Russ Harvey Consulting - Computer and Internet Services

Passwords


Protecting Your Electronic Signature

An important technique in protecting your privacy and your documents is the proper use of passwords (and possibly encryption).

Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren't after your Spotify passwords because they want to see who your favorite artists are. They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network.
ZoneAlarm Security Blog

Have you stopped to think what would happen if someone were to gain control of your computer?

You're thinking that your computer doesn't contain any secrets, but how would you feel about having every document in your computer printed out and posted on a public sidewalk?

Increasingly, We Live Online

Increasingly, our lives are lived online: banking, purchasing goods, making donations, preparing your taxes (e-filing), writing to friends and relatives, posting updates on Facebook or to a blog.

If you think you're safe because you don't do these things on the Internet you're forgetting that banks, merchants and charities do all these things on-line on your behalf. (You didn't think your bank's local branches had direct lines to their main branch's computer from all across the country, did you?)

Identity Theft on the Increase

You Need to Take Responsibility

Identity theft is on the increase because people don't understand the risks of sharing personal information, nor do they understand their responsibility for protecting their own identity.

If you become the victim of identity theft, you will be fighting that for many years to come (some say indefinitely, much like a whack-a-mole game). Learn more about identity theft….

Passwords Protect You

As you set up accounts on Hotmail, Yahoo!, and eBay you are asked for a user name and password. Many people view these passwords as something imposed upon them rather than something that protects them.

Passwords are Your Electronic Signature

The password serves the same purpose as your signature does on paper documents like cheques or a contract. It needs to be just as unique and protected just as diligently.

Someone having both the user name and the password can do anything you can do with those accounts: make a purchase, change your account (or cancel it) and post damaging information about you or your business.

Use Complex and Unique Passwords

Don't be lazy. Generate a fresh password for every site or account that requires one. Avoid repeated phrases in your passwords that can be used to simplify the task of determining other passwords.

Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low security site to retrieve thousands of user name/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective.
Stanford Security Lab

An example where this practice cost the user $1000.

Brute Force Attacks

Brute force attacks refer to the process of testing one potential password after another until the password is discovered. Since some combinations are more likely, the hacker will build a “dictionary” of potential passwords. This dictionary contains foreign words, places and patterns of characters that form commonly-used world-wide passwords.

Shorter Passwords Less Secure than Before

[U]sing 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes…in 13.6 seconds….
2003 EPFL study

A more recent source indicates an even shorter period of grace:

Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases.
Ipswitch

8-Character Complex Passwords Now Insufficient

Emerging technology has now made 8-character passwords (including complex passwords with letters, numbers and symbols) insecure:

Using a brute force method, [a computer cluster boasting 25 AMD Radeon graphics cards] is capable of guessing every single eight-character password containing letters, numbers, and symbols in 5.5 hours. If companies use LM, an earlier password option for Windows Server, the cluster can figure out a password in six minutes.
CNET

And it's worse than that if you bring in the human factor. People struggle to remember passwords so they use familiar names and patterns, often beginning with a capital and placing any numbers and symbols at the end.

  • The mathematical potential is reduced to only 10,000 passwords used by over 98 percent of people.
  • The remaining 2,342,603 (that’s 99.6%) unique passwords are in use by only 0.18% of users.

Your passwords need to be much longer and more complex. You should NEVER reuse passwords for multiple sites or accounts.

No Password is Completely Secure

More complex passwords are safer, but not 100% secure:

an elderly Athlon 64 X2 4400+ with an SSD and the optimised tables…can, with only a 75% CPU utilisation, crack a 14 digit password with special characters, in an average of 5.3 seconds. Oechslin says that, worst case, it should be able to search arithmetically through 300 billion passwords per second
h-online.com

Nothing is Guaranteed Safe

In the same manner that no physical locking mechanism is 100% secure, we use the best passwords we can so that somebody else provides a better target.

Steve Gibson likens passwords to needles in a haystack. If every possible password is tried, sooner or later yours will be found. The question is: will that be too soon…or enough later?

Two-Factor Security

You've probably noticed that sites like Google are asking for your cell phone number in addition to a password as a security backup. This newer trend is a more secure process called two-factor security (also known as two-factor authentication). It requires the use of another device, so the password is only one part of the protection.

How to prevent hackers from accessing your online accounts includes instructions for turning on two-factor security.

Cell Phones

A cell phone is something that most people have and usually carry with them at all times (and they are increasingly using it to access social media and other secured sites).

The YubiKey is designed as an easy complement to traditional passwords

USB Device Verification

The YubiKey is a hardware authentication device, designed to provide an easy-to-use and secure complement to the traditional user name and password.

Like the cellphone, a USB device like this can be used as a second level of security. Unless the person attempting to use the password has the device, the password will not be accepted.

Biometric Verification

Biometric verification is an attractive alternative because it is difficult to duplicate and the technology is attainable. Apple introduced fingerprint scanning with their iPhone 5S. As Apple quickly learned, the issue is privacy and personal security: you don't want to be sending your biometric data to every site you log onto.

Vendors, through the FIDO Alliance, are working on a standardized authentication protocol to verify your identity using a private key so that your biometric scan never leaves the device.

It is anticipated that this technology could eventually replace the tricky and risky use of passwords altogether.

Your Website/Blog/Facebook Account at Risk

More and more people are posting growing amounts of information on their websites, blogs, Facebook accounts and elsewhere. In addition, they're increasingly accessing their financial and other critical information on-line.

We're becoming more and more connected electronically. Sites like Google and Facebook now store more information about us than our governments do. We learned about some of the methods the NSA used to try to capture that knowledge from the information released by Edward Snowden. Governments worldwide use similar techniques to avoid their own privacy laws and spy on their citizens.

These resources are only as safe as the password protecting them. Even if you're using a decent password, the level of security used by the sites storing our information and how the password information is transmitted can make you vulnerable. It is very likely that sites that limit passwords to eight alpha-numeric characters aren't bothering to encrypt stored passwords, making your financial and personal information more vulnerable.
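As an added illustration of what "encrypting stored passwords" means in practice (this is not code from the original page, and the iteration count is an assumption), the Python below contrasts a site that keeps passwords readable with one that stores only a random per-user salt and a slow, salted hash. A careless site's leaked table hands over every account at once and shows which users share a password; a protected table has to be attacked one entry at a time, and the site can still verify a login.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration (not code from the original page): a careless password
# store beside a protected one. The protected form never keeps the password;
# it keeps a random salt plus PBKDF2-HMAC-SHA256 of the password under that salt.
ITERATIONS = 200_000  # assumption: enough work that each check costs tens of milliseconds


def careless_record(password: str) -> str:
    """What a careless site stores: the password itself. Anyone who copies the
    table has every account, and identical passwords are visibly identical."""
    return password


def protected_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable string 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The salt is random per user, so two users with the same password get
    different records and a leaked table must be attacked one entry at a time."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_visible(record_a: str, record_b: str) -> bool:
    """True when two stored records reveal that their users chose the same password."""
    return record_a == record_b


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    alice_pw = bob_pw = "correct horse battery staple"
    print("careless store reveals shared password:",
          same_password_visible(careless_record(alice_pw), careless_record(bob_pw)))
    alice_rec, bob_rec = protected_record(alice_pw), protected_record(bob_pw)
    print("protected store reveals shared password:", same_password_visible(alice_rec, bob_rec))
    print("login with right password:", verify(alice_pw, alice_rec))
    print("login with wrong password:", verify("Password1", alice_rec))
```

The record format carries the algorithm name and iteration count alongside the salt, so the site can raise the work factor later and re-hash users on their next successful login without breaking existing records.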

Be Careful What You Post

Be careful when posting information about yourself and your family on public websites. You may be providing enough information to gain access to your accounts.

Many of the questions used to regain control of webmail accounts include the sort of information that many users blindly post in Facebook while chatting: where you were born, your teachers, pets, anniversaries, family genealogy, etc. It is easier to guess answers to the security questions posed by the “forgot my password” recovery methods than to hack the password itself.

Where possible, create your own security question and provide an answer that you'll know but that others are unlikely to know — even those that read your online posts and conversations.

Protecting Your Passwords

In order to maintain the security of your passwords, you should minimize the chances that your passwords are compromised by regularly changing them and by ensuring they are known only to you. Situations where you'll want to immediately change your passwords include:

  • whenever you suspect they've been compromised;
  • when you give your computer to the repair shop (you can change it to a temporary password); and
  • whenever someone will no longer need access, such as a terminated or transferred employee.

There have been several useful discussions about protecting passwords on Security Now! (a security podcast available in audio but transcribed in several formats).

Be careful who has access to your computer. Restrict potentially-dangerous activities to people you trust to maintain your computer.

  • Don't provide passwords to friends or family asking to use your computer.
  • Better still, provide a "guest" account without access to your personal files.
  • Never let anyone using your computer install software that you aren't familiar with or won't be using.
  • USB thumb drives can automatically install software that copies passwords or otherwise compromises your security.
  • Monitor your children's computer use and provide their own access with a limited access account (no administrator privileges — they'll be unable to install software). Be wary of your children's friends accessing your computers.

Encrypting your files provides even more protection, but ensure you have backups in case something goes wrong or you may not be able to recover your own data.


Hints for Remembering Passwords

Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
xkcd.com

Memory Helpers

Remembering complex passwords can be made easier by using “memory helpers.”

  • You can use the first letter of a phrase that makes sense to you.
  • For better security, we want something that combines upper & lower case letters, numbers and, where possible, symbols.

For example, the phrase "Jason plays the Grand Piano on the 2nd & 4th Fridays in December" can help you remember an otherwise difficult-to-remember 13-character password: JptGPot2&4FiD.

Other Suggestions for Making Memorable Passwords

These resources contain other methods of creating memorable passwords and have suggestions for choosing word bases. Be sure that you're using words that are hard to guess, and weigh the suggestions against the other advice on this page (e.g. the use of common alternative characters, patterns, etc.).

Avoid Patterns in Passwords

If a pattern is evident in your passwords, then you lessen the security of the password.

  • If you use the site name or address as part of the “recognition” pattern to help you (such as google23s32), this will weaken your passwords.
  • Dates are generally not a good idea as they follow consistent patterns (some variation of MMDDYY or MMDDYYYY, etc.).
  • Avoid the common pattern of beginning with a capital and placing any numbers and symbols at the end.

However, by using patterns that are unique to us (not copied from Shakespeare or easily guessed by the nature of your site) you can have a more secure password that you can remember.

Be Careful With Lists

Be conscious of how you keep records of your passwords and don't use vulnerable locations which can easily be compromised.

  • Don't keep passwords on Post-it notes stuck onto your monitor where visitors and other employees can see them.
  • However, you can disguise a password within a list of waybills or invoices if such a list would logically be found in a similar setting (such as an office).
  • If you keep a list of passwords in a file on your computer, be sure it isn't obvious. For example, a document called “Passwords” is vulnerable (or any likely name that can be searched for).

Password software that will help to remember your passwords and to create secure passwords for you is a much better idea.


Password Software

Password software includes software that stores passwords securely as well as software that generates passwords.

Remember, there are differing levels of security in these methods and all are subject to the vulnerability of the master password. Use only reliable and secure password software.

Web Browser Capabilities

You can use the password-remembering capabilities of your web browser:

  • Ideally, this should be used on a single-user computer with a secure password.
  • If there are multiple users on your computer, each person should have their own log-in identity, protected with a unique and secure password.
  • You should NEVER use this software to “remember” passwords for on-line banking and other critical sites.

Passwords stored by the browser are known to be potentially vulnerable:

[H]ow browsers store your passwords, and why in some cases you shouldn't let them. However, it would be unfair to end the post saying that browsers are completely unreliable at storing passwords. For example, in the case of Firefox, if a strong Master Password is chosen, account details are very unlikely to be harvested.
How browsers store your passwords (and why you shouldn't let them)

  • Firefox was the most secure (if a strong Master Password is chosen).
  • Internet Explorer ranged from very insecure to quite secure (depending upon the version).
  • Chrome was not a good choice for storing passwords.

Regardless of the browser you're using, I'd strongly recommend moving to LastPass for password storage with the added benefit that it can be accessed on all your devices.

Password Storage Software

If you separate the password function from the browser using an external program, you increase your security — provided you use a secure complex password to protect it.

For Storing Passwords on One Device

The following password storage software uses encryption to protect your passwords on one device:

  • Password Safe is a free secure password storage utility designed by Bruce Schneier using the Blowfish algorithm for encryption. This software keeps all your passwords secure with access protected by a single password and provides several methods of adding and extracting your passwords.
  • KeePass is a free (open-source) password manager or safe which helps you to manage your passwords in a secure way using AES and Twofish encryption. Versions are available for Windows and Linux.

Sharing Passwords Between Devices

People are commonly using several devices, including smart phones and tablets to access the Internet as well as their home and work computers. Sharing passwords across devices is tricky unless you have an online service.

I recommend LastPass, a free online password manager and form filler:

LastPass is a free online password generator and manager:
  • Your sensitive data is encrypted locally before upload so even LastPass cannot get access to it.
  • LastPass is safe from the Heartbleed bug, a vulnerability in the software that protects secure (HTTPS) servers that allows stealing of information normally protected by SSL/TLS encryption. It also verifies that the sites you're logging into with LastPass are safe.
  • LastPass users can click on Security Check in your vault to learn what passwords need updating as a result of the Heartbleed bug.
  • LastPass will generate complex passwords so you don't have to.
  • LastPass will log you into sites automatically. It watches you log in the first time and offers to remember the process.
  • Everything is secured by one password, so make sure you use something only you can remember but is not easily hacked (you only need to remember this one password).
  • LastPass Premium provides access to your mobile devices for only $1 per month (billed at US$12 per year).

Making LastPass Convenient

There are several addons for Firefox that make using this increased security more convenient including the LastPass Firefox Addon.

Check your browser's website for suitable addons.

PwdHash Password Generating Software

  • PwdHash, by Collin Jackson (Stanford University) uses a general password to create a secure password for each site based upon a "hash" of the site domain and your chosen master password.
  • There is a PwdHash Firefox Addon.

Significant Flaws

PwdHash generates relatively short passwords made up only of letters and digits, with no symbols (and is therefore not recommended):

For example, Alex King's PwdHash version generated the password aC5WhcM7Ny for “http://www.google.ca/” when using “Password” as the key.

If anyone guesses your master password, they'll know your password for every site.
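To make the two flaws concrete, here is an added example (not code from the original page, and not PwdHash's actual construction) of a per-site password derived from a master password and the site domain. HMAC-SHA256 keyed by the master password is assumed as the mixing function, and the output is trimmed to letters and digits, as in the page's example. It shows that each site gets a different password, that the result is drawn from only 62 symbols, and that anyone who learns the master password can recompute every site password in one step.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

# Added illustration (not the original page's code and not PwdHash's actual
# algorithm): a per-site password derived from a master password and a domain.
# Assumption: HMAC-SHA256 keyed by the master password, over the domain name.


def site_password(master: str, domain: str, length: int = 10) -> str:
    """Derive a fixed-length, letters-and-digits-only password for one domain."""
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    # Base64 output is letters, digits, '+', '/' and '='; drop the symbols so the
    # result, like the page's example, contains only letters and digits.
    alphanumeric = "".join(ch for ch in base64.b64encode(mac).decode("ascii") if ch.isalnum())
    return alphanumeric[:length]


def passwords_for(master: str, domains: List[str]) -> Dict[str, str]:
    """Everything the owner, or anyone who learns the master password, can reproduce."""
    return {domain: site_password(master, domain) for domain in domains}


def effective_keyspace(password: str) -> int:
    """Upper bound on the guesses needed for a password drawn only from letters
    and digits: 62 symbols raised to the length."""
    return 62 ** len(password)


if __name__ == "__main__":
    # Constructed sample: the weak master password named on this page and two domains.
    master = "Password"
    domains = ["www.google.ca", "example.com"]
    derived = passwords_for(master, domains)
    for domain, pw in derived.items():
        print(f"{domain:15} -> {pw}  (keyspace {effective_keyspace(pw):.2e})")
    # The same master recomputes every site password: guessing it breaks them all.
    print("recomputed from master:", passwords_for(master, domains) == derived)
    # A 10-character password with symbols allowed would draw from 95 characters instead.
    print("with symbols the space would be", f"{95 ** 10:.2e}")
```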


www.RussHarvey.bc.ca/resources/passwords.html
Updated: April 10, 2015

Use unique passwords for every site you are required to log into

Generating Passwords

The problem with creating passwords is that we tend to be creatures of habit, looking to memorable patterns and recognizable signals. These may be great in remembering your passwords, but not conducive to creating secure passwords.

Use an Automated Password Generator

Using a program or site to generate passwords avoids these issues. Password generators are the electronic versions of the one-time pads you read about in spy novels or history books.

  • Gibson Research Corporation provides an Ultra High Security Password Generator on their site that generates a new set of passwords every time the browser is refreshed. There are three sets generated — use the middle line where possible.
  • PwdHash is software that generates passwords based partly upon the site you create it for.

Random Passwords Better

Random-generated passwords provide better security because users are unable to select passwords that are easily compromised.

The use of forced random passwords at MyBART provided an interesting look at the effectiveness of using random passwords when the site was hacked. The discussion following the article provides additional insights.

Make Passwords Long, Strong and Complex

Make sure your passwords are difficult to guess and make sure that your passwords are not easily discoverable. When generating passwords, make them long, strong and complex.

Make Them Long

Passwords should be at least 8 characters long (but remember the warning about the vulnerability of 8-character passwords, so make them 15–20 or longer where the site will allow it).

  • If you're using the 4 digits of your bank card, you're just asking to be the victim of identity theft.
  • If the site only allows short passwords with letters and numbers that site is probably storing them insecurely.
  • Secure sites that allow long and complex passwords are forced to encrypt them to save space.

Make Them Strong

Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies.

  • Sites that provide a tool to assess password strength encourage the creation of more secure passwords.
  • Wikipedia's password strength entry includes examples of weak passwords such as the default passwords supplied by vendors (e.g. “admin”) and passwords that are more vulnerable to a “dictionary” attack.
  • Test your password on Microsoft's check your password — is it strong? (Remember, there is the possibility that your results are being tracked and recorded.)

Make Them Complex

Passwords should not be easily discovered words such as your family members' names, your pets, girlfriends, favourite sports teams, etc.

  • Be careful where you post personal information.
  • One man hacked dozens of women's email accounts by using the information the women posted on Facebook to answer the typical questions asked when recovering a lost password.

Passwords should not be simple phrases or common combinations such as variations of password, qwerty or 123456 as these are easily guessed.

  • Avoid simple substitutions like 3 for e (flow3r) or 0 for o (passw0rd).
  • The challenges of creating complex passwords on smart phones and tablets have led to people using patterns like “7” or “Z” on the number pad. There are only so many of these combinations, making them particularly easy to check.
  • If you can say it (even with variations like “password with a zero”) it can be compromised in as little as one second using a dictionary attack.
  • Password Reuse Visualizer (a Firefox addon) shows where you're using similar passwords in an interesting graphical display.

In one 2010 case study, the top three compromised passwords were 123456, password and 12345678.
duosecurity.com

Some sites now will not allow passwords without certain criteria, including disallowing repeated characters or common patterns, and will not allow you to reuse previous passwords. This protects both the site and its users from being an attractive target for hackers.
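The following is an added example, not code from the original page, that puts the first-letter memory helper from "Hints for Remembering Passwords" beside a checker that applies this page's warnings (site name in the password, date-like digit runs, capital first with numbers at the end, common bases hidden behind substitutions like "passw0rd", repeated characters, too few character classes, too short) the way a site enforcing "certain criteria" might. The list of common bases, the substitution table and the sample phrases are constructed for the example. Run on the page's own example, JptGPot2&4FiD passes every pattern check and is flagged only for being shorter than the 15 characters recommended under "Make Them Long".

```python
import re
from typing import List

# Added illustration (not code from the original page). The base list and the
# substitution table are constructed for the example and deliberately short.
COMMON_BASES = ("password", "qwerty", "123456", "12345678", "letmein", "welcome")
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MINIMUM_LENGTH = 15  # the page recommends 15-20 characters or longer where allowed


def mnemonic_password(phrase: str) -> str:
    """Keep the first character of every word, so a phrase that is easy for you
    to remember yields a password that does not look like any word."""
    return "".join(word[0] for word in phrase.split())


def weaknesses(password: str, site: str = "") -> List[str]:
    """Return the page's warnings that apply to this password (empty means none)."""
    found = []
    lowered = password.lower()
    if len(password) < MINIMUM_LENGTH:
        found.append("shorter than %d characters" % MINIMUM_LENGTH)
    # Site name used as a "recognition" pattern (google23s32 for google.ca).
    labels = [part for part in site.lower().split(".") if len(part) >= 4 and part != "www"]
    if any(label in lowered for label in labels):
        found.append("contains the site name")
    # Dates follow MMDDYY or MMDDYYYY: a bare run of six or eight digits.
    if re.search(r"(?<!\d)(\d{6}|\d{8})(?!\d)", password):
        found.append("contains a 6- or 8-digit run that looks like a date")
    # The common shape: capital, lower-case letters, then digits/symbols at the end.
    if re.fullmatch(r"[A-Z][a-z]+[^A-Za-z]*", password):
        found.append("capital first, with numbers or symbols only at the end")
    # Undo simple substitutions (3 for e, 0 for o) before looking for common bases.
    normalized = lowered.translate(SUBSTITUTIONS)
    for base in COMMON_BASES:
        if base in lowered or base in normalized:
            found.append("built on the common base '%s' (after undoing substitutions)" % base)
            break
    if re.search(r"(.)\1\1", password):
        found.append("contains three or more repeated characters in a row")
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]") if re.search(pat, password))
    if classes < 3:
        found.append("uses fewer than three character classes")
    return found


if __name__ == "__main__":
    # Constructed samples: the page's phrase, a longer one, and several weak choices.
    samples = [
        (mnemonic_password("Jason plays the Grand Piano on the 2nd & 4th Fridays in December"), ""),
        (mnemonic_password("My 2 dogs, Rex & Bo, chase the Mail truck every Tuesday at 4:15 sharp!"), ""),
        ("google23s32", "www.google.ca"),
        ("passw0rd", ""),
        ("Summer061290", ""),
        ("123456", ""),
    ]
    for password, site in samples:
        print(f"{password:18} {weaknesses(password, site) or 'no warnings'}")
```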

Make Them Random

You should preferably use complex random characters if the particular site supports that. They should contain a random combination of letters and numbers interspersed with other characters where possible.

  • Using mixed upper and lower case gives you effectively 52 letters to work from instead of 26.
  • The 10 digits (numbers) and the various other legal characters (such as the pound key, hyphen and the underscore) significantly increase the security of your passwords.

The allowed legal characters can vary by site. Most will allow all letters and numbers, but some symbols (like a slash, backslash or angle brackets) may not be allowed.

  • Generating a longer password and then removing any disallowed symbols will still leave you with a strong password of sufficient length.
  • Some ISPs will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.
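The arithmetic behind the brute-force figures quoted under "8-Character Complex Passwords Now Insufficient" and the "52 letters instead of 26" point under "Make Them Random", as an added example that is not code from the original page. The guess rate is derived from the quoted figure (every 8-character password over letters, digits and symbols in 5.5 hours); 95 printable ASCII characters and a guesser that covers only the character classes the password actually uses are assumptions. It goes a little beyond the page by showing how each added character and each added character class stretches the worst-case time, and how little time a 10,000-entry dictionary takes at the same rate.

```python
import math

# Added illustration (not code from the original page): search-space arithmetic.
# Assumptions: 95 printable ASCII characters; the guess rate is derived from the
# page's quoted figure of all 8-character passwords in 5.5 hours.
PRINTABLE = 95
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, PRINTABLE - 62
CLUSTER_RATE = PRINTABLE ** 8 / (5.5 * 3600)  # guesses per second, about 3.4e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity as a bit count; each character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = CLUSTER_RATE) -> float:
    """Worst-case time to try every password at the given guess rate."""
    return keyspace(alphabet_size, length) / rate


def dictionary_seconds(entries: int, rate: float = CLUSTER_RATE) -> float:
    """Time to try a fixed list, such as the 10,000 passwords covering 98% of people."""
    return entries / rate


def alphabet_size(password: str) -> int:
    """Alphabet a guesser must cover, judged from the character classes present:
    an all-lower-case password draws from 26 symbols, mixed case from 52, and so on."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def describe(seconds: float) -> str:
    """Human-readable duration for the printed table."""
    if seconds < 60:
        return f"{seconds:.2g} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    print(f"assumed guess rate: {CLUSTER_RATE:.2e} per second")
    print(f"10,000-entry dictionary: {describe(dictionary_seconds(10_000))}")
    for length in (8, 12, 16, 20):
        row = []
        for label, size in (("a-z", LOWER), ("a-zA-Z", LOWER + UPPER), ("all 95", PRINTABLE)):
            row.append(f"{label}: {describe(seconds_to_exhaust(size, length))}")
        print(f"{length:2d} chars  " + "  |  ".join(row))
    # The page's 13-character mnemonic example uses all four classes.
    sample = "JptGPot2&4FiD"
    print(f"{sample}: alphabet {alphabet_size(sample)}, "
          f"{entropy_bits(alphabet_size(sample), len(sample)):.0f} bits, "
          f"worst case {describe(seconds_to_exhaust(alphabet_size(sample), len(sample)))}")
```

The numbers are worst-case exhaustive searches for one fixed rate; they assume the site's stored password form can be attacked offline at that speed, which is exactly the situation the page warns about for sites that do not protect what they store.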

Network & Router Passwords

Since the passwords used to generate pre-shared keys are configured into the network only once, and do not need to be entered by their users every time, the best practice is to use the longest possible password and never worry about your password security again.
grc.com


