There are a myriad of articles on the web about picking good passwords; just go to Google and type in ‘how to choose a good password’ and you’ll get 127 million hits (seriously). Yet despite that, it amazes me that people still make poor choices when it comes to password strength or choose to use the same password at multiple websites. Is it that they don’t care about security, don’t understand how to be secure, or is their lack of security born of an ignorance that bad things can happen to them?
For those who aren’t familiar with the Gawker Media hack back in December of 2010 I’ll give you a quick recap; big media company gets hacked into, hackers steal the usernames and passwords for Gawker’s users, those users had used those same usernames / passwords other places, the users could get their other accounts broken into. That’s a pretty broad summary, but for our purposes it’s an apt description. My point is simple – hackers are all over the place and the things they do might not target you specifically but they can affect you. Some hackers are good, some evil, and most subsist somewhere in the middle of the either as a grey-hat wearing mob. I’m not saying Gawker isn’t blameless, but to be fair, the users who used the same password all over the internet aren’t blameless either. So using the Gawker gaffe as an example…
Rule #1: Use a different password for every website, service, computer, network, etc
Common objection: that sounds really … difficult. I made a quick list off the top of my head and came back with 28 different websites I have passwords to which I use on a somewhat frequent basis. This includes work passwords, banking, personal email, regular websites I visit which require a username / password, and other local passwords, such as my encrypted hard drives. Remembering 28 passwords would be a challenge for most people (or almost all) and there are times where I forget passwords quite frequently. So how do I track all this stuff? Simple, I use a password manager which keeps all my passwords organized and encrypted. Note I underlined, bolded, and italicized encrypted. We’re not talking a spreadsheet, text file, or word doc here folks. Alternatively, there are other options which are supported on mobile platforms as well. And those are just two I know of – Google has a lot of other options.
Rule #2: There is no excuse for not having a way to manage your passwords
Since we know we need to keep our passwords different for each website and we have a way to store them encrypted, the next logical problem is a password like ‘quDj3aK!a9_1gf2’ is impossible to remember. Yep, I agree, it’s completely impossible to remember and as a password it completely sucks – I would never use a password like that. Instead, I find something that is easy to remember yet would (most likely) never be found in an English dictionary (we also call these passphrases).
[Editorial side note: security professionals have been talking about passwords versus passphrases and how much more secure they are for over a decade… yet we continue to use the word ‘password’ on website login forms and in our own security documents. Maybe we’re not so good at this “leading by example” thing anyway].
So as for an example to what a good password looks like, my banking password for a long time was ‘I need $$ to buy bling’. Seriously, just like that (yeah, it’s been changed now so don’t bother trying to brute force it). As a password it’s about perfect – it doesn’t exist in the English dictionary as a whole word, has some special characters randomly in it, and best of all is easily remembered. What’s even better is you can come up with these little phrases all day long. Amazon: ‘I like to buy b00ks’. iTunes: ‘No Beatles here!’. And so on and soon, it’s really quite easy.
Rule #3: Good passwords are easy, if they’re not, you’re making it too hard.
Password changing has always been a good topic of debate between users and security professionals. We set policies to force people to change their passwords every 30 / 60 / 90 days and most of the time the users complain. The reason for this is simple – once I figure out what your password is, and you never change it, I have access to your account forever. Using the Gawker hack as an example, the list of passwords the attackers have in their possession never gets stale – they will continue to work because people have website accounts somewhere on some forgotten service and they will never, ever, remember to go change them because they never use the service anymore. And that particular service might have your credit card information stored in it. Good example is Ticketmaster, your local pizza chain, or iTunes – they all save your credit card info to make it easier to purchase items.
Rule #4: Change your password. It doesn’t have to be every X days, but realistically, at least do it every few months.
One trend that I find incredibly convenient is the use of your email address as your login name for different websites. As most of us know, the login name needs to be unique and as we all know, email addresses are as unique as your finger print (no two are the same, really). But here’s the problem – let’s say your email address is email@example.com and someone steals the iTunes user database from Apple. It takes an attacker about a fraction of a second to go login to Gmail with your iTunes username (firstname.lastname@example.org) on the Gmail website and see if your iTunes password and Gmail password are the same. If it is, guess what… they’re in your email. And since you’re lazy and don’t change your password regularly they are in your email forever. And since you didn’t change your password whenever someone else gets that same stolen iTunes data
then you’ve got two people in your email now (or more).
Rule #5: Don’t ever use your email password anywhere else.
As is constant in life, the next “big thing” is always right around the corner and for passwords that is the use of ‘two factor authentication’ (2FA) whereby you use something you know (like a password) in combination with something you have (like a USB token). More and more services are starting to deploy 2FA in their offerings – give it a few years and we’ll see much more wide spread adoption, but for now it’s only relegated to the very techno-savy or techno-brave. In the meantime, mind your five rules above and you’ll probably be fairly safe for the time being.