Passwords
Protecting Your Electronic Signature
Why Passwords?
An important technique in protecting your privacy and your documents is the proper use of passwords (and possibly encryption).
I know that sounds a bit like James Bond and you're thinking that your computer doesn't contain the nation's secrets, but have you stopped to think what would happen if someone were to gain control of your computer?
Your Information at Risk
Do you do on-line banking? Purchase goods or make donations on-line using a credit card or PayPal? Do your taxes or e-file? Use email to write to friends and relatives?
Increasingly, our lives are lived on-line. Those that think they are safe because they don't do these things forget that banks, merchants and charities do all these things on-line on your behalf. (You didn't think your bank's local branch had a direct line to their main branch across the country, did you?)
You Need to Take Responsibility
Identity theft is on the increase because people don't understand the risks of exposing personal information, nor their responsibility for protecting their own identity.
If you become the victim of identity theft, you will be fighting that for many years to come (some say indefinitely, much like that whack-a-mole game). Learn more about identity theft….
Passwords Protect You
As you set up accounts on Hotmail, Yahoo!, and eBay you are asked for a user name and password. Many people view these passwords as something imposed upon them rather than something that protects them.
The password serves the same purpose as your signature on your cheques or credit card purchases. It needs to be just as unique, and protected just as diligently.
Someone having both the user name and the password can do anything you can do with those accounts: make a purchase, change your account (or cancel it) and post damaging information about you or your business.
Being Lazy With Passwords Can Cost You
“Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low security site to retrieve thousands of username/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective.” — Stanford Security Lab
"The thousand-dollar penalty for reusing passwords" is an excellent narrative demonstrating the fallout from using poor passwords on an "insignificant" site which is then exploited to gain access to a more important site. Use complex and unique passwords.
Windows Especially Vulnerable
Windows computers are particularly vulnerable. A 2003 study of the legacy Windows LM password hash found that "[u]sing 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes…in 13.6 seconds…." (LM converts the password to upper case and hashes it as two independent 7-character halves, which is why it falls so quickly.)
A more current source indicates an even shorter time to compromise:
“Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases.”
— Ipswitch
Your Website/Blog/Facebook Account at Risk
More and more people have their own website, blog, Facebook account and more. In addition, they're providing more information and accessing their financial information more frequently on-line.
We're becoming more and more connected electronically. These resources are only as safe as the passwords that protect them.
Be Careful What You Post
Be aware that what you're posting on public websites may be enough information to gain access to your accounts. Many of the questions used to regain control of webmail accounts include the sort of information that many users blindly post in Facebook while chatting: where you were born, your teachers, pets, marriage dates, family genealogy, etc.
Generating Passwords
The problem with creating passwords is that we tend to be creatures of habit, looking to memorable patterns and recognizable signals. These may be great in remembering a password, but not conducive to creating secure passwords.
Automated Password Generators
Using a program or site to generate passwords avoids these issues, because the result is random rather than chosen by habit. Like the one-time pads of spy novels and history books, the point is that the characters follow no pattern an attacker can predict.
- Gibson Research Corporation provides an Ultra High Security Password Generator on their site that generates a new set of passwords every time the browser is refreshed. There are three sets generated — use the middle line where possible.
- PwdHash is software that generates passwords based partly upon the site you create them for.
Randomly-generated passwords at myBART provides an interesting look at the effectiveness of using random passwords. The discussion following the article is worth viewing.
Generating Your Own Passwords
You can also generate your own passwords (although they're probably not as secure).
Make Sure Your Passwords Are Difficult To Guess
Ensure that your passwords are not easily discovered. The following are key points to look for when generating passwords:
- Passwords should be at least 8 characters long (15–20 where the site will allow it).
- If you're using the 4 digits of your bank card, you're just asking to be the victim of identity theft.
- Passwords should not be easily discovered words such as your family members' names, your pets, girlfriends, etc. and be careful where you post this information.
- One man hacked dozens of women's email accounts by using the information the women posted on Facebook to answer the typical questions asked when verifying a lost password.
- Passwords should not be simple phrases or key combinations such as variations of password, qwerty or 123456.
- Avoid simple substitutions like 3 for e (flow3r) or 0 for o (passw0rd), as these are easily guessed.
- If you can say it (even with variations like "password with a zero") it can be compromised in as little as one second using a dictionary attack ("dictionary" refers to a list of potential passwords, not just words listed by Webster's).
- In the Gawker Password Dump the top three compromised passwords were 123456, password and 12345678.
- You should preferably use complex random characters if the particular site supports that.
- They should contain a random combination of letters and numbers interspersed with other characters where possible.
- Using mixed upper and lower case gives you effectively 52 letters to work from instead of 26.
- The 10 digits and the various other legal characters (such as the pound sign # and the underscore _) significantly increase the security of your passwords.
- The allowed legal characters vary by site. Most will allow all letters and numbers, but some symbols (like a forward slash, backslash or angle brackets) may not be allowed. Generating a longer password and then removing or replacing the disallowed symbols will still give you a strong password of sufficient length.
- Some ISPs will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.
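As an added example (not from the original page), the following Python shows why the substitutions warned about above add so little. A handful of "mangling" rules (case changes, leet substitutions, common suffixes) applied to a six-word list recovers the unsalted SHA-1 hashes of passw0rd, Flower123 and fl0w3r! in a few hundred guesses, while a random 10-character password hashed into the same dump is never reached. The word list, the "leaked" hashes and the rule set are all constructed for the demonstration.

```python
import hashlib
import itertools

# The substitutions the page warns about. A cracking tool's rule set tries
# these first, so they add almost no work for the attacker.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ("", "1", "123", "!", "2011")

def sha1_hex(password):
    """Unsalted SHA-1, the way many leaked dumps of the era stored passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def mangle(word):
    """Return the variants a small rule set would try for one dictionary word:
    case changes, every combination of leet substitutions, common suffixes."""
    base = word.lower()
    variants = {base, base.capitalize(), base.upper()}
    positions = [i for i, c in enumerate(base) if c in LEET]
    for n in range(1, len(positions) + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(base)
            for i in combo:
                chars[i] = LEET[chars[i]]
            variants.add("".join(chars))
    return {v + suffix for v in variants for suffix in SUFFIXES}

def crack(target_hashes, wordlist):
    """Hash every mangled variant of every word and match against the targets.
    Returns ({hash: plaintext} for the hashes recovered, number of guesses made)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = sha1_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
        if not remaining:
            break
    return found, guesses

# Constructed inputs for the demonstration: a six-word "dictionary" and a
# "leaked" dump made by hashing three human-chosen passwords plus one random
# 10-character password (k7Q#m2pXv9) that no rule will produce.
WORDLIST = ["password", "qwerty", "letmein", "flower", "monkey", "dragon"]
LEAKED_HASHES = [sha1_hex(p) for p in ("passw0rd", "Flower123", "fl0w3r!", "k7Q#m2pXv9")]

if __name__ == "__main__":
    found, guesses = crack(LEAKED_HASHES, WORDLIST)
    print(f"{len(found)} of {len(LEAKED_HASHES)} hashes recovered in {guesses} guesses")
    for digest, plaintext in found.items():
        print(f"  {digest[:12]}...  {plaintext}")
```

Real cracking tools (John the Ripper, Hashcat) ship rule files that do exactly this at billions of guesses per second. A slow, salted hash on the server (bcrypt, scrypt, PBKDF2) raises the cost of each guess, but it only buys time for a password that the attacker's rules reach anyway.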
Password Strength
Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies. A strength meter is a useful tool on sites where accounts are created, as it encourages the user to choose more secure passwords.
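As an added example (not from the original page), the following Python puts numbers to the character-class advice above and to the notion of strength: it builds a character pool from the classes the page describes (optionally dropping symbols a site rejects), generates a password from the operating system's cryptographic random source, and computes the entropy and worst-case exhaustive-search time for a few policies. The guess rate of 10^10 per second is an assumption (roughly a GPU against an unsalted fast hash); against a slow hash such as bcrypt the rate would be thousands of times lower.

```python
import math
import secrets
import string

# Symbols commonly accepted in passwords. The text notes that some sites reject
# a few of these (slashes, angle brackets), so the pool builder can drop them.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[\\]^_{|}~"

def build_alphabet(lower=True, upper=True, digits=True, symbols=True, disallowed=""):
    """Assemble the character pool, minus anything the target site rejects."""
    pool = ""
    if lower:
        pool += string.ascii_lowercase
    if upper:
        pool += string.ascii_uppercase
    if digits:
        pool += string.digits
    if symbols:
        pool += SYMBOLS
    return "".join(c for c in pool if c not in disallowed)

def generate_password(length=16, alphabet=None):
    """Draw each character uniformly from the OS CSPRNG (secrets), never random.random()."""
    alphabet = alphabet if alphabet is not None else build_alphabet()
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(N**L) = L * log2(N)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try the whole keyspace (an attacker expects half that on average).
    The default rate is an assumption: a GPU against an unsalted fast hash."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def compare_policies(policies, guesses_per_second=1e10):
    """Return {label: (bits, years)} for each (label, length, alphabet) policy."""
    result = {}
    for label, length, alphabet in policies:
        bits = entropy_bits(length, len(alphabet))
        result[label] = (bits, years_to_exhaust(bits, guesses_per_second))
    return result

# Constructed policies mirroring the page's advice: 8 lower-case letters (26),
# 8 mixed-case (52), 8 alphanumeric (62), and 16 from the full pool, with and
# without the symbols a picky site might reject.
POLICIES = [
    ("8 lower-case", 8, build_alphabet(upper=False, digits=False, symbols=False)),
    ("8 mixed-case", 8, build_alphabet(digits=False, symbols=False)),
    ("8 alphanumeric", 8, build_alphabet(symbols=False)),
    ("16 full pool", 16, build_alphabet()),
    ("16 full pool, site rejects /\\<>", 16, build_alphabet(disallowed="/\\<>")),
]

if __name__ == "__main__":
    for label, (bits, years) in compare_policies(POLICIES).items():
        print(f"{label:35s} {bits:6.1f} bits  ~{years:.3g} years to exhaust at 1e10 guesses/s")
    print("example:", generate_password(16))
```

The entropy figures assume the password really was chosen uniformly at random; a password you composed yourself from a phrase or a name has far less entropy than its length and character set suggest, which is why the page recommends generated passwords where a site allows them.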
Protecting Your Passwords
In order to maintain the security of your passwords, you should be aware of several ways you can minimize the chances that your passwords are compromised.
Vary Your Passwords
Don't be lazy. Generate a fresh password for every site and account that requires one.
- The same password on a site with weak security will allow a more secure site like PayPal to be compromised.
- Companies buy other companies all the time and merge their tech departments. If someone on the inside realizes you used the same password at both companies, they can take advantage of it.
Regularly Change Passwords
It is also a good idea to change a password whenever you suspect it has been compromised (such as when you have had to give it to the computer repair shop). Changing passwords on a fixed schedule (every few months) was long recommended; current guidance such as NIST SP 800-63B no longer requires routine rotation, because it tends to produce predictable variations, and instead favours changing a password when there is evidence it has been compromised.
There have been several useful discussions on passwords on Security Now! (This is a security podcast available in audio or transcribed in several formats.)
Remembering Passwords
If you have difficulty remembering your passwords there are some things that will help you:
- Don't use PostIt® notes on your monitor. If you must write a password down, disguise it within a list of waybills, invoice numbers or some other list of random-looking characters that would naturally be found near your computer.
- You can use the first letters of a phrase that makes sense to you. For example, the phrase "Jason plays the Grand Piano on the 2nd & 4th Fridays in December" can help you remember an otherwise difficult-to-remember 13-character password: JptGPot2&4FiD.
- A document called "My Passwords" on your computer is vulnerable. Password software is a much better idea.
Avoid Patterns in Passwords
Just remember that if a pattern is evident in how you compose your password, you lessen the security of the password.
- If you use the site name or address as part of the "recognition" pattern to help you, this will weaken your passwords.
- Dates are generally not a good idea as they follow consistent patterns (some variation of MMDDYY or MMDDYYYY, etc.).
“Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
— xkcd
However, by using patterns that are unique to you (not copied from Shakespeare or easily guessed from the nature of the site), you can have a more secure password that you can still remember.
Password Software
There are various pieces of software that will help to remember your passwords and to create secure passwords for you. Remember, there are differing levels of security in these methods and all are subject to the vulnerability of the master password.
Web Browser Capabilities
You can use the password-remembering capabilities of the various web browsers, including Firefox (Tools > Options > Security > select "Remember passwords for sites") and Internet Explorer (Internet Options > Content > Autocomplete Settings > select "User names and passwords on forms").
- Ideally, this should be used on a single-user computer with a secure password. If there are multiple users, each person should have their own log-in identity, protected with secure passwords.
- Because there is the potential for such wide-spread tools to become compromised, you should not use this feature for on-line banking and other similarly critical sites.
- An external program like AI Roboform Toolbar for Firefox provides the same convenience but, by separating the program from the actual browser, reduces the risk of compromise.
Password Safe
Password Safe is a free, open-source password storage utility originally designed by Bruce Schneier. Early versions encrypted the database with Blowfish; current (3.x) versions use Twofish. It keeps all your passwords in one encrypted file protected by a single master password and provides several methods of adding and extracting your passwords.
KeePass
KeePass is a free (open-source) password manager or safe which helps you to manage your passwords in a secure way using AES and Twofish encryption. Versions are available for Windows and Linux.
PwdHash
Password generating software, PwdHash, by Collin Jackson (Stanford University) uses one master password to create a distinct password for each site by hashing the site's domain together with your master password. There is a PwdHash Firefox Addon.
The software generates relatively short passwords made up of letters and digits only. Alex King's PwdHash version generated the password aC5WhcM7Ny for "http://www.google.ca/" using "Password" as the key. Of course, if anyone guesses your master password, they'll know your password for every site.
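As an added example (not PwdHash's code, and not its actual algorithm), the following Python shows the shape of the idea: HMAC-SHA256 keyed with the master password over the lower-cased host name, written out in base 62 so the result is alphanumeric like PwdHash's output. It also demonstrates the caveat at the end of the paragraph: because the scheme is public and deterministic, a single leaked per-site password is an offline test oracle for master-password guesses, so a weak master such as "Password" falls to a short guess list while the mnemonic JptGPot2&4FiD from above does not. The host names, the master passwords and the guess list are constructed for the demonstration; real tools also reduce "www.google.ca" to its registrable domain so sub-domains share a password, which this example does not do.

```python
import hashlib
import hmac
import string

# 62-character alphabet: the derived password is letters and digits only.
ALPHABET = string.ascii_letters + string.digits

def site_password(master, domain, length=10):
    """Derive a deterministic per-site password from a master password.

    Illustrative scheme, not PwdHash's: HMAC-SHA256 keyed with the master over
    the lower-cased host name, then the 256-bit digest is written in base 62
    and truncated to `length` characters. Lower-casing keeps "WWW.Google.CA"
    and "www.google.ca" on the same password.
    """
    digest = hmac.new(master.encode("utf-8"), domain.lower().encode("utf-8"),
                      hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def recover_master(leaked_site_pw, domain, candidates):
    """Offline attack on the master password.

    The derivation is public and deterministic, so one leaked per-site
    password lets an attacker test master-password guesses without ever
    contacting a server. Returns the first candidate that reproduces the
    leaked value, or None.
    """
    for guess in candidates:
        if site_password(guess, domain) == leaked_site_pw:
            return guess
    return None

# Constructed guess list: the kind of passwords that top breach dumps, with the
# page's own example key "Password" among them.
COMMON_MASTERS = ["123456", "password", "12345678", "qwerty", "Password", "letmein"]

if __name__ == "__main__":
    for host in ("www.google.ca", "www.paypal.com"):
        print(f"{host:16s} {site_password('Password', host)}")
    leaked = site_password("Password", "www.google.ca")
    print("weak master recovered:  ", recover_master(leaked, "www.google.ca", COMMON_MASTERS))
    leaked = site_password("JptGPot2&4FiD", "www.google.ca")
    print("strong master recovered:", recover_master(leaked, "www.google.ca", COMMON_MASTERS))
```

The second point is the practical one: with a hash-based scheme the master password is the only secret, and it can be attacked at full offline speed the moment any one derived password leaks, so it needs the same length and randomness the page asks of any other password.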
More About Related Issues
Protecting Your Online Identity
The following related pages offer more information about protecting your online identity:
- Avoiding Spam — Unsolicited Emails and Mailing Lists
- Identity Theft — Obtaining Information by Deceit
- Proper Email Address Etiquette — Using To:, CC: & BCC: Correctly
Securing Your Computer
The following related pages offer more information about securing your computer:
- Security Basics — Preventing Unauthorized Access
- Firewalls — Your First Line of Defense
- ZoneAlarm Security — Recommended Firewall Products
- Anti-Virus Protection — Current Alerts, Strategies, Hoaxes & Software
- Encryption — Protecting Your Data
- Your Privacy At Risk — Spyware Detection & Removal
- Web Security — Vulnerabilities in Internet Software
- Windows Security — Vulnerabilities in Windows
www.RussHarvey.bc.ca/resources/passwords.html
Updated: November 15, 2011
