Perhaps plenty of people have previously pontificated prudent password procedures for all their various online accounts but I, for one, have not. What I mean by password procedures is what method should be used for deciding on which password to use on which account. I was recently reading about a list sold on the cyber blackmarket containing hundreds of thousands (or more?) of usernames/passwords/websites that those combinations can be used upon. The reason hackers were able to generate such a list was that people are too lazy (or lack the proper security procedures) when signing up for new accounts online and often use identical login/password combinations on either some or all of their online accounts. This means that if one of the 50+ websites you have an account on gets compromised, then all your accounts are effectively compromised. One disturbingly common mistake people tend to make is signing up for new accounts that require an e-mail address and using the same password on the new account as they do for the e-mail address they provided (I am willing to bet with great certainty that many people who read this post have made this mistake with their sdmb account!).
Has anyone solved this problem? I am aware of password-storing software that would allow unique secure passwords for each account while encrypting the list of your passwords with a ‘master key’ but this isn’t suitable for many people like myself who rely on a variety of different devices to access their various accounts (mac desktop, mac laptop, pc desktop, pc laptop, iphone & public terminals).
It obviously isn’t practical to use a completely different password for every website, but perhaps there is a happy medium that I have not considered?
There are programs that do this via USB, so the software holding all your passwords is portable. You can use a biometric fingerprint scanner specifically built for this purpose, or you can use a flash drive with one of many password managers installed on the USB drive itself. For the superparanoid, you could use this entertainingly-strong flash drive for that purpose.
You could also carry around your passwords on this gizmo which you would hold on a keychain and which would store all the passwords in a database.
Really, though, the most important thing here is to generate strong passwords. Crackers will look for passwords without numbers first, and then without numbers in between alphabetical characters. Names, pet names, and common words should be out entirely. Good passwords look like vqdbm3n (a password I used a couple years ago), mn4k7a, and lut6fudp. They look totally random at first, and in fact they are. But when you use that master password regularly, you eventually learn it very, very well. I think my ability to perfectly recall vqdbm3n after not using it for years shows that it's totally possible to remember these seemingly-random passwords.
I have one password that I use for random sites, and a completely different one for my email, so my email would not be compromised if my pw on some website was discovered. One technique if you need to remember a complex password fast is to make a long acronym and “leet” it up a bit.
You could start with the phrase “I love Cecil with all my heart and soul.”
This could be translated into:
IlCwam<3&s
This uses the 4 major types of characters, lowercase, uppercase, numbers, and special characters.
I have a computer security book someplace in my library that contains a list of only 300 passwords. That list supposedly contains 80 percent of all passwords often used to protect various accounts, world-wide. People are just not very inventive at creating passwords.
I create passwords from made up acronyms, and events out of my life that only I know about. For example, a simple password to remember is GwTw1939. It stands for Gone With The Wind, 1939. Or perhaps, 4Sa7ya, meaning “Four Score and Seven Years Ago …”
Just don’t write it down and use a Post-It note attached to your monitor!
Yes, it may not be practical, but my federal employer requires a unique password for every access account I possess. The password history goes back at least ten iterations for each account, a password must contain at least 8 characters (from a defined, specialized alphanumeric list), no password can contain more than two consecutive characters that may have been used in a previous password and I cannot use any part of my name (and a few other personal details) when creating a new password. Each account requires a password change no more than every 90 calendar days.
Oh, yeah. I have about 50 accounts. Practicality is a royal PITA. So is trying to remember all of them. The best I can come up with is a personal password database program that contains my accounts and passwords, all protected by a 16-character password on a TrueCrypted Flash drive.
The use of strong passwords like IlCwam<3&s or vqdbm3n would not solve the problem unless one uses different passwords for every website.
I know thelurkinghorror mentioned that they have a separate e-mail password, and I do too, but I still find myself re-using passwords based on the perceived ramifications of the account-in-question being compromised. For instance, I will use a relatively insecure password for a scrabbulous (online-scrabble) account, and a secure password for an ebay account. But I still find myself reusing the insecure passwords too often.
The Mandylion system looks like it might solve my problem, though it would suck to not be able to access an account just because I left that device at home. Also, it would be imperative to have a back-up or two of the passwords, or a few extra devices in case it was lost.
Just make a really strong password. My old one that I never use anymore for anything was:
k4t6+iS9L_8F?*
It's honestly not that hard to remember. I used that password for most of my accounts except email, that way I could always reset them if those accounts ever got into.
Well, the only alternative to a physical unit which you would have to bring with you is an online password manager. Several of these do exist, but if you’re paranoid I guess it wouldn’t seem safe to you. I’d guess that they would be really fucking sturdy, but you seemed to be concerned with worst case scenarios.
The US military uses Mandylions; I’d expect they are plenty stable. It would be tough to lose if you keep it with your other keys on a keyring.
Disclaimer: I have never actually used a Mandylion. I’m not nearly paranoid enough for that. It just looks like the most efficient solution.
Not really true at all. The way cracking passwords virtually always works is simple brute-force methods of testing a list of passwords against a list of usernames. If you have a truly unique password, your risks of getting hacked are astronomically small. There are way, way, way bigger risks that you go through every day without thinking if you use a password like
"k4t6+iS9L_8F?*".
Missed the edit window to add:
Those wordlists aren’t really sold on the cyber black market too often; they’re freely available all over the place. Usually, they aren’t lists of confirmed username/password matches. Instead, they’ll literally be lists of words - an entire dictionary, plus a list of usernames and particularly common passwords (12345, etc). The cracker then tests that against a big list of usernames scraped from the web. If they’ve got a lot of time or computing power, they’ll use a program that expands the wordlist by appending digits to the end of the words on the list. If they’re really committed, they’ll do the same, but allow digits anywhere in the word.
As you can see, this progressively expands in complexity. A password like k4t6+iS9L_8F?* is nearly unbreakable, simply because of the enormity of the search that the cracker would be employing. It’s entirely random, and it’s 14 characters. There are usually roughly 70 allowable characters, if you include alphanumerics and special characters like +, ?, and _. The number of permutations of passwords that have 14 characters of 70 possible options is inconceivably large - it’s 14^70, or 1.6941915 × 10^80. There are only 7 × 10^22 stars in the entire visible universe. No computer could compute that many permutations on earth, probably even if it were calculating since the earth was formed. And even then, you have to run each set of 10^80 passwords against every username on the list.
In short: No, you’re pretty safe with a good password.
It doesn’t matter how clever a given password is. If you use it on a large number of websites, it is not unlikely that one of those websites will be compromised over the course of say, 3-6 months. Now if the web designer was reasonably competent, they encrypted their website’s account list, but I can assure you that many coders neglect to perform this simple task. Even if they do encrypt their list, once the server is compromised, any data sent to it (i.e. your password) is no longer secure.
Consider again my example from the OP, the massive internet-wide master-list of specific username/password/accounts that was being traded on the black market. Those passwords were absolutely not brute-forced, they were compiled by cracking into sites and then applying the compromised login combos to other common sites.
What I do is combine a memorable phrase with some more characters that are derived in some not too obvious fashion from the website’s name. So every password is different, I don’t have to memorise anything except the phrase and the simple method I use to encode the website name, and yet my passwords are all different and their relation to their website is not immediately apparent. Depending on the scheme you use for combining the two parts, the passwords need not even look similar.
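One concrete way to build the "phrase plus something derived from the site name" scheme described in the post above, added here as an example (it is not the poster's method, whose encoding is deliberately left unstated). It swaps in HMAC-SHA256 for the derivation step: the phrase is the key, the normalised site name is the message, so every site gets a different password, none of them reveal the phrase, and the same site typed as a URL or as a bare host gives the same result. The master phrase, the site names, the 64-symbol output alphabet and the four character classes are all assumptions of the example.

```python
import hashlib
import hmac
import string

# Output alphabet of exactly 64 symbols so that one keyed byte modulo 64 is unbiased.
SYMBOLS = "!_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def normalise_site(site: str) -> str:
    """Reduce a URL or host name to a short canonical form so that
    'https://www.Example.com/login' and 'example.com' yield the same password.
    Simplification: keeps only the last two labels, so 'shop.example.co.uk'
    would become 'co.uk'; a real tool would consult the public suffix list."""
    host = site.strip().lower().split("://")[-1].split("/")[0].split(":")[0]
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def derive_site_password(master_phrase: str, site: str, length: int = 16) -> str:
    """Derive a per-site password from the master phrase and the site name.

    HMAC-SHA256 keyed with the phrase over the normalised site name gives 32 bytes
    that look random and cannot be reversed to the phrase; a second HMAC over that
    tag supplies bytes for the shuffle. The first four characters are forced, one
    per character class, then a keyed Fisher-Yates shuffle spreads them out."""
    if not 4 <= length <= 32:
        raise ValueError("length must be between 4 and 32")
    key = master_phrase.encode("utf-8")
    tag = hmac.new(key, normalise_site(site).encode("utf-8"), hashlib.sha256).digest()
    stream = tag + hmac.new(key, tag, hashlib.sha256).digest()  # 64 keyed bytes

    # One guaranteed character from each class (the 26- and 10-symbol classes get a
    # slight modulo bias, which does not matter for this illustration).
    chars = [cls[b % len(cls)] for cls, b in zip(CLASSES, stream[:4])]
    chars += [ALPHABET[b % len(ALPHABET)] for b in stream[4:length]]

    # Fisher-Yates driven by the remaining keyed bytes so the forced characters
    # do not always sit at the front.
    for i in range(len(chars) - 1, 0, -1):
        j = stream[length + i] % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    phrase = "I love Cecil with all my heart and soul."  # constructed master phrase
    for site in ("https://www.Example.com/login", "example.com", "ebay.com"):
        print(f"{site:32} -> {derive_site_password(phrase, site)}")
```

The trade-off this makes visible: a leaked password for one site does not give away the others, but everything rests on the phrase, so it has to be long, and a site that caps the length or forbids "!" or "_" still needs a per-site override, which is the case the thread's later posts about inconsistent password rules run into.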
You need to step back, take a breath and look at what you’re protecting.
A password to read the NY Times? All but worthless. Things like bugmenot actually can make it truly worthless.
Your password here? Facebook? Blogger? Still not particularly valuable and not exactly state secrets.
Your password to amazon.com? If you have One-Click enabled, it’s a direct line to drain your credit card or bank account. Might want a good password here. Similarly for eBay - someone could start bidding or just hitting “Buy It Now” items and put you on the hook for a lot of money.
The password for your online banking? You really want a good password here.
Now, how do you keep track of them?
Write them down.
You heard me. Make them strong and write them down and keep them in your wallet. People are surprisingly good at protecting small pieces of paper, especially when they’re something called money. If you can keep the money in your pocket safe, what’s one more slip of paper?
I use normal words as passwords. I use a different one for every use. At work, I switch them every thirty days and never use the same one twice. I don’t use “password” or my birthday or my dog’s name or anything obvious like that. I just pick a random word. So if you feel like it, have a seat and try to log on to my account. I’ll come back next week and see how you’re doing.
By then, your data will be toast. Look up “Dictionary attack.”
I do note that no one has used the one rule I use. That tends to confirm my feeling it’s a good one – if people aren’t thinking of this, hackers probably aren’t, either.
In addition to everything else, make the first character a non-alphanumeric character: %p@55w<rd is going to be tougher to crack, since nearly everyone starts with a letter (and sometimes with a number).
When I started my present position at a financial services firm, I discovered every account’s username and password, including his own SSN, neatly printed out and posted on a cork board next to the computer! He’s my security poster child.
Our company allows “cyclic” password changes, e.g. password1, then reset it to password2 the next time. Using this technique, one might use a base password (naturally, somewhat difficult to guess!) and change the extension to match the account. As an example,
FWIW, I encourage my users to use some easy leet (leet lite?) techniques in combination with employing acronyms or something from the user’s past.
We are allowed to keep passwords written, although they must be locked up. I like the idea of keeping it in a wallet! Unfortunately, some feel that nobody would EVER think of peeking under the keyboard, so keep their lists taped there. It’s an ongoing battle (sigh).
One problem is that computers get faster and disk drives get larger, while the human brain’s capabilities are not improving. Password crackers now have access to sophisticated algorithms, very fast processors, and huge amounts of file storage space. It isn’t just easily guessed passwords that are at risk. Completely random passwords are also vulnerable if they are too short, and what is “too short” is a moving target. 80-bit crypto keys are considered to be just adequate for today’s environment by many people. That’s equivalent to about a 12 character password, randomly selected from the printable characters on the keyboard. Can you memorize a completely random string of 12 characters?
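A worked version of the arithmetic behind two earlier posts, the one describing how a wordlist grows as digits are appended or inserted and the one just above equating an 80-bit key with roughly 12 random printable characters. This is an added example, not code from anyone in the thread; the search space is computed as alphabet_size ** length, the 100,000-word dictionary and the 1e10 guesses-per-second rate are assumed figures, and the 70-character alphabet is the earlier poster's estimate.

```python
import math
import string

# 94 is the count of printable ASCII characters excluding space; 70 is the
# earlier poster's rough figure for the characters a site usually allows.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ALPHABET_94 = len(PRINTABLE)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from an alphabet
    of `alphabet_size` symbols: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` of entropy over the alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def appended_digit_candidates(word_count: int, max_digits: int) -> int:
    """Wordlist size after trying every word with 0..max_digits trailing digits."""
    return word_count * sum(10 ** k for k in range(max_digits + 1))


def inserted_digit_candidates(word_length: int, max_digits: int) -> int:
    """Candidates for one word of `word_length` letters with 0..max_digits digits
    inserted at any positions: comb(word_length + k, k) placements * 10**k values."""
    return sum(math.comb(word_length + k, k) * 10 ** k for k in range(max_digits + 1))


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed figures: the 300-word list mentioned in the thread, an assumed
    # 100,000-word dictionary, and an assumed offline rate of 1e10 guesses/s.
    print("300 words + up to 2 trailing digits:", appended_digit_candidates(300, 2))
    print("one 8-letter word + up to 2 digits anywhere:", inserted_digit_candidates(8, 2))
    print("100k words + up to 4 trailing digits:", appended_digit_candidates(100_000, 4))
    print("14 random chars over 70 symbols:", keyspace(70, 14))
    print("bits for 12 random printable chars: %.1f" % entropy_bits(ALPHABET_94, 12))
    print("length needed for 80 bits over 94 chars:", length_for_bits(ALPHABET_94, 80))
    print("years to exhaust 70^14 at 1e10 guesses/s: %.3g"
          % years_to_exhaust(keyspace(70, 14), 1e10))
```

The point the numbers make is the one the post makes in words: every expanded wordlist above is a tiny fraction of the random keyspace, which is why a dictionary-derived password falls to the first strategy and a random one does not, and why the "adequate" length shifts as guess rates rise.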
I’ve taken to using a password manager, and randomly generating the ones that matter. Use it often enough, and you can remember any string. After fishing it out of the password safe a dozen times, I have it committed to memory. If I’m not using it that often, I can just go the manager when I want it. As observed, most password managers are small enough to install on a thumb drive, or you can install it on a couple of machines and copy the data file around as needed.
An entire dictionary - in which language? I agree that using the words in a dictionary is asking for trouble, but how would the person know what language my passwords are in?
My pet peeve that I always bring up when I post in a password thread: The list of characters allowed in a password, the minimum length of a password, and the maximum length of a password are different at every place that asks you for a password. For example, my online bank would not accept the password you suggested because of some of the special characters.
I once used a password for a large online store (think woman_warrior.com). When I went to a foreign division of that online store (woman_warrior.fr) I was supposed to be able to use the same password. But the password I used at woman_warrior.com was too long according to the password guidelines for woman_warrior.fr! The only message I got back was “invalid password”. It took me forever to figure out.
Any user interface that asks you to “enter new password here:” should also include the following information to aid you in creating your password:
list of characters allowed in password - most important
minimum length of password
maximum length of password
any other rules (i.e. must contain at least one special character, or one digit, or cannot be the same as your username)
If dictionary passwords are too easy to guess, then the programmers writing the password routine should help protect people by disallowing users from using dictionary words for a password.
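The four items the post above asks a "new password" form to state, plus the dictionary-word rejection, as a small policy object that both prints its rules and reports every specific violation instead of a bare "invalid password". This is an added example, not code from the thread or from any site it mentions; the bank policy, the allowed character set and the four-word sample dictionary are constructed for illustration.

```python
import re
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Everything a 'choose a new password' form should tell the user up front."""
    allowed: str
    min_length: int
    max_length: int
    require_digit: bool = False
    require_special: bool = False
    dictionary: frozenset = frozenset()  # lowercase words judged too guessable

    def describe(self) -> str:
        """Human-readable rules to print next to the password field."""
        lines = [
            f"allowed characters: {self.allowed}",
            f"length: {self.min_length} to {self.max_length} characters",
        ]
        if self.require_digit:
            lines.append("must contain at least one digit")
        if self.require_special:
            lines.append("must contain at least one special character")
        lines.append("must not contain your username or be a dictionary word")
        return "\n".join(lines)

    def check(self, password: str, username: str = "") -> list:
        """Return every rule the password violates, with the reason spelled out;
        an empty list means the password is acceptable."""
        problems = []
        disallowed = sorted({c for c in password if c not in self.allowed})
        if disallowed:
            problems.append("characters not allowed: " + " ".join(disallowed))
        if len(password) < self.min_length:
            problems.append(f"too short: {len(password)} < {self.min_length}")
        if len(password) > self.max_length:
            problems.append(f"too long: {len(password)} > {self.max_length}")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("needs at least one digit")
        if self.require_special and not any(not c.isalnum() for c in password):
            problems.append("needs at least one special character")
        if username and username.lower() in password.lower():
            problems.append("must not contain the username")
        # Dictionary check modelled on the simplest wordlist expansion: strip
        # leading and trailing digits/symbols and look up the remaining stem.
        # Leet-style letter substitutions are not decoded here.
        stem = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
        if stem in self.dictionary:
            problems.append(f"'{stem}' is a dictionary word")
        return problems


# Constructed sample policy and a tiny constructed dictionary.
SAMPLE_WORDS = frozenset({"password", "welcome", "letmein", "scrabble"})
BANK_POLICY = PasswordPolicy(
    allowed=string.ascii_letters + string.digits + "!@#$%^&*_",
    min_length=8,
    max_length=12,
    require_digit=True,
    require_special=True,
    dictionary=SAMPLE_WORDS,
)


if __name__ == "__main__":
    print(BANK_POLICY.describe())
    for candidate in ("k4t6+iS9L_8F?*", "Password1!", "Gw7w#1939"):
        print(candidate, "->", BANK_POLICY.check(candidate, "alice") or "OK")
```

Run against the 14-character password quoted earlier in the thread, the sample bank policy reports both the two characters it does not accept and the length overrun, which is exactly the information the woman_warrior.fr form withheld.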
I share your peeves, Arnold Winkelried. If a bank wants to have stringent password requirements, fine, because it is my money, and they would also suffer if my info was compromised. However, some of the toughest password requirements I have seen are always on the most mundane websites, and there is no personal or financial information that can be stolen from those websites. I have seen more security on things that pay bills than on things that allow money to be taken from me.
I run into problems similar to that on “that website” (come on, just say Amazon!) all the time when they accept an input, but don’t check their requirements when you enter it. My name has a non-alphabetic character in it, and many systems will either allow it or tell me right out that it is unacceptable, and would I please change my name for the time being? However, sometimes it is accepted initially in that part of the system, but everywhere else would have unexplained problems with access because it didn’t like my name.
When I worked at a bank, I had to set my password 4 separate times in order to change it. When it is about to expire, it is no problem to change it, but it is more difficult to reset if your time isn’t up for my main system password. Apparently my new password was acceptable to that one system, but the other three would not allow it. I was dealing with remembering which of the two passwords goes to what over the next 8 weeks.