to 127 characters and the use of passphrases for optimal security.

  5. A passphrase can easily satisfy complex rules and requirements for passwords, as most allow for punctuation and uppercase and lowercase letters.

Before we can compare our passphrase and password, we need to know what entropy is.

Entropy

Entropy is the measure of how unpredictable a password is.

A password or passphrase's strength is calculated by its entropy.

Math plays a role in calculating password entropy. The formula may look complicated, but the underlying concepts are easy to understand.

Password entropy is typically expressed in bits. Low scores indicate passwords that are very easy to crack. The higher you rank, the harder a hacker must work.

E=log2(RL)E = log{_2}(R^L)

  • E stands for password entropy.

  • R stands for possible characters within the password.

  • L stands for the number of characters in your password.

Increase your password's entropy with two steps:

  1. Add more character types. Include uppercase and lowercase letters, special characters, and numbers.

  2. Increase the length. Longer passwords have higher scores than shorter versions.

Aim for a score of 60 or higher. But remember: Don't make the password so long and complicated that you'll never remember it.

Comparing Entropy

Now let's compare the entropy of a few different passwords and passphrases:

MyFlowerChild3049220

49.72 bits

!My*Child3049220^

71.35 bits

If you notice, the password with the lower character count has a higher entropy, but why? We're replacing a dictionary word, with a special character, as well as adding some other random characters at the beginning and end.

Even though it doesn't look like a super long password, you still need to remember it.

Nobody in their right mind is going to memorize p - m i t .... etc But heart oar chance evening stone taxi can be remembered in a few hours of just reciting it to yourself, and it's equally as secure as a bunch of random nonsense. Let's look at the typical non-secure password ChickenPie3994 which has an entropy of 37.6 bits. It's stupid simple, and would take a bruteforce anywhere from a few days to a few weeks (depending on their hardware). Now let's take heart oar chance evening stone taxi which has an entropy of 90.4 bits and would take a bruteforce over a trillion years. Entropy is the measure of how unpredictable a password is.

PreviousNFC vs FIPSNextBitwarden

Last updated