It’s hard to get through a day on the internet without encountering dozens of requests for your username and password. With more and more of our work and leisure time spent online, most people find that remembering a unique password for each account they have is an impossible task. It’s made harder when sites have strange rules about how you must form your passwords. Some sites prohibit special characters like &, %, #, and @ in passwords. Other sites require them. Some sites have maximum length limits on passwords that are shorter than the minimum length required by other sites. What is the modern, internet-savvy user supposed to do?
Web security experts from Mozilla, the folks who bring you the Firefox browser, tell me it’s certainly not what most of us do now…
- Are there little yellow notes stuck to the side of your monitor with usernames and passwords scribbled on them?
- Do you have at least one computer or online account where the password is “password”?
- Do you use your pet’s name as a password, and tell yourself you’re making it more secure by adding “123” to the end?
- Do you have accounts on dozens of websites and log into all of them with one of three favorite, easy-to-remember passwords?
- Did you last change the password for your bank account shortly after the turn of the century? Before?
If you’ve secretly answered “yes, but…” to any of these, don’t worry. We won’t tell anyone, and in this guide we’ll show you how to create and manage strong, secure passwords without breaking a sweat. We’ll also show you how to memorize only one password and still have a unique password for every site you visit.
You’ll sleep better at night knowing you’re safer from identity theft, and with the tricks you’ll learn here you can help your friends and relatives be safer online as well.
Passwords Are Compromises
Any password is a compromise between a secure (long, random and unique) string of characters and an easy-to-remember word or phrase. As we need more and more passwords to get through the day, we all tend to push the compromise in the direction of easy to remember more than we should. A bit later, we’ll show you a technique for creating passwords that will keep yours memorable without making them easy to guess. We’ll also show you ways to let your computer manage all your passwords so you don’t have to remember them.
Threats to Your Passwords
The threats to your passwords fall into three major categories:
Social Engineering: The more an identity thief knows about you, the less secure passwords associated with your everyday life become. Don’t assume that the names of your children, pets or friends make secure passwords. They aren’t. Similarly, if you keep passwords written down in a “secret place”, anyone watching your day-to-day activity will quickly learn where they’re hidden.
Brute Force Attacks: If your passwords are insecure, an identity thief needs little more than your username to mount an attack against your accounts. Cracking software that uses lists of dictionary words in combination with common password construction patterns quickly opens accounts with passwords such as “Jennifer3” and “Bobcat123”. A security audit of a university computer system found that 20% of the accounts could be accessed using only a list of the 20 most popular female names followed by a single numeric digit.
Breaching Insecure Systems: If the administrators of a website use poor security practices, such as storing passwords unencrypted, identity thieves who manage to breach system security can steal the entire list of passwords and usernames. That’s a huge security problem for you if you’ve used the same password on other sites, particularly ones with access to your bank account or other sensitive information.
The lessons are clear:
- Use as secure a password as possible
- Change your passwords periodically
- Try not to reuse passwords between sites
If that last rule is impossible to follow, then be sure that sites holding sensitive information don’t use shared passwords.
What Not To Use In Your Password
There are some things you should not use when you’re creating a password. All of the following are chosen as passwords so frequently that password cracking software has been developed to take advantage of their inherent weaknesses:
- Your name, or the name of your spouse, parent, child, or pet
- The name of a friend (real or imaginary), your boss or a coworker
- The name of popular fantasy characters or words like “wizard”, “guru”, “gandalf”, etc.
- The name of the operating system you’re using, or the hostname of your computer
- Your phone number, license plate number or any part of your social security number
- Birth dates or other easily obtained information about you, your family or your friends
- A proper noun (the name of a particular person, place or thing)
- A dictionary word, either English or foreign
- Passwords of all the same letter
- Simple patterns on the keyboard, like “qwerty”
- Any of the above followed or preceded by a single digit or a sequence of ordered digits (like 123)
- Any of the above spelled backwards
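To make the list above concrete, here is a small Python checker that applies those rules to a candidate password. It is an added example written for this post, not code from the original article or from Mozilla; the word lists, the 12-character minimum and the sample passwords are constructed placeholders, and a real checker would load full dictionary, name and “fantasy word” lists instead.

```python
import re

# Constructed sample lists standing in for real word lists (assumption: a
# production checker would load full dictionary, common-name and fantasy lists).
DICTIONARY_WORDS = {"password", "wizard", "guru", "gandalf", "hero", "bobcat",
                    "secret", "welcome", "dragon", "linux", "windows"}
COMMON_NAMES = {"jennifer", "jessica", "michael", "ashley", "bob", "nero"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # assumed policy value, not a number from the article


def _normalize(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _strip_edge_digits(s):
    """Remove leading/trailing digit runs: 'jennifer3' -> 'jennifer', '123bobcat' -> 'bobcat'."""
    return re.sub(r"^\d+|\d+$", "", s)


def _has_run(s, rows, min_len):
    """True if s contains min_len consecutive characters of any row, forwards or backwards."""
    for row in rows:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def password_problems(password, personal_info=()):
    """Return the list of rules from the article that the password violates.

    personal_info is an iterable of strings an attacker could learn about the
    user: names of family, friends and pets, phone number, birth date, hostname.
    """
    problems = []
    norm = _normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(set(password)) == 1:
        problems.append("all the same character")
    if _has_run(norm, KEYBOARD_ROWS, 4):
        problems.append("keyboard pattern")
    if _has_run(norm, ("0123456789",), 3):
        problems.append("ordered digit sequence")

    # Strip the edge digits and also try the reversed string: these are the
    # same cheap transformations cracking tools apply to their word lists.
    core = _strip_edge_digits(norm)
    variants = {core, core[::-1]}
    if variants & DICTIONARY_WORDS:
        problems.append("dictionary word")
    if variants & COMMON_NAMES:
        problems.append("common first name")

    for info in personal_info:
        item = _normalize(info)
        if len(item) >= 3 and (item in norm or item in norm[::-1]):
            problems.append(f"contains personal information '{info}'")
            break
    return problems


def is_acceptable(password, personal_info=()):
    """Convenience wrapper: True when no rule is violated."""
    return not password_problems(password, personal_info)


if __name__ == "__main__":
    # Constructed sample inputs; "Fluffy" and the phone number are made up.
    for candidate in ("Jennifer3", "Bobcat123", "drowssap", "MyDogFluffy2024!",
                      "purple-llama-eats-42-tacos"):
        print(candidate, "->", password_problems(candidate, ["Fluffy", "555-1234"]))
```

The checker mirrors how the article describes cracking tools working: it does not just look for the word “bobcat”, it strips the trailing digits and tries the reversed spelling first, so “Bobcat123” and “drowssap” are both caught. Passing the user’s own details in personal_info is what turns the social-engineering rules (pet names, phone numbers) into something the program can enforce.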
An Internet user named Nero,
Set his on-line bank password to “Hero”,
After lunch he came back,
To a password attack,
And a bank account balance of zero.
…and one more thing to remember. You should never use a password that has been used as an example in an article about how to create good passwords. That includes this series of posts. Once a password has been published, it’s no longer secure.
In Part 2 of this series we’ll show you how to create secure, easy-to-remember passwords using techniques that have been reviewed by the security team at Mozilla.