Pages

Saturday, January 15, 2011

Happy New Year - Change your passwords

So at the beginning of the year my wife and have resolved to change all out passwords.   We feel that going forward a yearly rotation of password will help the security of all out online accounts.  I got to thinking this could be a good thing if a significant amount of users would jump on the bandwagon.  Why wait until the scammers actually drain your account?  As a whole we could preempt them.  I'm sure there are lists of cracked accounts just waiting to be culled through.  Resetting your password(s) will nullify all that info. I propose that 15th of January be Global Change Your Passwords Day.

Think of all money that has changed hands for all the cracked accounts lists circulating on the internet.  By collectively changing all your passwords you reduce the value of these lists significantly. Think of it as an anti scammer flash mob. Talk about taking a bite out of crime.

It is NOT a good idea to use the same password for all you accounts. My wife and I use the following scheme for passwords. We segregate passwords according to purpose.  Here are our categories.
  1. Brokerage - Brokerages accounts, 401k etc.
  2. Banking - checking accounts, Loan servicing sites.
  3. Accounts with a Credit Card attached - Amazon, iTunes, Paypal, etc.
  4. Email - all email accounts.
  5. Blogs, other internet logins, twitter, facebook etc.
  6. Throw away accounts
 The reason for this segregation is your exposure is divided across the areas of segregation.  For example if your banking account gets compromised then your other accounts are still safe.  The email account is a special case. Since so many password resets flow through your email account, this account must be protected.  When a password reset email comes in it is a good idea to delete it after you are done resetting the password. The temporary passwords in these emails should be invalid but we do not know how these password systems are implemented.

Choosing a password is half art, half science.  You want to get a password that is easy to remember and associate with the account.  At the same time it needs to be strong enough that it is not easily cracked.  So many sites have a policy of just allowing letters and numbers.  This is just a really poor decision on the part of the website designer.  It really limits the user on the potential passwords that could be utilized.  Unfortunately since some sites do not allow these special characters we are stuck with the least common denominator. 

Strong passwords have some attributes that contribute to the password strength

Length
Complexity
Ease of association
Ease of entry

Unfortunately the processing power of cloud based cracking programs means that length of your passwords will need to increase. An eight character password used to be acceptable.  With the advent of the cloud processing resources this will need to increase to 12-14 characters.

To address complexity a combination of letter and numbers will ensure that your password will be difficult to crack with a dictionary attack  Dictionary attacks utilize a list of dictionary words to compose attempts at cracking your password.  If your password contains a combination of numbers and letters then the complexity is increased, rendering a dictionary attack more difficult.

Ease of association is what allows a password to be memorable. A password that is not memorable is one that will need to be written down, thus destroying the security of the password.  To facilitate your memorizing the password there are some memorable techniques (sorry I could not resist).  Your password could be a phrase like "TheseAreTheVoyages" or "MyDogHasFleas" or "TheShadowKnows".  To add more complexity you should add in capitalization and some numbers.  Using our examples we now have  "TheseAreThe93Voyages" or "MyDogHas23Fleas" or "TheShadowKnows1102".  Each of these is memorable, long enough and complex enough to protect your services.

Another technique to add complexity is lEEt or l33t.  This is a technique for replacing letters with numbers that have similar look. A = 4, S = 5, O = 0, G = 6 B = 8 are examples. Here are our original phrases using l33t. "The5e4reTheV0yages" or "MyD0gH4sFleas" or "TheSh4dowKn0ws"


In a previous post I provided a regex that could be used as a password complexity checker.  For you non programmer types I will be turning this into a javascript powered checker so that you can check your passwords.

Happy Global Password change day!

No comments:

Post a Comment