NCSAM: Passwords - friend or foe? (Part II)
by Steve Ragan - Oct 18 2010, 16:40
In 2008, one of the first NCSAM articles published by The Tech Herald looked at passwords. Many things in the security world have changed since then, but the problems with passwords have not. They are still a controversial issue, still hard to manage, and remain a single point of failure in the security chain.
No one will ever agree on a flawless authentication process. There have been calls to remove passwords from the security chain, on the business and home front, by replacing them with biometric methods. Why bother to remember a password when you can swipe a finger or speak into a microphone to access a network or application?
Yet those solutions rely on hardware, and hardware will fail. When that happens, you still need to authenticate. So what do you do then? Not to mention, businesses have grown up on passwords. It will be some time before they are ready and willing to move away from them. It’s the same for home users.
Passwords are everywhere. As we mentioned in 2008, you likely have a password for webmail, a password to log in to the network, a password for voicemail, a password to access gaming and social networking, online banking, and so on. This doesn’t even account for the passwords needed on the dozens of websites that a typical citizen online accesses on a daily basis.
A recent study by security vendor Webroot found that the most commonly used password-protected sites online were banking, Web-based email, and social networking. The study examined password usage among 2,500 people from the U.S., U.K., and Australia.
While the distribution of usage is interesting, what the respondents did with those passwords is also worth noting. They share them, they use them on unsecured networks, they make them easy to remember by using personal information or common words, they write them down (leaving them available to others), and they tend to use the same password on multiple sites. On top of that, many never cycle their passwords (changing them frequently).
The reason studies like the one from Webroot and other vendors show the same password-related problems is easy to guess. Passwords are a pain to manage, a pain to create, and a nightmare to remember if they are overly complex. No two people will remember things the same way, and no two people will see password management in the same light either. The trick is to come up with something that works for you.
In the pages that follow, we’ll dig into some personalized password rules, but ultimately, you’ll be the one to put them to use.
If you have thoughts or suggestions, leave a comment or email us. We’d love to see them, and we’ll use them to develop better materials on the topic.
Password creation for the rest of us
The password creation process for a geek or technical user is nothing like the process used by the average computer user. This is why we say “for the rest of us”. Still, the basics apply to everyone, and even the geeks use them. You don’t have to bump your IQ to create a strong password; just focus on you.
Don’t: Create passwords using personal information or information someone could guess.
This rule exists because of the wealth of information about you online. Some of it you have willingly shared, some of it you have shared unintentionally. Parents love to brag about their kids and talk about family. So creating a password based on these items is a bad idea.
You told everyone on Facebook that Billy’s soccer team, the Falcons, just won their championship. So creating a password like “falconchamps2010” isn’t good. Neither is “billychamp2010” or anything remotely close to that information. So if you are creating a password that focuses on you, how is this even possible?
Sticking with the information you shared on Facebook, what details did you keep to yourself? We all have dirt on our kids, something that is just private or would embarrass them a little. It’s a parent thing really. Even those without children know something about someone, family or friend, that is completely comical, yet they’ve never shared it with a living soul.
Given that you kept these little details to yourself, use them as part of a password. You will remember them, no one will guess them, and this information would certainly never be located on Google. The catch is, no matter the subject you use, it has to be something that you and you alone know.
For example, Billy once needed to have his uniform pants patched. The only thing available however, was a pink and white patch his sister had. As a father, I’m sure Billy would be mortified at having anything of his sister’s near his clothes. Thus, “p1nKp@tch3s4biLLy” is a possible (and comical) password.
Take note of the length, the use of uppercase and lowercase letters, special characters, and numbers in the password itself. This is an important part of the process. Feel free to mix things up.
Typically, @ or 4 is used for the letter A, 1 can be used for an I or L, 3 is a backwards E, 0 is used for O, and so on. The only downside to this is that some sites prevent some special characters, and limit password length. Keep that in mind when making a password.
Don’t: Create a password using words in a dictionary, no matter the language.
If a word exists in a dictionary or academic text, you can be sure it resides in a list used to crack passwords. If that isn’t spooky enough, that list has all of those words in reverse too. Some lists will use the words and substitute characters for letters, as we mentioned previously.
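The two paragraphs above describe what cracking lists do with a word: keep it as is, reverse it, and apply character substitutions. As an added example (not the article's own material, and not taken from any product it mentions), the following Python script undoes those transformations before comparing a candidate against a wordlist, which is how a defender's password checker can catch a dictionary word in disguise. The substitution table and the wordlist are constructed for illustration; real lists and rule sets are far larger.

```python
"""Flag passwords that are a dictionary word in disguise.

Added example: the substitution table and the wordlist are constructed
for illustration; real cracking lists and rule sets are far larger.
"""
import itertools

# Substitutions the article lists (@ or 4 for A, 1 for I or L, 3 for E, 0 for O)
# plus a few more that common rule sets undo. Each value holds every letter the
# symbol might stand for, so an ambiguous one such as "1" expands to both.
LEET_MAP = {
    "@": "a", "4": "a", "3": "e", "1": "il", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
}

# Constructed sample wordlist.
WORDLIST = {
    "password", "falcons", "champion", "pumpkin", "bradley",
    "letmein", "hammer", "stethoscope", "sunshine",
}


def candidate_spellings(candidate, limit=4096):
    """Yield every all-letter spelling the candidate could have been built from."""
    choices = [LEET_MAP.get(ch, ch) for ch in candidate.lower()]
    combos = 1
    for c in choices:
        combos *= len(c)
    if combos > limit:
        # Too ambiguous to expand fully; fall back to the first reading of each symbol.
        yield "".join(c[0] for c in choices)
        return
    for combo in itertools.product(*choices):
        yield "".join(combo)


def dictionary_hits(candidate, wordlist=WORDLIST):
    """Return sorted (word, direction, substitutions_undone) triples for every way
    the candidate collapses onto a wordlist entry: as typed, with a trailing run
    of digits (such as a year) removed, or spelled backwards."""
    hits = set()
    lowered = candidate.lower()
    for base in {lowered, lowered.rstrip("0123456789")}:   # "falcons2010" -> "falcons"
        for spelling in candidate_spellings(base):
            substituted = spelling != base
            for word, direction in ((spelling, "forward"), (spelling[::-1], "reversed")):
                if word in wordlist:
                    hits.add((word, direction, substituted))
    return sorted(hits)


if __name__ == "__main__":
    for pw in ["p@ssw0rd", "drowssap", "Falcons2010", "5unsh1ne", "p1nKp@tch3s4biLLy"]:
        print(f"{pw:20s} -> {dictionary_hits(pw) or 'no single-word match'}")
```

Run stand-alone, the script reports that “p@ssw0rd”, “drowssap” and “Falcons2010” all collapse onto a wordlist entry, while the article's layered example “p1nKp@tch3s4biLLy” does not match any single word. The substitution step is the important one: a symbol swap changes how a password looks to a person, not how it looks to a cracking rule that already knows the swap.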
It’s just a bad idea to build a password based on a dictionary term alone, no matter how obscure the word is. However, you can use these words in conjunction with a personal item to layer their security value.
If you are a medical professional, then use a medical term, combined with something that only you would know, such as a humorous event during the time you spent shadowing others in a doctor’s office for class.
If you are a construction worker, then your trade not only comes with hard work and skill, but plenty of useful job-related terms. Use one of them, such as an insider name for a tool or task, and then pick a word to pair with it from a personal memory. Something unique to you, but remember to make it a word or phrase that no one would guess or know of.
Don’t: Make your passwords overly complex
When thinking of passwords that are personal, you need to make them longer than 8-12 characters as a rule. However, the longer the password is, the more likely you are to have problems remembering it, or the characters used to create it. (“Did I use an @ or a 4 when spelling ‘bradleyisabluepumpkin’?”)
Keep things simple and consistent. If you create a password that uses the letter A and you opt to swap it out for an @ symbol, use only that symbol for it, and use it every time the letter appears.
Also, the long passwords you took time to create should be ones that come to you quickly. Don’t be afraid to use phrases as passwords, as long as they are personal ones that no one could guess, and you can recall them easily.
Personal passwords carry risk, this is true, but they can also lower the odds of someone guessing them or a program cracking them. The rule for longer passwords comes from the fact that programs need more time to crack them, and a person guessing by hand is more likely to slip up on a long one. So the longer it is, the harder it is to break.
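To make the length argument concrete, here is an added Python example (not the article's own material) that estimates the number of guesses an exhaustive search needs for a given length and character mix, and sets it beside the far smaller number needed when the password is a dictionary word run through mangling rules. The wordlist size, rule count and guess rate are assumed figures chosen for illustration, not measurements.

```python
"""Estimate how many guesses a password costs under two attack strategies.

Added example: the wordlist size, rule count and guess rate below are
assumptions chosen for illustration, not measurements.
"""
import math
import string

# Character classes a password may draw from; an exhaustive search must cover
# every class the password actually uses.
CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
}


def alphabet_size(password):
    """Size of the union of the character classes the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))


def brute_force_bits(password):
    """log2 of the guesses an exhaustive search over that alphabet and length needs."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def dictionary_bits(wordlist_size, rule_variants):
    """A wordlist entry mangled by a fixed rule set costs only wordlist * rules
    guesses, whatever its length. Both inputs are assumed figures."""
    return math.log2(wordlist_size * rule_variants)


def years_to_exhaust(bits, guesses_per_second):
    """Wall-clock years to try every candidate at the given (assumed) rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e10          # assumed guesses per second
    WORDS = 1_000_000    # assumed wordlist size
    RULES = 1_000        # assumed mangling-rule variants per word
    dict_bits = dictionary_bits(WORDS, RULES)
    print(f"dictionary word + rules: {dict_bits:5.1f} bits, "
          f"{years_to_exhaust(dict_bits, RATE):.2e} years")
    for pw in ["falconchamps2010", "p1nKp@tch3s4biLLy", "bradleyisabluepumpkin"]:
        bits = brute_force_bits(pw)
        print(f"{pw:24s} {len(pw):2d} chars, alphabet {alphabet_size(pw):3d}: "
              f"{bits:5.1f} bits, {years_to_exhaust(bits, RATE):.2e} years")
```

The brute-force figure is an upper bound, not a promise: “falconchamps2010” scores well on length and character mix, yet the article rightly calls it a bad password, because an attacker who knows the family can reach it through the dictionary-plus-rules column, where length barely matters. Length pays off only when the password is not assembled from guessable pieces, which is exactly why the article pairs the length rule with the “something only you know” rule.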
Don’t: Use the same password on more than one site.
This is a hard habit to break, and even geeks and technical people fall prey to using the same password on multiple sites. The reason it is discouraged: if the password you use on a crafting forum is the same one you use at your bank, and the forum is hacked, the attackers now have your personal information and the password to your online banking.
You should have a password that is unique and used for only online banking. If you do online banking and then manage loan payments via another financial source, then you need a unique password for that as well. Never use the same password between financial sites.
Password management tools will help you keep track of these passwords. We’ll cover them later for those who are interested.
The reason these tools are so valued is because once you have created a personal password, you need to keep track of it, and writing it down or storing it in a text document is a bad idea.
Don’t: Share your password with friends or family
Passwords are personal. They are something that should never be shared with only a few exceptions. One such exception pertains to parents. Parents should always have the passwords to any account their child maintains online for safety reasons. Otherwise, there is no real need to share passwords. This is just a good habit to get into.
Do: Test your password and create a new one on a regular basis.
You spend time creating passwords, so you should check the results of your efforts. This link from Microsoft will help you check password strength.
Once checked, you need to form a habit of picking new passwords quarterly at the least. Most experts will say monthly, but to some this is unreasonable, so quarterly is fine. The only exception to this rule is the password used for financial or other sensitive access. This password must be changed monthly for best protection.
Password management tools
The Tech Herald spent some time reviewing password managers. Many security applications have them built in, such as Norton, McAfee, Kaspersky, etc., and they work great. At the same time, there are some seriously easy-to-use and effective third-party password management offerings out there worth a look.
First, two years later, we still maintain that PassPack is the most impressive Web-based password management offering we have ever tested in the TTH Labs. It sits in the browser, and offers single click access to your passwords free of charge. They recently launched paid offerings, but with 100 passwords available, the free offering is your best bet. [PassPack]
We tested LastPass 1.51.2 on Firefox and Internet Explorer 8, and we were pleased overall with the results. (They are on version 1.70.1 now.) LastPass was easy to use, and because of this, the majority of users who try it out will likely never use anything else for their password needs. [LastPass review]
RoboForm was another password manager we tested in the TTH Labs. RoboForm is one of the most recognizable password managers on the market. It works in both Firefox and Internet Explorer, and once you get over a learning curve, is a snap to manage and use. It’s a commercial application however, so you’ll want to use the trial version first and upgrade if you like what you see. [RoboForm review]
The other password manager we looked at in the past was KeePass. KeePass could best be described as a small and portable warehouse for your passwords. KeePass isn’t the be-all and end-all of password management software, but for a free application that is OSI (Open Source Initiative) certified, there is a lot of care taken to keep the program useful and small. In all honesty, this is a killer little application. [KeePass review]
Again, as we mentioned in 2008, password management software can come in handy if you have trouble remembering passwords. These tools also help you manage and rotate your passwords on a regular basis.
While not a replacement for solid password creation or an excuse to use a poor password, these managers can help relieve some of the stress.