Secure Passwords Guide

A password is a form of authentication represented by a string of characters that the user can easily provide but that is hard to guess. When faced with a registration form, people use obvious passwords such as the names of their children or their house number so they won’t forget them, or simply because they can’t come up with better ones. Their importance is often ignored – at least until the account gets hacked. This guide will show you how to choose secure passwords and still be able to remember them; you’ll find links to software that might help, and hopefully you’ll be determined to change your passwords to more secure ones.

What makes a password strong?

The answer is length, complexity and randomness. The common way to crack passwords is a brute-force attack: the attacker tries as many possibilities as time and processing resources permit. A related but much more efficient method is a dictionary attack, in which words from one or more dictionaries and lists of common passwords are tested. A long password composed of multiple types of characters in a random order will be hard to crack.

Guidelines for creating a good password:

  • Minimum length of 8 characters. The longer your password is, the better.
  • Passwords should use all of the following four types of characters:
    • Lowercase
    • Uppercase
    • Numbers
    • Special characters such as !@#$%^&*(){}[]
  • Don’t use passwords that are based on personal information because it can be easily accessed or guessed.
  • Do not use words from dictionaries (English or foreign), names or places.
  • Slightly misspelling words, spelling them backwards or using 1337 speak does not make your password secure.
  • Do not use consecutive numbers or letters such as “1234” or “abcd”.
  • Do not use adjacent keys on your keyboard such as “qwerty” or “asdf”.
  • Do not repeat the same character in your password such as “aaaa” or “2222”.

To achieve such complexity while still being able to remember your password you can use mnemonics.

Example:

“My favorite song is Led Zeppelin – Stairway to Heaven”. This phrase is easy to remember (especially if this is your favorite song). It consists of a question and an answer. I can convert it to a password like this:

  1. Using the first letter of every word, while keeping cases and punctuation: MfsiLZ-StH
  2. Adding a special character between the question and the answer: Mfsi/LZ-StH
  3. Adding numbers to my password by converting L (the first letter in the answer) to 12 (L being the 12th letter in the English alphabet): Mfsi/12Z-StH

The result is a good password. It is long enough, it has complexity by using letters (both lower- and uppercase), numbers and special characters, and finally it is sufficiently random. The password itself might not be easy to remember, but it is easy to reconstruct from the easy-to-remember phrase and the three simple rules that generated it.
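The example below is added here and is not code from the original guide. It implements the guideline list above as a checker (length, the four character classes, dictionary words including reversed and 1337-speak spellings, consecutive sequences, adjacent keys and repeated characters), estimates the brute-force search space, and reproduces the three mnemonic rules so that the “Stairway to Heaven” phrase yields exactly Mfsi/12Z-StH. The word list, the US keyboard rows, the three-character window used for the sequence and repeat rules, and the guess rate are constructed assumptions, not values from the guide.

```python
"""Password guideline checker and mnemonic derivation (added example)."""
import math
import string

# Constructed stand-in for a dictionary / common-password list; a real checker
# would load a large wordlist instead of this handful of words.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon",
                "qwerty", "stairway", "heaven", "zeppelin"}

# Keyboard rows for the adjacent-keys rule (US layout, constructed assumption).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Common 1337-speak substitutions, undone before the dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

WINDOW = 3  # run length that counts as a sequence, keyboard walk or repeat (assumption)


def _windows(text, size=WINDOW):
    return [text[i:i + size] for i in range(len(text) - size + 1)]


def _is_sequence(chunk):
    """True for runs such as 'abc', '123' or 'cba' (each char is +/-1 from the last)."""
    steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
    return steps == {1} or steps == {-1}


def _is_keyboard_walk(chunk):
    return any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS)


def _contains_dictionary_word(pw):
    # Lowercase and undo 1337 substitutions, then look at both directions so that
    # backwards spellings are caught as well.
    plain = pw.lower().translate(LEET_MAP)
    return any(word in candidate for candidate in (plain, plain[::-1])
               for word in COMMON_WORDS)


def check_password(pw):
    """Return the names of the guide's rules the password violates (empty list = passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("length")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        failures.append("character-classes")
    if _contains_dictionary_word(pw):
        failures.append("dictionary")
    lowered = pw.lower()
    if any(_is_sequence(w) for w in _windows(lowered)):
        failures.append("sequence")
    if any(_is_keyboard_walk(w) for w in _windows(lowered)):
        failures.append("keyboard-walk")
    if any(len(set(w)) == 1 for w in _windows(pw)):
        failures.append("repeated-character")
    return failures


def search_space_bits(pw):
    """log2 of the brute-force keyspace implied by the character classes used and the length."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII specials
    return len(pw) * math.log2(size) if size else 0.0


def brute_force_years(pw, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace; the guess rate is a constructed assumption."""
    return 2 ** search_space_bits(pw) / guesses_per_second / (365 * 24 * 3600)


def mnemonic_password(question, answer, separator="/"):
    """Apply the guide's three rules: initials with case and punctuation kept, a separator
    between question and answer, and the answer's first letter replaced by its alphabet position."""
    def initials(phrase):
        # Typographic dashes become '-' so the punctuation survives as ASCII.
        phrase = phrase.replace("\u2013", "-").replace("\u2014", "-")
        return "".join(word[0] for word in phrase.split())
    q, a = initials(question), initials(answer)
    if a and a[0].isalpha():
        a = str(ord(a[0].lower()) - ord("a") + 1) + a[1:]
    return q + separator + a


if __name__ == "__main__":
    pw = mnemonic_password("My favorite song is", "Led Zeppelin \u2013 Stairway to Heaven")
    for candidate in (pw, "password", "P@ssw0rd123!", "qwerty12"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}, "
              f"{search_space_bits(candidate):.1f} bits, "
              f"{brute_force_years(candidate):.2e} years to exhaust")
```

The keyspace figure is an upper bound on attacker effort, not a guarantee: a dictionary attack succeeds in far fewer guesses whenever the password is built from words, which is why the checker rejects dictionary words before the bit count is even considered.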

Test your passwords: Link 1, Link 2, Link 3.

Using your passwords safely. Software that you might need.

Making a good password is just the beginning. You should also be careful how you use it.

Guidelines for using passwords securely:

1. Don’t write down your passwords on paper or inside a non-encrypted file. Rather than using weak passwords, it is better to use strong ones even if you have to write them down; fortunately you can do so securely by using a password manager.

2. Do not use the same password for all accounts such as additional email accounts or other log-ins you may have on the Internet. To keep track of all passwords you’ll have to use a password manager. A password manager encrypts all your passwords using a single password that you’ll have to remember.

3. Use a password manager. I use the LastPass browser plug-in (the free version). It offers support for all major browsers and the free version is sufficient for even the most demanding users. Furthermore it works as a cloud service – your passwords are sent encrypted and over a secure connection to their servers. As a result they are available everywhere, even on multiple devices. If you would rather use a stand-alone application instead of a plug-in, try KeePass (open source). It doesn’t include a cloud service (and some might appreciate that), but it offers a portable version that you can carry everywhere on a USB stick. Both can also be used to create strong passwords, so the next time you face a registration form you won’t have to spend time creating one.

4. Do not share your password with anyone. Anyone includes your friends and family. First of all, passwords are private, and second, you don’t know whether the person you are sharing the password with will take the necessary precautions to safeguard it.

5. Watch for attackers trying to trick you into revealing your passwords (phishing attacks). Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. Do not reply to phone calls or email messages requesting that you reveal your passwords. Legitimate websites or organizations will never ask you for your user name and password. To protect from malicious websites, I recommend using a browser add-on that warns you when you try to visit such a site: Web of Trust (all major browsers) / Norton Safe Web (Firefox and Internet Explorer).

6. Be aware of when a password is sent securely across the Internet. Sites that begin with “https://” rather than “http://” are secure for use of your password. Most sites offer an https connection, but unfortunately they use http by default or fall back to http immediately after log-in. I recommend using a plug-in that enforces a secure https connection: HTTPS Everywhere (for Firefox) / Use HTTPS (for Chrome).

7. Secret questions are vulnerable to guessing attacks. Most websites offer this method as a way to recover your lost password. Choose answers that are hard to guess and if you fear you might forget them, use a password manager.

8. Do not use the “remember my password” feature offered by many programs. These programs have varying degrees of security protecting your passwords. Some store the information in clear text in a file on your computer or with weak encryption. Software tools that can retrieve passwords from all major browsers, instant messengers and e-mail clients are available.

Tip: Firefox can protect your passwords with a “master password”. If you plan on letting it store your passwords, you must enable this feature. Go to Tools > Options… > Security and check Use a master password. A window asking for the master password will pop up. This password will be used to encrypt all your other passwords, so make sure it is strong and remember it.

Note: The latest versions of most IM clients (ICQ version 6 and higher, Yahoo! IM version 7.5 and up, and all versions of Skype) do not save the password itself but its hash, which is used for authentication. Even so, if an attacker gets hold of that file he can use it to log in to your account.

9. Keep your PC malware-free. Make sure the security software you are using is up to date and offers protection against key-loggers. A key-logger is a type of malicious software that runs on your computer logging every keystroke. If your security software doesn’t offer this kind of protection, I recommend installing KeyScrambler Personal (IE and Firefox add-on) – link to Firefox add-on. Update: Mozilla tightened the rules concerning what is allowed on the Mozilla add-ons site; as a result many add-ons – including KeyScrambler – have been removed (read more). You can still get the software from the authors’ site.

10. Don’t type your passwords on someone else’s computer. If possible, don’t use a computer you don’t trust to log in to any website, especially very sensitive websites such as your banking account. That PC might be infected with a key-logger or other types of malware that can steal your passwords. Public PCs are highly insecure.

11. Secure your wireless connection. Using a non-encrypted wireless connection or a WEP-encrypted one (WEP is flawed by design and easily breakable) exposes you to a man-in-the-middle attack. An attacker can easily connect to your network, intercept your packets and possibly steal your passwords or hijack your session. Use WPA2 or WPA encryption (if you own devices that can’t use WPA2) with a strong pass-phrase to protect your wireless connection. Be aware that most public hot-spots don’t offer a secure wireless connection.

12. Change passwords immediately when they are compromised. Even if you have the slightest doubt that one of your passwords was stolen, change it immediately.

13. Change your passwords regularly. Changing your passwords twice a year ensures that a persistent attacker won’t have enough time to break them by brute force.

6 thoughts on “Secure Passwords Guide”

  1. I agree. Probably the most important thing is the way a user handles his password. If the password is used to protect an online account the time needed to brute force a somewhat difficult password is greatly increased because of Internet roundtrip delays. So simply asking for the password is much more efficient.

  2. Good recommendations…. I recently read an article which was published by a serious ‘hacker’… He noted the easiest way he uses to discover a password is to merely ask for it…

  3. That’s sad to see :( People need to give their digital as high value as our real life in that sense what we inform us and also take care how to protect ourselves.

  4. Thanks. There are many other similar articles on the Internet, but people ignore the security of their passwords.
