Password Resolutions for 2009

Our passwords give us access to a number of very valuable resources.  They control access to our bank accounts, photos of our families, email correspondence, and all kinds of other information.  As valuable as all this information is, it is amazing how little effort most people put into making sure they have good passwords.  Here are six password resolutions for 2009 to help protect your data with more secure passwords.


1. Resolve to use different passwords on each website.

There are a few ways to do this. The most secure is to use a completely different randomly generated password on each site. If you use a password management program like 1Passwd this isn’t too difficult. Another option is to create a scheme that allows you to modify your password slightly based on each site. For example, if you use a base password of $5*9twoop, you could use $5*9twoop6 for Amazon.com, $5*9twoop5 for Yahoo.com and $5*9twoop3 for wsj.com. The last number is just the number of characters in the domain name that comes before the .com of each site.

This doesn’t make for the most secure passwords, but if some website is hacked or someone gets one of your passwords, they won’t automatically have your password for every other site.
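The suffix scheme above has the weakness the post admits: anyone who sees one site's password can read the shared base directly. As an added example (not code from the original post), here is the scheme as described next to a keyed alternative that derives each site's password from a master secret with HMAC-SHA256. The master secret and the 16-character output length are constructed assumptions for the demonstration; this goes beyond the post by showing how a per-site scheme can avoid exposing the base.

```python
import base64
import hashlib
import hmac

# Constructed master secret for the demonstration only. A real one would be
# long, random, and never written into source code.
MASTER_SECRET = b"correct-horse-battery-staple-2009"


def suffix_scheme(base: str, domain: str) -> str:
    """The post's scheme: base password plus the number of characters
    before the '.com' of the domain (Amazon.com -> 6, Yahoo.com -> 5)."""
    name = domain.strip().lower().split(".")[0]
    return f"{base}{len(name)}"


def site_password(master: bytes, domain: str, length: int = 16) -> str:
    """Derive a per-site password from a master secret and a domain name.

    HMAC output reveals nothing about the master secret, so one leaked
    site password gives no information about any other site's password.
    """
    domain = domain.strip().lower()
    digest = hmac.new(master, domain.encode("utf-8"), hashlib.sha256).digest()
    # base64 yields letters, digits and the symbols '+' and '/'
    return base64.b64encode(digest).decode("ascii")[:length]


def shared_prefix_length(a: str, b: str) -> int:
    """How many leading characters two passwords have in common: a crude
    measure of how much one password reveals about the other."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    for dom in ("Amazon.com", "Yahoo.com", "wsj.com"):
        print(dom, suffix_scheme("$5*9twoop", dom), site_password(MASTER_SECRET, dom))
    # The suffix scheme shares the whole 9-character base between sites.
    print(shared_prefix_length(suffix_scheme("$5*9twoop", "Amazon.com"),
                               suffix_scheme("$5*9twoop", "Yahoo.com")))
```

Deriving passwords this way still has the drawbacks of any deterministic scheme (changing one site's password means changing the domain label or the master secret), which is why a password manager that stores random passwords remains the stronger choice the post recommends first.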

2. Resolve to use longer passwords.

There are two types of brute force approaches to cracking passwords. One is to try every possible combination of characters in sequence. For example, trying every three-letter password would look like: aaa, aab, aac, aad, etc. Another common approach is to use a dictionary and just try common words that might be used as a password. Unless you are using a dictionary word, an eight-character password is going to be much more difficult to break than a six-character one. I’ve started using passwords that are over 10 characters long. We will talk about passphrases in a minute as a way to accomplish this.

3. Resolve to keep password lists encrypted.

If you use a different password for every site, you will probably need to keep a record of them somewhere–particularly if you use completely random passwords and not some scheme like we mentioned in point one.  If you use password management software, it may support automatic encryption.  If you just keep them in a text file, you will need to investigate other encryption methods.

4. Resolve to use random symbols in passwords.

Passwords that have symbols (like *#&@!) are much more difficult to break using a brute force attack. Along the same lines, make sure you use both capital and lower-case letters.

5. Resolve to use passphrases.

Passwords like The^funny@clown! are much more secure than a password like clown99 or Cl()wn simply because they are longer.  With a phrase, you get a memorable password while increasing the length considerably.
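Points 2, 4 and 5 all come down to the size of the space an exhaustive search has to cover: the alphabet raised to the power of the length. The following is an added example, not code from the original post, that computes that search space and its entropy in bits for the post's own sample passwords, and reproduces the "aaa, aab, aac" enumeration with itertools. The character-class model (26 lower, 26 upper, 10 digits, 32 symbols) and the one-billion-guesses-per-second rate are assumptions chosen for illustration.

```python
import itertools
import math
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation  # the 32 printable ASCII symbols


def alphabet_size(password: str) -> int:
    """Smallest alphabet an attacker must cover to include every class used.
    Assumption: attacker knows which classes are present but not the order."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in cls for c in password):
            size += len(cls)
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of this length and alphabet tries."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: each extra character adds log2(alphabet) bits,
    which is why length beats a handful of extra symbols."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def brute_force_sequence(alphabet: str, length: int, limit: int) -> list:
    """The first `limit` candidates an in-order exhaustive search emits
    (for lowercase, length 3: aaa, aab, aac, aad, ...)."""
    products = itertools.product(alphabet, repeat=length)
    return ["".join(t) for t in itertools.islice(products, limit)]


if __name__ == "__main__":
    for pw in ("clown99", "Cl()wn", "$5*9twoop", "The^funny@clown!"):
        print(f"{pw:18} alphabet={alphabet_size(pw):3} "
              f"bits={entropy_bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
    print(brute_force_sequence(LOWER, 3, 4))
```

Running it shows the post's point numerically: Cl()wn uses a larger alphabet than clown99 but gains only a couple of bits, while The^funny@clown! passes 100 bits on length alone.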

6. Resolve to password protect your computer.

If the average computer is stolen, simply turning it on gives the thief access to everything on the hard drive. At the very least, your laptop should prompt you for a password when you boot it and when it comes out of sleep mode. This doesn’t protect the hard drive the way encrypting all of your data does, but if a thief is after your hardware (not your data) they will probably just reinstall the OS to sell the machine. If they immediately have access to all your data, you significantly increase the chances of them poking around a bit to see if they can find any valuable information before selling it.

Comments

  1. tom says

    I remember a few years ago where they came out with a study that a good percentage like 20% of people were willing to give away their password for like technical support without fully knowing if the person who will help them is legitimate.

    Fast forward now, at my job in a call centre, I have received calls from internal customers calling about a problem with their system and without hesitation they are giving me their passwords and what not.

    It goes to show you how people can be careless with such sensitive information.

  2. Mike Nash says

    Another important point is security challenge questions – never answer them truthfully when creating an account. Use another response. For example, your credit card has a challenge question of what year you graduated from High School – that is way too easy for someone else to know. Instead use a password as described above.

    Suggest you use a program like RoboForm to keep track of those hairy passwords.

  3. nightclaw says

    ##
    $5*9twoop6 for Amazon.com, $5*9twoop5 for Yahoo.com
    ##

    Instead of using numbers you could use the full URL for extra length and it’s much easier to remember.
    e.g. $5*9twoo_amazon.com and $5*9twoo_yahoo.com

  4. nightclaw says

    @Mark – although this is obviously true I think it’s a fair trade-off between usability and safety.

    One point I miss in the post: always use https when it’s available; a good password is worth nothing if it’s transmitted in plain text.

    Gmail users can also use the emailaddress+random-part@gmail.com option to add extra login-unguessableness when using their email address as login.

  5. Matt Selbie says

    Nice article that highlights the growing need for usable security products on the internet. Nevertheless some of the solutions you and your readers propose are seriously flawed.
    Longer or more complicated password strings are not the solution, as they confound the memory even more AND can be keystrokelogged.
    We know from lots of research that people prefer pictures to words and from our own research at Vidoop, that by far the majority of US adults on-line are very frustrated with remembering and organizing passwords. So we developed a visual login that eliminates passwords and yet is effective against the prevalent forms of hacking. It’s free, usable, secure and works on multiple computers. It remembers passwords and fills in forms so you don’t have to, which means there DOES NOT have to be a trade-off between usability and security.
    Shameless plug, but check out the frisbee-catching tortoise video at http://www.vidoop.com

  6. Omarra Byrd says

    I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:

    http://www.theroboformreport.com

    There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!

  7. Daniel Flounders says

    There is no ‘perfect solution’ regarding password creation.
    Some of the above is good, however, one big problem is that websites have different restrictions on the type of characters and length, which often break the ideas above.

    For example, most sites require passwords of a minimum 6-8 characters to a maximum of 12-16.
    Some sites won’t allow special characters i.e. !@?$, etc.

    I have around 4-5 different passwords which use a combination of numbers, lower and uppercase letters, special characters at beginning and end, and importantly, NON dictionary words – something I don’t think you covered.

    Dictionary words should be avoided as these are the most commonly used passwords and the obvious ones for brute force scripts to break.

    However, dictionary words can easily be broken up using numbers, i.e., password becomes p4ssw0rd.
