It seems almost everyone these days asks for a password to access their system. This ranges from registering to read a free newspaper online (which as far as I can tell has zero security requirements), through to accessing your bank account, where some care would certainly be advisable. It’s not uncommon for people to have password access to 10+ sites and managing this can be a pain.
Banks play a numbers game. It doesn’t make sense to spend $400,000 in order to prevent $100,000 of fraud, and so fraud will always exist. It’s not a problem for organizations in the grand scheme of things – just a cost of doing business. It is though, very much a problem for you personally, since if you get hit with identity theft, your life could be seriously disrupted whilst all you get from your bank is a merry advertising jingle as your call sits in the queue.
Let’s look at some ways to manage your passwords to help avoid this:
1. Use a separate password for every site
To minimize forgetfulness, almost every SaaS system uses an email address as the login username. Unfortunately this has the side effect that if anyone finds out your password on system A, they can typically use it on system B too, since your username there is the same email address. Since companies as established as Adobe and LinkedIn can lose your passwords (and in both cases display a depressing lack of basic security competence, engineering review process, and crisis handling), it is best to assume that size is no guarantee of safety.
2. Remember your password
A common attack is to take a file of encrypted passwords, and then run through every permutation of commonly used passwords – a so-called dictionary attack. This works because so many people use the same passwords. Companies should not just “salt” their encryptions (adding their own secret string to each password to make them different from other password lists), but also “pepper” them (adding a user-unique string to each password to make sure that even the same password used by two different people is encrypted differently). LinkedIn did not even salt their passwords, and that was one reason they were decrypted so quickly. But even salted password files, whilst vastly more difficult to crack, are still at risk when (as at Adobe) millions of passwords are lost, and the hacker can rely upon the fact that statistically the most commonly occurring one is just “password” (sad, but true). Knowing both the original password and its encrypted form, it’s a lot easier to reverse engineer the salt, which is why it’s good practice to add some pepper as well.
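As an added example (not from the post), here is a small Python demonstration of the dictionary attack described above, and of why a per-user string defeats a shared lookup table even after the site-wide secret has been recovered. It follows the post's naming: “salt” is the site-wide secret and “pepper” the per-user string (most libraries use the two names the other way round). The dictionary, users and secret are constructed, and SHA-256 stands in for whatever hash a site actually uses.

```python
import hashlib
import os

# Constructed data: a tiny dictionary and four users. Real attacks use millions
# of words; the cost structure shown here is the same.
DICTIONARY = ["password", "123456", "letmein", "qwerty", "football"]
USERS = {"alice": "password", "bob": "password", "carol": "letmein", "dave": "C0rrect-horse!staple"}
# The post's "salt": one secret per site. Assume the attacker has recovered it, which
# the post argues is feasible once a single plaintext/hash pair is known.
SITE_SECRET = b"constructed-site-secret"

def hash_unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def hash_site_secret(pw: str) -> str:
    # Site-wide secret only: two users with the same password still get the same hash.
    return hashlib.sha256(SITE_SECRET + pw.encode()).hexdigest()

def hash_per_user(pw: str, unique: bytes) -> str:
    # Site-wide secret plus the post's "pepper": a random per-user string stored beside the hash.
    return hashlib.sha256(SITE_SECRET + unique + pw.encode()).hexdigest()

def crack_shared(leaked: dict, hash_fn) -> tuple:
    """One lookup table built from the dictionary serves every user at once."""
    table = {hash_fn(w): w for w in DICTIONARY}
    return {u: table[h] for u, h in leaked.items() if h in table}, len(DICTIONARY)

def crack_per_user(leaked: dict) -> tuple:
    """Per-user strings make the table unshareable: the dictionary is re-hashed for each user."""
    recovered, work = {}, 0
    for user, (unique, digest) in leaked.items():
        for word in DICTIONARY:
            work += 1
            if hash_per_user(word, unique) == digest:
                recovered[user] = word
                break
    return recovered, work  # second value: number of hashes the attacker computed

def demo() -> dict:
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    site_only = {u: hash_site_secret(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}
    per_user = {u: (salts[u], hash_per_user(p, salts[u])) for u, p in USERS.items()}
    return {"unsalted": crack_shared(unsalted, hash_unsalted),
            "site_secret": crack_shared(site_only, hash_site_secret),
            "per_user": crack_per_user(per_user),
            "alice_bob_collide": (unsalted["alice"] == unsalted["bob"],
                                  per_user["alice"][1] == per_user["bob"][1])}
```

The per-user string does not stop a weak password from being guessed, but it multiplies the attacker's work by the number of users and stops one table from exposing everyone who chose “password”; a deliberately slow hash (bcrypt, scrypt, Argon2) on top of it raises the cost of each guess further.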
To guard against these types of attacks, many people recommend long, complex passwords that would not turn up in any such dictionary.
“hoaisHIUUQOIU#)(87395” looks like a really secure password. Except that you have to write it down in your notebook. Or paste it into a text file on your computer. Or put it on a post-it note on the display. Or in an email. At which point it isn’t really secure any more. You should not need to write a password down; you should be able to memorize it.
Pass phrases are easy to remember, lengthy (so difficult to crack by brute force), and can easily be made even harder by sprinkling in some special characters. But with reference to the first point, don’t think you can use the same phrase everywhere.
3. Don’t put all your eggs in one basket
Websites that claim to manage all your passwords for you are a single point of failure, and I totally would not think of setting up a bogus one to rip off your passwords either.
Using your computer keychain is not such a great idea either, since when you lose the computer, you also lose your bank account, and that may prove more expensive than the laptop.
An inconvenient truth however, is that we all already have all of our eggs in one basket, and it’s called our email account. “Please click here to reset your password and receive your new password by email” – how often do you see that? Ownership of your email account means ownership of almost all systems you have access to. Your email address is easily guessable/findable, and the relevant email server address again is not hard to fathom. That just leaves the password – and how much effort did you put into that particular password? Also, since email passwords are commonly saved and stored with desktop clients, anyone with access to your computer can then read your email, and all the password resets with it too.
4. Don’t waste passwords
Making good passwords is difficult, so don’t waste them on newspapers or forums. Pick something easy like your girlfriend’s/dog’s/wife’s/boat’s name with some memorable numbers added – “saman488tha” would be a good one, “england66” would be a bad one, but since we’re talking about reading your free 6 articles a month, it doesn’t really matter.
Just remember to only use this on truly “non-secure” content. Watch out for things like Twitter, which whilst the content is non-secure, someone might break in and mischievously post the sort of things you actually think, and you probably couldn’t afford the ensuing libel cases.
5. Use a password scheme
One way to address these requirements is to create a scheme for generating passwords.
- Pick several series of things which are memorable to you, and you only. Some examples are:
• Car registrations, both personal and family if you know them.
• Memorable dates (not your own birthday though) or locations.
• Phone numbers (again, not your own, but your secret mistress/toyboy would be a safe one. You hope).
Ideally you want to be able to come up with 5-10 of these that no one could sensibly be expected to guess or uncover from reading your Facebook page.
- Pick two of these and put them together with some special characters. The way you combine these two, and the special characters you use, works as a template. Again, this should be kept secret, but by only needing a single template, you can remember it without writing it down.
As an example, the template could be something like
and, assuming I’m using something like car registrations, this could be
Since I will always remember both the template and the individual components, the only aide-memoire I need is “st” for this password, and that is something I can safely write down.
As a password, it will not appear in any dictionary attack, and if someone were to crack a single password, they would need either to know the other cars I know (unlikely even my family members would remember these), or to brute force the combinations, which, limiting this to valid UK car registrations, would still be around 10 thousand trillion combinations, or about the same as a completely random 8 character password. Since you’d be using different passwords for different accounts, and since most systems allow you at best 10 or so attempts to login before locking you out, the chances of them succeeding are pretty much nil.
6. Don’t tell anyone your password
99% of secrecy comes down to this. There is a security meme about never relying upon what they call “security through obscurity”. It’s good advice that you should not solely rely upon it, but then you should not ignore the value of it either.
You should not disclose either your own passwords, nor any hints or schemes of how you create them, and certainly never write a blog outlining how you manage your own passwords.
“If you have to kill someone, never, ever tell a living soul.”
Layer Cake, 2004
But you already knew this, right?
Photo Credit: Security Circus by Alexandre Dulaunoy / Flickr