Online Training: Password Security
Choosing a secure password is the first step in making an online account more secure. But what makes a secure password? And whats hould you do if you want to secure more than one account?
In our first video we focus on these questions. We explain to you how hackers attack passwords and why you should generate passwords randomly. We explain how three basic types of password managers (regular- and online password managers as well as state-less password managers) work and how to use KeePassXC. We also show you how to use a dice to create a strong password. If you use a password manager, one is all you need.
On the rest of this page you find a collection of more detailed resources for further reading and learning. You can find the sources mentioned in the video sorted by time at the bottom of this page.
Questions and Answers
About randomly generated passwords on Apple devices stored in the iCloud
Short Answer: If you have only recent iOS and MacOS Devices, your device was not compromisedby malware (hacked), and followed our password length advice here, then your passwords in iCloud are reasonably secure. As far as I can tell, Apple itself does not have access to your passwords.
Update/Notice (2019/09/27): There have been recent news reports about the checkm8 vulnerability in all iPhones from 4s up to the iPhone X. While the Secure Enclave (see below) itself does not seem to be affected, it could in fact make passwords stored on affected devices less secure against physical access. We will update this page as soon as we have more information
Long Answer: I want to answer this question in three separate parts:
- How secure are passwords generated by the Keychain App?
- How secure are keychain passwords stored on your device?
- How secure are keychain passwords stored in the iCloud?
1. How secure are passwords generated by the Keychain App?
How secure a password is that was generated by the Keychain App depends on two things: the strength of the password pattern (e.g.\ the setting memorable), and the random process that created the password.
I don't know the details about how Apple implemented the creation of random passwords. Others  have reverse engineered the Keychain App and found a reference to program code (SFPWAPasswordSuggest) that is neither public nor publicly documented. Since this program code is not publicly available I could not verify if it creates passwords in a secure way.
I am however not aware of any reports that those passwords are unsafe or predictable. We have seen problems with predictable random numbers for embedded devices  in the past, though, but I am not aware of any reports considering devices running iOS or Mac OS. If you follow our advice on the length of randomly selected passwords and choose the random or Letters & Numbers setting, the passwords generated by the Keychain App should be reasonably secure.
2. How secure are Keychain passwords stored on your device?
This depends on the type of device you are using and the type of access your adversaries have to your device.
If your adversary has physical access to your device, then the contents on your device -- including your passwords -- are only protected by the disk encryption of your device, if you have activated it.
For devices that contain a Secure Enclave Coprocessor, disk encryption is protected by an integrated security chip. iOS devices use such a processor beginning with iOS 11 and the iPhone 5s and iPad Air 2. Selected MacOS devices have such a processor since 2017. You can look up if your device has such a processor in a document provided by apple . This chip offers better security than a password alone. There has been at least one case where the protection against password-guessing that the Secure Enclave provides has been bypassed, though, see the Apple vs. FBI case .
If your adversary has installed malware on your device, then you can not consider your passwords to be secure. There have been vulnerabilities in the past on how malware can steal the contents of your Keychain, see e.g.\the KeychainStealer or KeySteal proof-of-concepts for Mac OS and Mac OS X that have been published in the recent years. There also has been an elaborate hacking campaign against iOS devices in the past [8,9,10], thoughI do not know whether passwords were stolen in this campaign or not.
Note that this is not limited to the Keychain App but applies to every password manager. If your device has been compromised I would suggest to treat passwords stored in any password manager on your device as having been compromised.
3. How secure are keychain passwords stored in the iCloud?
With respect to the iCloud keychain: in 2016 Ivan Krstić reported  on the way the iCloud keychain works and attempts to keep passwords secret. Apple in fact did spend a lot of effort to keep iCloud secrets secure, and to cite renownedProf. Matthew Green from the John Hopkins University:
"Instead of building a system that allows the company to recover your secret information, Apple has devoted enormous resources to locking themselves out. Only customers can access their own information. In other words, Apple has decided that the only way they can hold this information is if they don’t even trust themselves with it." 
This at least holds for Apple's documentation on how they implemented the iCloud Keychain. We first have to trust Apple's word on that. On top of that, there could also be subtle errors in the way Apple's mechanism works. As far as I know, there has never been a formal and mathematical proof that the mechanism is secure. In 2017 Alex Radocea found a few critical flaws, now fixed, that put iCloud Keychain entries at risk. While Alex Radocea argues that an attack that abuses these flaws would be complex (sorry, I only have a German source forthat: ), I consider it to be perfectly feasible for Apple employees or state-level adversaries. One of the attack methods would have required the use of a forged TLS certificate. But there have been forged TLS certificates in the past, e.g. for the domain google.com , so this attack method would not have been impossible. Apple fixed the flaws Alex Radocea found, but I am still not aware of a formal proof of security for Apple's design.
 Apple Inc.
iOS Security. iOS 12.3
Online at: www.apple.com/business/docs/site/iOS_Security_Guide.pdf
Crypto Officer Role Guide for FIPS 140-2 Compliance for SEP Secure Key Store
Online at: support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT208678/APPLEFIPS_GUIDE_CO_SEP.pdf
 Nadia Heninger, Zakir Durumeric, Eric Wustrow, J. Alex Halderman
Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices
In Proc. 21st USENIX Security Symposium. 2012.
Online at: factorable.net/weakkeys12.extended.pdf
 Ivan Krstić
Talk: Behind the Scenes with iOS Security
At Black Hat 2016.
Online at: www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
 Matthew Green
Is Apple’s Cloud Key Vault a crypto backdoor?
Online at: blog.cryptographyengineering.com/2016/08/13/is-apples-cloud-key-vault-crypto/
 Alex Radocea
Talk: Intercepting iCloud Keychain
At Black Hat 2017.
 Leo Becker.
iCloud-Schlüsselbund: Schwachstelle ermöglichte Fremdzugriff auf Passwörter
Heise Mac & I. 2017.
Online at: www.heise.de/mac-and-i/meldung/iCloud-Schluesselbund-Schwachstelle-ermoeglichte-Fremdzugriff-auf-Passwoerter-3793462.html
 Seth Schoen and Eva Galperin.
Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate
Electronic Frontier Foundation.
Online at: www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google
 Anders Bergh.
Online at: github.com/anders/pwgen
 Ian Beer, Google Project Zero.
A very deep dive into iOS Exploit chains found in the wild.
August 29, 2019.
Online at: googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
 Ian Beer, Google Project Zero.
August 29, 2019.
Online at: googleprojectzero.blogspot.com/2019/08/implant-teardown.html
 Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John
Scott-Railton, and Ron Deibert.
Missing Link -- Tibetan Groups Targeted with 1-Click Mobile Exploits
September 24, 2019.
Online at: citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/
 Ellen Nakashima.
FBI paid professional hackers one-time fee to crack San Bernardino iPhone.
April 12, 2016.
Online at: www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html
"Is there a password manager, which you can recommend and if so, why?"
I can not recommend a particular password manager product. My general suggestion would be to use an open source password manager that is actively developed and receives regular security updates. If you decide to use a password manager that is not open source, I would suggest to choose one that has received a security audit by an independent company in the past.
"I would like to try Keepass. Could you recommend a step-by-step guide?"
I unfortunately can not recommend a particular step-by-step guide for KeePass.
About KeePass and multiple devices
Full Question: "I would like to use Keepass on my laptop (Win10) and on my phone (Android9). Is there a particular setup which you would suggest?"
I can not (yet) give you a full recommendation. But I am working on a separate document to discuss the problem of using a password manager on multiple devices.
About online password managers
Full question: "A friend of mine suggested the online password manager Lastpass due to its high usability. Do you have an opinion on online password managers in general or Lastpass in particular?"
We discuss online password managers in more detail in our video about password security (see Video at the top of the page).
About further resources
"Where do I get to know information about new videos by you?"
You may subscribe to our newsletter or visit our Helpdesk website. Bot areavailable at the page you are viewing right now helpdesk.rsf.org.
Sources in the Video
All Sources used in the video with timestamp
00:00:49: www.facebook.com (some page)
00:00:51: www.posteo.de (address book)
00:01:13: tool: ncrack.org
00:01:16: tool: OpenBSD Server logs (private server) with replaced IP Addresses
00:02:06: Our own statistics based on data taken from haveibeenpwned.com as follows:
Using the API we requested breaches.json on 2019/07/02. We processed this file by
- ignoring entries that did not contain "Passwords" in "Dat" fieldaClasses"
- counting the number of breaches (by the "BreachDate" field) for each year
The animation was generated using R with the ggplot2/gganimate packages.
- this graphic only counts the number of breaches that haveibeenpwned has collected, and is thus a lower limit on the actual number of breaches
- Breaches for previous years are added once they are known to haveibeenpwned, so the number of breaches for previous years is likely to increase in the future.
00:02:25: some index at raidforums
00:02:29: some paste at pastebin.com
00:04:08: tool: john (john the ripper)
00:04:11: tool: hashcat
00:04:24: Briland Hitaj, Giuseppe Ateniese Stevens, Paolo Gasti, Fernando Perez-Cruz
PassGAN: A Deep Learning Approach for Password Guessing
In Proc. of SecML’18.
00:04:26: Matt Weir, Sudhir Aggarwal, Breno de Medeiros, Bill Glodek.
Password Cracking Using Probabilistic Context-Free Grammars.
In Proc. of IEEE Symposium on Security and Privacy. 2009.
00:04:31: Joseph Bonneau.
The science of guessing: analyzing an anonymized corpus of 70 million passwords.
In Proc. of IEEE Symposium on Security and Privacy. 2012.
Demo for the paper:
Blase Ur et al.
Design and Evaluation of a Data-Driver Password Meter.
In Proc. of CHI'17.
00:04:39: Maximilian Golla, Markus Dürmuth.
On the Accuracy of Password Strength Meters.
In Proc. of CCS'18.
Demo for the paper:
Daniel Lowe Wheeler.
zxcvbn: Low-Budget Password Strength Estimation.
In Proc. of USENIX Security 2016.
00:04:43: Design and Evaluation of a Data-Driver Password Meter
00:04:44: zxcvbn: Low-Budget Password Strength Estimation
00:05:02: Kurt Thomas et al.
Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials.
In Proc. of CCS'17.
00:06:22: tool: shasum (terminal session recorded with asciinema)
00:06:25: tool: KeePassXC
00:09:26: Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John C Mitchell.
Stronger Password Authentication Using Browser Extensions.
In Proc. of USENIX Security 2005.
00:09:30: J. Alex Halderman, Brent Waters, Edward W. Felten.
A Convenient Method for Securely Managing Passwords
In Proc. of WWW' 05.