Russ Harvey Consulting - Computer and Internet Services

Passwords

Use unique passwords for every site you are required to log into

Protecting Your Electronic Signature

People view passwords as something imposed upon them rather than something that protects them.

Passwords Protect You

Since most sites use your email address as your user name, only the password is unique.

Passwords are Your Electronic Signature

Historically, kings and others used a wax seal to identify their documents as legitimate. This practice has evolved to the company seal often used on official documents. Today, we tend to use signatures and other forms of verification.

Your passwords serve as your electronic signature since you can't physically sign electronic documents like you do with paper cheques, receipts or contracts.

Protect Your Passwords

Every site's password needs to be unique, and it needs to be protected just as diligently as a king would have protected his wax seal.

Passwords Allow Others to Act as You

Anyone having both the user name and the password can do anything you can do with those accounts and they can do it from any Internet-connected computer anywhere in the world.

They can make a purchase, change your account (or cancel it), post damaging information about you or your business — even post libelous comments about others using your electronic ID.

Increasingly, We Live Online

Increasingly, our lives are lived online: banking, purchasing goods, making donations, preparing your taxes (e-filing), writing to friends and relatives, posting updates on Facebook or to a blog.

More and more people are posting growing amounts of information on their websites, blogs, social media accounts and elsewhere. In addition, they're increasingly accessing their financial and other critical information on-line.

From the dawn of civilization until 2003, humankind generated five exabytes of data. Now we produce five exabytes every two days…and the pace is accelerating. — Eric Schmidt

Staying Off-line Doesn't Make You Safe

If you think you're safe because you don't do these things on the Internet you're forgetting that banks, merchants and charities — even the government — are managing your information online.

You didn't think your bank's local branches had direct lines to their central computer from all across the country, did you?

Passwords Protect Your Privacy

An important technique in protecting your privacy and your documents is the proper use of passwords (and, more than ever, encryption).

Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren't after your Spotify passwords because they want to see who your favorite artists are. They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network. — ZoneAlarm Security Blog

Don't Share Passwords

A surprising number of people share passwords (often insecurely), yet don't change them afterwards. See this infographic.

When you share a password, especially if it is done insecurely, you create a vulnerability that could cost you your privacy and potentially the contents of your bank account.

Password software, like LastPass, provides for family sharing in a secure manner and allows you to use complex and unique passwords without the need to remember them.

Privacy isn't About Secrets

My computer doesn't contain any secret documents. Why would I need to worry about secure passwords?

How would you feel about having every document in your computer printed out and posted on a public sidewalk? That's what you're protecting.

As well, hackers and botnets could use your computer and passwords to attack other computers and commit crimes that you could be liable for.

Everybody Wants Your Information

Sites like Google and Facebook now store more information about us than our governments do. Google NEVER forgets.

We learned about some of the methods the NSA used to try to capture that knowledge from the information released by Edward Snowden and more from WikiLeaks.

Governments worldwide use similar techniques to avoid their own privacy laws while spying on their citizens.

“We're Only Collecting Metadata”

The term “metadata” is used as though our identity is protected, but this is untrue as well as deliberately misleading.

Research has shown that using only call metadata, the government can determine what your religion is, if you purchased a gun or got an abortion, and other incredibly private details of your life. And former NSA General Counsel Stu Baker said: If you have enough metadata, you don't really need content. — EFF

Metadata Can Track You

Increasingly, we can be personally identified when anonymous data is combined with other sources like credit card purchases or even public photos on Facebook using their nearly-perfect facial recognition software.

And it gets worse. Learn more about the threats to your privacy….

Identity Theft on the Increase

Identity theft is, unfortunately, a rapidly growing crime.

[2015] was truly a watershed year in terms of hacks and it's estimated that over one half of American adults had their identity compromised in some way. — ZoneAlarm Blog

You Need to Take Responsibility

Identity theft is on the increase because people don't understand the risks of the loss of privacy nor do they understand their responsibility in protecting their own identity.

If you become the victim of identity theft, you will be fighting that for many years to come (some say indefinitely, much like the whack-a-mole game).

Learn more about identity theft….

Make Passwords Long and Strong

Make sure your passwords are difficult to guess and not easily discovered.

When generating passwords, make them long and strong. Generate a different password for every site or application.

Regular Password Changes Recommended

It is recommended that you change passwords regularly without reusing passwords.

Typically users have dozens (or hundreds) of passwords, making the memorization of passwords virtually impossible.

LastPass Recommended

LastPass will not only remember your passwords, but remind you to change them regularly (even generating new ones for you). All you need to remember is a single long and strong password.

Make Them Long

Passwords should be at least 10–12 characters long (I'd recommend 15–20) where the site will allow it. Many of mine are much longer.

8-Character Passwords INSECURE

Emerging technology has now made 8-character passwords (including complex passwords with letters, numbers and symbols) insecure.

These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all. — Jeff Atwood
Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases. — Ipswitch

Make Them Strong

Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess. — xkcd.com
Strong passwords — consisting of a minimum of seven characters and a combination of upper and lower case letters, symbols and numbers — play a vital role in helping prevent a breach. Even better are passphrases that include eight to 10 words that are not published (such as well-known quotations). — Trustwave 2014 Global Security Report

Brute Force Attacks

Brute force attacks refer to the process of testing one potential password after another until the password is discovered.

Using a brute force method, [a computer cluster boasting 25 AMD Radeon graphics cards] is capable of guessing every single eight-character password containing letters, numbers, and symbols in 5.5 hours. If companies use LM, an earlier password option for Windows Server, the cluster can figure out a password in six minutes. — CNET
[U]sing 1.4 GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes…in 13.6 seconds…. — 2003 EPFL study

Since some combinations are more likely, the hacker will build a “dictionary” of potential passwords. This dictionary contains foreign words, places and patterns of characters that form commonly-used world-wide passwords.

Passwords should not be easily discovered words such as your family members' names, your pets, girlfriends, favourite sports teams, etc.

Make Them Random

You should preferably use complex random characters if the site supports that. Use a random combination of letters and numbers interspersed with other characters where possible.

  • Using mixed upper and lower case gives you effectively 52 letters to work from instead of 26.
  • Including multiple numbers and other legal characters (such as the pound key, hyphen and the underscore) significantly increases the security of your passwords.
  • Avoid starting with a capital and placing numbers and characters at the end.

Unfortunately, people are creatures of habit and tend to follow the same process when creating passwords, which makes those passwords less secure. For example, we tend to start with a capital and leave the numbers and special characters at the end. This makes them easier to discover.

Keyboard Sequences NOT Secure

Passwords should not be simple phrases or common combinations such as variations of password, qwerty or 123456 as these are easily guessed.

  • Avoid simple substitutions like 3 for e (flow3r) or 0 for o (passw0rd).
  • The challenges of creating complex passwords on smart phones and tablets have led to people using patterns like “7” or “Z” on the number pad. There are only so many of these combinations, making them particularly easy to check for.
  • If you can say it (even with variations like “password with a zero”) it can be compromised in as little as one second using a dictionary attack.
In one 2010 case study, the top three compromised passwords were 123456, password and 12345678. — duosecurity.com

Keyboard sequences like qwerty or zxcvbnm appear to be complex passwords, and 123456 is used by 17% of users.

This practice is known to hackers and is tested for.

Patterns Make Passwords More Vulnerable

People struggle to remember passwords so they use familiar names and patterns, often beginning with a capital and placing any numbers and symbols at the end.

  • The mathematical potential is reduced to only 10,000 passwords used by over 98 percent of people.
  • The remaining 2,342,603 (that's 99.6%) unique passwords are in use by only 0.18% of users

Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies.
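As an added illustration (not code from the original page), the following Python puts numbers on the brute-force and pattern discussion above: it sizes the search space of a password, estimates how long the 25-GPU cluster quoted from CNET would need to exhaust it, and flags the habits this page warns about (leet substitutions, keyboard rows, capital-first/digits-last). The guess rate is derived from the page's own figure (every 8-character password from 95 printable characters in 5.5 hours); the word list is a tiny constructed sample, not a real cracking dictionary.

```python
"""Password-strength sketch built from the figures quoted on this page."""
import math
import re
import string

# 32 punctuation marks plus the space give the 33 non-alphanumeric printable
# ASCII characters; with 26+26+10 letters and digits that is the 95-character
# pool the CNET figure refers to.
PRINTABLE_SYMBOLS = len(string.punctuation) + 1
# Derived from the page: 95**8 candidates in 5.5 hours -> ~3.35e11 guesses/s.
CLUSTER_RATE = 95 ** 8 / (5.5 * 3600)

# Constructed sample "dictionary": the page's own examples and a few of the
# most common leaked passwords it mentions.
COMMON_WORDS = {"password", "qwerty", "123456", "12345678", "flower", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LEET = str.maketrans("013457@$", "oieastas")


def charset_size(pw: str) -> int:
    """Size of the pool a brute-force search must cover for this mix of
    character classes (lower, upper, digits, symbols)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += PRINTABLE_SYMBOLS
    return size


def seconds_to_exhaust(pw: str, rate: float = CLUSTER_RATE) -> float:
    """Worst-case time to try every password of this length and character mix."""
    return charset_size(pw) ** len(pw) / rate


def normalize(pw: str) -> str:
    """Undo the simple substitutions the page warns about (3 for e, 0 for o)
    and keep only letters, so that passw0rd! becomes password."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def has_keyboard_run(pw: str, length: int = 4) -> bool:
    """True if any run of `length` characters follows a keyboard row
    forwards or backwards (qwer, 4321, ...)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for pattern in (row, row[::-1]):
            if any(low[i:i + length] in pattern
                   for i in range(len(low) - length + 1)):
                return True
    return False


def weaknesses(pw: str) -> list:
    """Habits a dictionary/rule-based attack checks for first."""
    found = []
    if len(pw) < 12:
        found.append("short")
    if pw.lower() in COMMON_WORDS or normalize(pw) in COMMON_WORDS:
        found.append("dictionary")
    if has_keyboard_run(pw):
        found.append("keyboard-sequence")
    if re.fullmatch(r"[A-Z][a-z]+[^A-Za-z]+", pw):
        found.append("capital-first-digits-last")
    return found


def assess(pw: str) -> dict:
    """Summarise search space, entropy in bits, worst-case years on the
    quoted cluster, and the pattern weaknesses found."""
    if not pw:
        raise ValueError("empty password")
    secs = seconds_to_exhaust(pw)
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "bits": len(pw) * math.log2(charset_size(pw)),
        "years_to_exhaust": secs / (365.25 * 24 * 3600),
        "weaknesses": weaknesses(pw),
    }


if __name__ == "__main__":
    # The page's cases: an 8-character "complex" password, a leet-substituted
    # word, a keyboard row, the capital-first habit, and the 13-character
    # mnemonic JptGPot2&4FiD from the Memory Helpers section.
    for pw in ["Tr0ub4d&", "flow3r", "qwerty12", "Jason2019!", "JptGPot2&4FiD"]:
        r = assess(pw)
        print(f"{pw:16} {r['bits']:5.1f} bits "
              f"{r['years_to_exhaust']:12.3g} years  {r['weaknesses']}")
```

Note that the estimate is the time to try every candidate; a real attack tries the dictionary and patterns first, so a flagged password falls far sooner than its bit count suggests.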

Use a Unique Password for Each Account

Don't be lazy. Generate a fresh password for every site or account that requires one.

Avoid reusing passwords or repeated phrases in your passwords that can be used to simplify the task of determining other passwords. Once hackers catch on, ALL of your passwords are vulnerable. This practice cost one user $1000.

Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low security site to retrieve thousands of user name/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective. — Stanford Security Lab

Password Restrictions

Many sites have restrictions placed on both the size of allowed passwords and their complexity (including the use of anything but alpha-numeric characters).

The allowed legal characters can vary by site. Most will allow all letters and numbers, but some symbols (like a slash, backslash or chevron brackets) may not be allowed.

  • Choosing a longer password and dropping the disallowed symbols will still give you a strong password of sufficient length.
  • Some sites will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.

Even if you're using a decent password, the level of security used by the sites storing our information and how the password information is transmitted can make you vulnerable.

Size and Character Limitations

Sites that limit passwords to eight alpha-numeric characters probably aren't bothering to encrypt stored passwords, simply storing your password in plain text so that any employee (or hacker) has immediate access to your password plus any other information the server has stored about you.

You can test this yourself by checking the “I forgot my password” option.

  • If the site emails you your password, it is stored unencrypted (and they've just sent your password to you via email in plain text!).
  • If you have to click a password reset link, then the site has encrypted your password.

These password limits show great ignorance and/or contempt for their users. Encrypting them would remove the size-limits and provide extra security and protect their users' information.

Illegal Characters

Some “illegal” characters may be restricted because they have special uses in the programming language used to process the information.

Unspecified Limitations

Have you ever tried to enter a password only to be told that the password length exceeds the site restrictions or that you've used illegal characters?

I find it annoying that many of these sites only tell you their restrictions AFTER you've attempted to enter a new password, particularly the special characters that are not allowed.

Password Strength Meters

Many sites will indicate an approximation of the strength of your password.

Third-party sites offering to check the strength of your password may be attempting to hack your accounts, but you can use it as a learning tool to see the differences between potential “test” passwords.

Wikipedia's password strength entry includes examples of weak passwords such as the default passwords supplied by vendors (e.g. “admin”) and passwords that are more vulnerable to a “dictionary” attack.

“Forgot My Password” Options Too Vulnerable

Many sites now offer a “forgot my password” option.

It is often easier to guess answers to the security questions posed by the default (and easily determined) “forgot my password” recovery methods than to hack the password itself.

While your favourite sports team and similar responses are easy to remember, they are also easily guessed by what you've posted elsewhere or by people that know you.

Be Careful What You Post

Be careful when posting information about yourself and your family on public websites. You may be providing enough information to gain access on password-secured sites via the “forgot my password” recovery mechanisms.

Many of the questions used to regain control of webmail accounts include the sort of information that many users blindly post in Facebook while chatting: where you were born, your teachers, pets, anniversaries, family genealogy, etc.

One man hacked dozens of women's email accounts by using the information the women posted on Facebook to answer the typical questions asked when recovering a lost password.

Once hackers gain control of your email account, they can request password resets on most of your other accounts.

Create Your Own Security Question

Where possible, create your own security question and provide an answer that you'll know but that others are unlikely to know — even those that read your online posts and conversations.

Unfortunately, the option to create your own security question is seldom available.

You can create false answers to the available questions but this will make it more difficult for you to recover a lost password.

No Password is Completely Secure

More complex passwords are better, but not perfect:

an elderly Athlon 64 X2 4400+ with an SSD and the optimised tables…can, with only a 75% CPU utilisation, crack a 14 digit password with special characters, in an average of 5.3 seconds. Oechslin says that, worst case, it should be able to search arithmetically through 300 billion passwords per second. — h-online.com

Nothing is Guaranteed Safe

In the same manner that no physical locking mechanism is 100% secure, we use the best passwords we can so that somebody else provides a better target.

Steve Gibson likens passwords to needles in a haystack. If every possible password is tried, sooner or later yours will be found. The question is: will that be too soon…or enough later?

Protecting Your Passwords

In order to maintain the security of your passwords, you should minimize the chances that your passwords are compromised by ensuring they are known only to you.

Many experts recommend changing passwords regularly, but this has been shown to cause users to use less secure passwords or similar patterns in their makeup. People have too many passwords to regularly change them all.

Situations where you'll want to immediately change your passwords include:

  • whenever you suspect they've been compromised;
  • when you give your computer to the repair shop (you can change it to a temporary password); and
  • whenever someone will no longer need access, such as a terminated or transferred employee.

There have been several useful discussions about protecting passwords on Security Now! (a security podcast available in audio but transcribed in several formats).

Restrict Computer Access

Be careful who has access to your computer. Folks asking to check their mail may leave you vulnerable.

  • Don't provide passwords to friends or family asking to use your computer.
  • Monitor your children's computer use and be wary of their friends' access to your computer.
  • Provide access using a limited access account (no administrator privileges) so they won't be able to install software or otherwise make your computer vulnerable.
  • A "guest" account set up correctly can remove access to your personal files.

Restrict potentially-dangerous activities to people you trust to maintain your computer.

  • Never let anyone using your computer install software that you aren't familiar with or are unsure of the source of, particularly if you won't be using it yourself.
  • USB thumb drives (and CDs/DVDs) can automatically install software that copies passwords or otherwise compromises your security.
  • Vulnerable websites can infect your computer, particularly when visited using a less-secure browser like Internet Explorer.

Websites telling you that you need to update the Flash or security software on your computer may be installing malware. Only use a trusted source to download software.

File Encryption

Encrypting your files provides even more protection, but ensure you have backups in case something goes wrong or you may not be able to recover your own data.

The U.S. government wants to ban encryption or place a backdoor into it. They blame either terrorists or child pornography, but the reality is that they just want access into everyone's computer.

You can learn more about encryption including using encryption in your communications.

Two-factor Security

You've probably noticed that sites like Google are asking for your cell phone number in addition to a password as a security backup. This newest trend is a more secure process called two-factor security.

It requires the use of another device to enhance security so that the password is only one part of the protection.

There are several two-factor options for devices to protect your password.

Cell Phones

A cell phone is something that most people have and it is usually with them at all times (and they are more frequently using it to access social media and other secured sites).

Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card, after which the hijacker has access to the very two-factor security that is supposed to protect you.

Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal. — NY Times

YubiKey Verification

The YubiKey is a small USB and NFC device supporting multiple authentication and cryptographic protocols.

The YubiKey is a hardware authentication device, designed to provide an easy to use and secure complement to the traditional user name and password.

Like the cellphone, a USB device like this can be used as a second level of security. Unless the person attempting to use the password has the device, the password will not be accepted.

USB-based

The YubiKey is a USB device, dependent upon a USB port as well as the software needed to make it work. The YubiKey can be used with USB-C adapters, but not all adapters work well (the Apple USB-C Multi-adapter is one that did not).

Mobile Devices

Since most mobile devices lack USB ports, this can be a problem.

YubiKey NEO USB and NFC support with Android phone.
  • The YubiKey NEO offers mobile authentication through NFC contactless technology (NDEF type 4) which is currently supported by Android.
  • Yubico is researching YubiKey support for Bluetooth. This will address iOS devices, where NFC is not currently open for third-party solutions.
  • Yubico is currently piloting a mobile client, enabling U2F crypto to be integrated directly into mobile apps.
  • When used with LastPass, the Premium edition ($12 per year) may be necessary to use a YubiKey.
  • See YubiKey for Mobile for the latest updates.

Biometric Verification

Biometric verification is an attractive alternative because it is difficult to duplicate and the technology is attainable.

Ensure Biometric Data Verified Securely

Apple introduced fingerprint scanning with their iPhone 5S. As Apple quickly learned, the issue is privacy and personal security: you don't want to be sending your biometric data to every site you log onto.

Microsoft provides biometric verification in Windows 10 with Windows Hello, provided you have the supporting hardware.

Intel True Key allows you to sign in with your face or fingerprint (on supporting hardware) and provides optional two-factor security.

Vendors, through the FIDO Alliance, are working on a standardized authentication protocol that verifies your identity using a private key, so that your biometric scan never leaves the device.

Note that the YubiKey is not a biometric device. Where you see the fingertip being used, it is simply activating the device, not authenticating.

It is anticipated that this technology could eventually replace the tricky and risky use of passwords altogether.

Replacing Permanent Passwords

Another variation that isn't really a two-factor solution but which uses a similar process is discussed in How to kill the password: don't ask for one. Instead of entering a password, you enter an email address or phone number and the temporary password lands in your Inbox or on your cellphone. You'll do this each time, so no permanent password exists.

Of course, if your email account's password is insecure (or obtained using weak password-recovery options) this offers no security at all.

Hints for Remembering Passwords

Memory Helpers

Remembering complex passwords can be made easier by using “memory helpers.”

  • You can use the first letter of a phrase that makes sense to you.
  • For better security, we want something that combines upper & lower case letters, numbers and, where possible, symbols.

For example, the phrase "Jason plays the Grand Piano on the 2nd & 4th Fridays in December" can help you remember an otherwise difficult-to-remember 13-character password: JptGPot2&4FiD.

Avoid phrases that are easily guessed, like frequently-quoted Bible verses or company slogans.

Other Suggestions for Making Memorable Passwords

These resources contain other methods of creating memorable passwords and have suggestions for choosing word bases. Be sure that you're using words that are hard to guess and don't use common alternative characters, patterns, etc.

Where the suggestions conflict with the advice on this page, you might want to modify or not use those methods.

Avoid Patterns in Passwords

If a pattern is evident in your passwords, then you lessen the security of the password.

  • If you use the site name or address as part of the “recognition” pattern to help you (such as google23s32), this will weaken your passwords.
  • Dates are generally not a good idea as they follow consistent patterns (some variation of MMDDYY or MMDDYYYY, etc.).
  • Avoid the common pattern of beginning with a capital and placing any numbers and symbols at the end.

However, by using patterns that are unique to you (e.g. not copied from Shakespeare or easily guessed by the nature of your site) you can have a more secure password that you can remember.

Be Careful With Lists

Be conscious of how you keep records of your passwords and don't use vulnerable locations which can easily be compromised.

  • Don't keep passwords on Post-it notes stuck onto your monitor where visitors and other employees can see them.
  • However, you can disguise a single password within a list of waybills or invoices if such a list would logically be found in a similar setting (such as an office).
  • If you keep a list of passwords in a file on your computer, be sure it isn't obvious. For example, a document called “Passwords” is vulnerable (or any likely name that can be searched for).

Generating Passwords

You want to create passwords that are long and strong that are unique for every site or application.

Most humans tend to use recognizable patterns when creating passwords.

Password Generators

Password generators are the electronic versions of the one-time coding pads you read about in the history books.

Be sure of the integrity of the site or app before depending upon it.

Random Passwords Better

Random-generated passwords provide better security because users are unable to select passwords that are easily compromised.

The use of forced random passwords at MyBART provided an interesting look at the effectiveness of using random passwords when the site was hacked. The discussion following the article provides additional insights.

Password Software

Password software that will help to remember your passwords and to create secure passwords for you is a much better idea.

Everybody should install and use a password manager. Without a password manager, you'll find yourself using simple-minded passwords like Password1, or memorizing one strong password and using it over and over. — PCMag.com

Password software includes software that stores passwords securely as well as software that generates passwords.

Remember, there are differing levels of security in these methods and all are subject to the vulnerability of the master password. Use only reliable and secure password software.

Browser Password Managers

Web browsers have the capability of remembering passwords for you.

  • Ideally, this should be used on a single-user computer with a secure password.
  • If there are multiple users on your computer, each person should have their own log-in identity, protected with a unique and secure password.
  • You should NEVER use this software to “remember” passwords for on-line banking and other critical sites.

Potentially Vulnerable

However, passwords stored by the browser are known to be potentially vulnerable. A study by Texas Tech Security Group in 2013 found:

  • Firefox was the most secure (if a strong Master Password is chosen).
  • Internet Explorer ranged from very insecure to quite secure (depending upon the version).
  • Chrome was not a good choice for storing passwords.

LastPass Recommended

LastPass is a free online password generator and manager. You can use LastPass on all your devices, for free!

Regardless of the browser you're using, I'd strongly recommend moving to LastPass for password storage.

I've completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass. — Steve Gibson, Security Researcher

LastPass offers to import then disable your browser's vulnerable stored passwords. Other benefits include:

  • Your sensitive data is encrypted locally before upload so even LastPass cannot get access to it.
  • LastPass will generate complex passwords so you don't have to.
  • LastPass will log you into sites automatically. It watches you log in the first time and offers to remember the process.
  • Everything is secured by one password, so make sure you use something only you can remember but is not easily hacked (you only need to remember this one password).
  • LastPass multifactor authentication options include both premium and free options. Be sure the option you choose will work with the computers and devices you use.
  • LastPass Quick Start-up Guide FAQs.

Benefits of LastPass Premium

LastPass 4.0 Premium is on the low side for a commercial password manager price-wise, but on the high side feature-wise. — PCMag.com

Even though the free version is excellent, LastPass Premium is only $1 per month (billed at US$12 per year) and provides such extras as:

  • Shared family folder - up to 5 users
  • YubiKey & Sesame 2FA options
  • Priority tech support
  • LastPass for applications
  • Desktop fingerprint identification
  • 1GB of encrypted file storage

LastPass Browser Addons Convenient

LastPass can be downloaded for most browsers (Chrome, Firefox, Safari, Internet Explorer, Opera and Microsoft Edge).

It is available for various operating systems (Mac, Windows & Linux), but a browser extension makes increased security more convenient.

The LastPass Firefox Addon is reported to have the most user-friendly options. Check your browser's website for suitable extensions.

Other Password Software

If you separate the password function from the browser using an external program, you increase your security — provided you use a secure complex password to protect it.

Sharing Passwords Between Devices

Sharing between various devices such as smart phones and tablets is tricky unless you have an online service. I recommend LastPass.

For Storing Passwords on One Device

The following password storage software uses encryption to protect your passwords on one device.

Password Safe

Password Safe is a free secure password storage utility designed by Bruce Schneier using the Blowfish algorithm for encryption.

This software keeps all your passwords secure, with access protected by a single password, and provides several methods of adding and extracting your passwords.

KeePass

KeePass is a free (open-source) password manager or safe which helps you to manage your passwords in a secure way using AES and Twofish encryption. Versions are available for Windows and Linux.

PwdHash Not Recommended

PwdHash, by Collin Jackson (Stanford University), uses a general password to create a secure password for each site based upon a "hash" of the site domain and your chosen master password.

PwdHash has significant flaws, including the fact that it generates relatively short passwords made up only of letters and digits (no symbols), and is therefore not recommended.

For example, Alex King's PwdHash version generated the password aC5WhcM7Ny for “http://www.google.ca/” when using “Password” as the key.

If anyone guesses your master password, they'll know your password for every site.

The PwdHash Firefox Addon suffers from permissions issues.


www.RussHarvey.bc.ca/resources/passwords.html
Updated: November 14, 2017