There seems to be an ever-increasing disclosure of cases of exposed passwords. Recently it was Mozilla and Gawker (the Gawker incident exposed quite a number of websites). Laptops are stolen containing databases with this kind of information. Hacks into web servers can compromise accounts (university servers seem to be especially vulnerable). While we can keep our personal computers and devices locked up, or physically secured, our online presence is especially dependent on passwords. Whenever we are online the device we are using is vulnerable (perhaps someone will address firewalls in a future column). How secure are you? Ask yourself these questions.
Do you use a password manager? If the answer is no, then you should get one. Most password mistakes are made because we are too lazy or find it too difficult to implement unique and secure User ID and password combinations on the number of sites we visit. The built-in password managers in browsers like Firefox only offer the minimal amount of functionality you really need in a password manager. I will address password managers below.
Do you use the same User ID and password combination at more than one site? If you have a password compromised on one site you will be vulnerable on the other sites. If you use the same password on more than one banking, financial, or shopping site, change them today! If these sites will allow you to change your User ID, consider providing a unique User ID for each site. For example, while I may use apswartz for most of my social sites, I might use other User IDs where security is really important: AlanTheSwartz, Here1am, 0My1User2Name (most sites allow letters and numbers only in User IDs, but other sites may allow other characters). By using a unique User ID AND a uniquely generated password for each of these sites you are making it difficult for others to even guess your User ID, effectively doubling your security.
Do you use easy-to-remember passwords that might be guessable? Please note that simply adding a number to a word doesn’t make it safe. So-called dictionary attacks prepend and append numbers to words and names when trying to crack a database file. They also mix up the cases of letters and convert words to ‘leetspeak’ in the attack. Leetspeak is simply converting letters to numbers (or numbers to letters) so that a word like Superman might look like $up3rm@n or 5up37m4n or — well you get the idea. Variations of your name, your spouse’s name, your children’s names, or birthdays, etc., always make for guessable passwords. Please remember that we are talking about guessing using sophisticated cracking software that allows you to target someone’s password using that type of information.
So, what makes for a good password? It should not be a word or combination of words or a mixture of words and numbers. It needs to be long. The longer the password, the more computing time it will take to crack it. It should include letters (upper AND lower case), numbers, and nonalphanumeric characters, such as: !@#$%^&*()-+. (No that isn’t cussing, this isn’t the comic page!). A good password looks like this: fy{Q#Caz69L8&5t.
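Here is an added example (not from the column) of the checks just described, written in Python: it undoes the mangling a dictionary attack tries (case changes, prepended or appended digits, leetspeak) before looking the result up in a word list, and it scores length and character mix. The word list and the leetspeak table are constructed for illustration; a real cracker's dictionary is far larger.

```python
import string

# Constructed mini word list standing in for a cracker's dictionary.
WORDLIST = {"superman", "password", "alan", "swartz", "letmein", "welcome"}

# Common leetspeak substitutions, reversed so a mangled candidate can be
# mapped back to the plain word it was built from.
UNLEET = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a", "3": "e",
                        "0": "o", "1": "i", "!": "i", "7": "t", "+": "t"})


def candidates(pw: str) -> set[str]:
    """Plain-word forms an attacker would derive from pw: lower-cased, with
    and without the digits glued to either end, and with leetspeak undone."""
    lowered = pw.lower()
    return {lowered.translate(UNLEET),
            lowered.strip(string.digits).translate(UNLEET)}


def is_dictionary_derived(pw: str) -> bool:
    return any(word in WORDLIST for word in candidates(pw))


def character_classes(pw: str) -> int:
    """How many of upper, lower, digit and symbol the password uses (0-4)."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def assess(pw: str, min_len: int = 12) -> list[str]:
    """Reasons the password fails the column's criteria; empty means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if character_classes(pw) < 4:
        problems.append("missing upper/lower/digit/symbol mix")
    if is_dictionary_derived(pw):
        problems.append("dictionary word with digit or leetspeak mangling")
    return problems
```

Run `assess("Superman1")` and `assess("$up3rm@n")` to see both flagged as dictionary-derived, while the column's `fy{Q#Caz69L8&5t` passes every check.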
So, what is the best way to secure our online presence? I recommend you get a good password manager to do this for you. There are a number of excellent managers, but the one I think stands head and shoulders over the others is LastPass.[1] I like LastPass for the following reasons. First, it works in all my browsers. Second, it works on smartphones and computers. Third, passwords are encrypted and stored in the cloud.[2] This allows you to have access to your passwords regardless of what computer or smartphone you are using. This last item was the deal maker for me. I can change a password while using Chrome on my laptop and have immediate access to the change on my Droid phone.
Using a password manager means you only have to remember two passwords. One to log onto your computer or device and one to log into your password manager. These passwords are critical to your overall security and should be carefully thought out and implemented. You don’t even need to worry about changing these two passwords if they are secure to begin with.[3] Here is one way to make a good, memorable password that should not be easy for others to figure out.
First, select a phrase. Don’t select your favorite phrase or one that people might associate with you, but one you can easily remember. For example, I will use a phrase from the Bible, “Blessed are the poor in spirit, for theirs is the kingdom of heaven.” Now I will use the initial letters and punctuation from the phrase while capitalizing the nouns (or you can choose some other part of speech or reverse the process). This will give me BatPiS,ftitKoH. Now I will tweak it a bit. I will replace the word ‘are’ with the letter ‘R’ and the word ‘for’ with the number 4, and replace the period with a semicolon so it now looks like BRtPiS,4titKoH; — but I really should have at least another number, so I will make the ‘o’ a zero — BRtPiS,4titK0H; and I now have a 15 character, seemingly random mix of letters, numbers, and characters. So remember this and one other password like it along with a password manager like LastPass and you are good to go. Or, you can get a website to do the work for you.[4]
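The recipe above, carried through in Python as an added example (not the column's own code): initial letters are kept, the nouns you choose are upper-cased, whole-word and punctuation swaps are applied, and a final character tweak adds a digit. The noun set is supplied by hand, as in the column; nothing here detects parts of speech automatically.

```python
import re

# The column's phrase and the words it capitalizes (constructed inputs).
PHRASE = "Blessed are the poor in spirit, for theirs is the kingdom of heaven."
NOUNS = {"poor", "spirit", "kingdom", "heaven"}

# Substitutions from the column's recipe: whole words, punctuation, then
# single characters applied to the finished string.
WORD_SUBS = {"are": "R", "for": "4"}
PUNCT_SUBS = {".": ";"}
CHAR_SUBS = {"o": "0"}


def passphrase_to_password(phrase, nouns, word_subs=None, punct_subs=None,
                           char_subs=None):
    """Turn a memorable phrase into a password: keep each word's first letter
    (upper-cased for nouns), keep punctuation, then apply the substitutions.
    Pass empty dicts to see the untweaked intermediate form."""
    word_subs = WORD_SUBS if word_subs is None else word_subs
    punct_subs = PUNCT_SUBS if punct_subs is None else punct_subs
    char_subs = CHAR_SUBS if char_subs is None else char_subs

    # Split into words and individual punctuation marks, dropping whitespace.
    tokens = re.findall(r"[A-Za-z']+|[^\sA-Za-z']", phrase)
    out = []
    for tok in tokens:
        low = tok.lower()
        if tok[0].isalpha():
            if low in word_subs:          # e.g. "are" -> "R", "for" -> "4"
                out.append(word_subs[low])
            elif low in nouns:            # nouns contribute a capital
                out.append(tok[0].upper())
            else:                         # everything else keeps its case
                out.append(tok[0])
        else:
            out.append(punct_subs.get(tok, tok))
    pw = "".join(out)
    for old, new in char_subs.items():    # final tweak, e.g. "o" -> "0"
        pw = pw.replace(old, new)
    return pw


if __name__ == "__main__":
    print(passphrase_to_password(PHRASE, NOUNS, {}, {}, {}))  # BatPiS,ftitKoH.
    print(passphrase_to_password(PHRASE, NOUNS))              # BRtPiS,4titK0H;
```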
- – - – - – - – - -
1. “The Last Password You’ll Have to Remember!” http://lastpass.com/; Accessed: Wednesday, December 29, 2010.
2. “Cloud Computing,” http://en.wikipedia.org/wiki/Cloud_computing; Accessed: Wednesday, December 29, 2010.
3. “Change your password? Maybe not.” http://blogs.computerworld.com/17549/change_your_password_maybe_not; Accessed: Wednesday, December 29, 2010.
4. “Hugh’s Secure but Easy to Remember Password Generator,” http://www.hughchou.org/calc/pwgen.cgi; Accessed: Wednesday, December 29, 2010.