Password Primer

On 03/17/2011, in Personal Security, by Chad Olivier

This is the first entry in a new category called Personal Security. This category is focused on security for the everyday average person. Basically, these are things I try to beat into my parents’ heads, my friends on Facebook, my friends in real life, my cats… Anyway, all you security twits, bugger off! It’s not for you, and I’ll beat all the dead horses I want to.

Passwords are often the only thing between an attacker and your sensitive information. As such, they should be treated with extreme care. In this article we’ll discuss what passwords are, what your passwords should consist of, and how to properly secure your passwords. I say passwords, not password, because you should not use the same password for everything.

Think about all the passwords you have: online banking, other sites, your work login, etc. We use passwords every day, and many of us use so many passwords that it can be hard to keep track of them all. Maybe juggling all these codes has left you wondering why. What’s the point? Who cares if someone accesses your empty bank account? Does anyone really care about getting into your personal email account? More often than not, an attack on your personal information won’t be due to you personally being targeted, but rather part of some larger attack. If you think your bank account doesn’t matter, think of the headache it will be trying to repair the damage to your credit and trying to recover from the ID theft. We all need to take a stand to strengthen our security, both for our own personal benefit and for our employer and our country. Everything you do helps strengthen all of us. Psst. That was the cue to lower the giant flag behind me. What do you mean it’s a union job?!

There is no getting around it: in today’s world, passwords are a part of life, and weak passwords are almost as useless as no password at all. Let’s discuss what makes a password weak or strong, and how you should create and manage your passwords.

Most people pick passwords based on personal information so that they are easy to remember. This also makes them easy for an attacker to guess. A prime example is your ATM PIN. Is yours your birthday? Anniversary? Kid’s birthday? How about a four-letter word? It turns out most PINs are a date. This is bad because instead of each digit being a possible 0-9, we know the first digit is 0-1, the second is 0-9, the third is 0-3, and the fourth is 0-9. That is significantly weaker. In fact, if you simply reverse the order, you have increased the difficulty of guessing it. Maybe you’ve chosen the numbers from your address. Think how easy it is to get this information about someone. What about your passwords that allow for more than a 4-digit number, like your email? Is it a dictionary word? Attackers typically try dictionary words when guessing passwords rather than trying every possible password. Changing letters to numbers like th1s isn’t all that helpful either. It’s better, but not ideal.
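As an added illustration of the point above (not code from the original post), the following counts how much smaller the guessing space becomes when a PIN is a date, compares it with the article's per-digit estimate, and detects dictionary words hidden behind letter-to-digit substitutions such as th1s. The wordlist and the substitution table are constructed for the example.

```python
import math

# Days per month; February counted as 29 so leap-day PINs are included.
DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def date_pins(order="MMDD"):
    """Every 4-digit PIN that spells a calendar date in MMDD or DDMM order."""
    pins = set()
    for month, ndays in enumerate(DAYS_IN_MONTH, start=1):
        for day in range(1, ndays + 1):
            pins.add(f"{month:02d}{day:02d}" if order == "MMDD" else f"{day:02d}{month:02d}")
    return pins


def digit_range_estimate():
    """The article's per-digit bound: first digit 0-1, third digit 0-3."""
    return 2 * 10 * 4 * 10


def is_date_like(pin):
    """Flag a PIN that is a valid date in either digit order."""
    return pin in date_pins("MMDD") or pin in date_pins("DDMM")


def guess_bits(keyspace):
    """Strength of a keyspace in bits, i.e. log2 of the number of candidates."""
    return math.log2(keyspace)


# Undo common letter-to-digit/symbol substitutions (0->o, 1->i, 3->e, 4->a, ...).
LEET = str.maketrans("0134578@$", "oieastbas")
# Constructed sample wordlist; a real check would load a full dictionary.
WORDS = {"this", "password", "letmein", "welcome", "dragon"}


def is_dictionary_based(password, words=WORDS):
    """True when the password is a wordlist entry after undoing leet substitutions."""
    return password.lower().translate(LEET) in words


if __name__ == "__main__":
    print(f"all 4-digit PINs : {10000:>5} candidates, {guess_bits(10000):.1f} bits")
    print(f"date PINs (MMDD) : {len(date_pins()):>5} candidates, {guess_bits(len(date_pins())):.1f} bits")
    print(f"article estimate : {digit_range_estimate():>5} candidates")
    print("0317 date-like?", is_date_like("0317"), "| th1s dictionary-based?", is_dictionary_based("th1s"))
```

A date-shaped PIN leaves roughly 8.5 bits to guess instead of 13.3, which is why a PIN policy check like `is_date_like` is worth running before accepting a user's choice.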

There are plenty of schools of thought on how to make secure passwords, and I’ll give you a couple to help get you started. Obviously, long strings of random characters are fantastic, but not that practical because they are hard to remember. Using a pass phrase, that is a sentence instead of a single word, is a great way to create strong passwords. Length is your friend against brute-force cracking. Another excellent option is to develop for yourself a common encryption algorithm that you will use to create your passwords. I know that can sound scary, but it’s not really. You’ll end up using the same algorithm for most if not all of your passwords. For example, if you’re looking to build a password for a website, you can start by taking every other letter in the site name and setting one upper and the next lower. You can shift every third one of those left on your keyboard. You can always seed a password or phrase into the mix and include special characters. I have personally implemented this method for several years and it works well. The only drawback is if you are logging into a system that forces a password change occasionally. What I do in those cases is let the next expiring one set the new algorithm; then, as I log into other systems using my old algorithm, I change them. That’ll leave you needing to remember a couple of codes, but that’s better than a bunch of random passwords.


1 Response to “Password Primer”

  1. Excellent article. One thing I might add is to reinforce the idea that folks shouldn’t reuse passwords. If you use an email provider on the web, Facebook, or other website that allows you to log in without encrypting the traffic between you and their server, this could spell disaster if your password for that service is shared with other accounts. Here’s how:

    Let’s say I’m a sneaky bad guy. I spend time in hotels/airports/Starbucks and anywhere else there is unsecured (unencrypted) wireless, just sniffing the traffic that’s going between your laptop and the Wireless Access Point you are using to get on the Internet to go to, say, Facebook. I watch you log on to Facebook, and I get the username and the password that you send to Facebook because it’s not encrypted. Or I watch you log into GMail, and get your username and password the same way. What matters is I now know your account information.

    Another major concern is that by using the same password for all of your accounts on all of the various services you log into on the Internet, you are trusting each service equally. Do you think that your Neighborhood Association’s website should be trusted with the same amount of responsibility to keep your password safely stored as your bank? I hope not, but if you use the same password for both of them, it means that they are.

    Some services are not well secured, and that means that if bad guys managed to hack into a weaker site that has the same password you use for everything else, everything else is just as vulnerable for you as the site that just got hacked. Bad ju ju.

    If you use one password to log into everything, and I capture it, I can use it to log into everything you do. Never use the same password to log into two or more systems.

    -Jason
