Saturday, February 26, 2011

Good Passwords and Keeping them Safe

Increasingly I'm finding problems with people's passwords.

Very commonly they don't know what they are because the computer always puts it in for them.  Of course that normally means that it's easy to get the computer to tell me what they are!

Worse than that, though, is that they CAN remember because they always use the same one.

This is a very BAD idea!

So let's have a look at some of the issues...

Use a GOOD Password

It's tempting to use a password that's easy to remember like 'john', 'rover' or '550321' (your name, your pet's name or your date of birth) but that information is ridiculously easy for a determined hacker to obtain.

So don't use your partner's, child's or pet's name (possibly followed by 0, 1, 123, 1234 or 123456), "password", your town or college, your football team's name, a date of birth (yours, your partner's or your child's), "god", "letmein", "money" or "love".  Statistically speaking, that list probably covers over 20% of passwords in use!

If I set YOUR computer to find a typical password of 8 characters by trying every combination, it would probably find it in around 30 hours.  Of course, if I used 10 computers to do this (and that's not a problem to do), it'd only take 3 hours!  This assumes you're only using lower case letters.  Put in upper case, numbers and special characters and the time is measured in centuries!

So here are some things to do...

Substitute numbers for letters that look similar, e.g. the number 0 for the letter o, 4 for A, etc.  Even better, substitute special characters like '$' for 's' or '@' for 'o'.  Make up your own substitutions that make sense to you!

Use capital letters as well as lower case.

Think of something significant to you, maybe a place or an event but NOT a person's name and then make the substitutions.

Here's an example.  A place I visited when young was arberlow, but let's make it a bit longer and use "arberlow stones".  Note that already there's a special character, the space.

Now for some substitutions, how about, "Arb3rl0w St@ne$".  Now that IS a strong password!

You can check out password strength at passwordmeter.com
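A local way to see where the 30-hour and "centuries" figures above come from, added here as an illustration rather than anything from the original post or from passwordmeter.com: the script below works out the character set a password draws on, the size of the resulting search space, and the worst-case time to exhaust it. The guess rate is an assumption calibrated so that 8 lower-case letters take the post's 30 hours on one computer, and the "common" check uses only the throw-away choices the post itself lists.

```python
import string

# Character classes a brute-force attacker has to cover once the password
# uses at least one character from the class.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(string.punctuation + " "),
}

# The post's own examples of choices too predictable to count as a password;
# a real checker would use a list derived from breached password dumps.
COMMON_PASSWORDS = {"password", "god", "letmein", "money", "love",
                    "123", "1234", "123456"}

# Calibration assumption: the post says one computer needs about 30 hours to
# try every 8-character lower-case password, so derive a guess rate from that.
GUESSES_PER_SECOND = 26 ** 8 / (30 * 3600)


def alphabet_size(password: str) -> int:
    """Size of the smallest character set containing every character used."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length covers."""
    return alphabet_size(password) ** len(password)


def crack_time_seconds(password: str, computers: int = 1) -> float:
    """Worst-case time to exhaust the search space at the calibrated rate."""
    return search_space(password) / (GUESSES_PER_SECOND * computers)


def assess(password: str, computers: int = 1) -> dict:
    """Summary a user could act on: common-list hit, alphabet, length, time."""
    seconds = crack_time_seconds(password, computers)
    return {
        "common": password.lower() in COMMON_PASSWORDS,
        "alphabet": alphabet_size(password),
        "length": len(password),
        "hours": seconds / 3600,
        "years": seconds / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    # Sample passwords taken from the post's own discussion.
    for pw in ["letmein", "arberlow", "arberlow stones", "Arb3rl0w St@ne$"]:
        r = assess(pw)
        print(f"{pw!r:20} alphabet={r['alphabet']:3} length={r['length']:2} "
              f"common={r['common']!s:5} years={r['years']:.3g}")
```

The search-space figure assumes the attacker has to try everything; a dictionary word with predictable substitutions is weaker than that arithmetic suggests, which is why the common-password check sits alongside it rather than being folded into the time estimate.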

Use a Different Password for each login

This should be obvious but if a hacker can get at one password then you don't really want them to get at all of them!  It can be surprisingly easy for hackers to get at some passwords and the easiest way is for them simply to ask you!  You've probably seen those emails which say something like your account has been compromised and you need to fill in a form with all your details in order to reactivate it.  Obviously you would NEVER respond to such a request, would you?  They are ALWAYS scams and are just someone asking you to give them control of your account!

And don't think that the password to your e-mail box is unimportant just because there's nothing sensitive in it!  Have you ever lost a password and applied for a new one, say from your bank?  The method is that they send you a new password by email, so if I can get at your email I may be able to get your bank to reset the password and email it, and then I can get at your bank account.  Scary!

How to Remember all those Passwords

OK, so you're now using lots of secure passwords but can't remember which works with what!  It's a problem, and you COULD write them down in a special note book provided you're sure no-one can get at it; however, a better approach may be to use a piece of software known as a password vault.  A couple of free such products are AnyPassword and KeePass.

With this software you store the passwords (and user names and other things) but you can only get at it if you remember the master password to open the safe.  The passwords are stored using high quality data encryption so even if you lose the database, without the master password (which should be a good one!) it's useless.