Not *another* password?

By: 
ddevenney

Background

Passwords can be a royal pain, right?  It seems no matter where we turn on the ‘net, some site or service is asking us for a password.  And with good reason - passwords are probably the number one way we prove who we are.  They allow you to access your email, bank online, purchase goods and access devices such as your laptop or smartphone. In many ways, passwords are the keys to your vault. Now, here’s the problem - if someone has your password, they can steal your identity, transfer your money, access all of your personal information, send a threatening email in your name or act as if they were you.  And it happens all the time.  Consider the following:

  • There are 600,000+ compromised account logins every day on Facebook₁.
  • 27 million Americans have fallen victim to identity theft over the past five years. 9 million of them found their identities stolen in the last year alone₂.
  • It takes only about 10 minutes to crack a 6-character, all-lowercase password₂. There are only about 309 million such passwords, so that works out to roughly 500,000 guesses per second, a modest rate for an attacker working offline against a stolen copy of a site’s password database.

Strong passwords used properly are essential to protecting your identity and information. Let’s take a look at what makes a strong password and how you can use it securely.

Strong Passwords: Passphrases

The problem is that attackers have automated tools that try password guesses at enormous speed, and the tools get better every year. They do not start with random combinations: they begin with lists of common passwords, dictionary words, names, dates and passwords leaked from earlier breaches, and only then fall back to trying every combination of characters (“brute force”). Weak or guessable passwords fall in seconds. The recent iCloud “attack”, where several celebrities had their photos accessed, copied and distributed on the Internet, is a good example: the attackers guessed passwords and security-question answers for individual accounts rather than breaking into Apple’s systems. Never use common information for your passwords, such as your birth date, your pet’s name, your spouse’s or children’s names or anything else that can be easily determined from your social networking posts or a Google search – it’s the quickest way to end up in the same situation as a Hollywood starlet.

Now, if you’re expecting that I’m going to recommend a single password with 8 or more characters, a number and a special character, you’re wrong.  We used to do that, but we found it was just too hard for people to remember, and they responded with predictable patterns (a capital letter at the start, a “1!” at the end) that cracking tools try first. A much better approach, and what we recommend now, is to use multiple words or even a complete sentence. This type of password is called a passphrase, and it is one of the strongest you can use. Its strength comes from its length and from the words being hard to predict, so pick three or more words with no obvious connection to you, and avoid famous quotations, song lyrics or other phrases an attacker could find in a book or a search engine. And, it’s easier to remember than a long string of characters, numbers and symbols!  Here is an example of one:

ham and pineapple pizza


That’s it; it’s that simple. If required, you can make your password even stronger by adding symbols, capital letters or numbers, such as those you see in the example below. This is especially important if you are using a website that does not allow multiple words, spaces or a complete sentence for your password:

Ham and p1neapple P1zza!

Notice how this example uses capital letters. You can also replace letters with numbers or symbols, such as replacing the letter ‘i’ with the number ‘1’ and the letter ‘o’ with the number zero, or use common punctuation marks such as a question mark, period or even spaces. Be aware, though, that cracking tools apply exactly these substitutions automatically (“rules” that swap i for 1, capitalise the first letter or append a “!”), so they add only a little strength; adding another word adds far more. Use them to satisfy a site’s complexity requirements, not as a substitute for length. If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.
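To put numbers on the points above, here is an added worked example (my own code, not part of the original post) that estimates password strength in bits and worst-case cracking time from the size of the search space. The guess rates, the 7,776-word Diceware list and the way substitution rules are counted are assumptions for illustration; the arithmetic is standard (a space of N equally likely candidates is log2(N) bits). Note that the word-count figures assume the words are chosen at random: a phrase people actually say, such as “ham and pineapple pizza”, lives in a far smaller space than three random dictionary words.

```python
import math

# Guess rates and list size are illustrative assumptions, not figures from the post.
ONLINE_GUESSES_PER_SEC = 10          # rate-limited web login form
OFFLINE_GUESSES_PER_SEC = 1e10       # GPU rig against a stolen, fast, unsalted hash
DICEWARE_WORDS = 7776                # size of the Diceware word list (6**5)


def keyspace_chars(length: int, alphabet_size: int) -> int:
    """Number of candidates for a random password of `length` characters."""
    return alphabet_size ** length


def keyspace_words(word_count: int, dictionary_size: int) -> int:
    """Number of candidates for a passphrase of `word_count` random words."""
    return dictionary_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Strength in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / guesses_per_sec


def implied_guess_rate(keyspace: int, seconds: float) -> float:
    """Guess rate an attacker needs to exhaust `keyspace` in `seconds`."""
    return keyspace / seconds


def substitution_multiplier(password: str, subs=("i", "o"),
                            capitalise_words: bool = True) -> int:
    """Upper bound on the extra work a cracking rule set needs to cover every
    way of applying the given letter substitutions (each eligible character is
    swapped or not: 2**n) and, optionally, capitalising each word's first letter.
    This is the most those tricks can add, assuming the attacker tries them."""
    n = sum(1 for c in password.lower() if c in subs)
    multiplier = 2 ** n
    if capitalise_words:
        multiplier *= 2 ** len(password.split())
    return multiplier


if __name__ == "__main__":
    # The post's figure: six lowercase letters cracked in ten minutes.
    six_lower = keyspace_chars(6, 26)
    print(f"6 lowercase: {entropy_bits(six_lower):.1f} bits; finishing in 10 min "
          f"needs {implied_guess_rate(six_lower, 600):,.0f} guesses/s")

    # Random Diceware passphrases of 3, 4 and 5 words, online and offline.
    for words in (3, 4, 5):
        ks = keyspace_words(words, DICEWARE_WORDS)
        print(f"{words} random words: {entropy_bits(ks):.1f} bits; "
              f"offline {seconds_to_exhaust(ks, OFFLINE_GUESSES_PER_SEC) / 86400:.2f} days, "
              f"online {seconds_to_exhaust(ks, ONLINE_GUESSES_PER_SEC) / 86400 / 365:,.0f} years")

    # What 'Ham and p1neapple P1zza' adds over the plain phrase.
    mult = substitution_multiplier("ham and pineapple pizza")
    print(f"i->1, o->0 plus per-word capitals: x{mult} = {entropy_bits(mult):.0f} bits; "
          f"one extra random word = {entropy_bits(DICEWARE_WORDS):.1f} bits")
```

Running it shows the trade-off in the text: the substitutions and capitals in the example add at most 6 bits (64 variants), while one more random word adds about 13 bits, and four random words already exceed the 10-minute figure by many orders of magnitude even against an offline attacker.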

Using Passwords Securely

Strong passwords are no good if you’re not careful how you use them, or if the bad guys can easily steal or copy them.  Here are some tips:

  1. Be sure to use different passwords for different accounts. For example, never use passwords for your work or bank accounts that are the same as the passwords for your personal accounts, such as Facebook, YouTube or Twitter. This way, if one site is breached and your password for it leaks, the attackers cannot simply try the same email address and password against your bank and your work accounts, which is a routine attack precisely because so many people reuse passwords. If you have too many passwords to remember, consider using a password manager. This is a special program you run on your computer or mobile device that securely stores all of your passwords for you, so each one can be long and different. The only passwords you need to remember are the ones to your computer and the password manager program. For your work computer, Royal Roads has a program called “Password Safe” that staff can install and use if they feel they require a password manager.
  2. Never share your password with anyone else, including co-workers. I can’t stress this too much.  Remember, your password is a secret; if anyone else knows your password it is no longer secure. If you accidentally share your password with someone else or believe it may have been compromised or stolen, be sure to change it immediately.  Conversely, don’t let someone else give you one of their passwords.  If there ever was a problem with that person’s account you, as a person who knows their password, might become a suspect.
  3. Do not log into a work or bank account through public computers, such as those at hotels or libraries. Since anyone can use these computers, they may be infected with malware (malicious software) or fitted with devices that record every keystroke, including your password. Only log in to your work or bank accounts on trusted computers or mobile devices you control.
  4. Be careful of websites that require you to answer personal questions. These questions are used if you forget your password and need to reset it. The problem is the answers to these questions can often be found on the Internet, or even your Facebook page. Make sure that if you answer personal questions you only use information that is not publicly available or fictitious information you have made up. Password managers can help with this, as many allow you to store this additional information.
  5. A more advanced security option that’s becoming increasingly popular for on-line accounts is called two-factor authentication, or two-step verification. This is where you need more than just your password to log in, such as a one-time code generated by an app on your smartphone or sent to it by text message. Even if your password is stolen or guessed, the attacker still cannot log in without that second factor, so this option is much more secure than a password by itself. Whenever possible, always use these stronger methods of authentication.
  6. Mobile devices often require a PIN to protect access to them. Remember that a PIN is nothing more than a short, all-digit password: a 4-digit PIN has only 10,000 possible values. The longer your PIN is, the more secure it is, and many mobile devices will allow you to replace the PIN with an actual password.
  7. Finally, if you are no longer using an account, be sure to close, delete or disable it.

References

1 “Naked Security”, security bulletin from Sophos, October 28, 2011

2 “Stop The Hacker”, security blog, April 20, 2012

Don Devenney is a member of the Server, Networks and Telecom Infrastructures team at Royal Roads University and is a GIAC Certified Windows Security Administrator.

 Photo credit: Yuri Samoilov, Creative Commons