Thursday, February 2, 2017

Password Creation & Management

Password creation and management is one of the first things you should consider when thinking about web security. Everything you do on theinternet, including accessing it in most cases, will require a password. This is the very base of your pyramid of web security.

Knowing how to properly create and manage strong passwords is the perfect  place to start the security discussion. Just putting this chapter’s tips into practice gives you a heads up on the vast majority of web users out there.

The following steps will ensure you create great passwords:

1. Avoid The Obvious - The first thing you have to do is avoid the obvious. Do not use anything like your name, birthdate or even any of your interests. Remember, not all hacks come from some mysterious stranger overseas. A lot of problems can arise, right in your own house - from friends, roommates, parents or children. Don’t choose something that someone could guess!

You will also want to avoid the common passwords that every noob uses. That might be a bit harsh but if you use something off of the top ten most used passwords list (shown below - courtesy of Huffington Post) then you are a noob!

rockyou (name of the site these pws were hacked from)

So as you can see - avoid the numbers in order, avoid the name of the website you are using and the actual term password. Not shown, but equally bad - using “admin”, copying your username or leaving it blank!

2. In Fact Don’t Even Use a Word - No matter how clever you think you are - don’t even choose a word - English or foreign. Any word that can be found in the dictionary can be cracked using a brute force attack. If you insist on using a word then make sure you connect more than one word with
numbers and symbols (more on that below). If you choose a single word that is in the dictionary (any languages) you are wide open for a hack.

3. Sorry, Size Matters - I know it is easier to remember 5 digits than 9, but guess what? Size counts! If you chose a random string of 6 lowercase letters (or worse a 6 letter word) it would take 10 minutes for a hacker to use a brute force attack to figure that password out. Ten minutes to test
every possible combination of letters. To avoid this, or at least severely lengthen the time it takes, make sure your password is longer than 6 characters. I would say try to aim for 9 or more characters. Might seem like a lot to remember, but a phone number with area code is ten digits, and we all have many of those memorized. If you have a password 9 characters in length - it will take the same program about 4 months! And that is before we add variety...

4. Mix Up Characters - To maximize your password’s security you need to mix up your characters. This means you need to add symbols (%@#), numbers and mix up the case of your letters (capitals and lower case). The best passwords will have all different types of characters. Remember the time it would take to crack passwords mentioned above? Well if you have a password that is 9 characters in length, has upper and lowercase letters, plus symbols and numbers - it would take 44 530 years to hack that password!

If you keep those 4 very simple points in mind, then you will create great passwords that are virtually “unhackable”. Creating passwords and managing them though are two different things. Following this blurb are some points you need to consider about HOW to use these great passwords.

1. Have More Than One - This is probably the single most important password management tip. Don’t use the same password everywhere on the web. If you do, you highly increase the chance of having it compromised. If someone is able to glean your password on one site they may be able to put 2 and 2 together, and access other accounts you own. Some of these accounts could be really important. Memorizing a new password every site is hard (impossible?), but you should have at least 3 strong passwords that you use for different things. You can break down your passwords into 3 categories:

A Level - These are passwords that are super important, and direct access to them could directly lead to financial trouble. (i.e. Online Banking or Paypal)

B Level - These passwords are also important, and while getting hacked could cause trouble, the hacker won’t be able to clear a bank account, or run up credit. (i.e. eMail, Twitter or Facebook)

C Level - These passwords are for random free accounts online. (i.e. Message Board, Blog Comments or Fantasy Sports)

If you are going to try to go with just several different online passwords, try not to mix them up between categories. You can also make your own categories if you want. For example, for those people who work online, an FTP or Hosting password, could very well be an A-Level. Use your own
common sense when deciding which category a password would fit in.

2. Change Password if Compromised - If you ever have your password compromised - then you need to change it ASAP. This seems like it isn’t worth stating, but I have seen it far too much. Not only do you have to change the compromised password, you also have to change all of the other accounts tied to that password. That might seem like overkill, but it is the most basic step to take if you have a password hacked. You should not avoid this, no matter how annoying it may be to change all of those passwords. This is yet another reason to make sure you don’t just use one password!

3. Don’t Be Afraid to Use Software - For people who have a whole bunch of passwords, you can consider using software for password management. This is especially helpful for people who work online, we sign up for so many accounts, that remembering passwords can be tricky!

There is paid software that can help you out. Roboform is the first that pops into my mind. I have never used it but it seems popular. The reason I have never used it is because I found KeePass, a free password management tool that works on any operating system.

Keepass will keep all of your passwords for all of your sites. You have to manually enter the info but once it is in there, it is kept in it’s own encrypted file. Another great feature is that KeePass will create passwords for you. Of course, they will offer the chance to enter the number of characters you want, and will include numbers and symbols as well.

If you follow these three tips, your passwords will be managed about as well as they can be. Remember, even if you haven’t been compromised, you should still consider changing your password every 6 months or so. This might seem like a hassle, but it will help ensure your online safety.

No comments: