Choosing Passwords

Password security is a relatively easy concept, if properly explained, but is often misunderstood, because it is often not well explained.  I will try to set a foundation for secure password management here.

Security Objectives

When we create an account on a service and assign a password to it we are setting up a system that will let us have convenient access, but will protect us from people who will attempt to use our account against us maliciously.  To give ourselves convenient access we need to be able to remember our password. To prevent others from using we need to make it something that cannot be guessed.  Another often overlooked objective is keep our various passwords different to each other, so that in the event of one account being compromised the attackers the attackers are no closer to accessing other account elsewhere.  This last objective is often seen as complicating the others by creating hundreds of password to remember.

These are the 3 objectives you should have for every password:

  1. Memorability
  2. Guess-proof
  3. Uniqueness

Memorability

I could outline a dozen methods I have found people using for doing this and many people will have many more, but I will give you my recommendation:  Write it down.  However, you should be recording it in a place that is secure and that only you have access too, but which is with you in any place you are likely to need it.  I will cut straight to the chase here by throwing a few ideas together and then telling you what they add up to: the internet; smart phones; a folder on your pc as a single location where it is all recorded.

Whenever I make a new password for anything I create a file that has all the information I need to use for that service.  I save this file in a folder called passwords.  This folder resides in my Dropbox folder.  I have the Dropbox app on my smartphone, so I can look at these wherever I am.  Note: Once you do this keep a pin or password for access to your phone and every computer that synchronizes your dropbox.

Guess-Proof

Now that you are recording your passwords, somewhere secure, it should be easy to add the mix off numbers, letters and other characters that have always proven too inconvenient.  As a rule of thumb you should mix upper and lower case characters with at least one number and at least one symbol, with the numbers and symbols in the middle somewhere.  The reason for this is that there are career criminals who are very good at their jobs, but here is an overview of the basics.

Me, the career hacker (I am not really), has a list of websites I want access to; another list of email address I have collected off the internet; and I have the dictionary.  I write a program that systematically goes to the websites and attempts to log in with any one email and any one word from the dictionary.  I let the program runs millions of times.  I record my successes and failures.  Because I am not stupid, I know that a lot of passwords are a word from the dictionary with a number 1 after them, or 01 or 2.  I try these too.  I also try the 4 digit number for a random year in the last 80.  Because I have a program doing all this for me and I also try dozens of the easiest way to remember passwords.

Here’s hoping this has scared people into using symbols.

Uniqueness

For a moment longer I am going to pretend to be the hacker above again.  Having captured email addresses off the internet, and used common words and number combinations and gained access to dozens of accounts somewhere with the password MyDog01, I now go to other websites and use the same email and password combination to log in.  I change whatever I want in these accounts.  I order things.  I send myself money.

Staying Secure

This article was designed to give people ideas about how to create and manage secure passwords.  Examples about my own practice have been changed, obviously, to protect my own security, but I hope this gives people ideas about how to create and maintain secure passwords.  To summarize, you should keep a secure record of your passwords because this will give to the freedom to use a variety of complex passwords.

Posted in Security