Monday, May 4, 2015

How do I create a strong password?

In my previous posting, I recommended that you change the default administrator user name and password used to access the configuration settings on your wireless router. These are frequently set by the router manufacturer to be admin/admin. All the hackers are aware of that fact and know that most of us probably don't know enough to change our credentials to something unique and hard to crack.

When you change the user name, make it something innocuous and unguessable. When you set a new password, make it long. Very, very long. Don't use dictionary words or dates or local sports team names. Don't use the name of your dog or your daughter's birthday—that information is readily accessible on your Facebook or Flickr page and a dozen other places. And do not reuse a password that you're using elsewhere.

A number of people's lives and finances have been ruined by password reuse. If you're using the same password for your Apple ID account, email account, online banking site, and more, then you're in deep doo-doo if just one of those accounts gets hacked. For an example of a huge loss endured following a password crack, read about the epic hack against Mat Honan of Wired magazine here.

OK, so what is a strong password? For one thing, it's no shorter than 14 characters (according to the Georgia Tech Research Institute). I wholeheartedly agree. Typically, a strong password is both long and complex—meaning it is a combination of upper- and lower-case letters, numbers and special characters (symbols, such as #, &, !, etc.). These are all good things to have in your password; in fact, the more random characters you use, the better.

Even Edward Snowden will tell you (in one of his April 5th interviews with John Oliver), that we need to stop thinking in terms of passwords, and start thinking about pass phrases instead. The longer the phrase, the better.

Know this: any password is crackable, given enough time and computing power. The goal is to make your password too hard to crack within a reasonable amount of time. A strong 14-character password can take centuries to crack. Those are the kind I like to use.

One great method for creating a password is described in the 3-minute video referenced in this article by security company Sophos: How to choose a strong password. Watch the video. I can't stress this enough. Got three minutes? Watch the video.

If you want to know more about how the bad guys crack passwords, see Bruce Shneier's blog posting about Choosing Secure Passwords. There are also plenty of web sites that provide a password strength checker. Just be sure not to test with a current or future password on those sites. For example: How secure is my password? Also, Microsoft has one at their Safety & Security Centre.

In the security industry, we all agree that password authentication is a fairly weak form of authentication, primarily because humans are the ones making up the passwords, and we've got too many passwords to remember. They say that passwords are going away and will be replaced by biometrics and other stronger forms of authentication. But not today. For now, we're still stuck with passwords for most of our online authentication.

In the meantime, for sites that hold sensitive or personally identifiable information (PII) it's a good idea to implement unique user names and strong passwords; and, if the site offers multi-factor authentication, take advantage of it. Got a Gmail account? Use Google's two-step verification. Most online banks offer this now, as well. Take advantage.

In a nutshell, make sure your passwords are unique and strong (i.e., long and complex); don't save passwords in a clear text file (in other words, unencrypted) stored on your PC; and don't write down your passwords or otherwise store them in an unsecured location.

Also, do not share your password with anyone. Anywhere. Anytime. Ever. No one, not even technical support staff, should ever ask you for your password. Would you hand your front door keys to a stranger? Treat your passwords the same way.

1 comment:

  1. I was driving my teen and her friends last year and from their conversation it became apparent that if they have passcodes on their phones, it didn't stop them from sharing the passcodes with their friends. They all seemed to know each others' passcodes. I probably mortified my daughter by launching into a lecture about password security, starting with a very real example that happened between two of her friends back in first grade. Girl V was a precocious mean girl who turned the other girls against Girl E. Somewhere along the way E had given V her WebKinz password, and V went into E's account and used up all her Kinz Cash. OK, small theft of totally virtual resources, but it shows you can't start teaching kids too young about password security. The best saying I've heard yet: treat your password (or passphrase) like your toothbrush - never share it with anyone and don't use the same one for too long.

    ReplyDelete