Passwords – Creation & Usage – Online Safety & Security
Is your head swimming with the need to create a new password every time you want to use a new online service? Mine is. Are you like me and can’t remember what you had for breakfast, let alone the password you created six months ago for the esoteric website that you want to visit only on the third Thursday of May? Good to know we aren’t alone, isn’t it? So let me help you generate secure passwords and then tell you how I shift the “technological” risk to a “physical” risk.
Let’s start with the message I’ve been sharing for years: passwords should not be a word found in a dictionary. It doesn’t matter if the dictionary is English, French, Chinese, Russian or Swahili; a word found in a dictionary can be broken with ease by any number of the brute-force password attack software packages available off the net. (See Online Safety, USERIDs and PASSWORDs, October 2009)
I recommend 8-14 characters, with letters (mixed case), numbers and symbols. Here is an example of a strong password: s?9stATAS53E . Here is another example of a strong password: N3verU$eWords. In my opinion, both of these will provide similar protection from a brute-force attack. So now that we have a strong password, how can we make sure we don’t undermine its strength? Don’t use it more than once.
What do I mean? The evolution of online crime is as much about your password strength as it is about your password usage. If you use your strong password for shopping site A and then reuse the password for shopping sites B, C, D, E and F, then you are basically saying to yourself, “I trust each of these sites to have the same robust level of security.” The reality is that you are entrusting your password security to the company with the weakest security, a somewhat counterintuitive perspective, but nonetheless true. If for whatever reason your password at shopping site C becomes compromised (say an employee of shopping site C publishes the userids/passwords of customers), then your accounts with sites A, B, D, E and F all become instantly vulnerable. The step from that first compromise of your userid/password to the next account becomes easier for the criminal if you always use the same userid, or if your userid is your email address. Why? Because now they have one known part of the equation, your userid, and they can simply try to log into all of their target sites with your userid and password. So as noted above, use the password once.
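The two rules above (a strong password of mixed character classes, never reused) as an added Python example, not code from the original post: it generates passwords inside the post's 8-14 character range from a cryptographic random source, checks a candidate against the post's policy and against a constructed, deliberately tiny stand-in for a cracking word list, and flags any password that appears on more than one site in a constructed account list. The symbol set, the word list and the account names are assumptions of this example.

```python
import secrets
import string

# Character classes from the post's recommendation: mixed-case letters,
# numbers and symbols. The exact symbol set is an assumption of this example.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"
MIN_LEN, MAX_LEN = 8, 14  # the post's recommended length range

# Constructed, tiny "dictionary" standing in for the word lists a cracking
# tool would try; a real check would load a full word list.
DICTIONARY_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "never"}

# Constructed account list (site -> password) to illustrate the reuse check.
SAMPLE_ACCOUNTS = {
    "Shopping site A": "kav3sAc#a8",
    "Shopping site B": "kav3sAc#a8",   # reused: compromise of A or B exposes both
    "Shopping site C": "d9E=Ruge",
}


def is_strong(password: str) -> bool:
    """True if the password meets the post's policy: 8-14 characters with at
    least one lower-case letter, upper-case letter, digit and symbol."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS, min_word_len: int = 4) -> bool:
    """True if any word of min_word_len+ letters appears as a case-insensitive substring."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_word_len)


def generate_password(length: int = 12) -> str:
    """Generate a password of the given length that satisfies is_strong() and
    contains none of the dictionary words, using the secrets module (CSPRNG)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        # One guaranteed character per class, the rest drawn from the full alphabet.
        chars = [secrets.choice(LOWER), secrets.choice(UPPER),
                 secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
        chars += [secrets.choice(alphabet) for _ in range(length - 4)]
        secrets.SystemRandom().shuffle(chars)  # so the class-guaranteed characters are not always first
        candidate = "".join(chars)
        if is_strong(candidate) and not contains_dictionary_word(candidate):
            return candidate


def find_reused(accounts: dict) -> dict:
    """Map each password used at more than one site to the sites that share it."""
    by_password = {}
    for site, password in accounts.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for example in ("s?9stATAS53E", "N3verU$eWords", "password"):
        print(f"{example!r}: strong={is_strong(example)}, dictionary={contains_dictionary_word(example)}")
    print("generated:", generate_password(12))
    for pw, sites in find_reused(SAMPLE_ACCOUNTS).items():
        print(f"password shared by {len(sites)} sites: {', '.join(sites)}")
```

Note that the dictionary check only rejects substrings of the tiny list above; the post's two example passwords pass it, and a real deployment would swap in a full word list.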
But how can you keep them straight? Some advocate using the tool within your browser (IE, Chrome, Safari and Firefox) to save your password when you log in. There are also commercially available software packages which will corral your passwords for you. Any of those solutions will work. But I like the decidedly low-technology method. I keep two separate lists:
List #1      List #2
Company A    kav3sAc#a8
Company B    d9E=Ruge
Company C    stug+fad$Uruf=
I keep the lists in two separate places in my home, and when I need to remember a password, I can go get my lists and figure it out. Yes, if someone were to break into my home and search thoroughly through the house, they might find my hiding place. But the reality is, treat it like you do your credit card. If you lose your credit card, you cancel the old one and have a new one reissued. If you lose your password, replace it.
So how do I create strong passwords? Here are a couple of password generators that I have used:
Secure Password Generator from PC Tools
Password Generator Tool (available for download) from Source Forge
Ultra High Security Passwords from GRC the perfect password
Any of these three will work just fine.
So remember. Use strong passwords and use the password only once.
How can you retrieve your password if you keep them at home on 2 lists when you are at work, at a friend’s home, or on your phone?
Your solution is a way to never have the password you need when you need it. Locking them in a bank will be the same…
A better solution is a personal algo which permits you to generate and remember a unique password depending on what the password is for.
Then you will never lose any password.
Problem is; almost NOBODY uses such techniques or tools, neither are they willing to do so. By nobody I mean probably <1%, no matter how much we try to convince them.
I like the idea of keeping passwords on two separate lists. I’ll say that it is a better way to keep your passwords secret. Any software can be hacked. But anyway, everything is possible; the impossible just takes longer 🙂
@julian_net
Highly recommend LastPass. Browser plugins and smartphone version makes it easy to use. Top of my list.
My favorite password management tool is KeePass. Keeping them all in there allows me to use strong and different passwords for every site. The downside is that I know very few of my passwords!
Thanks Eli – good to know what tools are being used.