In Search of Secure Passwords

Hackers. The word conjures up images of slick and elusive masterminds (albeit pretty geeky ones). With the collective knowledge of the world all at their fingertips, one might think these guys would do everything in their power to cover their tracks and protect themselves from people who are just like…them.

Well, not so with Hacking Team, the creators of spyware and malware for numerous governments across the world, including oppressive regimes in Africa and the Middle East. With a highly sensitive database filled with reams of yet-to-be-released malware samples, they secured this information with passwords like passw0rd and p4ssword. Dangerous minds at work, clearly. Any seasoned hacker would have given these “passwords” a whirl on his or her first attempt to breach the system. In fact, each year SplashData compiles a list of the 25 most hackable passwords, and “password” has held the number one or two spot since the security firm started publishing the list in 2011. From there it doesn’t take a rocket scientist to play with variations on the word to come up with a match. Once they have that match, your information, files and ID are up for grabs like leftover doughnuts at the end of the day at Dunkin’ Donuts.

Considering all that’s at stake, it’s worth your while to come up with strong passwords. You might be feeling pretty confident that you’re A-okay when it comes to passwords, though. You would never dream of doing something so foolhardy; you use something waaay less obvious than 123456 or password or baseball or any of the dubious honorees holding the top 25 spots on the list of dumbest passwords, um, easiest-to-hack passwords.

Here is the sad truth about your passwords

You are probably much more vulnerable than you think. You know when you create an account on a website and it has a password strength meter to indicate whether or not your chosen password is a tough crack? It may indicate that you have done a sufficient job of coming up with a string of at least eight characters, including some numbers and caps, but it doesn’t tell you whether your password is altogether insecure. What may take a computer program a million-plus years to crack takes a seasoned hacker just a few weeks’ worth of attempts, using some knowledge of patterns and writing rules. Lifehacker.com quotes an article from ArsTechnica.com describing how penetration tester Rick Redman can easily crack most passwords: “Passwords such as ‘mustacheehcatsum’ (that’s ‘mustache’ spelled forward and then backward) may give the appearance of strong security, but they’re easily cracked by isolating their patterns, then writing rules that augment the words.” For Redman to crack the password “Sup3rThinkers”, he employed rules that directed his software to try not just “super” but also “Super”, “sup3r”, “Sup3r”, “super!!!” and similar modifications. It then tried each of those words in combination with “thinkers”, “Thinkers”, “think3rs”, and “Think3rs”.

So let’s say we have a web designer named Sara, born on August 10th, 1984, using the password $4ra081084WD. She may think she’s come up with a really clever password, but any hacker worth his or her salt knows just what to go after to crack a password like this (her name, her birth date and her job are all in there). Scary, but true. But wait, don’t head for the hills and disconnect your internet just yet: there are ways you can make your passwords harder to crack and keep your information secured. It just takes a bit of habit-breaking, but it’s truly worth it in the end.
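The same pattern rules a cracker writes can be turned around into a better strength check. The Python below is an added example, not code from the article or from Rick Redman’s tooling: it contrasts a naive meter with a check that undoes leet substitutions, looks for dictionary words (forward or reversed) and spots date-like digit runs. The tiny word list, the substitution table and all function names are constructed for this illustration.

```python
import re

# Constructed, tiny word list. A real check would load a full dictionary
# plus leaked-password lists, since anything memorable is in them already.
WORDLIST = {"super", "thinkers", "mustache", "password", "sara",
            "baseball", "pancakes", "french", "toast"}

# Leetspeak substitutions that cracking rule sets undo automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def meter_says_strong(pw: str) -> bool:
    """The naive meter: at least 8 chars, one digit and one capital."""
    return (len(pw) >= 8 and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw))


def normalize(pw: str) -> str:
    """Undo leet substitutions and case, as a mangling rule would."""
    return pw.translate(LEET).lower()


def dictionary_words(text: str) -> list[str]:
    """Dictionary words hidden in text, spelled forward or backward."""
    return sorted(w for w in WORDLIST if w in text or w[::-1] in text)


def looks_like_date(pw: str) -> bool:
    """Six- or eight-digit runs such as 081084 (MMDDYY) or 19840810."""
    return re.search(r"(?<!\d)(\d{6}|\d{8})(?!\d)", pw) is not None


def weaknesses(pw: str) -> list[str]:
    """Pattern findings the meter misses; an empty list means none found."""
    issues = []
    words = dictionary_words(normalize(pw))
    if words:
        issues.append("dictionary words once leet/case are undone: "
                      + ", ".join(words))
    if looks_like_date(pw):
        issues.append("contains a birth-date-like digit run")
    return issues


if __name__ == "__main__":
    for candidate in ("Sup3rThinkers", "$4ra081084WD", "0Ijdina80timhbsUsCc"):
        print(candidate, "meter:", meter_says_strong(candidate),
              "findings:", weaknesses(candidate) or ["none"])
```

The meter rates all three candidates as strong; only the Schneier-style phrase password comes back with no findings.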

Here are some things you can do starting NOW to keep your passwords safe.

Use different passwords for each site. Instead of going on auto-pilot each time you need to create a new account, think of a new password for each one. It may be a pain, but think about it this way – if you have the same password for all your accounts and even one gets hacked, well, then you have just had all your accounts hacked.

Don’t let that password strength meter mislead you. A good password has way more than eight characters and symbols. Security expert Bruce Schneier recommends the Schneier Scheme, which goes something like this: take a phrase or even a memory you have and use the first letters of each word to create a password you’ll remember but that won’t be obvious to anyone else. For example, if you’re a product of ’80s music, you could use 0Ijdina80timhbsUsCc in place of “Oh, I just died in your arms tonight, it must have been something you (U) said” by the Cutting Crew, with the number 80 thrown in somewhere in the middle. Or, equally memorable but perhaps less new wave, yUmpc&ft4bfonSm0rns in honor of your favorite family tradition: yum, pancakes and (&) french toast for (4) breakfast on Sunday mornings.

Schneier also suggests using a password manager. Password managers are software that store your passwords encrypted, requiring one master password to unlock the database and retrieve the rest. Some, like LastPass, even have a password generator to create unique and nonsensical passwords on the fly and then store them automatically in your personal database. LastPass also allows users to enable multi-factor authentication, so if someone does get hold of the master password, they cannot open the database without that other factor. Here is a list of 2015’s top password managers according to PCmag.com.

Speaking of multi-factor authentication, whenever a website prompts you to add another authentication factor, you really should do so. Some websites, like Gmail, PayPal and Dropbox, can be set to require two factors before granting access. Lifehacker.com (gotta love ’em) quotes Google’s Matt Cutts saying “Two-factor authentication is a simple feature that asks for more than just your password. It requires both ‘something you know’ (like a password) and ‘something you have’ (like your phone). After you enter your password, you’ll get a second code sent to your phone, and only after you enter it will you get into your account. Think of it as entering a PIN number, then getting a retina scan, like you see in every spy movie ever made. It’s a lot more secure than a password (which is very hackable), and keeps unwanted snoopers out of your online accounts.”

When it comes to security and password-reset questions, here is a rule of thumb: lie. According to security expert Roger Grimes, the most secure way to answer a security question is with an answer that has nothing to do with the question. When a website asks for your first pet’s name, give an answer like lightbulb. (If “lightbulb” was your first pet’s name, then you have an odd sense of what first names should be.) Grimes says reset questions are actually the weakest link in online security, as people simply assume that they have to answer honestly, often with information that is readily available on the internet. Think about this: if the question is “What is your mother’s maiden name?”, a quick trip to a genealogy site or even just a standard Google search can turn that information into public knowledge.

In truth, there is no iron-clad way to keep 100 percent of your passwords 100 percent safe 100 percent of the time, aside from throwing your WiFi out the window, flushing your smartphones and tablets down the toilet and hunkering down in a cabin on some remote mountaintop, but that method is a bit… drastic. Follow the above tips and you should be able to sleep soundly at night knowing that your passwords are as secure as they can be.

Sources:

http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now

http://lifehacker.com/5937303/your-clever-password-tricks-arent-protecting-you-from-todays-hackers

http://boingboing.net/2014/02/25/choosing-a-secure-password.html

http://www.infoworld.com/article/2616157/security/creating-strong-passwords-is-easier-than-you-think.html?page=2

http://gizmodo.com/the-25-most-popular-passwords-of-2013-god-help-us-1504852434

http://splashdata.com/press/worst-passwords-of-2014.htm

http://arstechnica.com/security/2012/08/passwords-under-assault/1/

2 thoughts on “In Search of Secure Passwords”

  1. 0Ijdina80timhbsUsCc
    Oljdiya80timhbsUsCC — two errors
    I find adding the number at a _specific_ spot useful and I get there by entering the title first and then spacing over from the beginning of the password field (i.e., Ctrl<-, then a predetermined number of right arrows) OR I substitute the number for the punctuation when I'm typing.
    Note that any line that is remotely well known (e.g., anywhere in any edition of the Bible, any current or familiar song lyric, any title of a song, book, or movie) will be in a large hacking dictionary soon. With so many hacked password lists, if you can think of it and easily remember it (or the derivation rule), someone probably already revealed it.


    1. Hi Bill,
      Interesting point about the initials of song titles ending up in hacking dictionaries. I don’t think using the latest Justin Bieber song title is a smart idea, but using an older, less well-known title with random characters thrown in should be secure.
      Thanks for your insights, keep ’em coming!
