Following on from last week’s post, today we will look at how to make better passwords, how to manage them and how to detect potentially insecure Web sites before giving them a password. If you missed the previous post, you may want to start there first for some background: Think your passwords are secure? Think again!
So, you want to be more secure online and have better passwords. How? Well, some of it depends on your level of concern (dare I say, paranoia) and your willingness to exercise some effort to be more secure. Let’s start with what everyone should avoid doing.
Avoid poor password practices
Do not reuse passwords. You have likely heard this before. The principle is simple. Just as you do not have the same key for every lock you own, you do not want the same password for every account. If you use the same password everywhere, then when it is breached at one site, nefarious persons can use it everywhere else. So, limit your risk by using a unique password for each site where you create an account.
Do not use common words. As illustrated by the high-speed, pattern-based password cracking in last week’s post, passwords that consist of common words are easy to overcome. Even little tricks such as combining two words with a digit or other character in between do not make your password secure.
Do not use well-known patterns. This is an extension of the prior point. Since password crackers have a treasure trove of real-world passwords, all the ways in which people have been making their passwords easy to remember, yet secure-looking, are not secure.
For example, always ending your password with an exclamation point or series of digits (myPassword123!), changing certain letters into numbers (myP455w0rd), taking the first letter of each word of a popular phrase (TBoNTBTitQ), and so on, have been done for ages. If it has been done, it is known and being incorporated into password cracking tools.
Do not write your passwords down. Good passwords are difficult to remember, but they are useless if they are written on a Post-It note stuck to your screen, keyboard or under your desk. So, store your passwords in a secure password manager that properly encrypts your account information; then the only password you have to remember is the single strong one that unlocks the password manager. More on this later.
Do not give your passwords to anyone. This sounds obvious and perhaps even silly. However, many systems are breached by social engineering passwords directly from the account owner. No one needs to know your password except you. If you call a service, such as your bank, for help or to access information and the agent asks, innocently or not, for your password, just refuse. “Just say, no.”
Do not put real answers in security questions. Security questions, which are intended to increase the security of your account, actually reduce its security when used in the typical fashion. Think about it. Which is easier to guess or find on your Facebook page, a long random-character password or the name of your pet?
Most security questions ask for mundane things such as the names of relatives, teachers, schools, etc. Some now ask for your frequent shopper card or library card number, which is even easier to crack. Answers to these questions all breach the “do not use common words and patterns” rules mentioned earlier. Use a strong password as an answer to a security question if you have to have security questions on your account. Then, save the answers in a password manager.
Create good passwords
Although an eight-character password composed of uppercase and lowercase letters, digits and special characters is not as safe as it once was, it is the basis for creating a good password.
The best method is to use a tool to generate unique passwords. Most password managers have a random password generator built in and provide some level of customization. Ensure that all valid characters are used when generating passwords and make the password as long as possible. If a site allows 16 characters, use them all. If you can use 50, go for it. The more, the merrier.
Another method is to pad one or more shorter passwords with a pattern of characters to increase its length as much as possible. This method is described on Steve Gibson’s Password Haystacks page at GRC. It is potentially less secure than a completely random password of equal length because repeated patterns are sure to become part of the password cracking regimen. Nevertheless, it provides the benefit of longer passwords with less to remember. If you are using a password manager to store your passwords, there is no need to use padding.
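As an added example (not from the original post or any password manager mentioned in it), the following Python generator does what the two paragraphs above recommend: it draws uniformly from every character the site allows, at the maximum length the site accepts, and it reports the search space in bits so you can compare a fully random password with a padded one of the same length. The special-character set and the demo parameters are assumptions; substitute the site's actual allowed characters.

```python
import math
import secrets
import string

# Character classes. SPECIALS is an assumed set; pass the site's real allowed
# characters as the alphabet if they differ.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIALS = "!@#$%^&*"
FULL_ALPHABET = LOWER + UPPER + DIGITS + SPECIALS


def generate_password(length, alphabet=FULL_ALPHABET):
    """Return a uniformly random password of `length` characters drawn from
    `alphabet`, containing at least one character from every class that the
    alphabet includes. secrets.choice avoids modulo bias, unlike random.choice."""
    classes = [c for c in (LOWER, UPPER, DIGITS, SPECIALS) if set(c) & set(alphabet)]
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject and redraw until every class is represented; this trims the
        # search space only negligibly and keeps the result uniform otherwise.
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def search_space_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def padded_search_space_bits(total_length, secret_length, alphabet_size):
    """Entropy of a padded password (Gibson-style) once the padding pattern has
    been learned by a cracker: only the secret part still contributes."""
    if secret_length > total_length:
        raise ValueError("secret part cannot exceed the total length")
    return search_space_bits(secret_length, alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print("random 20-char password:", pw)
    print("random 20 chars: %.1f bits" % search_space_bits(20, len(FULL_ALPHABET)))
    print("8 secret chars + 12 padding chars: %.1f bits"
          % padded_search_space_bits(20, 8, len(FULL_ALPHABET)))
```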
Manage passwords securely
Since complex, long, random passwords are difficult for most of us to remember, use a password manager to securely store all of your passwords. A good password manager will use strong encryption to make access to the password database extremely difficult to circumvent. Of course, you must also secure the password manager with a complex and long password. However, it is only one password to have to remember.
PasswordSafe is the password manager I started out using many, many years ago. It is a Windows program and, the last time I used it, also ran fine on Linux under Wine. The only reason I stopped using it is that I wanted to have one tool with compatible clients on more operating systems.
I have been using KeePass for several years now. It is available for Windows, Linux, Mac OS X, iOS (iPad, iPhone), Android, BlackBerry, Pocket PC, Windows Phone 7 and even Palm OS. Note that not all clients work with all versions of KeePass databases. Version 1.x compatible clients cannot read version 2.x password databases. There are many other password managers out there and several are likely safe to use as well. I certainly have not tried them all.
In addition, online services such as LastPass will integrate with your Web browser and encrypt your passwords before sending them to be stored on their servers (in the Cloud). Modern Web browsers such as Firefox and Chrome can take care of this themselves if you enable the feature. If you are very wary of your passwords going anywhere, do not use an online password manager or use it only for low-security passwords.
Watch for the warning signs of an insecure site
Even the best passwords may fall instantly when they are stored at Web sites that do not practice proper security. For example, if your password is stored as-is in a database and that database is stolen, your password will be available simply by looking in the database. It could be a million characters long, but that would not matter at all.
Following are some warning signs that your password might be at risk at a Web site or other online service.
Severely limited password length. If your password cannot be more than 8 characters, for example, it is possible that it is being stored in an insecure fashion using reversible encryption or no protection at all. A properly-implemented password storage system can handle a password of any length. A reasonable limit of 100 or so characters may be enforced to prevent excessively long form data, but you should be wary if you have to use fewer than 12 characters.
Strange restrictions on character selection. If your password is limited to only uppercase letters, only digits or cannot contain some or all special characters (e.g., any of !@#$%^/&*), it is possible that it is being stored insecurely. Such limitations also weaken the password by reducing the possible combinations of characters. Again, a properly-implemented password storage system is not limited in this way.
You receive your password via email. This can occur either when you create your account or when you reset a “forgotten” password. No one should know or be able to extract your password, not even the service itself. The ability to email your password is a bad sign that a hacker could get access to it too. In addition, any service that emails your password to you is not security conscious because unencrypted email is not a secure form of communication.
A customer service agent can give you your password. This is related to the email situation described above. If someone can access your account password from their terminal when you call for help, the database is insecure. No one should be able to extract, view or disclose your password, even if ordered to do so by a court of law.
A site tells you that your username is incorrect even without a password. This behavior, although intended to help you know what you did wrong, also helps someone to figure out the correct combination of username and password to get into your account. A good site will not distinguish between the wrong username, the wrong password or both. Instead it will display an ambiguous message such as, “Sorry. The username or password is incorrect.”
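To make the last warning sign concrete, here is an added example (not code from the original post) showing a login check that leaks which part was wrong beside one that always returns the ambiguous message from the paragraph above, plus a small self-check a site operator can run against their own login function. The user store, salt and PBKDF2 verifier are constructed for the demo and are assumptions, not a recommendation for a particular hashing scheme.

```python
import hashlib
import hmac
import secrets


def _verifier(password, salt):
    # Stored credential verifier for the demo (assumed scheme; low iteration
    # count to keep the example quick).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _verifier("correct horse", _SALT))}  # constructed
# Dummy record so an unknown username does the same work as a known one,
# keeping response times similar for both failure cases.
_DUMMY = (_SALT, _verifier(secrets.token_hex(16), _SALT))


def login_leaky(username, password):
    """Confirms valid usernames to anyone: the failure message differs."""
    if username not in USERS:
        return "Unknown username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_verifier(password, salt), stored):
        return "Incorrect password."
    return "Welcome."


def login_ambiguous(username, password):
    """Same message whether the username, the password, or both are wrong."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_verifier(password, salt), stored)
    if ok and username in USERS:
        return "Welcome."
    return "Sorry. The username or password is incorrect."


def responses_distinguish_users(login, known_user="alice"):
    """Self-check for a site operator: True if the login function's failure
    message reveals whether a username exists."""
    return login("no-such-user-constructed", "wrong") != login(known_user, "wrong")


if __name__ == "__main__":
    print("leaky login leaks usernames:", responses_distinguish_users(login_leaky))
    print("ambiguous login leaks usernames:", responses_distinguish_users(login_ambiguous))
```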
What should you do if you are subject to a site that exhibits one or more of these problems? First, complain! Call them, send emails, do something so that they know that people actually care about security. Then, realizing that whatever your password is supposed to secure may not be all that safe, determine if you want to use the site or service.
Well, this post has gotten pretty long. Next week we will switch to the software developer view of password security.
What password manager do you use or recommend? Let us know in the comments.