Sunday, January 25, 2009

Web passwords

Web passwords made easy

Learn how to create secure passwords for all your online activities – without making your brain hurt.


A while back I visited my brother. He's always happy to talk tech with me and on this occasion he was delighted to show me his latest handheld computing toy. He presented it to me with obvious relish and watched as I started it up. It opened to a password screen. Within one second – on my first attempt, mind you – I cracked his password and was into the device.

"How'd you do that?" asked my clearly disconcerted brother.

"I chose the most obvious password you would choose...and it worked."

As far as I know, my brother no longer uses his daughter's name as a password. I hope you don't, either.

Open sesame

So, how crackable are your passwords? As easy as my brother's? Or do you cunningly resort to using your daughter's – or mother's, sister's, brother's, father's, partner's, pet's, favourite sports star's – name reversed or with a number on the end? That's not so cunning, I'm afraid. Anyone who knows you is already halfway to cracking your password. Anyone who has a password cracking tool – easily locatable on the Internet – won't have any problems getting into your system.

Brute-force password cracking programs, which are used both by crackers and by system administrators wishing to test the strength of employees' passwords, can crack most passwords within a couple of days.

Take, for example, the experience of one large technology company which used @Stake's LC3 password auditing tool to test its password security. Within 10 minutes, 18 percent of the company's passwords had been cracked. Within 48 hours, that figure rose to 90 percent. And this was at a company where employees were required to choose passwords of nine characters or more containing mixed case and including numbers or symbols.

How do you think your password would fare?

The password dilemma

The trouble with passwords is that they need to be cryptic enough that they're not easily cracked, and yet memorable enough that our poor human brains can keep them stored safely.

In companies where users are required to change their passwords on a regular basis, most users resort to one of two tactics. The first is to write the password down and keep it somewhere handy but out of sight. The second is to rotate the same few passwords month after month. Both methods are highly insecure.

Unfortunately, with the growth of the Internet, password protection has become an increasingly big issue. Having your computer online makes it more accessible to intruders. At the same time, you probably find yourself having to come up with more and more passwords: One for your PC; one for your Internet Service Provider; one for logging in to your work computer remotely; one for your favorite instant messaging program; one for each shopping site you visit; one for each online banking service you use; one for your brokerage account; innumerable ones for Web sites which require password access. It's not uncommon for computer users to have several dozen logins or passwords.

That makes trying to find a solution which recognizes both human limits and security needs no easy task.

Good passwords

So what constitutes a good password? Here are some tests you should apply to all your passwords:

  • It should be memorable. If you have to write it down, it's of no use.
  • It shouldn't be easily guessable.
  • It should be at least six characters long. Shorter passwords are far more easily cracked. Some sites limit passwords to four characters. That's okay if the site's purpose is trivial, but be wary of storing any sensitive information on such a site.
  • It should contain a combination of uppercase and lowercase letters, numbers and punctuation marks.
  • It should be unique. Don't use the same password for multiple purposes. In particular, don't mix work and pleasure passwords.

A practical solution

If you read through that list of good password requirements and think "My brain hurts", never fear. There's a way to meet all those requirements without taxing your synapses too much.

How? By using a password creation technique recommended by the US government's National Infrastructure Protection Center. It's easy to do:

  1. Choose a phrase you will remember.
  2. Choose a date you will remember.
  3. Interlace the digits of the date with the first few letters of the phrase (ignoring spaces).

For instance, if your phrase is I wanna be your lover, baby and your date is 25/1/60, interlacing the date and first part of the phrase will give you:

I2w5a1n6n0

Add another level of security by including punctuation. For instance, we could grab the item of punctuation from the selected phrase and place it at the end of the password:

I2w5a1n6n0,

To ratchet up the security another notch, modify the password for each site or service you use by adding a distinguishing letter or number for that site. For instance, you might choose to include the third letter – capitalised – of a site's domain name in the password, and make that letter the third last character in the password.

For example, if your password is I2w5a1n6n0, and you want to modify it for use at Hotmail and for your Internet Service Provider, Bigpond, you'd end up with the following two passwords:

Hotmail: I2w5a1n6nT0,

Bigpond: I2w5a1n6nG0,

Even though the password itself isn't easy to remember, it's very easily reconstructed. That's the beauty of this method, and you can apply it to all your passwords: Internet passwords, computer log-ons, encryption passwords.

Just remember: Never reveal your phrase and date choice to anyone else.

Change is good

To take your password security one final step, change your password regularly.

How often is 'regularly'? Most good passwords of this size can probably be cracked within a couple of months, given enough computing power. So you should change your password before those two months expire. Do so more frequently if you feel particularly vulnerable, and do so immediately if you do anything to compromise your chosen phrase and date.

To change it, simply come up with a new memorable phrase and date combo.

Password no-nos

When choosing a password, never:

  • Use a word found in a dictionary (even a foreign language or technical dictionary).
  • Use a dictionary word followed by two numbers.
  • Use a word which contains any sequence of four or more letters which can be found in a dictionary.
  • Use any dictionary word or sequence reversed.
  • Use the names of people (family members, friends, celebrities, and so on), places, pets.
  • Write it down and store it near your computer.
  • Share it with anyone else.
  • Use the same password for more than one account.
  • Use the same password for an extended period of time.
  • Use the default password provided by a site or computer manufacturer.
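A checker that applies the "Good passwords" tests and the no-nos above to a candidate password. This is an added example, not part of the original post; the dictionary is a tiny constructed word list standing in for a real one, and the "used before" set is assumed to be supplied by the caller.

```python
import string

# Added example (not from the post). DICTIONARY is a constructed stand-in;
# a real check would load a full word list (including foreign/technical ones).
DICTIONARY = {"kitty", "love", "lover", "wanna", "baby", "password", "summer"}


def _has_dictionary_run(letters: str, min_len: int = 4) -> bool:
    """True if any run of min_len or more letters is a dictionary word."""
    for i in range(len(letters)):
        for j in range(i + min_len, len(letters) + 1):
            if letters[i:j] in DICTIONARY:
                return True
    return False


def password_problems(pw: str, used_before=frozenset()) -> list:
    """Return the list of rules the password breaks (empty means it passes)."""
    problems = []
    lower = pw.lower()
    letters_only = "".join(c for c in lower if c.isalpha())
    if len(pw) < 6:
        problems.append("shorter than six characters")
    has_mix = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
               and any(c.isdigit() for c in pw)
               and any(c in string.punctuation for c in pw))
    if not has_mix:
        problems.append("missing upper/lower/digit/punctuation mix")
    if lower in DICTIONARY:
        problems.append("is a dictionary word")
    if len(lower) > 2 and lower[:-2] in DICTIONARY and lower[-2:].isdigit():
        problems.append("dictionary word followed by two numbers")
    if _has_dictionary_run(letters_only):
        problems.append("contains a dictionary word of four or more letters")
    if lower[::-1] in DICTIONARY or _has_dictionary_run(letters_only[::-1]):
        problems.append("contains a reversed dictionary word")
    if pw in used_before:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    for candidate in ("Kitty12", "I2w5a1n6nT0,"):
        print(candidate, "->", password_problems(candidate) or "OK")
```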
