Thursday, Jul 12th 2012
A month or two ago I was providing passwords to a new client via text message when he replied, “How do you come up with these?” Although the password made sense to me, I took it as a compliment that it was gibberish to him, as that would make it that much more difficult for a password-cracking program to figure out.
How secure (i.e. difficult to guess, figure out, or crack) is your password? Is it a word in the dictionary? How long is it? Does it mix upper- and lower-case letters with numbers and other characters? Is it your birthday, or the birthday of someone close to you? Is it your address, or perhaps your favorite Bible passage? Not good.
Do you use the same password across all web sites and computers just to keep things simple? Even worse!
Do you talk the IT security talk but fail to walk the IT security walk? Shortly before going out of business, a former client of ours would get IT security assurances from me regarding backups, passwords, etc. His data had been ripped off before and he wanted to be sure things were locked down tight. He also demanded that his user account have full administrator-level access to the network. Even though he had no idea what to do with that access, it made him feel more in control. Unfortunately this gentleman could not handle remembering and entering a password any more complicated than his initials followed by 12345. How long do you think that would stand up to a brute-force attack? Talk about a gaping hole in security!
But, he is not alone. PayPal says that two out of three people use just one or two passwords across all web sites with web users averaging 25 online accounts. A study by PC Tools found that men were the worst offenders – 47% of them use just one password compared to 26% of women.
Last month hackers posted the password hashes of 6.46 million LinkedIn users. The hashes were unsalted SHA-1, so a large share of them were cracked within days. If you missed that news, you’d be well advised to log in and change your password. The Gawker Media breach of late 2010 likewise exposed its users’ most common passwords. The list included “password,” “123456,” “qwerty,” “letmein,” and “baseball.”
If you have any similar passwords, change them ASAP and develop a system for creating new ones. Pass-phrases are more effective, such as “I enjoy eating fudge.” Now disguise it a little by swapping numbers and symbols for some of the letters, plus a dash of enthusiasm at the end: 13nj0y3@t1ngFudg3! The I was replaced with a 1, the Es become threes, an @ symbol replaces the A, and so on. (This is substitution, not encryption: password-cracking tools such as John the Ripper and hashcat apply exactly these letter swaps as “rules” to every word on their lists, so most of the strength comes from the length of the phrase, not from the swaps. A longer phrase that isn’t a well-known saying beats a short one with clever symbols.) If your dog’s name has been your traditional password, go ahead and keep using it, but employ the above technique to beef it up. For example, let’s say your password has been your super fluffy dog, Spot. Change your password to the passphrase “spotissofluffy,” then disguise it as: $p0t!$$0F1uFFy!. It might be tricky to enter at first, but I promise that it will become second nature, and your bank account and proprietary company data will be that much more secure.
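To make the recipe concrete, here is a small Python script added for this post (it is not the author’s tool). It applies the letter swaps from the two examples above, shows the “character classes to the power of length” figure a brute-force strength meter reports, and then runs the kind of dictionary-plus-rules attack a cracker would actually use, hashing candidates with unsalted SHA-1 like the LinkedIn dump. The swap tables are reconstructed from the examples (the post maps “i” to 1 in one and to ! in the other, so there are two tables), and the word list, the “jd12345” stand-in for “initials plus 12345,” and the one-billion-guesses-per-second rate are all constructed for the demo.

```python
"""Added illustration of the passphrase-with-swaps technique (not the post
author's code). Word list, initials and guess rate are constructed."""

import hashlib
import itertools
import string

# Swap tables reconstructed from the post's two examples. The post maps "i"
# differently in each, so each example gets its own table.
TABLE_FUDGE = {"i": "1", "e": "3", "a": "@", "o": "0", "f": "F"}
TABLE_SPOT = {"s": "$", "o": "0", "i": "!", "l": "1", "f": "F"}


def substitute(phrase, table, suffix="!"):
    """The post's recipe: drop spaces, swap mapped letters, add a suffix."""
    out = [table.get(ch.lower(), ch) for ch in phrase if ch != " "]
    return "".join(out) + suffix


def naive_keyspace(password):
    """Size of the alphabet actually used, raised to the length: the number a
    brute-force meter assumes an attacker must search."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def brute_force_seconds(password, guesses_per_second=1e9):
    """Worst-case brute-force time at an assumed (constructed) guess rate."""
    return naive_keyspace(password) / guesses_per_second


def sha1_hex(text):
    # Unsalted SHA-1: the scheme behind the LinkedIn leak mentioned above.
    return hashlib.sha1(text.encode()).hexdigest()


# Mangling rules applied to every dictionary candidate. The post's own swap
# tables are among them, which is why the disguised form is not safe.
RULES = (
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: substitute(w, TABLE_FUDGE, ""),
    lambda w: substitute(w, TABLE_SPOT, ""),
)
SUFFIXES = ("", "!", "1", "123", "12345")

# Constructed word list: pet names plus a few common English words.
WORDLIST = ("spot", "is", "so", "fluffy", "my", "dog", "the", "cute")


def rule_attack(target_hash, wordlist, words_per_phrase=4):
    """Combinator attack: glue words together, apply each rule and suffix,
    hash, compare. Returns (plaintext or None, guesses made)."""
    guesses = 0
    for combo in itertools.product(wordlist, repeat=words_per_phrase):
        base = "".join(combo)
        for rule in RULES:
            for suffix in SUFFIXES:
                candidate = rule(base) + suffix
                guesses += 1
                if sha1_hex(candidate) == target_hash:
                    return candidate, guesses
    return None, guesses


def demo():
    weak = "jd12345"  # constructed stand-in for "initials followed by 12345"
    strong = substitute("spot is so fluffy", TABLE_SPOT)
    found, guesses = rule_attack(sha1_hex(strong), WORDLIST)
    return {
        "weak_brute_force_seconds": brute_force_seconds(weak),
        "strong_brute_force_years": brute_force_seconds(strong) / 31_536_000,
        "strong_recovered": found,
        "strong_guesses_with_rules": guesses,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.3g}" if isinstance(value, float) else f"{key}: {value}")
```

The brute-force figure says the initials-plus-12345 password falls in about a minute and the disguised passphrase would take trillions of years, yet the rules attack recovers $p0t!$$0F1uFFy! in well under two thousand guesses once “spot,” “is,” “so” and “fluffy” are on the list. The lesson is the one in the text: the swaps are a known trick, so pick a long phrase the attacker cannot assemble from a short list.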
If you want to enjoy that level of password security but don’t feel up to tracking them all in your head, there are password managers such as LastPass. This free and popular program will record passwords as you enter them. The next time you go to the site, LastPass will enter the password for you. The stored passwords are encrypted under a single master password, which you’ll have to remember on your own, so make that one a long passphrase you use nowhere else, and turn on any second-factor option the manager offers.
This just in: check out this super cool tool, zxcvbn, from the folks over at Dropbox. Enter a password like the ones you use and see how long it would take to crack. Unlike a plain brute-force meter, it looks for dictionary words, dates, keyboard patterns and common letter swaps, so its estimates are more honest. It runs in your browser, but it is still wise to test a password of the same shape rather than the real one. I was happy to see that the examples provided above would take "centuries." You can check out the demo here: http://dl.dropbox.com/u/209/zxcvbn/test/index.html