Wednesday, July 13, 2011

Pass The Word About Passwords

It has been my experience, over the last 25 years, that most people fail to follow some basic safe-computing principles when choosing passwords. I cannot stress enough how important strong passwords are in today's computing environment. As Internet and web technologies evolve, so do the attempts to steal your personal information.

Throw out everything you thought you knew about passwords and start all over again. Hopefully you've heard the term "strong password" before I typed it in the paragraph above, but maybe you aren't sure what it really means. I'll explain, but first let me give you a brief rundown of what most people do when creating passwords. Then ask yourself whether you are one of those people. If you are, I hope to leave you with some new knowledge about passwords.

These are the habits most people have followed in the past:
  1. Short passwords
  2. All lower case
  3. The same one for every account
  4. Write them on paper, tape them to keyboards or monitors
  5. Speak the password out loud in the company of strangers
  6. Use words found in the dictionary
  7. Use pet names, addresses, family member names
You are probably thinking your passwords have served you well. Why, then, are the habits above no good? The bad guys have a number of tricks for discovering passwords, and they let computers do the work. They typically start with what is known as a "dictionary" attack: software runs through a list of words found in dictionaries (and, these days, passwords exposed in earlier breaches), hashing each one and comparing it against the stolen password hashes. Next come "mangling" rules that capitalize the first letter, append a digit or a year, or tack on a "!", because those are exactly the changes people make when a site demands complexity. If the attacker has learned anything about your identity, a pet's name, a street, a birth year, those words go into the list as well. Only after the cheap guesses fail does a true "brute force" attack, which tries every possible combination, come into play, and that is the attack length defeats. Passwords built from the habits above fall in the first few thousand guesses.

And if you have a bad habit of sounding out your password as you type, I'd button up if I were you: anyone listening may have it. Using the same password for every account is dangerous because once that password is compromised, the attacker simply tries it against every other account you have, and you have handed over all of them at once. It is no longer safe to keep your passwords on paper, or in a Word document on your computer.
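To make the dictionary-then-mangling idea concrete, here is a small cracker of the kind described above. This is an added example, not code from the original post: the wordlist, the "identity hints" and the four victim passwords are all constructed for illustration, and the hashes are plain unsalted SHA-256 standing in for whatever a breached site stored. Notice how the three habit-following passwords fall within a few hundred guesses each, while the padded eighteen-character one is never even generated.

```python
import hashlib

# Constructed sample wordlist. A real attacker uses lists with millions of
# entries drawn from dictionaries and previously leaked passwords.
WORDLIST = ["password", "welcome", "dragon", "letmein", "sunshine"]

# Constructed "identity" facts an attacker might find on social media
# (pet name, street name).
IDENTITY_HINTS = ["fluffy", "maple"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 hex digest, a stand-in for the breached site's hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidate_guesses(words, hints):
    """Yield guesses in the order a cracker would try them: every base word
    (dictionary words first, then identity-derived words) run through cheap
    mangling rules: capitalise/upper-case, append a digit or a year, add "!"."""
    bases = list(words) + list(hints)
    suffixes = [""] + [str(d) for d in range(10)] + [str(y) for y in range(1990, 2012)]
    for base in bases:
        for case_form in (base, base.capitalize(), base.upper()):
            for suffix in suffixes:
                for punct in ("", "!"):
                    yield case_form + suffix + punct


def crack(target_hashes, guesses):
    """Hash each guess and look it up in the set of stolen hashes.
    Returns ({hash: plaintext} for every hit, number of guesses spent)."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for guess in guesses:
        if not remaining:
            break
        tried += 1
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
    return found, tried


def demo():
    """Constructed victims: three follow the bad habits listed above, one uses an
    eighteen-character padded password. Returns ({user: cracked_pw}, guesses)."""
    victims = {
        "alice": "Password1",
        "bob":   "letmein",
        "carol": "Fluffy2008!",
        "dave":  "**-maple=Tr3e-**++",
    }
    stolen = {sha256_hex(pw): user for user, pw in victims.items()}
    found, tried = crack(stolen.keys(), candidate_guesses(WORDLIST, IDENTITY_HINTS))
    return {stolen[h]: pw for h, pw in found.items()}, tried


if __name__ == "__main__":
    cracked, tried = demo()
    print(f"{tried} guesses; cracked: {cracked}")
```

The whole run is well under two thousand guesses, which a single CPU core finishes in a fraction of a second; the attacker never needs a brute-force pass at all for the first three accounts.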

If you are thinking it is going to be a lot of work to change all of your passwords, it very well may be. It is not at all unusual to have 80 or more accounts to manage; they are easy to amass over the years. The important thing is that you change your passwords in order to make them stronger. As a rule, I only change a password when I have evidence to suggest it has been compromised, or I think it is too weak.

Often, people are given the advice to change passwords regularly. Not once have I heard a good argument for this needless practice. It doesn't make sense to change a password for the sake of changing it, and changing all your passwords on a routine schedule creates a lot of unnecessary work. You probably don't change the locks on your house unless there is evidence of a break-in, so why would you do that with your passwords? Besides, what if you change your password today and it is stolen tomorrow? That said, I vet my passwords annually to confirm I have no repeats and to ensure they are still considered strong. Keep in mind that strengthening passwords is an evolving process: as cracking tools grow more sophisticated, our passwords must grow stronger to keep up.

So, let's take a look at creating strong passwords and how to manage them. The list below is stronger as a whole than any one item on its own; use these tricks together to get the best possible passwords.

Long passwords: The longer the better, because every added character multiplies the number of guesses a brute-force attack has to make. Eight characters used to be considered the minimum, but that is now inadequate because cracking hardware and software keep improving. I recommend eighteen-character passwords. Length only helps, though, if the password isn't a dictionary word or a name with a number on the end; those fall to a wordlist no matter how long they are.

Pad your passwords: Find a unique, yet memorable, way to add length to your passwords. Padding is a short sequence of symbols that you insert at the beginning, middle, and/or end of a password to make it longer and more complex. Pick a pad of your own; common runs such as "123" or "!!!" are already in attackers' mangling rules and add little.

Mix upper-case letters, lower-case letters, symbols, and numbers: Drawing from every character class enlarges the pool an attacker has to search, and the more random the sequence, the stronger the password.
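The three tips above (length, padding, character mix) can be put into numbers. The following is an added example, not code from the original post: it sizes the character pool a password draws from, turns that into the number of guesses a brute-force search would need, and shows what padding a nine-character core out to eighteen characters does. The guess rate of 1e10 per second is an assumed round figure for a GPU rig attacking a fast, unsalted hash; the passwords are constructed. Remember that these figures only apply to passwords that are not in a wordlist; a dictionary word is found in a few thousand guesses however long it is.

```python
import math
import string

SYMBOLS = string.punctuation  # 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Size of the smallest standard pool the password draws from:
    lower (26) + upper (26) + digits (10) + symbols (32) for each class present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the guesses needed to exhaust every string of this length over
    this pool. Meaningless for wordlist passwords, which fall far sooner."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock time to try the whole space at a given guess rate."""
    return 2 ** bits / guesses_per_second


def pad_password(core: str, pad: str) -> str:
    """Padding as the post describes: the same memorable symbol run at the
    start, middle and end of a core password."""
    mid = len(core) // 2
    return pad + core[:mid] + pad + core[mid:] + pad


def compare(passwords, guesses_per_second=1e10):
    """Rows of (password, length, pool, bits, years to exhaust) at the assumed rate."""
    rows = []
    for pw in passwords:
        bits = brute_force_bits(pw)
        years = seconds_to_exhaust(bits, guesses_per_second) / (365.25 * 24 * 3600)
        rows.append((pw, len(pw), charset_size(pw), round(bits, 1), years))
    return rows


if __name__ == "__main__":
    # Constructed examples: lower-case only, mixed case plus digit, and the
    # mixed one padded out to eighteen characters.
    padded = pad_password("MapleTr3e", "**-")
    for row in compare(["sunshine", "Sunsh1ne", padded]):
        print("%-20s len=%2d pool=%2d bits=%6.1f years=%.3g" % row)
```

Eight lower-case letters are exhausted in about twenty seconds at that rate; adding a capital and a digit buys hours; the eighteen-character padded version is around 118 bits, which is beyond brute force for any foreseeable hardware.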

Use different passwords for every account: Without exception! Then one compromised password affects one account only, not all of them.

Use a password manager: A password manager keeps track of all your passwords for you. It encrypts them, and you commit a single master password to memory. It can fill login credentials into websites, and some integrate with web browsers to make this seamless. You can sync between devices and update the list easily when you create or change account information. If you use a manager that stores your password database online, be sure it encrypts the data locally, so that your master password and the unencrypted vault never leave your device and the hosting service only ever sees ciphertext. KeePass is a free password application that is a good start. 1Password is a very robust application that is available for Mac and Windows users and is reasonably priced. LastPass is another option and hosts your passwords in the cloud, touting anytime, anywhere availability.
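Two things a password manager does for you, generating a fresh random password for every account and stretching the master password into an encryption key on your own device, look like this in code. This is an added example written for this page, not code from KeePass, 1Password or LastPass: the account names are constructed, the generator uses the operating system's random source, and the key derivation is PBKDF2-HMAC-SHA256 with an assumed 600,000 iterations. The actual encryption of the vault with that key (a real manager uses an authenticated cipher) is not shown.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(password: str) -> bool:
    """True if the password contains lower, upper, digit and symbol characters."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length: int = 18) -> str:
    """Draw a password from the OS CSPRNG (secrets), resampling until every
    character class is present. Each call is independent, so every account
    gets its own password and a leak of one tells an attacker nothing about
    the others."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def build_vault(accounts):
    """Toy vault: one fresh password per account name (constructed input)."""
    return {name: generate_password() for name in accounts}


def find_reused(entries):
    """Accounts whose password is shared with at least one other account,
    the check the post recommends doing once a year."""
    by_password = {}
    for account, password in entries.items():
        by_password.setdefault(password, []).append(account)
    return {a for accounts in by_password.values() if len(accounts) > 1 for a in accounts}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.
    A manager that encrypts locally runs this on your device; only the salt and
    the encrypted vault leave it, never the master password or this key.
    The iteration count is an assumed value; it makes each guess at the master
    password cost the attacker 600,000 hash operations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


if __name__ == "__main__":
    vault = build_vault(["bank", "email", "forum"])
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt)
    print(vault)
    print("reused:", find_reused(vault))
    print("vault key:", key.hex())
```

The salt is random per vault and stored alongside the ciphertext; it stops an attacker from precomputing keys for common master passwords. The high iteration count is what makes a stolen vault file expensive to attack even if the master password is merely decent.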

The point is: you can never be too careful with passwords; they are the keys to your digital kingdom. You don't leave your doors unlocked, so don't leave your digital life unlocked. Practice smart password creation and control. This is not something to put off until later; it might be the difference between protecting your identity and having it stolen.
