Don’t Let Your Password Choices Set You up for Disaster

February 12, 2010 - By Ivan A. Vazquez

Did you know that hackers can crack nearly any dictionary-based password? The problem with ordinary dictionary words, or with combinations of letters that sit close to one another on the keyboard, is that they are susceptible to manual or automated “brute force” attacks. In this scenario, the attacker simply tries password after password until finding the right one. If no account lockout feature is enabled, the guessing can go on all day long until a password is found.
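As an added illustration (not code from the original post), here is the kind of account lockout control the paragraph refers to, written in Python: it counts failed logins per account inside a sliding window and refuses further attempts for a cooling-off period once the limit is reached. The thresholds (5 failures, a 15-minute window and a 15-minute lockout) and the `verify` callback standing in for the real credential check are assumptions made for this example.

```python
"""Per-account lockout for an online login service.

Added illustration, not code from the original post. It assumes a
hypothetical service that routes every login through LockoutPolicy.attempt();
the thresholds below are constructed values, not a recommendation from the post.
"""
from collections import deque
from dataclasses import dataclass, field
import time

MAX_FAILURES = 5            # failures tolerated inside the window
WINDOW_SECONDS = 15 * 60    # sliding window in which failures are counted
LOCKOUT_SECONDS = 15 * 60   # cooling-off period once the limit is reached


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                       # clock value at which the lock expires


class LockoutPolicy:
    def __init__(self, clock=time.monotonic):
        self.clock = clock    # injectable clock so the behaviour can be tested
        self.accounts = {}    # username -> AccountState

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        return self._state(user).locked_until > self.clock()

    def record_failure(self, user):
        """Count a failed login; returns True when this failure locks the account."""
        now = self.clock()
        st = self._state(user)
        st.failures.append(now)
        # Forget failures that have aged out of the sliding window.
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            return True
        return False

    def record_success(self, user):
        self._state(user).failures.clear()

    def attempt(self, user, password, verify):
        """Gate one login: 'locked' while the account is locked, otherwise
        'ok' or 'denied' according to the credential check.

        verify(user, password) is a stand-in for the real credential check
        (for example, comparing against a salted password hash)."""
        if self.is_locked(user):
            return "locked"
        if verify(user, password):
            self.record_success(user)
            return "ok"
        if self.record_failure(user):
            return "locked"
        return "denied"


if __name__ == "__main__":
    policy = LockoutPolicy()
    check = lambda user, pw: pw == "correct horse"   # constructed demo credential
    for _ in range(6):
        print(policy.attempt("alice", "guess", check))  # denied x4, then locked x2
```

With the lockout in place, an online guessing run is capped at a handful of tries per window instead of running all day. The trade-off is that anyone who knows a username can lock its legitimate owner out, which is why services usually pair per-account lockout with per-source throttling and alerting on lockout events.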

Another common mistake is reusing the same password everywhere. Many people use one password for every account they have on the web. Each application, account, etc. should receive its own password; otherwise you are creating a single point of failure. If someone obtains one account login and password, they have every one of them.

The best method for creating passwords is to come up with a phrase or sentence like “On my 30th birthday I received 500 dollars from Aunt Eunice!” Using this sentence, take the first character of each word and you have “Om30bIr500dfAE!” This is a password that meets all of the basic security requirements. The Golden Rule in passwords is this: Minimum of eight characters, mixture of uppercase and lowercase letters, plus at least two each of numbers and special characters.

The password method described above is great with regard to security, but remembering all of these unique passwords is another matter. Writing down passwords is generally a bad idea, since the “yellow stickies” could easily fall into the hands of intruders. If you absolutely must write them down, make sure they are at least locked up in a safe in your home or in a rented safety deposit box. An even better idea is to create a two-column document. On the left-hand side, write your user names. On the right-hand side, write your passwords. Then cut the paper in half. Seal the passwords in an envelope and store it in a safe or other secure location. The half with the user names can be folded up and stored in your kitchen’s junk drawer. No one will be the wiser, unless you write a title like “Account User Names and Passwords” at the top!

If you’re a high-tech person who likes to automate everything, password vaults are the newest hot thing. These reside on your computer like a normal application but function as a vault for all of your passwords. The advantage is that the user needs to learn only a primary password, which unlocks the electronic vault and the rest of the passwords. This solution does have a number of flaws, as shown by experts at Germany’s Computerbild magazine. In a recent Computerbild test of eight “software vaults,” half of the candidates earned a failing grade, including the built-in vault functionality in the Mozilla Firefox 3.5 and Internet Explorer 8 browsers.

The employees of Computerbild and the experts at Germany’s Fraunhofer Institute tested the products by bombarding them with malware. In all failing products the passwords could be recovered from RAM, the Hamburg-based magazine found. Even the two top-rated solutions only earned a “satisfactory.” The test winner, Password Depot 4 from Acebit, earned a solid “B,” with some demerits but also kudos for strong encryption and good protection against brute force attacks. What is the point you should take away from their efforts? No one received an “A”.

The lesson here is that it’s best to create complex passwords and memorize them. If that isn’t an option, software vaults may work, but they rely on the physical security of your home or office to make sure no one gets physical access to the computer to try to crack them. Whatever method you choose, just make sure your passwords don’t use your birthday, family names, school mascots, or other information that would not be that hard to figure out.

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”. — Bruce Schneier
