
What You should Know about Passwords

11-01-18



One of the issues surrounding computers and the internet that people seem to have the hardest time with is passwords. How long do they need to be? How do I choose good passwords? How do I remember them? Can I write them down? Is it true what people are saying, that passwords are obsolete? While a password mistake can be very expensive in terms of time and money, people have turned passwords into a much bigger deal than they need to be. Here's all you need to know about passwords.



Password Effectiveness

Despite what some people say, a good password is the best way for you to protect your accounts, online and off. The problem comes when the organizations with which you have accounts don't do what they should to protect your passwords or personal data. This also applies to accounts and personal information stored by organizations that you wouldn't normally think of as having anything to do with the internet: banks, brick-and-mortar stores, cell phone carriers, investment companies, credit reporting agencies, doctor's offices, employers, the Department of Motor Vehicles, etc. The reason is that everything and everyone is connected to the internet now, whether you access them online or not.

The first mistake organizations make is lax security of their internal computer networks. They connect their computers to the internet and don't follow the precautions necessary to keep them from being broken into. While it is true that no precautions can prevent all break-ins, because there really is no such thing as a secure computer, there are precautions that organizations could be taking to make their computer networks more secure. They often don't take these precautions, simply because they consider them to be too expensive. Unfortunately, you usually have no idea how secure your bank's computer network is, so you don't know if it's really safe for you to bank there. Even worse, organizations of which you are not a customer, and may not have even heard of, have your private information. Fortunately, there are some consumer protection laws that can protect you to some extent. But there are plenty of organizations that the consumer protection laws do not extend to, like the credit reporting agencies.

The second mistake organizations make is not encrypting or not sufficiently encrypting your passwords that are stored on their servers. This means that no matter how good your password is, and no matter how carefully you have protected it, a thief can get it by hacking into the organization's computer network. Or, one of their employees can steal it. Again, you have no way of knowing whether an organization is storing your password securely.

Despite the lax security of organizations that have your personal information, you should still do what you can do to protect yourself. That includes using good passwords and closing your accounts with organizations with which you no longer need to do business.



How Thieves Steal Passwords

Thieves generally use one of four methods of obtaining your password:

  1. Social engineering
  2. Connecting to a website or organization's computer and guessing your password at the login screen
  3. Obtaining an encrypted password off an organization's server and "cracking" it
  4. Stealing your password from you directly

Social engineering involves calling up an organization, pretending to be you, and telling them that you forgot your password and need a new one. Sometimes it also involves conning you into revealing your password over the phone or by email. Sometimes, it may involve asking you seemingly innocuous questions about your first car, your address, the name of your first pet when you were a child, etc. This may even come from someone you know. This information is used to answer the so-called "security" questions of an organization that asks for them before issuing you a new password. If a thief is successful in a social engineering attack, the password you use is irrelevant; he now has access to your account.

The second approach, connecting to a website and guessing your password, doesn't usually work unless a thief already has a pretty good idea of what your password is. The reason is that most websites are smart enough to only allow a certain number of guesses before locking out the thief.

The third approach is password cracking. This is a procedure that is beyond the scope of this article to explain fully. But, basically, it involves a thief stealing a long list of account holders' encrypted ("hashed") passwords from a server and finding the "salt" (an added string of characters) and the encryption algorithm that was used to make the hashes of the passwords (usually one of a few well-known algorithms). Then, the thief salts and hashes a very large dictionary of possible passwords and compares the hashes of each possible password in the dictionary to each hashed password in the list he has stolen. This is called a dictionary attack. If a particular password he is trying to decrypt is not in the dictionary, he will have to do what is called a "brute-force attack", in which he salts and hashes randomly-guessed passwords until he gets a hash that matches the hash of the salted password that he is trying to decrypt in his stolen list. When he gets a match, he has cracked the password.
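The two storage mistakes described above (the "not sufficiently encrypting" of the previous section and the salt-and-hash procedure just explained) are easiest to see side by side. The following is an added example, not code from the article; it contrasts the weak scheme, one fast unsalted hash per password, with a per-account random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library). The user table, the "dictionary" and the iteration count are constructed values for the demonstration; a real deployment tunes the count to its own hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed parameters for the demonstration.
ITERATIONS = 200_000   # work factor: how slow each guess is for everyone, thief included
SALT_BYTES = 16        # random bytes per account


def weak_store(password: str) -> str:
    """The scheme the article warns about: one fast hash, no salt.
    Every account that picked this password ends up with the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """Per-account random salt plus a slow hash. The record carries the
    algorithm name, iteration count and salt, so it can be verified later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so the comparison itself leaks nothing about the digest."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def dictionary_coverage(stored: Dict[str, str], dictionary: List[str]) -> int:
    """How many weak-scheme records one precomputed table of dictionary hashes
    matches directly. With no salt, one pass over the table covers every user
    who picked a dictionary word; with a per-account salt the table would have
    to be rebuilt for each account, which is the whole point of salting."""
    table = {weak_store(word) for word in dictionary}
    return sum(1 for h in stored.values() if h in table)


if __name__ == "__main__":
    # Constructed sample data: a tiny user table and a tiny "dictionary".
    users = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Xq7!pL2#vR9$mT4w"}
    dictionary = ["password", "sunshine1", "letmein", "qwerty123"]

    weak = {u: weak_store(p) for u, p in users.items()}
    strong = {u: strong_store(p) for u, p in users.items()}

    print("weak records identical for alice/bob:  ", weak["alice"] == weak["bob"])
    print("strong records identical for alice/bob:", strong["alice"] == strong["bob"])
    print("weak records hit by one precomputed table:", dictionary_coverage(weak, dictionary))
    print("carol's real password verifies:", verify(users["carol"], strong["carol"]))
    print("wrong password rejected:       ", not verify("guess", strong["carol"]))
```

Two things to notice when running it: alice and bob share a password, yet their strong-scheme records differ because each got its own salt, and the weak-scheme table lookup finds both of them in a single pass. The iteration count is what turns the article's "ten billion guesses per second" into a far smaller number for the thief, because each guess must repeat the same slow computation the server does.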

The last method of obtaining your password is to obtain it directly from you in ways other than social engineering. If we are talking about a thief who is in a different city, this may involve stealing your password out of your computer. If we are talking about a local thief, most likely someone you know, in addition to socially engineering you, they could get your password from your computer, or from a place where you have written down your password.



How to Protect Yourself from each Type of Attack

There is nothing you can do to prevent successful social engineering attacks if they are directed against the organizations with which you have your accounts. If they are directed against you, your best method of preventing them is to always be aware when people are asking you personal questions and not give out personal information that the person asking does not need--for example your birthday, middle name, address. One of my coworkers once asked my favorite color. I had to tell him that I wasn't willing to reveal that, because it was one of the security questions they used at work to identify us for password resets. He didn't seem to be insulted by this. Usually, honest people will not be upset by an answer like that, if it is delivered in a calm and sympathetic tone of voice. Another thing I always do is to leave the security questions on websites blank or fill them in with long strings of nonsense. This way, even people who know me well cannot reset my passwords.

There are a couple of things you can do to thwart password cracking. The important thing for you to know is that, since the dictionary attack method usually takes far less time than the brute-force attack, you don't want to choose a password that is in the thief's dictionary. Assume the dictionary consists of several million passwords. That means never using something simple like a word or name followed by a number, a consecutive string of numbers, a compound word, two words strung together, or any password that is too short. You can test your potential password against one such password dictionary here.

In order to thwart the brute-force attack that may follow--depending on how much time the thief wants to dedicate to his cracking effort--you should make what is called a "strong" password. This is simply a password that can withstand a brute-force attack for a long period of time. A strong password consists of a long string of a combination of upper and lower case letters, numbers, and "special" characters (like &, ^, /, +, ?, etc.). This gives you, if I added them together correctly, a set of 94 possible choices for each character in your password. If you choose 15 of these in a random order, that will give the thief a set of 94 to the fifteenth power of possible passwords that he will have to search through to be certain that one of them is yours. That is roughly 2.86 x 10^29 passwords. Given the current state of computer technology, a thief with a desktop computer and a fast GPU can generate, hash, and compare to the hash of your password about ten billion password guesses per second. Commercial password cracking computers can manage something in the neighborhood of three trillion password guesses per second. That means that with a commercial password cracker, it would take a thief something like nine billion years to crack your fifteen-character password. The makers of some of our current encryption tools are suggesting that you use 20 characters or more. My feeling is that is overkill. But they are probably just being conservative, since no one can predict the password cracking capabilities that could exist in fifty or a hundred years. There is also something called "hash collision" which reduces the number of guesses needed, but that is beyond the scope of this article. Let's compare nine billion years to the length of time it would take a thief to crack a weak, eight-character password composed of lower case letters and numbers only--about one second. That means the thief can either try to crack your strong, 15-character password or the millions of weak passwords he may have on his stolen list. Which do you think he will go for? The thing you need to take away from this article is simply that it is worth the effort for you to use strong passwords.
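The arithmetic in the paragraph above, as an added example that is not part of the article: a small calculator that takes the alphabet size, the password length and a guess rate and returns the worst-case time to search the whole space, plus a helper that inverts the question to "how long must a password be to survive a given cracker for a given number of years". The guess rates and the 94-symbol alphabet are the article's figures; the 32-symbol special-character count and the 365.25-day year are assumptions made here, and the computation uses the exact value of 94^15 rather than a rounded one.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600   # assumption: Julian year

# Guess rates quoted in the article, in guesses per second.
DESKTOP_GPU_RATE = 10e9
COMMERCIAL_RATE = 3e12

# Character classes; 26 + 26 + 10 + 32 printable specials = 94 (the article's count).
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "special": 32}


def alphabet_size(classes) -> int:
    """Size of the alphabet built from the named character classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    uniformly from `alphabet` symbols. Exact integer, so no float rounding."""
    return alphabet ** length


def worst_case_seconds(alphabet: int, length: int, rate: float) -> float:
    """Time to try every password in the space at `rate` guesses per second.
    A thief expects to find a uniformly random password after about half this."""
    return keyspace(alphabet, length) / rate


def worst_case_years(alphabet: int, length: int, rate: float) -> float:
    return worst_case_seconds(alphabet, length, rate) / SECONDS_PER_YEAR


def length_for_target(alphabet: int, rate: float, target_years: float) -> int:
    """Smallest length whose full search takes at least `target_years`
    at `rate` guesses per second."""
    length = 1
    while worst_case_years(alphabet, length, rate) < target_years:
        length += 1
    return length


def bits_of_entropy(alphabet: int, length: int) -> float:
    """Equivalent key length in bits, the unit most tools report."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    full = alphabet_size(["lower", "upper", "digits", "special"])   # 94
    weak = alphabet_size(["lower", "digits"])                        # 36

    print("94^15 = %d (%.2e), %.1f bits" % (keyspace(full, 15), keyspace(full, 15),
                                          bits_of_entropy(full, 15)))
    for label, rate in (("desktop GPU", DESKTOP_GPU_RATE), ("commercial", COMMERCIAL_RATE)):
        print("%-12s 15 chars from 94: %.2e years" % (label, worst_case_years(full, 15, rate)))
        print("%-12s  8 chars from 36: %.2f seconds" % (label, worst_case_seconds(weak, 8, rate)))

    # How long must a password be to survive a commercial cracker for a billion years?
    for label, size in (("94 symbols", full), ("36 symbols", weak)):
        print("%s: %d characters for a 1e9-year worst case at 3e12 guesses/s"
              % (label, length_for_target(size, COMMERCIAL_RATE, 1e9)))
```

The inversion is the useful part: feeding in a faster cracker or a smaller alphabet shows directly how many extra characters buy back the lost margin, which is the trade-off the paragraph makes informally when it calls 20 characters conservative.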

To prevent a thief from getting your passwords out of your computer, make sure your passwords are not in your computer. Most passwords are stolen out of computers, because people allow internet browsers to remember their passwords. Never do this with sensitive passwords. Also, it is a good practice to not store even encrypted passwords on your computer. Use an encrypted USB stick instead, or at least an unencrypted USB stick with an encrypted file of passwords.



Easy Methods of Choosing and Storing Passwords

Many people believe, for some reason, that trying to create strong passwords is a waste of time, because you will not be able to deal with using several strong passwords. That is absolutely untrue. But let's assume that you have a bad memory and need to store little-used passwords somewhere. There are a number of ways of doing this.

The first is the least secure, but will work against all remotely-located thieves, and it's free. This is to simply write down your passwords on a piece of paper and stick it into your desk drawer. You should also make copies of your passwords and put them somewhere else, like a safe deposit box, just in case your house burns down. You may consider this method for storing passwords to accounts for which it would not be the end of the world if the passwords were stolen, like your Pandora account.

Another way that is still free, but more secure, is to put your passwords into an encrypted file. This works against both remote and local thieves. The password to the encrypted file is your master password that you will use nearly every day, and are therefore unlikely to forget. So, the only password you have to remember is your master password. Put this encrypted file on a thumb drive. Don't forget to make at least two backup copies.

Another method that is somewhat secure, meaning less secure than the method just mentioned, is to use a base password that consists of maybe eight or ten characters. Then follow this with a series of perhaps four other unique characters. So, each of your passwords that you have for email, bank, and other online accounts will consist of your base password followed by a different four characters for each password. Then you only have to remember one base password and several four-character passwords. A system that uses a more secure variation of this is the Qwertycard. With either my suggested system or the Qwertycard, you may not have to store your passwords. You may be able to remember them all. Or, for even more security, you could use eight-character unique parts of your passwords and store them in an encrypted file and remember your base password.

The most secure method of storing passwords begins with a hardware-encrypted USB stick. Then encrypt a password file yourself and add it to your hardware-encrypted USB stick. This gives you doubly-encrypted password files. I always question manufacturers that claim that their USB sticks are hardware-encrypted if the USB sticks don't have physical buttons that you press with your finger. In my opinion, USB sticks that are merely software-encrypted by the manufacturer are not to be trusted. For maximum security, look for hardware-encrypted USB sticks that are FIPS-compliant.

The last method, which I do not suggest, is to use a service like LastPass. I don't recommend this for two reasons. The first is that it costs money, and even worse, you pay a monthly software subscription fee. The second reason is that if your master password is stolen from the password service's servers, every password you have will be in the hands of the thief. In my opinion, it is always better to store sensitive passwords and data yourself than to trust a third party with them.

The bottom line is that there really is no excuse for not using strong passwords on all of your accounts, because you now have multiple methods of ensuring that you won't forget them and be locked out of your accounts.

Two-factor authentication is a way of improving your account security even more than by using strong, securely-stored passwords. I'll discuss two-factor authentication in a later article.



Related Articles:

There's no Such Thing as a Secure Computer--How to be Relatively Secure

How to Avoid being Tracked and Spied-On while Online

Websites that Offer Free and Private Services

Comments


burket56
said on Dec 22nd 2018 @ 09:41:59am,

I am always worried about being "hacked". It is my biggest fear. This article was very helpful.



Copyright © 2018-2019 The Cheapskate's Guide to Computers and the Internet. All rights reserved.