Saturday, February 4, 2012

Making Strong Passwords – and Keeping them Safe

Everyone is totally crazy about security these days – especially computer security. We’ve all got antivirus software, a firewall, spyware scanners, and god knows what else loaded up on our PCs to protect ourselves from the “evils” of a networked world.
Some of us choose to use certain operating systems that we believe are inherently secure, while the reality is quite different. I remember hearing all about how “ultra-secure” OS X Tiger was in comparison to Windows XP. I know a lot of people who believed this, and who even went out of their way to harp on XP and how insecure it was. Well, there have been numerous updates for Tiger and Leopard that were sent out from Apple HQ. Guess what? There were scores of security vulnerabilities in OS X. What really might shock you is that the vulnerabilities in OS X read like a list of XP security holes (see here and here and here). That’s right, just because Apple tells you OS X is safer doesn’t mean that it’s actually true! Go figure!
Of course, there’s also Linux. In some respects, Linux is safer. In others, it’s no different than XP and OS X. Personally, I prefer Ubuntu and Vista at the moment. But the bottom line is that when it comes to security, it’s up to you to keep your data safe. The first and best way you can do that is to create and use strong passwords!

Two of the biggest problems I have seen in the way that most people use computers are:
  • Not using passwords at all
  • Using silly passwords that are easily hacked
First, let’s examine not using a password at all.
In Windows XP, a user account password is not required. Neither is an administrator password. I’m guessing that you might never even have heard of the Administrator account if you’re using XP. If you installed XP yourself, you had the option of setting the Administrator password during installation. If you didn’t, it’s easy enough to fix.
  • Click Start -> Control Panel -> Administrative Tools -> Computer Management
  • In the left-hand pane, click the + next to “Local Users and Groups”
  • Click the “Users” folder
  • In the main pane, right click “Administrator” and choose “Set Password”
  • Set an Administrator password
A shortcut for the first step is to right-click My Computer and select “Manage”. Note that if you’re using Windows XP Home, the process is a bit more involved:
  • Reboot your computer.
  • Hit F8 just after the BIOS bootscreen is displayed. This will bring up the XP boot options menu. Select “Safe Mode” from the list.
  • Click Start -> Control Panel -> User Accounts
  • Select the “Administrator” account from the list
  • Set/Change the Administrator password
In Vista, you’re already set up. The reason you don’t want a blank Administrator password is because this is one of the primary ways that hackers can do evil things to your computer. No Administrator password is like leaving your doors not only unlocked, but wide open. Anybody can just wander in, and they will wander in because you are basically advertising the fact that you are an easy target.
Alrighty, this brings us around to problem #2: using crappy passwords.
The easiest way to hack most passwords is to try what is known as a dictionary attack. From Tech-FAQ.com:
A dictionary attack consists of trying “every word in the dictionary” as a possible password for an encrypted message.
A dictionary attack is generally more efficient than a brute force attack, because users typically choose poor passwords.
But you’re clever, right? You use “strong” passwords? Guess again:
The first method of improving the success of a dictionary attack is to use a larger dictionary, or more dictionaries. Technical dictionaries and foreign language dictionaries will increase the overall chance of discovering the correct password.
The second method of improving the success of a dictionary attack is to perform string manipulation on the dictionary. For example, the dictionary may have the word “password” in it. Common string manipulation techniques will try the word backwards (drowssap), with common number-letter replacements (p4ssw0rd), or with different capitalization (Password).
Okeydokey. So, how do you make a REALLY strong password?
A good password should be a random combination of letters, numbers, and punctuation marks. The longer, the better. But there is one problem with strong passwords: they can be really hard to remember!
What we need is a good way to make a strong password that looks random but actually has a meaning to you, without being something that a person who knows you could guess. Absolutely the #1 BIGGEST mistake that people make is to use a spouse’s birthday, birth year, your dog’s name when you were a kid, etc. Let me be perfectly blunt: passwords like that are UTTER CRAP.
So, how do you make a good password?
It’s easy. First, at the time you are choosing the password, look around you. Say you are in your basement, and there’s a painting on the wall. It reminds you of a trip you took as a child to a big lake. You remember that the name of the boat you took out on the lake was “Minnow”. That’s a good start. But “minnow” is a dictionary word, so you can’t use it. And don’t just reverse it and use “wonnim”. Too easily hacked!
So let’s take “minnow” and work with it. You also see a photograph of an old race car that has the number “23” on it. Fabulous. You now have “minnow” and “23”. Now, let’s say that thinking about boats and race cars reminded you of a time in high school when you were doing a report on the history of transportation. You worked and worked on your report, only to find that somehow, half your report went missing after you turned it in. You got a 50%. Ouch.
We now have “minnow”, “23”, and “50%”. All these concepts are linked together in your mind through a sort of “stream of consciousness” process, but they don’t mean much to anyone else. But now we have to make the password strong.
  • Wrap “23” around “minnow”, giving you “2minnow3”
  • Change the spelling of “minnow” to something phonetic that is preferably NOT in a dictionary: “2mynno3”
  • Add “50%” in a creative way (between the double-n): “2myn.5%no3”
  • Throw in some capitalization (Y=yes, I DID write the whole report!): “2mYn.5no3”
  • Add some more punctuation for good measure because you were REALLY upset about that “0.5” on your report: “2mYn.5no3!”
And there you have it: 2mYn.5no3!
It makes no sense to anyone else, but when you think about it, it WILL make sense to you since you are the one who went through the very human process of generating a pseudo-random sequence of characters that is creatively linked together in a way that is unique to you. In fact, I think you might be surprised just how easy it is to remember passwords like this. In letting your mind wander and allowing the creative half of your brain to play with the logical half, you are in fact performing an “exercise” that is strikingly similar to those in certain “whole brain” courses and books. Ya know, the kind of courses that are supposed to make you smarter, improve memory, etc…
Well, in any case, give it a try. You’ll be surprised at the results! Just remember that you shouldn’t follow my example above; let your mind wander and lead you to the perfect, easy-to-remember password!
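To show why the reversal, number-for-letter and capitalization tricks quoted above don’t fool a dictionary attack, here is a small checker (an added example, not part of the original post) that undoes those manipulations before looking a password up. The word list is a constructed stand-in for a real cracking dictionary, and the minimum length of 10 is an assumption, not a figure from the post.

```python
"""Flag passwords that are just a dictionary word run through the common
manipulations a dictionary attack already tries: reversal, leet
substitutions (p4ssw0rd), re-capitalization, and digits/punctuation tacked
onto the ends. Added example; the word list below is a constructed sample."""

# Constructed stand-in for the word lists a dictionary attack would use.
WORDLIST = {"password", "minnow", "secret", "letmein", "dragon", "welcome"}

# Common number/symbol-for-letter replacements, mapped back to letters.
LEET_TO_PLAIN = {"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
                 "5": "s", "$": "s", "7": "t"}

# Characters users typically add to the front or back of a word.
PADDING = "0123456789!@#$%^&*.,?-_"


def normalize(text: str) -> str:
    """Undo capitalization and leet substitutions: 'P4ssW0rd' -> 'password'."""
    return "".join(LEET_TO_PLAIN.get(ch, ch) for ch in text.lower())


def candidate_forms(candidate: str) -> set[str]:
    """Every base word the candidate could be a mangled form of."""
    low = candidate.lower()
    forms = {normalize(low), normalize(low.strip(PADDING))}
    return forms | {form[::-1] for form in forms}  # 'drowssap' -> 'password'


def is_dictionary_derived(candidate: str, wordlist: set[str] = WORDLIST) -> bool:
    """True if some un-mangled form of the candidate is a plain wordlist entry."""
    return any(form in wordlist for form in candidate_forms(candidate))


def weaknesses(candidate: str, min_length: int = 10) -> list[str]:
    """Reasons a candidate falls short of 'letters, numbers and punctuation'.
    An empty list means the checker found nothing to complain about."""
    problems = []
    if is_dictionary_derived(candidate):
        problems.append("derived from a dictionary word")
    if len(candidate) < min_length:  # assumed minimum, not from the post
        problems.append(f"shorter than {min_length} characters")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no digits")
    if not any(not ch.isalnum() for ch in candidate):
        problems.append("no punctuation")
    return problems


if __name__ == "__main__":
    for pw in ["drowssap", "p4ssw0rd", "Password1!", "wonnim", "2minnow3", "2mYn.5no3!"]:
        print(f"{pw:12} {weaknesses(pw) or 'ok'}")
```

Note that the intermediate step “2minnow3” is still caught, because stripping the digits off both ends is exactly what a cracker’s rule set does; only once the spelling no longer matches a dictionary word does the password survive the lookup.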
Alright, now what happens when, like me, you need to store literally hundreds of passwords? Well, that starts to become a rather large load for my poor brain to handle. A tool is needed to store the passwords.
I know some OSes come with a password storage mechanism, but I don’t use them. I don’t trust them. I prefer something open source, which generally will be a bit more secure because everyone is looking at the code trying to make it better. My personal preference is KeePass.
If you visit the KeePass download page, you’ll find versions available for Windows, Mac, Linux, mobile phones, Blackberry, PalmOS, U3 devices, and so on. You’ll also find the source code!
I highly recommend getting the USB stick version. It doesn’t have an installer, which means you can simply unzip it into the folder of choice, and make your own shortcut to the program on your desktop. When you need to take your passwords with you, you just copy that folder over onto a USB stick, and off you go.
The data in KeePass is stored with a good (and selectable) multi-pass encryption scheme that you can actually customize yourself. You can make it ultra-secure, or just mostly-secure. It’s up to you. KeePass is small, light, fast, and updated regularly. Currently, KeePass 2.07 Beta is out. Best of all, it’s completely free and completely open source.
There is a slight learning curve with KeePass, although not what you might expect. It just may take you a few days to explore all its numerous options and to optimize its very well-designed database. You can create your own categories in the database, such as “E-mail Passwords”, “Online Stores”, etc. You can store whatever kind of data you want. You can even customize how long username/password data remains on the clipboard before being removed automatically, and the program protects against clipboard spies that may be running on your machine as you are copying/pasting passwords into web pages.
It may sound complicated, but it’s really quite handy and very simple to use once you play around with it for a bit.
So, get out there and make some strong passwords! And if you just have too many passwords to deal with and you need a good place to store them, check out KeePass!
