Passwords. They are the most common access control mechanism in use today. They’ve been around for centuries as a means to restrict access. They allow only those that know the correct combination of signs, symbols or whispered words to access some special resource or content. They are everywhere, from your brick-and-mortar ATM PIN to almost every website on the internet. And they are a high-risk pain in the keister. Why is that, exactly?
Passwords by their very nature are risky. They rely on keeping secrets to be effective. The problem with secrets is that a secret is only a secret until more than one person knows it. In order to keep them secret, there are certain, apparently conflicting, rules that must be followed in their design.
- They need to be short enough that we can type them in accurately.
- They need to be long enough to present a challenge when someone tries to use them without authorization.
- They need to be simple enough that we can remember them.
- They need to be complex enough that they cannot be easily guessed.
- They need to be unique, because there are so many places that we use them.
- They need to be unassociated with the place or resource that they are protecting.
- They need to be unrelated to the person that created them.
- They need to remain memorable, or they will be forgotten.
Since the password is the key to the vault, restrictions on using the wrong key should be put in place to prevent someone from just typing in every possible key combination. That means that if you use the wrong password more than, say, three times, some type of lockout should take place. This delays the ability to “brute force” a password, extending the time from a few hours to a number of days or weeks. An alert should be generated to the registered owner’s email as well as to the administrator of the resource that is being protected, so that they can change the password or temporarily suspend the account.
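The lockout-and-alert rule above, as an added example rather than code from the post: it assumes a threshold of three wrong passwords, a constructed 15-minute initial lockout that doubles on each repeat, and an in-memory store where a real system would persist state and actually send the e-mails.

```python
MAX_FAILURES = 3          # wrong passwords tolerated before a lockout (as the post suggests)
LOCKOUT_SECONDS = 900.0   # assumed initial delay; doubles on every further lockout


class LoginGuard:
    """Tracks wrong passwords per account, locks the account out once the
    threshold is hit, and queues an alert for both the owner and the admin.
    Times are plain seconds so the example runs without a clock."""

    def __init__(self, owner_email, admin_email):
        self.owner_email = owner_email
        self.admin_email = admin_email
        self.accounts = {}
        self.alerts = []  # (recipient, message) pairs a real system would e-mail

    def _state(self, user):
        return self.accounts.setdefault(
            user, {"failures": 0, "locked_until": 0.0, "lockouts": 0})

    def attempt(self, user, password_ok, now):
        """Return 'ok', 'denied' or 'locked'. `password_ok` is the outcome of
        the real credential check; the guard only counts and throttles."""
        st = self._state(user)
        if now < st["locked_until"]:
            # Still inside the lockout window: refuse even a correct password,
            # otherwise a guesser could keep cycling candidates for free.
            return "locked"
        if password_ok:
            st["failures"] = 0
            return "ok"
        st["failures"] += 1
        if st["failures"] < MAX_FAILURES:
            return "denied"
        # Threshold reached: exponential backoff turns hours of guessing into
        # days or weeks. Note that anyone who knows the username can trigger
        # this, which is one reason the owner alert matters.
        st["lockouts"] += 1
        st["failures"] = 0
        st["locked_until"] = now + LOCKOUT_SECONDS * 2 ** (st["lockouts"] - 1)
        msg = (f"{user}: {MAX_FAILURES} wrong passwords, locked until t+"
               f"{st['locked_until']:.0f}s; change the password or suspend the account")
        self.alerts.append((self.owner_email, msg))
        self.alerts.append((self.admin_email, msg))
        return "locked"

    def locked_until(self, user):
        return self._state(user)["locked_until"]
```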
By making passwords long, the time it takes to break into the account is also extended. Notice that it is not prevented. Like a lock on your door, a password is a deterrent measure, designed to buy some time, make some noise, and slow down an intruder. A lock is not actually designed to keep someone out of your home, just to make it more difficult to get in. They could always just break a window!
Passwords that are easy to remember tend to be simple, everyday words. A password that is the same as the username is very easy to remember, since it re-uses something that you have to type in already to gain access. It is also very easy to guess. The word “password” is a poor choice as well, and it is a poor choice chosen by many. Throwing a zero in place of the O doesn’t really help.
So why do passwords need to be “unique”, and what does that really mean, anyway? Well, think about it. Who are hackers? They are computer-savvy individuals that seem to be fairly knowledgeable in computer use and misuse. They are curious by nature, and seem to be able to make magic happen around passwords and access controls. Magic is usually the art of deception and manipulation. If I have a website, and you log in to it using a username and password, chances are I can see what you used as your username and password combination. If you have used that same combination elsewhere, I can search for your username in Google or other resources. If I find your name or username on another site, I can try to re-use your password. If the key fits, the vault is open. Now, not all admins are out to get you. This same trick can be used by an attacker that breaches a website. If they can get at or figure out your password on one site due to poor design or security measures (no or weak encryption, storage in clear text at some point, etc.), they can use that password wherever you have used it. Email, website, home PC, bank account, whatever.
Passwords should not be related to the place you are visiting. Don’t log in to Disney’s site using a password of “Walter” or “Mickey”. The password is intended to make accessing your account difficult. These associations make it easy to remember, but really don’t do anything to protect your assets. Sometimes, as we grow comfortable with a website, we will begin to trust it, even though we have a crappy password. We then go into the Disney Store and buy a set of Mickey Mouse ears, because the ones we bought when we visited 10 years ago have gotten kind of ratty (LOL). We enter credit card information. BINGO! Some hackers will break into these “unimportant” accounts for that kind of information, or just to see if they can learn more about you. If they can get your phone number, pets’ names, kids’ names, wife’s name, address, etc., they can add those to the list of things to try on other sites, or use them as clues about you to aid in profile building.
So, what should you do to protect passwords and accounts, then?
- Use a password once. Don’t re-use it on multiple sites.
- If you can, use a random password generator, or a one-time password tool, like an RSA token.
- Don’t share your passwords. Even with family members or people that you trust.
- Make your passwords AT LEAST 6 characters long; longer is better!
- Don’t just use dictionary words. Make up your own spelling.
- Use letter/number substitution and inclusion. Replace H with |-| or ]-[, E with 3, I with 1, “for” with 4, and use commas, exclamation marks and periods.
- Build your password using passphrases.
What are passphrases? A passphrase is simply a sequence of words. A passphrase is generally longer than a password for added security. Use an entire sentence for your password. “To be or not to be” is harder to break than “scotch”. First, they tend to be much longer (20 characters or more is typical; my example is 18, counting spaces), making some kinds of brute-force attacks impractical. Second, if well chosen, they will not be found in any phrase or quote dictionary, so such dictionary attacks will be almost impossible. My example here would fail, as it is a common Shakespearean quote. Third, they can be structured to be more easily memorable than passwords without being written down, reducing the risk of hardcopy theft.
Better than a passphrase is the passphrase acronym. This is probably the strongest method that I know of that maintains the “keep it simple and memorable” rules discussed earlier. The password “To be or not to be, that is the question” can be transformed into “2borNOT2b-tistq?”. The first letter of each substantial word is “tbornottbtitq”. That is a pretty fair password on its own, but it lacks capitalisation and the use of numbers and symbols, which would increase its complexity. So we make “to” into 2 and capitalize something: “2borNOT2btitq”. Better. Next we separate the structure with a dash and add the question mark as a memory tweak.
So, all of that exercise to create one crummy password for one site? I visit a bazillion websites! I can’t just re-use them? Ever? I strongly recommend against it, but don’t always eat my own dog food. I have a set of about 4 passwords that I re-use regularly. I only use these passwords on sites that I don’t care about, enter little to no accurate information on, or in fact I use misleading information on them to determine when they are breached. Anywhere that I have entered sensitive information, or that I intend to return to and to keep access restricted on, I tend to use a strong, unique password. If you do this, you will need to manage your passwords.
How do you manage your passwords? I use a database that is strongly encrypted, and also protected by, you guessed it, a passphrase. That way, I only have to remember ONE password and can gain access to all of my other passwords, usernames and website listings that each belongs to. This program remains under my control, so I don’t worry about someone else getting access to it. The encryption is strong enough and the passphrase obscure enough that even if they have local access to my computer, they are going to need a long time to crack the code. I assume that by then I will have changed my passwords, as that is something that I do on a regular schedule.
There are programs out there on the Internet that can store your passwords for you, encrypted and password protected. Yes, there is an app for that! Here are some resources that I trust and recommend. Trusting them is very important. Good luck with your new passphrases. Don’t write them down!
- Perfect Password Generator: https://www.grc.com/passwords.htm
- Random Passphrase Generator: http://www.fourmilab.ch/javascrypt/pass_phrase.html
- Passphrase FAQ: http://www.iusmentis.com/security/passphrasefaq/practical/#Howlongshouldthepassphrasebe
- Diceware Passphrases: http://world.std.com/~reinhold/diceware.html
- Password Safe (FREE): http://passwordsafe.sourceforge.net/
- BlackBerry Password Keeper: http://docs.blackberry.com/en/admin/deliverables/16648/Protecting_stored_passwords_on_a_BB_device_842440_11.jsp
- iPhone Keeper Data Vault: http://itunes.apple.com/us/app/keeper-password-data-vault/id287170072?mt=8
- Password Vault: http://www.lavasoftware.com/PasswordVault_-_Password_and_Textclip_Manager_For_Windows,_MacOS_and_Linux.html
- Enterprise Password Vault: http://www.cyber-ark.de/digital-vault-products/pim-suite/enterprise-password-vault/index.asp