Using and remembering strong passwords

Creating and remembering passwords is, for many, one of the biggest hassles of using the 'net. Many people try to short-cut the process by choosing one simple, memorable password for everything, and never changing it. Sometimes they'll keep a note of it either in their wallet, or on their keyboard. In a recent experiment, researchers found that the majority of users would reveal their passwords for a chocolate bar or similar.

But why does it matter? Surely no-one's actually going to bother to hack *your* account - you might consider that:
1) You're not an interesting target
2) There are so many accounts out there that the odds of yours being picked are minimal
3) You're not actually *that* worried about revealing the data anyway, and
4) Your network guy at work or tech friend is just enjoying a bit of scaremongering or a power trip.

Unfortunately, (to use an astoundingly cheap literary construction), it don't work like that. Even chocolate bars aren't required to hack systems; pretty much any password-protected system these days can be hacked automatically - whether it's a website password, an email one, or a server login.

For example, security logs on a little-used, nondescript remote server I help administer reported around 500 password-guessing attacks on Sunday - in three 5-minute bursts. From Poland.

Now, I don't actually know anyone Polish, but apparently they don't care about that. Chances are they didn't know who they were aiming at either - they just fired up a script and went off for a nice cup of something Polish.

I've no idea how many people try and hack my blogs and webmail accounts, as I don't get to see the security logs from those. But I'm sure they're just as fun a target.

So, strike 1), strike 2). Does it matter? Well, if you're talking about a closed system, where you have no privileged data, and you don't mind having everything of yours read and/or deleted, and someone faking your identity to send spam and attack other systems, then, perhaps not. But chances are, there's something in there that you or someone else would rather keep private, and you'd rather protect your reputation from being labelled as a spammer or hacker. And remember that most websites, and many related online systems, will send helpful "reminders" of your password to your email account - so if that's compromised, everything's up for grabs.

Equally, it's not always only your data that your password compromises. For online communities such as Facebook, MySpace or LiveJournal, your password grants access to your friends' private posts, data and contact info. So a compromise of your account could affect a whole lot of people. And at work, a compromise of email can cause major commercial loss or embarrassment (Dear Our Biggest Client, F*ck Off, signed My Hacked Account), or loss of data (Someone used your access to delete the financial records? Sure, we have backups - but they're yesterday's data, and we'll have to take the system down for half a day to restore them.).

So, hopefully, strike 3). Oh, and 4)? We've got *much* better things to do than scare people, trust me. Working out why the server keeps hiding the boss' email is a particular favorite, for example.

So, if you believe that you need a secure password (and I really hope you do), how do you create one for each of the dozen systems you use?

Well, if it's any consolation, I apparently have over 350 passwords. I use a secured password manager to hold this lot. Most of you will have a rather less scary task.

Livejournal, for example, will happily tell you what a secure password looks like:
http://www.livejournal.com/support/faqbrowse.bml?faqid=71 says:

Your LiveJournal password must meet the following requirements:

* 6 to 30 characters long.
* 4 different characters.
* 1 number or symbol.
* ASCII characters (characters found on a standard US keyboard).
* Not based on your username, email address, displayed name, or a commonly-used password.

Yeah, fine, but how on earth are you going to remember it without writing it down and so risking people seeing it?

There are a few tricks, which provide a range of levels of security:

1) Use two words, joined by a number, and misspell one of them (skwid8KIPPER)
2) Play "catchphrase": e.g. 9tiSTITCHme approximately equals "A stitch in time saves 9"
3) Take the initial letters of a favourite book, act, album or track, e.g.:
40SoR:KSR (40 signs of rain, Kim Stanley Robinson)
pT3L3X-RH (Planet Telex, Radiohead)
4) This trick also works well with near-random phrases, which (research suggests) you'll recall better if they're slightly rude or outrageous (mbFsl99YoG - my boss' feet stink like 99-year-old gorgonzola, nouns capitalised). PS - boss - they don't, it's just an example, really.
5) Don't use licence plates, mother's maiden name, pet names, phone numbers - you'll run out, and someone will guess anyway.


But, if the attackers are using automated tools, what good does a "secure" password do anyway?

Well, the good news is that these automated tools can't practically "try" all password strings - for an 8-character password, for example, there will be about 45^8=16,815,125,391,000 options. Even if each attempt takes only a fraction of a second, it'll take tens of thousands of years to try them all - and that's if they *know* it's exactly 8 characters. So most attack scripts just check the simpler possibilities - dictionary words (particularly 'password', 'secure' etc.) with basic numeric substitutions, variants on the account name or email address, and numeric strings. The further you get from these "easy guesses", the longer it takes the script, and the higher the chance it'll either give up or run out of time.
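As an added example (not code from the original post), here is a Python check that applies the LiveJournal rules quoted above to a candidate password, together with the keyspace arithmetic behind the 45^8 figure. How "based on" your username, email or display name is interpreted, and the tiny list of common passwords, are my assumptions.

```python
import string

# Constructed, deliberately short list of common passwords (assumption); a real
# checker would use a far larger list drawn from published breach corpora.
COMMON_PASSWORDS = {"password", "secure", "123456", "qwerty", "letmein"}

SECONDS_PER_YEAR = 365 * 24 * 3600


def livejournal_style_check(password, username="", email="", display_name=""):
    """Return the list of LiveJournal rules (as quoted in the post) the password breaks."""
    problems = []
    if not 6 <= len(password) <= 30:
        problems.append("must be 6 to 30 characters long")
    if len(set(password)) < 4:
        problems.append("must contain at least 4 different characters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("must contain at least 1 number or symbol")
    if not all(32 <= ord(c) < 127 for c in password):
        problems.append("must use ASCII characters only (standard US keyboard)")
    lowered = password.lower()
    # Assumption: "based on" means the password contains the username, the local
    # part of the email address, or any word of the display name (3+ chars).
    seeds = [username, email.split("@")[0]] + display_name.split()
    if any(s and len(s) >= 3 and s.lower() in lowered for s in seeds):
        problems.append("must not be based on your username, email or display name")
    if any(word in lowered for word in COMMON_PASSWORDS):
        problems.append("must not be based on a commonly-used password")
    return problems


def keyspace(length, alphabet_size=45):
    """Number of strings of exactly `length` characters over the post's 45-symbol
    alphabet. keyspace(8) is the exact value behind the rounded 45^8 in the post."""
    return alphabet_size ** length


def years_to_exhaust(length, guesses_per_second, alphabet_size=45):
    """Years needed to try every string of the given length at a fixed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for candidate in ("skwid8KIPPER", "aaaaa1", "Password1"):
        print(candidate, livejournal_style_check(candidate, username="bob") or "OK")
    # Ten guesses per second (a "fraction of a second" each) against 8 characters.
    print("years to exhaust 8 chars at 10/s:", round(years_to_exhaust(8, 10)))
```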

Whatever trick you use, it does pay to change passwords every few months. If, like me, you just have too many to recall even with the above tricks, you can look at password apps (which encrypt the data they store) like Password Safe, KeePass, or a similar app for your PDA or mobile phone. Whichever you use, though, you'll still need one *really good* password to lock it with.
Posted by parsingphase, 2007-07-02 22:05
