
I know, I know: it’s a pain to memorize a random password, much less to use a different password for each application.  (A leading software support company, SurfSecret, reports that the number one reason users call them is lost or forgotten passwords.)  Unfortunately, this “password fatigue” is a necessary symptom of our networked, virtual world.  Balance it against the loss you might suffer if you are hacked, though, and you can see that the protection may well be worth the inconvenience.

Almost anyone can hack a computer password used by the uninitiated, simply by guessing or through the use of “social engineering” (these account for 80% of hacks).  Always avoid the following common mistakes:

  • Don’t use repeated or sequential characters (111, 123, abc, qwerty, etc.)
  • NEVER use password, admin, administrator, rememberme or PCuser
  • NEVER use your name, initials, family names, pet names, addresses or other personal information (and ABSOLUTELY NEVER use your social security number!)
  • Don’t use only dictionary words (a hacker using “rainbow tables” can hack such words in seconds)
  • Don’t use the same password for different sites (someone who knows or guesses your Facebook password could access your bank account)
  • Don’t let your computer log you in automatically at boot-up, and don’t enable automatic sign-ins for chat programs or browsers
  • Don’t use the same password for all of your different computers (e.g. desktop, office, laptop)
  • Try not to use the browser’s automatic “Do You Want Firefox To Remember This Password?” option for your website sign-ins; keep sign-ins under your own control
  • Don’t access password-protected accounts over open Wi-Fi networks unless you see that the site is secured via https:// in the address bar
  • Don’t enter any account information or passwords in any web page you reach via an e-mail link.  If you must, go directly to the address for that website and sign in from there
  • You should know that in January 2010, an examination of 32 million passwords stolen by a hacker in December 2009 from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace, showed the 32 most common passwords, all of which were published for hackers to see.  30% of the passwords examined were 6 characters or less; 50% were easily guessable names, slang or consecutive digits. They are as follows:
          1.  123456
          2.  12345
          3.  123456789
          4.  password
          5.  iloveyou
          6.  princess
          7.  rockyou
          8.  1234567
          9.  12345678
          10.  abc123
          11.  nicole
          12.  daniel
          13.  babygirl
          14.  monkey
          15.  jessica
          16.  lovely
          17.  michael
          18.  ashley
          19.  654321
          20.  qwerty
          21.  iloveu
          22.  michelle
          23.  111111
          24.  0
          25.  tigger
          26.  password1
          27.  sunshine
          28.  chocolate
          29.  anthony
          30.  angel
          31.  FRIENDS
          32.  soccer

The same was true of the Duo Security study in 2010, which analyzed some 400,000 passwords.  In addition, it found that 99.45% of the passwords were strictly alphanumeric (letters and numbers only, no special symbols) and 61% were all lowercase (no mix of capitals and lowercase).  Both of these make passwords easier to crack.

Ideally, in order to be reasonably safe, a password should be cryptographically strong and longer than 10 characters.  This is now necessary because of the vast improvements in computational power and the more sophisticated password-cracking software and techniques readily available to hackers.  Password strength is measured using a concept from information theory known as information entropy or bit strength.  It is expressed as the number of bits needed to count all the possible passwords of a given length and complexity.  For example, a password with a strength of 10 bits (e.g. “ab123”) has 1024 possibilities, which is relatively weak. Microsoft offers a free password strength checker at the following LINK.

There are lots of sites advising you about how to create memorable and unhackable passwords (and some software that’ll actually do it for you, e.g. “Random Password Generator”), but I like the following idea best:  First, create a mnemonic password out of a passphrase.   For example: ICNRMP0203.  What does it mean?  “I Can Never Remember My Password 0203”.   (Or use a quote, or the first line of your favorite novel.)  To make it more difficult, switch between upper and lower case, as in iCnrMp0203.  For even more difficulty, use the second letter of each word in the phrase.  Obviously you can make one even shorter: MDiG03 (“My Desk is Green 03”).   But take this advice: use a combination of numbers and letters and different cases; it makes the password harder to crack.  You can change the numbers if you need multiple passwords (e.g. 19, then 28, then 37, etc.), or add a few characters at the front so you’ll know which site it goes with.  You shouldn’t use the same password for everything, but it’s hard to keep track of many different ones:  You SHOULD write them all down somewhere. I keep a list of mine (now well over 50) on a spreadsheet showing not only the account and password, but also the date and website information, but it’s not in the same room as my computer.

If you feel that you have so many passwords that you absolutely must use software to keep track of them, or you need to sync the information between more than one computer and perhaps an iPhone, there is both free and paid software readily available for this purpose.  See, e.g., Callpod’s Keeper.

A second clever way to devise a password is known as the SFSP (Simple Formula for Strong Passwords), developed by the SANS Institute.  Basically, you take an easy-to-remember word, stick your birth date or some other meaningful number in the middle of it, and surround the result with special characters.  For example:  if your dog is a beagle and the number is your golf club membership number, it could look like this:  “~+beag2655le~+”.
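As an added example (not code from the Computer Coach page), here is a small Python checker that applies the rules from this page to the passphrase and SFSP examples above: it flags the RockYou top-32 and the banned words, repeated or sequential runs, keyboard patterns, short length, and letters-only or all-lowercase passwords, and estimates bit strength with the textbook formula length × log2(alphabet size).  The alphabet sizes are an assumption; because the formula counts the whole letter-and-digit alphabet, it gives a larger figure for “ab123” than the 10-bit illustration above.

```python
import math
import re

# The 32 most common RockYou passwords, as listed on this page.
ROCKYOU_TOP32 = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty", "iloveu", "michelle", "111111", "0", "tigger",
    "password1", "sunshine", "chocolate", "anthony", "angel", "friends",
    "soccer",
}
# Default-style words the page says never to use.
BANNED = {"password", "admin", "administrator", "rememberme", "pcuser"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Assumed alphabet sizes per character class (33 = printable ASCII symbols).
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def bit_strength(password: str) -> float:
    """Textbook estimate: bits = log2(alphabet ** length) = length * log2(alphabet)."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def has_run(password: str, n: int = 3) -> bool:
    """True for n identical characters in a row (111) or a straight sequence (123, abc)."""
    s = password.lower()
    for i in range(len(s) - n + 1):
        codes = [ord(c) for c in s[i:i + n]]
        if len(set(codes)) == 1 or all(b - a == 1 for a, b in zip(codes, codes[1:])):
            return True
    return False


def check_password(password: str) -> tuple[float, list[str]]:
    """Return (estimated bits, list of violated rules from this page's advice)."""
    low = password.lower()
    problems = []
    if low in ROCKYOU_TOP32:
        problems.append("in the RockYou top-32 list")
    if low in BANNED:
        problems.append("banned default word")
    if has_run(password):
        problems.append("repeated or sequential characters")
    if any(row[i:i + 4] in low for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        problems.append("keyboard pattern")
    if len(password) <= 10:
        problems.append("10 characters or fewer")
    if low.isalpha():
        problems.append("letters only")
    if password.islower():
        problems.append("all lowercase")
    return bit_strength(password), problems
```

Note that the SFSP example “~+beag2655le~+” passes every rule except the all-lowercase one, and the 10-character mnemonic iCnrMp0203 is flagged only for length.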

[Corporate systems store passwords using a one-way hash function that, unlike symmetrical data encryption, cannot be reversed to reveal the clear text even with so-called brute force attacks.  But this may be a little much for residential users.]

[Talking about encrypted files, some people like to use what’s known as “keyfile” passwords.  These passwords take the first 1,024 characters of a file (any file, it could even be an MP3 music file) and use that as a password.  Sounds good at first, but the longer you keep and use that file, the more chance that it could be slightly changed, or add/delete headers or the like, making it useless.  If you’re going to use this type of password, make sure you keep it in multiple places!]

All of this may be insufficient to protect a business.  For security, businesses should rely on more robust authentication: encryption, smart cards, tokens, biometrics and the like are quite common in the enterprise.

The Future:  Aware of the increasing complexity of strong passwords and the number of different ones required by the average user, DARPA is developing software that determines, just by the way you type, that you are entitled to use the computer.  Richard Guidorizzi, the DARPA Program Manager, calls an individual’s distinct behavioral computer characteristics, their “cognitive fingerprint.”  Currently proposed software is based on “mouse dynamics,” which uses each person’s idiosyncratic way of using a mouse, such as the speed with which you move the cursor across the screen (the path - i.e. straight line, convex or concave arc; or the presence or absence of “jitter”) and “keystroke dynamics” (how long a user holds down a given key and moves from one key to another), but it isn’t certain whether these behavioral characteristics will ultimately prevail.

Where to keep them:  However, even the security of the best password is compromised if you put it on a Post-It Note on your monitor, or tape it under your keyboard or in some other obvious place.  If it’s a good password or passphrase, you should remember it!  Moreover, you should plan ahead, so that if you should become incapacitated (through accident, death or disease), your spouse or heirs can access your computer data.  Leave the list in a secure location known only to a trusted party.  Or use a service such as Legacy Locker, which promises to grant access to friends or loved ones in the event of loss, death or disability.  The free trial account lets you protect up to three assets.

Third, it would be a good idea to change your password periodically. Not that most of us actually do.  (If you use the passphrase method described above, you can just change the passphrase itself, leaving the other information the same.)   Still, every six months or so is the recommended period, and hopefully not less than once a year.  Your bank and other secure sites may insist on this anyway.  Remember:  Treat your password like your toothbrush: don't let anybody else use it, and get a new one every six months.

Finally, while password security is important, viruses and malware that can compromise your computer are much more important.  A keystroke logger, for example (see Security), can hijack your computer, by keeping track of all of the passwords you enter through your keyboard, then use that information against you.  To protect yourself against these types of intrusions, it’s essential to keep your anti-virus and anti-malware programs up to date.

Check your password at the Password Meter site, Microsoft's “Check your password — is it strong?” page, or the Test Your Password test site.

FAQ:  Make it idiot proof and someone will only make a better idiot.


© Computer Coach.  All written materials are the sole property of Computer Coach (unless otherwise attributed) and no part of this website may be used in any format without the express written permission of Computer Coach.