Why can’t I just use one password, anyway?
We all have TONS of passwords to remember. Email accounts, shopping accounts, banking accounts, other user accounts. But, security experts agree and common sense really tells us that using one password for everything is not terribly secure. If that one password gets “got” then your entire online life has been compromised. It is easy to go with something you know you won’t forget. But, using a family member’s name, pet name, birthdate or easy sequence like 12345 is not terribly secure, especially for very sensitive information like grades, financial statements and other money-related activities.
So, I need strong passwords and different passwords?
That is the recommendation from security experts. A STRONG password is one that is not easy to guess. And you need different passwords for all of your accounts. Here are some tips to keep in mind when creating a strong password (from the Microsoft site referenced in Helpful Resources below):
- Make it lengthy. Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.
- Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess. A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard.
- An ideal password combines both length and different types of symbols.
- Use the entire keyboard, not just the most common characters. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.
- Use words and phrases that are easy for you to remember, but difficult for others to guess. Some common methods used to create passwords are easy to guess by criminals.
- Avoid sequences or repeated characters: “12345678,” “222222,” “abcdefg,” or adjacent letters on your keyboard.
- Avoid using only look-alike substitutions of numbers or symbols. Criminals will not be fooled by common look-alike replacements, such as replacing an ‘i’ with a ‘1’ or an ‘a’ with ‘@’ as in “M1cr0$0ft” or “P@ssw0rd”. But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.
- Avoid your login name. Any part of your name, birthday, social security number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try.
- Avoid dictionary words in any language. …This includes all sorts of profanity and any word you would not say in front of your children.
- Use more than one password everywhere. If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.
- Avoid using online storage of passwords.
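To make the tips above concrete, here is a small checker, added for this page and not taken from Microsoft or any other project, that turns each rule into a test: minimum length, character variety, sequences and keyboard walks, look-alike substitutions undone before a word-list lookup, and personal information. It also sizes the search space so you can see why length counts for more than a fancier alphabet. The word list is a constructed stand-in for a real dictionary, and the keyboard rows assume a US layout.

```python
import math
import string

# Constructed mini word list; a real checker would load a dictionary (assumption).
COMMON_WORDS = {"password", "microsoft", "welcome", "letmein", "qwerty", "dragon"}

# Look-alike replacements the page says criminals expect; undone before the word check.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Adjacent keys on a US keyboard, for spotting walks like "qwer" or "asdf" (assumption).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def alphabet_size(pw):
    """Size of the smallest standard character pool that contains every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(length, pool):
    """Number of candidate strings an attacker must cover for a given length and pool."""
    return pool ** length


def keyspace_bits(pw):
    """Search space in bits if each character had been drawn at random from its pool."""
    n = alphabet_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def has_sequence(pw, run=4):
    """True if any `run` consecutive characters step by +1/-1 (abcd, 4321),
    repeat (2222), or walk along a keyboard row in either direction (qwer, rewq)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw, login="", personal=()):
    """Return the list of rules from the page that pw breaks (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 14:
        problems.append("shorter than the ideal 14 characters")
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in pw))
    classes += any(c in string.punctuation for c in pw)
    if classes < 3:
        problems.append("uses fewer than 3 character types (upper, lower, digit, symbol)")
    if has_sequence(pw):
        problems.append("contains a sequence, repeated run or keyboard walk")
    normalized = pw.translate(LEET_MAP).lower()
    for word in sorted(COMMON_WORDS):
        if word in normalized:
            problems.append(f"contains dictionary word '{word}' once look-alikes are undone")
    lowered = pw.lower()
    for item in (login, *personal):
        if item and len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


if __name__ == "__main__":
    for candidate in ("12345678", "P@ssw0rd", "M1cr0$0ft", "Correct-Horse9-Battery!"):
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, "
              f"problems={check_password(candidate, login='jdoe')}")
    # Length beats alphabet: 15 random letters+digits vs 8 characters from the whole keyboard.
    print(keyspace(15, 62) > keyspace(8, 94))
```

Run it as a script to see each sample password scored; `keyspace(15, 62)` versus `keyspace(8, 94)` is the comparison behind the page's "combine letters, numbers, and symbols" tip, and shows that adding characters grows the search space far faster than widening the pool does.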
Eeeks! I’m convinced. But, how do I generate a STRONG password?
You can create your own. Here’s a short example using the rules above:
Use the sentence: Trix are for kids
Password could be: TrExR4k1dz
You can make use of a common start to every password and then use a code of some type for creating unique passwords for every site. This is a great way to go for a smaller number of passwords to remember.
For example, start with: 1234. Then, for logging into your Yahoo account, create a password that is 1234YhO
For your bank, you could use 1234FRsTTn. And, so forth.
You can also use a password generator program to help create these strings. There are several free ones available. You can get a standalone program or an extension for the Firefox browser.
PasswordMaker (standalone program and extensions): http://passwordmaker.org/
QuickPass (Mac standalone program): http://www.sourcebricks.com/page/quickpass.html
Secure Password Generator (Firefox extension): https://addons.mozilla.org/en-US/firefox/addon/135
Magic Password Generator (Firefox extension): https://addons.mozilla.org/en-US/firefox/addon/874
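The programs listed above do two related jobs: draw a random password from the whole keyboard, or derive a repeatable per-site password from one master secret. The following is an added example written for this page, not the code of PasswordMaker or any of the listed tools. `random_password` uses the operating system's secure random source and keeps redrawing until letters, digits and symbols are all present. `site_password` stretches a master secret with PBKDF2-HMAC-SHA256, salted with the site and login, so the same inputs always give the same password while no site's password reveals another's; the iteration count and the mapping of bytes onto the pool are my own choices, not those of any listed program.

```python
import hashlib
import secrets
import string

# Whole printable keyboard, as the page recommends: letters, digits and every symbol.
POOL = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def covers_all_classes(pw):
    """True when pw contains at least one lowercase, uppercase, digit and symbol."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def random_password(length=16):
    """Draw every position from POOL with the OS CSPRNG; redraw the whole string
    (rather than patching single positions) until all four classes appear, which
    keeps the distribution uniform over the passwords that satisfy the rule."""
    if length < 8:
        raise ValueError("the page's minimum is 8 characters; 14 or more is ideal")
    while True:
        pw = "".join(secrets.choice(POOL) for _ in range(length))
        if covers_all_classes(pw):
            return pw


def site_password(master, site, login, length=16, rounds=100_000):
    """Deterministic per-site password from one master secret (assumed scheme).
    The salt binds the result to site and login, plus an attempt counter so that
    a derivation lacking a character class can be retried without randomness."""
    for attempt in range(100):
        salt = f"{site}\x00{login}\x00{attempt}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds, dklen=2 * length)
        # Two bytes per character; 65536 mod 94 leaves a bias of 18/65536, negligible here.
        pw = "".join(POOL[int.from_bytes(raw[i:i + 2], "big") % len(POOL)]
                     for i in range(0, 2 * length, 2))
        if covers_all_classes(pw):
            return pw
    raise RuntimeError("no derivation covered every character class")


if __name__ == "__main__":
    print("random:", random_password(16))
    # Constructed inputs, not real credentials.
    print("example.com:", site_password("correct horse battery staple", "example.com", "jdoe"))
    print("example.org:", site_password("correct horse battery staple", "example.org", "jdoe"))
```

Two practical points on the derived-password approach: everything rests on the master secret, so it must be strong and never reused as a site password itself, and because the derivation is fixed, changing the master secret (for example after it is exposed) changes every site password at once, which is the price of not storing anything.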
How in the !**#$@ am I supposed to remember all of those passwords?
Well, that can be a problem. This is where a password manager comes in handy. These are often called password “keychains”. Apple includes a program called Keychain with its operating system that can do this activity for you. There are others for Mac and Windows as well. The basic principle is a database that keeps your login data organized. This can be unlocked or accessed by a MASTER PASSWORD. So, you remember one password and the keychain does the rest.
The two most frequently recommended are:
KeePass (http://keepass.info/): “KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk. So you only have to remember one single master password or insert the key-disk to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known.”
KeePass secures a database of your username/password information. When that database is unlocked by your master password, you can use it to have the rest of your login data easily accessible. It also has a separate toolbar available that will integrate with IE and autofill data and send back username/passwords from IE.
RoboForm (http://www.roboform.com/): Freeware (10 logins) and Pro (unlimited logins, free updates, toll-free technical support – $30). From their website:
- Memorizes your passwords and Logs You In automatically.
- Fills long registration and checkout forms with one click.
- Encrypts your passwords to achieve complete security.
- Generates random passwords that hackers cannot guess.
- Fights Phishing by filling passwords only on matching web sites.
- Defeats Keyloggers by not using keyboard to type passwords.
- Backs up your passwords, Copies them between computers.
- Synchronizes passwords between computers using GoodSync.
- Searches for keywords in your passwords, notes and Internet.
Take RoboForm with you on a USB disk. NOTE: You can use RoboForm2Go with less than 10 passwords for free or buy it for $40. You can also buy a RoboForm2Go Key ($10) that is a USB key that works with the software.
RoboForm works in a similar manner to KeePass but it is a little more polished and integrated with IE and Firefox via extensions and toolbars.
Other Resources
Billeo. From their website: “Whether you’re paying bills, shopping online or need help managing passwords, Billeo combines three great tools into one convenient package to make your online life easier and more secure.”
http://www.billeo.com
You can get really serious and use a fingerprint login manager:
http://www.fingerauth.com/
Helpful Resources
Password Strength & Password Security – Microsoft Security
http://www.microsoft.com/protect/yourself/password/create.mspx
Choose (and Remember) Great passwords – Lifehacker
http://tinyurl.com/ppdpy
KeePass – http://www.keepass.info
RoboForm – http://www.roboform.com