You can’t prevent a breach like Target’s. You can’t know how well websites protect your info. You can’t predict where the next attack might come from.
You can, however, control the quality and security of your own passwords. And if you’re like me, you’re probably not doing it as well as you could.
There are a lot of rules about password security. The more closely you abide by them, the more likely you are to forget the passwords, or to have to write them down somewhere. That, itself, creates a vulnerability. Which leads you to want to just use the same password across all sites. Which, in most cases, is the worst thing you can do.
It’s time to take passwords more seriously. Pay someone else to help you manage them. Or, take time to think up your own password creation, recall and secure storage system.
No more using “Password” or “Pa$$w0rd.” No more six- or eight-character passwords. Best to avoid, also, words found in a dictionary.
“The only reliable rule is: ‘The more unpredictable, the better,'” says Saranga Komanduri, a doctoral student at Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory.
According to Chuan Yue, assistant professor of computer science at the University of Colorado at Colorado Springs, a desktop computer can attempt a password guess every billionth of a second, about a billion guesses a second. Computing power available for rent from Amazon can do it six times faster.
That more robust system can crack your typical 8-character password in 15 hours. “This kind of system nowadays can be easily used by attackers,” Yue said.
Hackers can try even more efficient password-cracking methods using so-called dictionary attacks. For this, they use a database of already known passwords harvested from break-ins at other large websites and published. The largest was the 2009 hack of the RockYou.com gaming website, which resulted in more than 14 million unique plaintext passwords being posted publicly online.
The database might also include common password-picking methods, such as replacing the letter o with the number 0 or using the key directly above the letter of the word you recall in your head as the password.
Last year, the online tech publication Ars Technica (owned by Advance Publications, Oregonian Media Group’s parent company) asked a developer of cracking software, a security consultant and an anonymous cracker to hack away at a file of 16,000 hashed passwords. The least successful of the trio cracked 62 percent of the passwords in an hour. The most successful had 90 percent hacked within 20 hours.
Let’s go over the newer dos and don’ts of password use. I’m skipping obvious ones like: “Don’t write them down in an obvious place” and “Don’t use ‘Password’ as a password.”
Don’t store passwords in your browser. Yue and his students reported in a study last year that passwords stored by Firefox, Opera, Google Chrome, Internet Explorer and Safari can be easily decrypted or used, once stolen.
Don’t reuse passwords to sensitive sites. At minimum, you should have separate, secure, difficult-to-crack passwords for your e-mail account, your bank, online shopping and work, said Michael Bazzell, a computer crimes specialist and author of “Personal Digital Security.” You’ll probably also want a different password for social networks.
Protecting your e-mail account is especially important. It’s usually how you reset all other passwords. If a thief cracks your email account, she can then use it to reset many of your other passwords.
If you choose simpler passwords for less important sites so that you can remember them, at least make them the strongest ones you can recall.
Avoid dictionary words and common passwords. Hackers using available computer power and programs can easily search dictionaries of many languages to guess passwords. They can also use variations often found in cracked password lists (“Pa$$word,” for example), and they can include other commonly used items: zip codes, popular baby names and common misspellings.
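To make the two preceding paragraphs concrete (the “key above the letter” trick and the “Pa$$word” variations), here is a small added illustration of how a cracking program expands a wordlist with mangling rules. This is example code written for this article, not the rule engine of any real cracker; the substitution table, keyboard layout and suffix list are constructed and far smaller than what real tools ship with.

```python
import itertools

# Substitutions commonly seen in cracked password lists (constructed, partial table).
LEET = {"a": ["4", "@"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["5", "$"], "t": ["7"]}
# US QWERTY rows, top to bottom, for the "key directly above the letter" trick.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Suffixes people bolt on to satisfy "add a number or symbol" rules (constructed list).
SUFFIXES = ["", "1", "12", "123", "!", "2014"]


def key_above(ch):
    """Key one row up on a US QWERTY keyboard (same column, clamped); ch itself if no row above."""
    low = ch.lower()
    for r in range(1, len(QWERTY_ROWS)):
        row = QWERTY_ROWS[r]
        if low in row:
            above = QWERTY_ROWS[r - 1]
            return above[min(row.index(low), len(above) - 1)]
    return ch


def shift_up(word):
    """Type the word one keyboard row up: 'password' becomes '0qww294e'."""
    return "".join(key_above(c) for c in word)


def leet_variants(word):
    """Every spelling where each substitutable letter either stays or is replaced."""
    choices = [[c] + LEET.get(c.lower(), []) for c in word]
    return {"".join(p) for p in itertools.product(*choices)}


def mangle(word):
    """All candidates a rule-based cracker would try for one dictionary word."""
    out = set()
    for cased in {word.lower(), word.upper(), word.capitalize()}:
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                out.add(leet + suffix)
    out.add(shift_up(word))
    return out


def guessable(candidate, wordlist):
    """True if the candidate falls inside the mangled neighbourhood of any dictionary word."""
    return any(candidate in mangle(w) for w in wordlist)


if __name__ == "__main__":
    # Constructed mini dictionary; a real attack uses millions of leaked passwords.
    words = ["password", "letmein", "monkey"]
    for pw in ["Pa$$w0rd", "P4ssword123", "0qww294e", "0*say*can*U*sea"]:
        print(pw, "guessable" if guessable(pw, words) else "not in the mangled dictionary")
```

A single eight-letter word already yields close to a thousand candidates from this toy rule set, which is why “Pa$$w0rd” buys nothing: the cracker tries it in the same pass as “password.”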
“Pretty much anything that can be remembered can be cracked,” writes Bruce Schneier, chief technology officer for Co3 Systems, a Cambridge, Mass., firm that helps organizations protect against and respond to security breaches.
Don’t save password lists in a password-protected Microsoft Office file. It’s just not safe enough. Look at Bazzell’s site, where you can download a program to crack Excel and Word passwords. Bazzell says he’s used a $39 downloadable software to crack such passwords “in seconds.”
So, what will keep you safe? Even if you can’t do all of them, start incorporating some of these best practices into your password use.
Use two-factor authentication. If a site offers it, as Google, Facebook and Bank of America do, there’s no good excuse not to use it. This security feature requires users to provide something they know (a password) and something they have (usually, a phone).
Such sites, in most cases, will send a random, temporary code to your phone after you’ve entered your password. You then punch the code into the site when logging in from a computer or browser that the site doesn’t recognize. That way, if your password is stolen, a thief will still need your phone to get the text that lets them in from a computer you’ve never used.
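Here is an added sketch of the server side of the flow just described: a password check, then a random, temporary, single-use code that is only demanded from devices the site has not seen before. This is example code written for this article, not any site’s real implementation; the in-memory store, the five-minute lifetime, the three-attempt limit and the PBKDF2 work factor are assumptions, and the delivery hook stands in for an SMS gateway.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000       # assumed work factor for the stored password hash
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300        # assumed lifetime of a texted code
MAX_CODE_ATTEMPTS = 3         # assumed: a code is burned after this many wrong guesses


def hash_password(password, salt=None):
    """Salted, deliberately slow hash of a password for storage (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Site:
    """Minimal login service with a texted second factor (in-memory, for illustration)."""

    def __init__(self, clock=time.time, send=print):
        self.clock = clock          # injectable so expiry can be tested
        self.send = send            # delivery hook (user, code) -> None, e.g. an SMS gateway
        self.users = {}             # user -> (salt, digest)
        self.trusted = set()        # (user, device_id) pairs that completed the second factor before
        self.pending = {}           # user -> (code, expires_at, attempts_left)

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def begin_login(self, user, password, device_id):
        """Step 1, something you know. Returns 'denied', 'ok' or 'code_required'."""
        stored = self.users.get(user)
        if stored is None or not check_password(password, *stored):
            return "denied"
        if (user, device_id) in self.trusted:
            return "ok"
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = (code, self.clock() + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS)
        self.send(user, code)       # goes to the phone, never back to the browser
        return "code_required"

    def finish_login(self, user, device_id, submitted):
        """Step 2, something you have. The code is temporary and works exactly once."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[user]
            return False
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self.pending[user]                  # single use
            self.trusted.add((user, device_id))     # this device now skips the code
            return True
        self.pending[user] = (code, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    outbox = []
    site = Site(send=lambda user, code: outbox.append((user, code)))
    site.register("alice", "Yoity@1tbs")
    print(site.begin_login("alice", "Yoity@1tbs", "laptop-1"))   # code_required
    print(site.finish_login("alice", "laptop-1", outbox[-1][1]))  # True
    print(site.begin_login("alice", "Yoity@1tbs", "laptop-1"))   # ok, device is now trusted
```

The properties that matter are all visible in `finish_login`: the code is random, it expires, it works once, a wrong guess burns an attempt, and a stolen password alone never gets past `code_required` on an unfamiliar device.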
Use 12 characters or more, with numbers, caps and symbols, if the site allows them. In the United States, keyboards have 95 printable characters in all, Komanduri said. Making a password 12 characters long, with each character coming from a field of 95 possibilities, gives you more than 540,000,000,000,000,000,000,000 (540 sextillion) possible passwords, he said.
Even if a supercomputer could guess 1,000,000,000,000 (1 trillion) passwords a second (that would be about 1,000 times faster than the desktop rate above), it would take more than 8,000 years, on average, to hit the right combination, he said: 540 sextillion guesses at a trillion a second is about 540 billion seconds, or more than 17,000 years, to try them all.
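The arithmetic behind the two paragraphs above, carried through as an added worked example (written for this article, not Komanduri’s or Yue’s own code). It takes the page’s figures, 95 printable keyboard characters and guess rates of a billion, six billion and a trillion a second, and computes the keyspace, the time to exhaust it, and the average time to a hit, which is half of that.

```python
import math

PRINTABLE_ASCII = 95                 # keys on a US keyboard, per Komanduri
LETTERS_AND_DIGITS = 62              # a-z, A-Z, 0-9: what a "typical" password actually uses
SECONDS_PER_YEAR = 365.25 * 24 * 3600

DESKTOP = 1e9                        # one guess every billionth of a second (Yue)
RENTED_AMAZON = 6 * DESKTOP          # "six times faster"
HYPOTHETICAL_SUPERCOMPUTER = 1e12    # Komanduri's one trillion a second


def keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def bits_of_entropy(length, alphabet_size=PRINTABLE_ASCII):
    """Size of the keyspace expressed in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, guesses_per_second, alphabet_size=PRINTABLE_ASCII):
    """Time to try every combination at a constant guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def years_to_crack(length, guesses_per_second, alphabet_size=PRINTABLE_ASCII, average=True):
    """Years until the attacker finds the password; on average the search ends halfway."""
    seconds = seconds_to_exhaust(length, guesses_per_second, alphabet_size)
    if average:
        seconds /= 2
    return seconds / SECONDS_PER_YEAR


def hours_to_exhaust(length, guesses_per_second, alphabet_size=PRINTABLE_ASCII):
    return seconds_to_exhaust(length, guesses_per_second, alphabet_size) / 3600


if __name__ == "__main__":
    print(f"12 chars from 95: {keyspace(12):.3e} combinations, {bits_of_entropy(12):.1f} bits")
    print(f"  at 1 trillion/s: {years_to_crack(12, HYPOTHETICAL_SUPERCOMPUTER):,.0f} years on average")
    print(f"8 chars from 62 at 6 billion/s: {hours_to_exhaust(8, RENTED_AMAZON, LETTERS_AND_DIGITS):.1f} hours")
    print(f"8 chars from 95 at 6 billion/s: {hours_to_exhaust(8, RENTED_AMAZON) / 24:.1f} days")
    for length in (8, 10, 12, 14):
        print(f"{length} chars, desktop rate: {years_to_crack(length, DESKTOP):,.1f} years on average")
```

Two things fall out of running it. The 12-character, 95-symbol case comes to roughly 8,500 years on average at a trillion guesses a second, so “more than 8 years” undersells it by a thousandfold. And the 15-hour figure for an eight-character password only holds for letters and digits; drawing the same eight characters from all 95 keys pushes the six-billion-a-second attacker to about 13 days. All of this assumes the attacker holds the stolen hash file and the site used a fast hash; a site that uses a deliberately slow hash cuts these guess rates by orders of magnitude.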
“It’s really not that hard to remember passwords like this,” insists Komanduri. “It just takes practice.”
Pad them. The folks at Avalanche Technology Group in Australia, provider of shouldichangemypassword.com, recommend “padding” shorter passwords at the beginning or end with extra characters to make them longer. In its example, “Axis#47B” becomes “Axis#47B////”
Use phrases. Researchers at Carnegie Mellon, in a study published in 2011, found that long passwords with no other restrictions are more resistant to cracking and more palatable to users than other requirements, such as rules requiring a capital letter, number and symbol. Five-word phrases from your favorite song or poem might just do the trick.
Just don’t use a common phrase such as “Oh say can you see.” And “no matter what you pick, be sure to make it abnormal in some way,” recommends Jeremy Duffy in The Geek Professor, a site about online security. Use a character instead of spaces, for instance. As in “0*say*can*U*sea.”
Use patterns. Another trick, promoted by Schneier, is to use an easily recalled phrase to create a password that appears randomized.
Think of: “You owe it to yourself to be safe.” Start your password with the first letters of each word: “Yoitytbs.”
Next, add a number and a symbol in a place you’ll remember. Perhaps: “You owe it to yourself @ 1nce to be safe.” So the password would now be: “Yoity@1tbs”
Carnegie Mellon researchers in a study last year found that passwords with more digits, symbols and uppercase letters are harder to crack, but less so if the digits are placed at the end of the password or if capitalized letters are placed at the beginning.
So, move the capital letter to the middle in a word you’ll recall, such as Yourself. Now it’s “yoitY@1tbs”
My example above got you 10 characters. You could grow it to 12 by adding a space somewhere and a period at the end. Or pad it with brackets: “[yoitY@1tbs]/.” Looks pretty random.
Test it. Komanduri helped Microsoft researchers develop a web tool called Telepathwords aimed at helping users improve the unpredictability of their passwords. The site tries to guess the next character you’re going to type in your password before you type it, using databases of common passwords, phrases and password-picking methods.
You can Google other password testing sites (security software provider Intel offers one), but I’d be sure to use Telepathwords, too. If you worry about typing your real passwords into these sites, then don’t. Try something similar.
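As an added illustration of what a tool like Telepathwords is doing under the hood (example code written for this article; Microsoft’s actual models and data are not public here and this is not their implementation), the snippet below builds a next-character predictor from a leaked-password list and scores a password by how many of its characters the predictor fails to guess. The corpus is a constructed thirteen-entry stand-in for something like the RockYou list, and the three-character context with back-off is an assumed, deliberately simple model.

```python
from collections import Counter, defaultdict

# Constructed stand-in for a leaked password list such as RockYou (a real one has millions).
SAMPLE_LEAK = [
    "password", "password1", "123456", "12345678", "iloveyou", "princess", "letmein",
    "qwerty", "abc123", "monkey", "password123", "football", "sunshine",
]


class NextCharGuesser:
    """Predicts the next character of a password from the last few characters typed."""

    def __init__(self, corpus, order=3):
        self.order = order
        # tables[k][context] counts which character followed a k-character context.
        self.tables = [defaultdict(Counter) for _ in range(order + 1)]
        for pw in corpus:
            for i, ch in enumerate(pw):
                for k in range(order + 1):
                    if i - k < 0:
                        break
                    self.tables[k][pw[i - k:i]][ch] += 1

    def guess(self, prefix):
        """Most likely next character, backing off to shorter contexts when the long one is unseen."""
        for k in range(min(self.order, len(prefix)), -1, -1):
            table = self.tables[k].get(prefix[len(prefix) - k:])
            if table:
                return table.most_common(1)[0][0]
        return None

    def score(self, password):
        """Characters the guesser failed to predict; higher means less predictable."""
        return sum(1 for i, ch in enumerate(password) if self.guess(password[:i]) != ch)


if __name__ == "__main__":
    guesser = NextCharGuesser(SAMPLE_LEAK)
    print("after 'passw' the tool expects:", guesser.guess("passw"))
    for candidate in ["password", "Pa$$w0rd", "0*say*can*U*sea"]:
        print(f"{candidate}: {guesser.score(candidate)} of {len(candidate)} characters unpredicted")
```

The tool is not measuring length or character classes; it is measuring how much of your password was already implied by the part you had typed so far. “password” scores almost zero because every letter after the first is the obvious continuation, while the mangled phrase from the previous section leaves the predictor guessing at nearly every position.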
Use a password generator. Janice, a reader in Portland, uses Norton’s Password Generator to come up with her passwords. You can set the length and type of characters you want used when it creates the password. Many password managers do the same.
Save it safely. With the length and complexity requirements, some experts say it’s OK to write down clues for your strongest and most sensitive passwords and put them in a safe at home or somewhere not obvious. But that’s not very practical if you enter password-protected sites often. You’ll be tempted to leave it by your computer.
You could make your own encrypted storage vault on your computer, stronger than Microsoft Office’s, using disk- or file-encryption software. KeePass (free), TrueCrypt (free) or Norton’s Identity Safe are examples.
Macs come with an encrypting feature called Disk Utility in their Utilities folder. To use it, open it and click on New Image. Give this disk a name without the word “Password” in it, and be sure to choose 256-bit AES encryption under the Encryption menu. And, as Komanduri said, give it a strong password, but one you’ll remember.
Use a password manager. If all this sounds too complicated, password managers will make life much easier. They take a bit of time to set up, and most cost money. They’re not a sure thing, either. Yue and his students found vulnerabilities in two commercial password managers. But they’re likely more secure than anything you’re doing now.