Privacy Alerts - Password Security

Password security: the importance of a strong password

The single most important thing you can do to ensure your computer and online privacy is to use a strong password. Passwords are everywhere: your operating system, your files, your online banking, various e-finance accounts, and your social networking accounts.

So think about it: if these passwords are everywhere and you are using a horrible password (e.g. "password" or "letmein"), you're really not doing yourself a favor. The same goes if you're using the same password for all your accounts. Not a good idea. And I know some of you reading this right now are thinking: who would do that? Well, you'd be surprised.

Security experts are constantly amazed by the number of people who spend money on high-end computer security products (e.g. encryption, firewalls, anti-virus, etc.), turning their computer into a veritable Fort Knox, but fail to change their password from "hack_this" (or something equally weak and asinine). The bad choice of password completely compromises all of those security features (and flushes the money spent on them down the toilet).

FYI: A hacker is someone who uses the internet to access other people's computers illegally.

How might someone steal my password?

The three most common methods hackers use are:

Brute Force Hacks: The traditional idea of cracking. The method is to recover a password by trying a very large number of possibilities, for example by exhaustively working through every possible key or character combination until one decrypts the password or code.

Dictionary Attack: In contrast with a brute force attack, where all possibilities are searched through exhaustively, a dictionary attack only tries the possibilities which are statistically most likely to succeed. These possibilities are typically derived from a list of words in a dictionary.

Social Engineering: A collection of techniques used to manipulate people into performing actions or divulging confidential information. The term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

Pretexting and phishing are both forms of social engineering:

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action. This is commonly done over the telephone. Pretexting is more than a simple lie as it most often involves some prior research or set up, using pieces of known information (e.g., for impersonation: date of birth, last bill amount) to establish legitimacy in the mind of the target.

Phishing applies to email appearing to come from a legitimate business — a bank or credit card company — requesting "verification" of information and warning of some dire consequence if it is not done. The email commonly contains a link to a fraudulent webpage that looks legitimate — with company logos, seals, and content — and has a form requesting everything from a home address to an ATM card's PIN.

While not necessarily hacking, don't forget that keyloggers and spyware may also allow someone to gain access to your passwords and therefore your computer.

So, how to make a strong password?

Good question.

Longer is better. More complex is better. Longer and more complex is best. Refer to the table below and consider the security added with each additional character. Also important is the use of a variety of lower, upper, and special-case characters. Each extra character multiplies the number of possible passwords by the size of the character set, so when you lengthen a password and mix character types, the cracking time jumps up exponentially. With an average computer, it takes an enormous amount of time to crack passwords that are over 8 characters.

Privacy Myth Busters: Eventually Any Password Can Be Cracked.

This is actually true. But in all honesty, a strong password can take longer than a lifetime for a hacker to figure out.

Check out the table below (source) and pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – you know, like @#$%^&*). Adding just one capital letter and one asterisk changes the cracking time for an 8 character password from 2.4 days to 2.1 centuries. That's pretty impressive. You want that same level of security in your passwords.

Password Length   All Characters                Only Lowercase
3 characters      0.86 seconds                  0.02 seconds
4 characters      1.36 minutes                  .046 seconds
5 characters      2.15 hours                    11.9 seconds
6 characters      8.51 days                     5.15 minutes
7 characters      2.21 years                    2.23 hours
8 characters      2.10 centuries                2.42 days
9 characters      20 millennia                  2.07 months
10 characters     1,899 millennia               4.48 years
11 characters     180,365 millennia             1.16 centuries
12 characters     17,184,705 millennia          3.03 millennia
13 characters     1,627,797,068 millennia       78.7 millennia
14 characters     154,640,721,434 millennia     2,046 millennia
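The figures in the table follow from simple arithmetic: the number of candidate passwords is the character-set size raised to the password length, and the worst-case search time is that count divided by the guessing rate. The script below is an added example, not code from the original article or its source; it reproduces the table so you can check any row or try other character sets. Two assumptions are inferred from the table's own values and are not stated on the page: a rate of about 1,000,000 guesses per second, and character sets of 26 (lowercase a-z) and 95 (all printable ASCII characters).

```python
"""Estimate exhaustive-search time for a password of a given length and
character set, reproducing the arithmetic behind the article's table.

Added example, not code from the original page. Assumptions (inferred from
the table, not stated on the page): about 1,000,000 guesses per second,
26 characters for "only lowercase", 95 printable ASCII characters for
"all characters".
"""

LOWERCASE = 26                  # a-z
ALL_PRINTABLE = 95              # printable ASCII: letters, digits, punctuation, space
GUESSES_PER_SECOND = 1_000_000  # assumed rate that reproduces the table

# Duration units in seconds, largest first; month and year use averages.
UNITS = [
    ("millennia", 1000 * 365.25 * 86400),
    ("centuries", 100 * 365.25 * 86400),
    ("years", 365.25 * 86400),
    ("months", 365.25 / 12 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(length, charset_size):
    """Number of candidate passwords an exhaustive search must cover."""
    return charset_size ** length


def worst_case_seconds(length, charset_size, rate=GUESSES_PER_SECOND):
    """Time needed to try every candidate at the given guess rate."""
    return keyspace(length, charset_size) / rate


def humanize(seconds):
    """Express a duration in the largest unit that gives a value of at least 1,
    the way the article's table does (e.g. '2.42 days')."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def strength_gain(length, small_set, large_set):
    """Factor by which widening the character set enlarges the search space
    at a fixed length; each position contributes one factor of the set size."""
    return keyspace(length, large_set) / keyspace(length, small_set)


def table(lengths=range(3, 15)):
    """Rows of (length, all-characters estimate, lowercase-only estimate)."""
    return [
        (n,
         humanize(worst_case_seconds(n, ALL_PRINTABLE)),
         humanize(worst_case_seconds(n, LOWERCASE)))
        for n in lengths
    ]


if __name__ == "__main__":
    print(f"{'Length':>8}  {'All Characters':>28}  {'Only Lowercase':>20}")
    for n, all_chars, lower in table():
        print(f"{n:>8}  {all_chars:>28}  {lower:>20}")
```

Running it reproduces the table to within rounding (a few rows differ in the last digit because of how a month or year is counted), which makes the source's assumptions visible: the guessing rate is fixed at one million per second, so the same row shrinks by the same factor when an attacker has faster hardware. One discrepancy worth knowing: the script gives 0.46 seconds for four lowercase characters, so the table's ".046 seconds" looks like a typo rather than a different assumption.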

One of the easiest techniques for a hacker to use is to break into one of your low security accounts to figure out your standard password, and then to see if you are foolish enough to use it on one of your high security accounts. For example, if you have an easily-cracked password for your Photobucket.com account (or NYtimes.com or Amazon.com), and you're using the same password for your Bank of America account, a cracker can spend time figuring out the password on the low security system and will then have access to your higher security system.

If you use the same password for low and high security accounts, you are compromising all of the security Bank of America, Ameritrade, Wells Fargo, or whomever, put into place to protect you. This simply can't happen if you don't use the same password for all your accounts.

The Password Holy Grail (the not-so-holey grail):

Yes, do these:

  • Have a unique password for each of your higher security online accounts (e.g. banking, work networks, credit cards).
  • You can substitute certain letters with special characters that may look the same to you (e.g. m0uNt@!n).
  • Mix lower, upper, and special-case characters in your passwords.
  • Keep your passwords at the maximum number of characters allowed. Remember, longer and more complex is best. Eight characters and over make really strong passwords.

No, don't ever do these:

  • DON'T use your partner's, child's, or pet's name (even if it's followed by a 0 or 1). Not even NICKNAMES.
  • DON'T use the last 4 digits of your social security number.
  • DON'T use sequences or repeated characters (e.g. 123..., abc...).
  • DON'T use your city or college football team name.
  • DON'T use any of the previously mentioned things spelled backwards, or in caps, or otherwise disguised.
  • DON'T use keyboard sequences (e.g., asdfg).
  • STOP using dates of birth - yours, your partner's or your child's.
  • DON'T use dictionary words (English or foreign). For God's sake, don't ever use these: "password," "god," "letmein," "money," and "love."
  • DON'T use a network login ID in any form (reversed, capitalized, or doubled) as a password.
  • DON'T use the same password for all your accounts.
  • DON'T write a password down where it can be accessed by others. Just don't do it.
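The rules above are exactly what a password-policy check enforces when you register or change a password. The checker below is an added example, not code from the original article or any product it names; it implements the page's "do" and "don't" lists as a function that returns the violations it finds. The mini-dictionary, keyboard rows, the letter-to-symbol substitution table, and the sample user profile are constructed for the demo (a real deployment would load a full word list and the user's own details).

```python
"""Password-policy checker implementing the article's "do" and "don't" lists.

Added example, not code from the original page. The dictionary, keyboard
rows, substitution table and sample profile below are constructed for the
demo; a real check would load a full word list and the user's real profile.
"""
import re

# Constructed mini-dictionary (a real check would use a full word list).
DICTIONARY = {"password", "god", "letmein", "money", "love", "mountain",
              "dragon", "welcome", "football", "monkey"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Undo the common letter-to-symbol substitutions (e.g. m0uNt@!n -> mountain)
# so that a "disguised" dictionary word or name is still recognised.
UNLEET = str.maketrans("0134@$!|", "oleaasil")
MIN_LENGTH = 8


def normalize(s):
    """Lowercase and reverse common symbol substitutions."""
    return s.lower().translate(UNLEET)


def _chunks(text, length):
    """Every substring of the given length, for run checks."""
    return {text[i:i + length] for i in range(len(text) - length + 1)}


def has_sequence(pw, run=3):
    """True for runs like 'abc', '123', 'cba' or a keyboard row like 'asdf'."""
    for chunk in _chunks(pw.lower(), run):
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:            # abc / 123 / cba
            return True
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:    # asdf / fdsa
                return True
    return False


def has_repeats(pw, run=3):
    """True when one character is repeated `run` or more times (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def variants(word):
    """Forms the article says are still weak: reversed, doubled, and with a
    trailing 0 or 1 (capitalisation is handled by normalize)."""
    w = word.lower()
    base = {w, w[::-1], w * 2}
    return base | {b + d for b in base for d in ("0", "1")}


def personal_forms(profile):
    """Expand every profile value (names, date of birth, SSN digits, login)
    into the disguised variants that must not appear in the password."""
    forms = set()
    for value in profile.values():
        forms |= variants(re.sub(r"\W", "", str(value)))
    return {f for f in forms if len(f) >= 3}


def character_classes(pw):
    """How many of lower/upper/digit/special are present."""
    return sum(bool(re.search(p, pw))
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def check_password(pw, profile=None):
    """Return the list of policy violations; empty means the password passes."""
    problems = []
    norm = normalize(pw)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 3:
        problems.append("does not mix lower, upper and special characters")
    if has_sequence(pw):
        problems.append("contains a sequential or keyboard run")
    if has_repeats(pw):
        problems.append("contains repeated characters")
    if any(v in norm for w in DICTIONARY for v in variants(w)):
        problems.append("contains a dictionary word (plain or disguised)")
    if profile and any(f in norm for f in personal_forms(profile)):
        problems.append("contains personal information (plain or disguised)")
    return problems


if __name__ == "__main__":
    # Constructed sample profile for the demo user.
    profile = {"login": "jsmith", "pet": "Rex", "dob": "1979-04-12", "ssn_last4": "4321"}
    for candidate in ("letmein", "m0uNt@!n", "htimsj#7", "Rex1", "T7%kq!Ws9Lz"):
        print(f"{candidate!r:16} -> {check_password(candidate, profile) or 'OK'}")
```

One design choice is worth spelling out: because the "don't" list forbids dictionary words and names in any disguised form, the checker undoes substitutions such as 0 for o and @ for a before it looks for words, so the page's own example m0uNt@!n is reported as the dictionary word "mountain". Cracking tools apply the same substitution rules, so the "do" tip about swapping letters for look-alike symbols only helps when the underlying word is not guessable in the first place. The reversed login ID htimsj#7 is caught the same way through the profile check.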

So how often should you change your password?

Basically, if it is a password on a very important account it should be changed more frequently, say, every few months. Reality plays a role here though because how often can you realistically alter your passwords and remember them?

That depends on the number of accounts and passwords you have.

If changing your passwords means that you are rotating the same few passwords over and over again, that actually decreases your security.

Where does a password get stored?

If it's a password that is part of a login ID profile for your computer... then the password gets stored in the operating system of your computer.

If it's a password that protects a file (say a Microsoft Word file), that password is stored in the file and read by the program that opens the file (Microsoft Word in your MS Office Suite). This password is essentially stored on your computer since the file is stored on your computer.

If it's a password that's stored on a website, the password is stored on the website's servers. If the browser transmits the password in plaintext (unencrypted), it can be intercepted on its journey to the server. Most web systems today use HTTPS, which relies on SSL (Secure Sockets Layer) technology to establish an encrypted session between the browser and the server, so the communication between the two is encrypted. This is done automatically by the browser and ensures the integrity of the session.

While logging into a website, your operating system may ask you "would you like us [Windows, etc.] to remember this username and password?" If you answer "yes", the username and password will be stored in a cache on your computer.

From: http://www.securityfocus.com/infocus/1554

Test your password strength here: http://www.securitystats.com/tools/password.php

Comments

Nayan Patel

September 22, 2007 at 9:21 AM

Basically, if it is a password on a very important account it should be changed more frequently, say, every few months. Reality plays a role here though because how often can you realistically alter your passwords and remember them?


aaron

December 19, 2007 at 2:33 PM

test
