Two things are prompting this post: first, the recent leak of LinkedIn passwords, and second, family and friends’ email accounts getting hacked. It’s amazing to me how many posts there are on the Internet about password security, and how little attention people pay to them. One could say that much of the weak-password demographic doesn’t read tech blogs, and that if they did, they wouldn’t understand most of the post. Even then, I’ve had friends in the tech industry who should know better and still ended up with hacked accounts. So, while I might be reaching a limited demographic, and those I am reaching may not care, I’m covering it anyway.
To prevent your account from being compromised because of its password, you need to do only two things:
1. Use different passwords for every account online
This is probably the most difficult step for most people. Remembering 100 or more passwords can be a major pain in the butt. Everyone has their own way of doing it, but from what I’ve seen, most people reuse a single password on multiple accounts. This is especially critical for finance and corporate accounts: no one really cares if your personal email or fitness account is hacked, but you might care when your savings are emptied, and your boss might care if sensitive data is leaked.
So, I would recommend the following system for using a different password on every account. First, generate and print a password card; I’ve blogged about this before. Essentially, your passwords are stored in plain text on the card itself: you pick a row color and column symbol on the card as the starting point, then read off characters from there, and that becomes the password for the account. Second, install KeePass. For every password you create from your card and add to an account, make a note of it in the encrypted database, including where the password starts, the direction it takes, and how long it is. This way, should you forget your starting location, you have an encrypted database that gets you back to every password you’ve created.
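To make the card-plus-KeePass system concrete, here is an added example (my own illustration, not code from the post or from the password card project). It generates a random card grid, reads a password off it from a chosen row color, column symbol and direction, and shows what the KeePass note should contain: only the location, never the password. The row colors, column symbols, card alphabet and directions are assumptions for the example; the real printed card uses its own layout.

```python
import secrets
import string
from dataclasses import dataclass

# Character set printed on the card (assumed for this example).
CARD_ALPHABET = string.ascii_letters + string.digits + "!#%&*+?@"

# Labels for the rows and columns; a user picks one of each as the start cell.
# These labels are an assumption for the example, not the real card's layout.
ROW_COLOURS = ["red", "orange", "yellow", "green", "blue", "purple", "grey", "black"]
COLUMN_SYMBOLS = list("#%&*+?@!~^$=<>[]{}|/:;.,_-()")

# Each direction is a (row step, column step); reading wraps around the edges.
DIRECTIONS = {
    "right": (0, 1),
    "left": (0, -1),
    "down": (1, 0),
    "up": (-1, 0),
    "diagonal": (1, 1),
}


def generate_card(rows=len(ROW_COLOURS), cols=len(COLUMN_SYMBOLS), rng=None):
    """Fill a rows x cols grid with random characters.

    With rng=None the secrets module (a CSPRNG) is used, as it should be for a
    card you actually print.  Any object with a .choice(seq) method can be
    passed instead for reproducible output.
    """
    choose = rng.choice if rng is not None else secrets.choice
    return ["".join(choose(CARD_ALPHABET) for _ in range(cols)) for _ in range(rows)]


def read_password(card, row, col, direction, length):
    """Read `length` characters from the card starting at (row, col)."""
    dr, dc = DIRECTIONS[direction]
    rows, cols = len(card), len(card[0])
    chars = []
    for i in range(length):
        r = (row + i * dr) % rows   # wrap around the bottom/top edge
        c = (col + i * dc) % cols   # wrap around the right/left edge
        chars.append(card[r][c])
    return "".join(chars)


@dataclass(frozen=True)
class CardNote:
    """What to store in KeePass for each account: the start cell, direction and
    length.  Without the physical card the note alone yields no password."""
    account: str
    row_colour: str
    column_symbol: str
    direction: str
    length: int


def password_from_note(card, note):
    """Recover the account password from the card plus the stored note."""
    row = ROW_COLOURS.index(note.row_colour)
    col = COLUMN_SYMBOLS.index(note.column_symbol)
    return read_password(card, row, col, note.direction, note.length)


if __name__ == "__main__":
    card = generate_card()
    print("        " + " ".join(COLUMN_SYMBOLS))
    for colour, line in zip(ROW_COLOURS, card):
        print(f"{colour:>7} " + " ".join(line))
    # Constructed note for a hypothetical "bank" account.
    note = CardNote("bank", "blue", "$", "diagonal", 16)
    print(note)
    print("password:", password_from_note(card, note))
```

Run it once, print the grid, and keep the printed card with you; the `CardNote` fields are exactly the three things the post says to record in KeePass.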
2. Use passwords with a great deal of entropy
I hate “password strength meters”, because they are always completely arbitrary and don’t communicate to the user what that strength is or where it comes from. Usually they just assign points to things like uppercase letters versus lowercase, extra points for symbols and numbers, points for length, and so on. Like playing Tetris, if you fit all the pieces of your password together, maybe you can get a high score. To me, these are pointless and unhelpful. Instead, you should be concerned about the entropy of your password, that is, the size of the search space it belongs to.
Think of entropy like a haystack, and your password as the needle. Aside from burning down the haystack, can you find the needle? Of course, the larger the haystack, the harder it will be to find the needle. I have also blogged about this in the past. Thankfully, Gibson Research Corporation has put together a web application that uses this analogy. Entropy can be defined with a simple equation: the length of your password times the log base 2 of the size of the character set search space. In other words, it’s not arbitrary points; it shows you the size of your haystack. The larger the haystack, the more difficult it will be to find your needle. Play with some passwords on that web site, and you’ll get an idea of how this works.
The key point here, however, is to help people understand how password attacks work. Attackers don’t start by incrementing through the alphabet, starting with ‘a’. Instead, if brute forcing, they will start with common words in a dictionary and popular modifications of those words (think “leet speak”). They will use common phrases, then append and prepend numbers to these dictionary words and phrases. Believe it or not, this is a very effective way to get the vast majority of passwords. Why? Because the haystack is small. Very small. If your needle is in that haystack, it will be found.
So how do you get a larger haystack? First, use uppercase and lowercase letters, numbers and symbols; we want a large character set to search through. But above all, make the password LONG. You would be amazed at how much bigger your haystack is with a 9-character password versus an 8-character password. Length will buy you much more hay than some convoluted, difficult-to-remember, pain-in-the-butt password. Length is key. Different character sets are also important, but length gets you so much more hay.
Think. Think about your haystack. Think about being an attacker. Think about your data. If you would just sit down and think your passwords through, you would be ahead of the game. Remember: different passwords for different accounts, and big haystacks.
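The haystack arithmetic from the last three paragraphs, worked through as an added example (mine, not the post’s or GRC’s code): the search-space size is the sum of the character classes a password actually uses, the entropy is length times log2 of that size, and the haystack volume is size to the power of the length. It also puts a rough number on the much smaller haystack a dictionary-first attacker searches, and the comparison function shows why one extra character beats a convoluted short password. The 100,000-word dictionary, four leet variants per word and the 0- to 4-digit suffix range are assumptions chosen for illustration, not figures from the post.

```python
import math
import string

# Character classes an exhaustive search must cover once a password uses them.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}


def search_space_size(password):
    """Size of the character set a brute-force search has to iterate over."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def haystack_bits(password):
    """Entropy as the post defines it: length * log2(search space size)."""
    return len(password) * math.log2(search_space_size(password))


def haystack_size(password):
    """Number of candidate passwords: search_space ** length (the haystack)."""
    return search_space_size(password) ** len(password)


def dictionary_haystack_bits(dictionary_words=100_000, leet_variants=4, suffix_digits=4):
    """Rough size (in bits) of the haystack a dictionary-first attack searches:
    every word, a few leet-speak spellings of it, and every 0..N-digit suffix.
    The defaults are assumed illustration values, not measured figures."""
    suffixes = sum(10 ** n for n in range(suffix_digits + 1))
    return math.log2(dictionary_words * leet_variants * suffixes)


def compare(a, b):
    """How many times larger password a's haystack is than password b's."""
    return haystack_size(a) / haystack_size(b)


if __name__ == "__main__":
    # Constructed sample passwords; none of these should be used for anything.
    samples = ["password", "P@ssw0rd", "Abcdef1!", "Abcdefg1!", "qzjxkvbwmrpt"]
    print(f"{'password':<14} {'set':>4} {'bits':>6}  haystack")
    for pw in samples:
        print(f"{pw:<14} {search_space_size(pw):>4} {haystack_bits(pw):>6.1f}  {haystack_size(pw):.2e}")
    print(f"dictionary-first haystack: about {dictionary_haystack_bits():.1f} bits")
    print(f"9 chars vs 8 chars, same classes: {compare('Abcdefg1!', 'Abcdef1!'):.0f}x more hay")
    print(f"12 lowercase vs 8 mixed:          {compare('qzjxkvbwmrpt', 'P@ssw0rd'):.0f}x more hay")
```

Two things to notice in the output: the dictionary haystack (about 32 bits under the assumed figures) is far smaller than even an all-lowercase 8-character brute-force space, which is why a word plus a few digits falls so quickly, and the 9-character password has exactly 94 times the hay of the 8-character one with the same character classes.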