Password Policy

Password Reuse

I thought I would start my blog with a little word of advice to all my friends about securing your online identity. The problem, as Mr. Munroe so deftly explains, is not so much how strong or weak our passwords are, but the fact that we reuse them all over the place.  I would say that password complexity is also an issue, but you have to pay attention to both.

On the one hand, using the same, very hard to crack password on all systems might not seem so bad, especially if you are one of those people who don’t think they have much of an online presence. But if someone gets your email password, they have access to EVERYTHING, because then they could reset your password on other accounts you have as well as create new accounts in your name.

At the other extreme, you could use a password locker like KeePass (a very good program, which I highly recommend).  KeePass lets you store your passwords, has an easy way to copy your password to the clipboard (for pasting into the password entry box), and can automatically generate long random passwords for every online account you maintain.  This is an excellent approach for those who want maximum security, but it is a bit too technically challenging and tedious for most.

So for people like my children, my non-technical friends, extended family, etc., let me offer the following strategy:

  1. Maintain 3 or 4 passwords for use with different categories of websites.
  2. Create STRONG passwords.

For instance, your strongest, most secret password would be for your main email account.  This one is never used anywhere else, never shared with anyone, and only typed in on computers you trust.  Then have a second password for financial sites – your bank, your credit card, your insurance company, etc.  This one should also be very strong, but you may use it in several places.  Again, only enter this password on computers you trust.   Select a third password for your social networking sites, your Diaspora account, your Cubbi.es account, your Twitter account, even (gasp) your Facebook account.  And then finally have a password for all those myriad sites that make you create an account before you can get in.  These are the sites you may never visit again, and in which you’ll have very little investment.  Four passwords shouldn’t be too hard to remember, should they?

Now, as for passwords, what is a strong password?  It is a password that has a high degree of randomness, which means that it’s very difficult to predict.  This is why passwords like “password”, “123MainStreet”, and “123456789” are weak — they are all common sequences.  A password like “Abithiwtitb” is stronger because a) it’s long, and b) it doesn’t follow any easily recognizable sequence.  A truly random sequence of characters is hard to remember.  So how do we create apparently random passwords that are easy to remember?  Easy — pick a medium length phrase that you can remember.  To create the sequence above, I used “A bird in the hand is worth two in the bush”.  Then take the first letter (or the second letter, or the last letter, or whatever pattern you like) of each word and use it as the next character of your password.  Finally, put some non-letter characters into your password, either by replacing certain letters or by inserting them somewhere.  So, we could make “Abithiwtitb” a bit stronger by replacing one of the i’s with a 1, the t (for two) with a ‘2’, and adding a ‘#’ symbol, like this: “Ab1thiw2itb#”.  This is a pretty strong password.

Just for comparison, I submitted some of these passwords to a password strength-o-meter and here’s what I got:

Password                    Strength
123456789                   4 - Very weak
Abithiwtitb                 35 - Weak
Ab1thiw2itb#                95 - Very Strong
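To make the recipe above concrete, here is a small Python script I am adding as an example (it is not part of the original post, and it is not the strength-o-meter I used for the table). It derives “Abithiwtitb” from the phrase, applies the positional substitutions that produce “Ab1thiw2itb#”, and then scores each candidate with the same kind of naive character-class model that most strength meters use, plus a block list. The block list, the guess rate of ten billion guesses per second, and the year conversion are assumptions made up for the example; the model deliberately gives zero credit to anything on the block list, and the comments flag that an acronym of a famous proverb is weaker than the charset math suggests.

```python
"""Added example: derive a memorable password from a passphrase the way the post
describes, then score it the way a simple charset-based strength meter would."""
import math
import string

# Constructed block list standing in for a real list of leaked/common passwords.
COMMON_PASSWORDS = {"password", "123456789", "123mainstreet", "qwerty", "letmein"}

# Assumed offline guess rate (guesses per second), used only to turn bits into time.
ASSUMED_GUESSES_PER_SECOND = 1e10


def acronym_password(phrase: str, letter_index: int = 0) -> str:
    """Take one letter from each word: index 0 = first letter, -1 = last letter."""
    letters = []
    for word in phrase.split():
        core = word.strip(string.punctuation)  # ignore trailing commas, periods, etc.
        if not core:
            continue
        if letter_index >= len(core) or letter_index < -len(core):
            raise ValueError(f"word {core!r} has no letter at index {letter_index}")
        letters.append(core[letter_index])
    return "".join(letters)


def substitute_at(password: str, replacements: dict) -> str:
    """Replace characters at the given 0-based positions, e.g. {2: "1"} turns the
    third character into a '1'. Positions outside the password raise an error."""
    chars = list(password)
    for position, new_char in replacements.items():
        if not 0 <= position < len(chars):
            raise IndexError(f"position {position} is outside the password")
        chars[position] = new_char
    return "".join(chars)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search if all they know is which
    character classes the password uses (the model most strength meters apply)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return pool


def naive_entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size).
    Caveat: this overstates strength for acronyms of well-known sayings, because an
    attacker's wordlist can include them; treat it as an upper bound, not a guarantee."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def strength_report(password: str) -> dict:
    """Score a password; block-listed passwords get zero credit regardless of length."""
    blocklisted = password.lower() in COMMON_PASSWORDS
    bits = 0.0 if blocklisted else naive_entropy_bits(password)
    seconds = (2 ** bits) / ASSUMED_GUESSES_PER_SECOND
    return {
        "password": password,
        "blocklisted": blocklisted,
        "bits": round(bits, 1),
        "years_to_exhaust": seconds / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    phrase = "A bird in the hand is worth two in the bush"
    base = acronym_password(phrase)                          # "Abithiwtitb"
    hardened = substitute_at(base, {2: "1", 7: "2"}) + "#"   # "Ab1thiw2itb#"
    for candidate in ("123456789", base, hardened):
        print(strength_report(candidate))
```

Running it prints one report per candidate; the ordering matches the table above (the block-listed digits score zero, the plain acronym lands in the middle, and the version with a digit, a second digit and a symbol scores highest), but remember that the bits reported are a ceiling, since the phrase itself is a proverb anyone can look up.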

So, I hope this has been helpful.  Post questions to the comments section.

About dbfiore

I was born a wretched sinner, utterly lost and without hope. But by the grace of God, I am a redeemed member of God's holy family, and I will live forever with my Lord and Savior, Jesus Christ, to the everlasting glory of the father.
This entry was posted in Security.

4 Responses to Password Policy

  1. Michael Smith says:

    I’ve heard a lot said about the insecurity of WiFi networks. Someone said that even typing your bank password at home can be dangerous because someone parked outside or nearby can hack in and read it. Care to comment? Or perhaps you could have a post about WiFi security. (as in, not just trusting the computer, but the network you’re using)

    • dbfiore says:

      You raise two important issues, Michael. The first is the security of WiFi Networks. In the old days, WiFi routers were configured to use unsecured communication by default. It used to be very easy to stroll around your neighborhood, hop on any of a dozen open networks and surf the net. And once you are on someone’s WiFi network, if you happen to have a packet sniffer, you could read anything that went across the wire in plaintext. These days however, most WiFi routers are configured to use encrypted communication by default. So today, the average person who goes to their local electronics store, buys a router, takes it home, and turns it on, gets a pretty secure network by default. I say pretty secure because any security measure can be circumvented. Your goal is not prevention (which is impossible), your goal is to raise the cost of infiltration.

      The second issue you raise is that of entering in your password on a computer and sending it over the internet, irrespective of the transport medium. This probably deserves its own post, but for now, let me say that when you sit at your computer and type in a password you are trusting your computer, the connection from your computer to the computer receiving your password (which includes many systems and disparate administrative domains), and the computer at the other end. At any step along the way from your fingertips to the AC power plug on the remote computer, there are vulnerabilities which could, in theory, be exploited. Once the packet leaves your computer it traverses many systems, under the control of many different people, where it can be copied and stored for later analysis.

      Let’s assume for the moment that there is no malware running on your laptop capturing your keystrokes and sending them off to Kazakhstan. Let’s assume also that your bank has a stronger culture of security than that of the office of the president of Syria (See Bill E’s comment). Assuming your laptop and the remote computer are trustworthy, the two can communicate securely using encryption. Banks, Google, and many other sites use this method transparently, meaning you don’t have to do anything special on your end to make use of encryption with these sites. Your browser will tell you if it is using a secure method of communication, but depending on your browser, how it tells you will be different. I use Firefox 10.0.1, which is the latest version (always update your browser, the updates often patch recently discovered security holes). To the left of the URL for the page I am on, my browser inserts a little banner. If I hover over the banner, it tells me a little about the site’s identity. If I click on the banner, it will tell me if I am using an encrypted connection to the remote site or not.

      So, the most important thing to pay attention to when entering in your password is, am I using a secured connection? If you are, you don’t have to worry too much about whether the packets traverse un-secure networks (they all do). Your bigger worry is, what happens if the remote site is run by criminals (movies for FREE!), or if not criminals, what if they get hacked, like the FBI did. That’s why you want to use different passwords for different classes of sites, and keep your email password extremely safe (never use it anywhere else).

  2. Bill E says:

    Nice job dbf…

    One question: if I submit my passwords in your comments section, can you post back which ones are strong?

    Enjoyed this story about the same…
    http://www.techdirt.com/articles/20120208/03295517697/syrian-presidents-email-hacked-his-password-was-12345.shtml

    • dbfiore says:

      Hi Bill, Yes of course, post all your passwords here and I’ll tell you how strong they are. Better yet, just email them to everyone@gmail.com.

      Your link shows just how little attention so many people pay to their online security. I guess some folks just figure it’ll never happen to them…
