using secure passwords

Even though passwords are very 2005ish and no longer considered the main line of defense they once were, they are still useful, and knowing how to use them well still matters. I have over 200 passwords, which could be a nightmare to maintain, but I have tamed them to the point where I can keep them secure and easy to use.

Everybody has a different way of doing this. Here is mine.

  1. Assign a level of security based on a risk-to-benefit analysis

    • An incidental site gets false personal information (name, address, etc.) and a very insecure password that would be easy to guess or crack but extremely easy to remember. If it is compromised, I would have no problem throwing the account away and starting from scratch.

    • A site that involves my professional image but no financial details gets a medium-secure password, and I will give them my name and my email address if it isn't displayed anywhere. Otherwise they get a throw-away address and a pseudonym. Nothing else is real unless I think it is needed: I want people to be able to contact me, but there is no reason for them to know what city I live in.

    • Any site that involves personal or financial information gets a super-secure password and all my private information. eCommerce sites and online banks need to be able to contact me as soon as possible, and they need my social security number for the reporting they have to do or to access my credit card. In return, I use as long a password and as many kinds of characters as the site allows.

    • Sometimes the hardest part of a medium- or super-secure site is figuring out where the limits are. Not every site states explicitly what it will accept, and some just give you errors like "can't use that character", "not long enough" or "too long".

  2. Use a password safe for medium-secure and super-secure passwords

    Not only is it convenient to use, but I have noticed that I pick the super-secure option more often when I am using a password safe. I assume this is because it makes secure passwords easy to use.

    I recommend KeePass, hosted at SourceForge. It is easy to use, it generates secure passwords, and it stores them securely.

  3. Keep a written copy somewhere. I mean somewhere that is secure, isn't on your computer, and doesn't need any special hardware or software to access. Also remember to include passwords like your computer login.

  4. Keep some of them with you at all times. I have a USB device with my passwords close by, so when I am on the road there are some sites I can get to from a library. Some people keep a list in their wallets next to their credit cards.

When you need to remember a password ...

Sometimes we don't have a password safe available, so we need to be able to come up with a password that is 1) easy to remember, 2) difficult to guess and 3) not in any word list.

One way to make the password easy to remember is to take a passphrase or a group of words and then mangle them the way a kid in a chat room does. "Technically" that way of writing is called elite-speak, leet, 31337 or 1337. I've found phrases like this get stuck in my head like the lyrics of a bad song. Once you get used to the scheme you've come up with, it is easy to mangle in your head.

  • take a small group of words
    This is an example

  • capitalize the first letter of each word, leave the rest lower case, and remove any spaces and punctuation.
    ThisIsAnExample

  • change the letters l, e, s, g, t to the numbers 1, 3, 5, 6, 7, 0
    Thi5I5AnExamp13

  • change the letters i, x, v to the symbols !, *, ^
    Th!5I5AnE*amp13

In the example we now have a 15-character mix of upper case, lower case, numerals and symbols, which makes a brute-force attack much harder. Try to pick a phrase that will be at least 14 characters long and includes at least one letter that will be substituted with a number and one that will be substituted with a symbol.
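The mangling steps and the 14-character rule of thumb above, as an added Python example that is not from the original post. It also counts the brute-force search space the way the common-attacks section counts it (26 lower-case letters, more when other classes are added), assuming the attacker knows only the length and the character classes in use. The post's number list carries a trailing 0 with no letter paired to it, so the example maps nothing to 0.

```python
import re
import string

# Substitutions exactly as the post lists them. The post's number list also
# carries a trailing 0 with no letter paired to it, so nothing maps to 0 here.
NUMBER_SUBS = {"l": "1", "e": "3", "s": "5", "g": "6", "t": "7"}
SYMBOL_SUBS = {"i": "!", "x": "*", "v": "^"}


def step_words(phrase: str) -> str:
    """Capitalize the first letter of each word, lower-case the rest and drop
    spaces and punctuation: "This is an example" -> "ThisIsAnExample"."""
    words = [re.sub(r"[^A-Za-z0-9]", "", w) for w in phrase.split()]
    return "".join(w[0].upper() + w[1:].lower() for w in words if w)


def substitute(text: str, table: dict) -> str:
    """Swap the listed lower-case letters only; capitals are left alone, which
    is why the 'T' and 'I' in the post's example survive."""
    return "".join(table.get(ch, ch) for ch in text)


def mangle(phrase: str) -> str:
    """All four steps in the post's order."""
    return substitute(substitute(step_words(phrase), NUMBER_SUBS), SYMBOL_SUBS)


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for an attacker who knows only the length and the
    character classes in use: 26 for 'a', 17576 for 'abc', 140608 for 'aBc'."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
             string.punctuation)
    alphabet = sum(len(p) for p in pools if any(c in p for c in password))
    return alphabet ** len(password)


def meets_guidelines(phrase: str) -> dict:
    """The post's rule of thumb: at least 14 characters after mangling, and at
    least one letter that became a number and one that became a symbol."""
    camel = step_words(phrase)
    password = mangle(phrase)
    return {
        "password": password,
        "long_enough": len(password) >= 14,
        "has_number_sub": any(ch in NUMBER_SUBS for ch in camel),
        "has_symbol_sub": any(ch in SYMBOL_SUBS for ch in camel),
        "guesses": brute_force_guesses(password),
    }
```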

common attacks

There are three attacks I would call common: brute forcing, social engineering and dictionary attacks. They are common enough that you should worry about whether your passwords are vulnerable to any of them.

A brute-force attack is one where the attacker tries each and every possible combination of characters. Doing this can be very time consuming, so hackers try to speed things up by making assumptions about passwords. You greatly increase the time needed to brute force a password by using longer passwords and as many different kinds of characters as possible. If passwords are only 1 character long and the characters are always 'a-z', it will take 26 guesses. Using three characters increases the guesses necessary to 17576 (26^3). If you add uppercase letters the number of guesses is now 140608 (52^3). This is why many people suggest long and complex passwords.

Social engineering creates an insecurity no matter how technically secure your password is. In social engineering someone will call you and try to get your social security number or your password to an ecommerce site. Maybe they'll try to convince you that they are from your credit card company and, "for security purposes", ask you to confirm your 9-digit social security number. Not only is using one's social security number this way unsafe, it is illegal. If they need to verify you, the last four digits of the SSN are enough. The only way to be secure here is to use common sense and be careful who you give your password to.

A dictionary attack is where the attacker has a list of possible words and tries each of them as a password. Don't think you are safe because a word is not in the dictionary on your desk. There are many specialized word lists, and hackers may combine them depending on what they know about you. If you mention on your MySpace page that you are into dogs, they might add a list of common dog names to the dictionary.

I have seen lists that include the most common first and last names in a specific country according to the census. I've even seen some with pet names and common misspellings.

Another common habit I've seen is putting a couple of numbers at the end of a password. But I've also seen guessing programs that do just that: add numbers at the end of each word.

medium vs super secure passwords

I suggest using 31337 for medium-secure passwords. However, hackers can get word lists for it. So the password is difficult to break, but not impossible.

When I decide to use a super-secure password, I always use the random password generator in KeePass. It is based on mouse movements over a graph of supposedly random noise. Just be sure to move your mouse constantly when you are using this option.
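A defensive check of the kind the dictionary-attack discussion and the 31337 caveat above call for, as an added Python example that is not from the original post: it tests whether a candidate password collapses to a word-list entry after lowering case, stripping trailing digits, or undoing the post's 31337 substitutions. The word lists and the pet-name list are constructed here for illustration.

```python
import re
from typing import Optional

# Constructed sample lists standing in for the specialised word lists the post
# describes: a base dictionary plus words tied to the person (pet names, etc).
BASE_WORDS = {"password", "welcome", "example", "summer", "letmein"}
DOG_NAMES = {"max", "buddy", "bella"}

# Undo the post's 31337 scheme so a leet-spelled word is checked as the word
# it came from; this is the kind of rewrite a leet-aware word list bakes in.
UNLEET = {"1": "l", "3": "e", "5": "s", "6": "g", "7": "t",
          "!": "i", "*": "x", "^": "v"}


def unleet(text: str) -> str:
    return "".join(UNLEET.get(ch, ch) for ch in text)


def wordlist_weakness(password: str, personal_words=()) -> Optional[str]:
    """Return why a password falls to the word-list attacks the post describes,
    or None. Checks are case-insensitive, strip a trailing run of digits (the
    'couple of numbers at the end' habit) and undo 31337 substitutions."""
    wordlist = BASE_WORDS | {w.lower() for w in personal_words}
    lowered = password.lower()
    candidates = [
        (lowered, "word in list"),
        (re.sub(r"\d+$", "", lowered), "word in list plus trailing digits"),
        (unleet(lowered), "word in list spelled in 31337"),
        (re.sub(r"\d+$", "", unleet(lowered)), "31337 word plus trailing digits"),
    ]
    for candidate, reason in candidates:
        if candidate in wordlist:
            return reason
    return None
```

Pass the words an attacker could learn about a person (here the constructed DOG_NAMES) as personal_words to model the combined lists the post warns about.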

Comments


I went to tons of links

I went to tons of links before this, what was I thinking?
