Passwords are everywhere, and the information they protect can be quite unnerving. A small string of characters is the gate-keeper between your personal information and a complete stranger.
They protect our social network profiles, our game accounts, banking information, computer user accounts, and our email inboxes.
I’ve explored this widespread form of authentication, and reported my findings here.
1. Passwords are underrated
People really don’t think too much about their own passwords. It’s not surprising, considering it becomes as natural as breathing for most of us.
Stop to think about potential security hazards. Is this computer safe? Is there a key-logging program capturing what I’m typing? Where is the password being sent? Is there someone between both ends that could see or decrypt this string? Could someone follow my fingers as I type in my password right now? You’d be surprised just how sneaky people can be when they want something from you.
2. The most popular password is 123456.
“Of course it is, but I don’t use it.” Okay, let’s take Facebook for a moment. How many people are on your friends list? How much information can they see?
See where I’m going with this? Even though you’ve secured your own password, you could be sharing sensitive information with people who haven’t.
There isn’t an easy solution to this either; you’re just going to have to educate others about the importance of strong passwords. Perhaps link them to this page?
3. Easy to remember can also mean easy to guess
How many times has a site told you to avoid using your birthday, your favorite colour, etc. as your password? If your password has a strong connection to you, it could be just as easy for someone to guess.
I’m not saying you can’t use something that relates to you. By all means, choose your favorite movie – but make sure that’s not the only thing preventing someone else from guessing your password.
4. Passwords do not protect against service employees.
If an employee of the service you’re authenticating to has access to your account for development purposes, your password will have no value against them. Even though most popular online services have strict, legal privacy policies and Non-Disclosure Agreements in effect, don’t put personal information online that you wouldn’t mind a random geek seeing.
5. Don’t use the same password twice.
It sounds ridiculous to some people, but I’m freakin’ serious. I have administered a good number of websites in my time, and admittedly seen a LOT of passwords. Just because what you’re typing is masked by *****s on your end doesn’t mean it’s unreadable on the other end. Most software is designed to hash or encrypt passwords when they are stored in a database, but this is not a requirement.
On another note, stored password hashes can often be cracked quite easily. This is where the importance of strong passwords comes in. MD5 (a one-way hash function) is not reversed directly; instead, each candidate string is hashed and the result compared against the stored hash, which works amazingly fast if your password consists of a dictionary word.
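To make the storage point concrete, here is an added example in Python (not code from this post): a dictionary word stored as unsalted MD5 is recovered by hashing a constructed word list and comparing digests, while the same word stored with salted, iterated PBKDF2 yields a different digest every time and can only be checked with its stored salt. The word list and round count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed word list standing in for the dictionary an attacker would try.
WORDLIST = ["password", "123456", "qwerty", "creature", "letmein"]


def md5_store(password: str) -> str:
    """Unsalted MD5 of the password: the weak storage the post warns about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_lookup(stored_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """Hash each candidate word and compare it with the stored digest.
    Unsalted MD5 is fast and identical for every user, so one pass over a
    word list (or a precomputed table) recovers any dictionary password."""
    for word in wordlist:
        if md5_store(word) == stored_hex:
            return word
    return None


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 rounds: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'rounds$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    rounds, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    print(md5_lookup(md5_store("creature")))  # creature: found on the first pass
    print(md5_lookup(md5_store("Kr3Tur3")))   # None: not in the word list
    a, b = pbkdf2_store("creature"), pbkdf2_store("creature")
    print(a != b)                             # True: different salts, no shared table
    print(pbkdf2_verify("creature", a))       # True
```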
So what can I do?
I have seen a few methods used for creating strong, per-service passwords but by far the easiest and most awesome method is the one below:
Step 1. Think of a word you can remember. For example purposes, I will use the word “creature”.
Step 2. Mess it up a bit. Use similar-sounding letters and numbers that look like letters. “kr3tur3”
Step 3. Use your shift key – you’d be surprised how much of a difference that can make. “Kr3Tur3”
Step 4. For each website and service you use, mess around with ways to remember that specific password. Make it difficult to guess your other services’ passwords. E.g. Facebook: “Kr3F8xBur3”, YouTube: “Kr3Yn6Tur3”. Note the two extra characters between the service’s initials (F…B, Y…T), so someone cannot just change FB to YT.
Mess around with different words. After a while, typing your password (no matter how complicated) will become easier. You won’t even need to write it down to remember it (unless you suffer from memory loss, in which case I apologize, use a password manager).

I recommend using both LastPass (web based, with or without YubiKey for 2 factor) and portable KeePass (USB stick). Together you will have really strong, well-protected passwords. I mainly use LastPass but use KeePass as a local backup and an alternate tool to generate strong passwords.
This is actually excellent advice, I started using LastPass this week as I noticed it had garnered a lot of attention from various sites, and it’s working great so far. It even works with my fingerprint reader!