Tips For Better Password Security
In the last few months I have had a few people tell me that their web based email accounts or other web based services had been hacked into, their accounts taken over by crooks or criminals and, in one case (my aunt), her H&R Block credit account liquidated. When I asked about their passwords they admitted that it was an easy password to guess. Oftentimes we don't think about security until it's too late. With web based systems, cloud computing, and other mashups, I think it's about time we revisit the idea of a strong password.
How do hackers get my password?
More often than not, hackers gain access to your accounts because the password you selected was far too easy to guess. By "guess" I mean it's probably a dictionary word or a variation of a dictionary word. Hackers don't just sit behind a keyboard and type random words from a dictionary into your login page. No, they use tools that run automated attacks against a website's login function until they get lucky. Having an easy to guess password, one that can be found in a dictionary, is like handing the hacker the keys to your accounts.
Another method of cracking a password is through "social engineering". This is where the hacker attempts to use or manipulate data that you have put out for public display, such as on social websites, instant messengers and email. They may try to manipulate people into divulging confidential information, or use the information to guess passwords or security questions. In a time where many people use social sites to stay connected, we need to be cautious that the person on our friends list is really our friend.
What Makes A Password Bad?
Unfortunately the list of things that make a password bad is pretty long. I won't create a long list here. If you're interested, GeodSoft has a pretty comprehensive list and I am sure there are plenty of other sites out there with their own lists. Here are a few of my basic rules.
- Don't use personal info, account names, or any information that could be found on a social site, or address book. No phone numbers, names of spouse, children, or pets. Streets you lived on as a child, birth dates, or social security numbers.
- Don't use a word that is in the dictionary. This includes other languages. Not even words that have letters replaced with symbols or digits. For example: P@s5w0rd is way too easy to guess.
- Don't use a word in reverse or swap the first and last letters.
- Don't append or prepend a number to the dictionary word.
- Don't think you're slick by doubling up on letters in a word either. "wwoorrdd" is still an easy guess.
- Lastly, a bad password is one that you will forget. So if it's not memorable, then it's all pointless.
Creating Memorable Passwords
Creating a memorable password is easy; creating one that is difficult to guess but still memorable takes a bit more work, but it's still pretty easy if you use some techniques to help you remember.
The best passwords are at least eight characters in length and contain upper and lowercase letters, numbers, and a special character. With this in mind, let's construct a password that is both memorable and difficult to guess.
One method I use is to think of a phrase or a quote that is memorable to me. For example, my football coach used to always say to us defensive players: "You have to stick it to them and drive, drive, drive!" I can still hear his voice ringing in my ear. Using this phrase I might construct a password like "Uh2stic&D,D,D!"
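To make the "bad password" rules above and the composition rule (eight characters, mixed case, a digit and a special character) concrete, here is an added example of a small checker that tests a candidate the way an automated cracker would before it ever reaches the login form: it undoes the common digit-for-letter swaps, strips appended or prepended numbers, reverses the word, swaps the first and last letters, and collapses doubled letters, then looks the result up in a word list. This is my own illustration, not code from the post or from any of the tools it mentions; the tiny embedded word list is constructed for the example and stands in for the large multi-language dictionaries a real checker would load.

```python
import re
import string

# Constructed stand-in for a real dictionary (a real checker loads a large,
# multi-language word list; this handful is just enough for the example).
WORDLIST = {"password", "rocking", "word", "stick", "drive", "football"}

# Digit/symbol-for-letter substitutions that cracking tools undo first.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})

# Minimum composition rules from the post: length, case, digit, symbol.
MIN_LENGTH = 8


def candidate_words(pw):
    """Yield the dictionary-shaped forms a cracker derives from pw."""
    # Lower-case and drop any digits/symbols appended or prepended to a word.
    base = pw.lower().strip(string.digits + string.punctuation)
    for w in (base, base.translate(LEET_MAP)):   # plain and de-leeted
        yield w                                   # the word itself
        yield w[::-1]                             # the word reversed
        if len(w) > 1:
            yield w[-1] + w[1:-1] + w[0]          # first/last letter swapped
        yield re.sub(r"(.)\1", r"\1", w)          # doubled letters collapsed


def matches_dictionary(pw):
    """True if pw, or a simple variant of it, is a dictionary word."""
    return any(w in WORDLIST for w in candidate_words(pw) if w)


def check_password(pw):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if matches_dictionary(pw):
        problems.append("dictionary word or simple variant of one")
    return problems


if __name__ == "__main__":
    # The post's own examples: the leet-substituted word fails the dictionary
    # check even though it satisfies every composition rule, while the
    # phrase-derived password passes everything.
    for candidate in ("P@s5w0rd", "wwoorrdd", "word123", "Uh2stic&D,D,D!"):
        print("%-16s -> %s" % (candidate, check_password(candidate) or "ok"))
```

Note that P@s5w0rd satisfies all four composition rules and still fails, which is exactly the post's point: composition rules alone do not catch a dictionary word in disguise, so a checker has to normalize the candidate the way an attacker's tooling does before looking it up.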
Repurpose With Layers
Because creating a good password takes a bit of thought, I like to repurpose the same password on several sites. Normally this is not a good idea, but let me explain.
I think of the sites I use in terms of layers. There are some sites that I don't use often, or sign up for and then forget about. Then there are sites that I use often, which may contain personal information but are not connected to anything sensitive. Then there are sites like banks, email, and other services that store or use my sensitive information as part of the service, like PayPal or a credit reporting site.
Because a strong password is only good if you can remember it, I create three levels of passwords. One is for the fly by night sites that I visit and sign up for. This one might be easy to remember and type quickly. It may not be the safest password, but I probably don't care if someone wants to hack into my IconBuffet account. It's also not uncommon for these outer layer sites to restrict passwords to only letters and numbers, as special characters might create programming challenges that the creators don't feel are important enough to fix. For these outer layer sites I might use "yh2st1ck" as my password. It's easy enough to remember but unique enough to challenge a would-be hacker.
The second layer password is more difficult still. I might use this for social sites, or sites that may contain personal information or access to my friends and contacts that could be used in a social engineering attack. For a second layer password I might use "UH2s&dDD!"
And lastly, the highest layer needs a really strong password for banks, email accounts, or other systems that use sensitive information. This might be the strong password I mentioned earlier like "Uh2stic&D,D,D!"
To reiterate my point: my reasons for recommending this technique are to make all your passwords memorable so that you don't write them down on a scrap piece of paper or put them into a password file on your computer. It's also better to have three passwords that are safer and more secure than one to ten passwords that are easy to guess.
Tools For Generating & Testing Memorable Passwords
If you're finding it difficult to create a memorable password, or you're not sure the password you picked is as safe as you think it is, there are tools out there to help you.
Password Assistant – Macintosh utility built into the OS
The memorable random password generator
Password Security Meter
Microsoft Password Checker
Macintosh Password Assistant
My personal favorite utility is the Password Assistant. It's built into the OS, and the gurus at Code Poetry have created a simple utility to call the Password Assistant without having to access the Accounts preference pane. Here is a screenshot of the utility and a sample of the suggested password. It also gives you a visual meter of your password's quality.

What I really like about this utility is its ability to give you useful feedback when your password is too weak. For example, here is the word "rocking" with the typical number replacement on the letters "o" and "i". As you can see, the Password Assistant instantly recognizes this as a dictionary word and alerts you in the Tips field, allowing you to modify your password to something a bit more secure.

Tags: General · Inspiration · usability