Experts from Avira, Trend Micro, ESET, Sophos, AVG & Hackers on Password Security

McLovin

Level 76
Thread author
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
Ever since news broke out that millions of passwords belonging to LinkedIn, eHarmony and Last.fm users have been exposed, experts from some of the world’s most renowned security companies have rushed to release advisories to once again teach internauts how to choose and safely store the precious strings.



We’ve decided to make an advisory of our own, and to make it as good as possible we’ve asked a bunch of security experts and even hackers to share their opinions, not only on how strong passwords should be chosen, but more importantly, on how they should be stored.

Given the fact that each of these experts has a different opinion on how passwords should be safely stored, it might be a bit confusing to try and follow all the advice they give. However, it’s clear that all their recommendations can be effective in certain cases, you just have to figure out which one suits your needs the best.

Before choosing your favorite password-securing method, take a moment and ask yourself these questions. They should be able to help you in taking a decision.

1) How important is the data that my passwords protect?
2) Who am I most afraid of? Cybercriminals or my own friends and family?
3) What kind of damage could someone cause if he would obtain my passwords?

So let’s start with David Barclay from Trend Micro who highlights the way users can protect their passwords.

“Passwords are the ultimate key to your online life – and you should protect your online experience just as you would for your own cherished possessions. We recommend using different passwords for different web sites, and never utilize one password across multiple sites,” Barclay told Softpedia.

“Each password should contain a combination of letters, numbers, and characters, combined with capitalization of the letters in random places within the password. We also recommend you change your password every three months. Never share your passwords with anyone unless it is absolutely required (e.g., you become incapacitated and need to access.)”

We can probably all agree that this is sound advice that’s been given by all security experts throughout the years.

However, as we all know, it’s not easy to store all those complex, different passwords. Should we memorize them, write them down, or should we use specialized software to keep the passwords secure?

Each security expert has a different answer to this question.

“Given the necessity to set up passwords that would be difficult for a 3rd party to crack, as described above, committing passwords to memory will become challenging. Therefore we recommend you don’t try to commit them to memory – human nature will lead you to create passwords that are easy to remember, and hence easy to crack,” Barclay explained.

“For these reasons we recommend you use a password manager solution that is protected by full 256-level encryption. This means you only have access to your list of passwords by only having to remember one password, which is only known to you.”

He recommends the use of Trend Micro DirectPass because the software stores the password in a secure location, protecting it with 256-bit encryption. DirectPass also comes with a generator that automatically creates strong passwords.

Regarding the pen and paper method, Trend Micro professionals don’t quite agree with it.

“We highly recommend against this. A list of passwords on a piece of paper can easily be lost or stolen and your online accounts put at immediate risk. Would you leave your wallet or purse laying around in an open area? Your passwords should be treated the same. Never write them down in such a way that someone besides you can see them,” he concluded.

So let’s see what an independent security researcher thinks about password security.

“People really don't like to remember anything so they use easy passwords. For example, their pet’s name, phone number, first name, last name, birthday number, etc. This is the main problem. The attacker always tries first to crack the password because he/she knows it’s probably weak,” Ucha Gobejishvili revealed.

He added, “It would be great if they would make high-quality passwords, characters with caps, small, digits, special symbols. It would also be great if they could remember the password, but if they can't do it, the alternative method is pen and paper, because no one can ‘exploit’ your paper.”

To make this advisory a bit more interesting, we’ve also asked the opinion of Gambit, a hacker who has dedicated his time to “cracking” websites. He has an interesting view on password security.

“Well, the safest way to store passwords is in the uncrackable safe known as the human brain, but complex passwords which are the safest to use (passes with upper & lowercase letters + numbers & symbols) are hard to remember,” Gambit said.

“Pen and paper is also a good way but then anyone that has access to your house or that can break into it will have a chance of finding it. Software I wouldn't trust nor would I trust cloud servers, but that's just me, if you think the cloud is a safe place then by all means take the risk.”

So here’s his way of storing the passwords in that “uncrackable safe”:

The key to that is repetition. Write down a complex password say like “DmI3S@!$sMK3dsmqPo%#1”. Just a random string of chars with upper and lowercase letters and numbers and symbols, then take 5 or 10 minutes out of the day and just look at it and repeat it over and over in your head.

We all learned in elementary school during English class when we were given our weekly vocabulary list "going over each word at least three times will help you remember it better," so do that, just sit down spend a few minutes going over it in your head.

Within a week you'll have it memorized and when you no longer need it go grab your lighter and burn the paper so your password is nowhere but in your head.


We have also contacted AVG and asked them for some insight on this topic. They pointed us to this blog post in which they detail the steps to creating a strong password.

Here are a few of their more interesting tips:

- If you subscribe to online services, such as LinkedIn’s or another site’s premium services, put aside a credit card just for online purchases so that once it’s compromised, you can alert just the one credit card company of the breach. Do not use an ATM card for such purchases as you may lose access to cash anywhere from a few hours to a few days;

- Consider creating Google alerts for any service that maintains your personal data. An alert for “LinkedIn” + “hack” could have alerted you about the recent intrusion and allowed you to quickly act;

- When a security attack occurs, look for information about the attack either from the company that’s been hit or credible news sources.


Consider placing a security freeze on your credit report to prevent fraudulent accounts being opened in your name.

Next, let’s take a look at the advice provided by one of the most vocal experts when it comes to password security. He has made numerous password creating tutorials, including a video advisory. That’s right, we’re talking about Sophos’ highly charismatic Graham Cluley.

“You have to have different passwords for every website. And you have to have hard-to-crack complicated passwords that can't be easily cracked. The typical guy in the street always responds by saying ‘Well how will I remember the passwords?’. The answer is, you don't,” Cluley explained.

“My advice is to use password management software. KeePass is a well-regarded open-source program, which runs on multiple operating systems. It not only stores passwords securely, it can also generate new passwords for you which are hard to crack. Other products include 1Password and - if you want a web-based solution - LastPass.com.”

He continued, “The above is what I do - so I'm not just recommending it, I'm living it. As a result, I have absolutely no idea what my Facebook or Twitter or PayPal password is... I have a computer program that remembers those for me, and (touch wood) keeps them secure.”

Sorin Mustaca, data security expert at Avira, has also published a great blog post after the LinkedIn, eHarmony and Last.fm incidents. He is a big supporter of the memorization method, but he is aware that it also comes with certain risks.

“Any password repository (aka software that stores passwords encrypted) needs a way to store the encryption key - assuming that they encrypt the passwords and store them in plain text or their MD5s (as Mozilla software does, for example). So, it is simply moving the target a little bit more, but not making it invisible,” he told us in an email.

“The ‘Pen and Paper’ method means to write them down... that's basically no security since anyone is able to get that piece of paper at some point. And, what do you do with these methods when you're not at your computer or home/office? How do you retrieve the password? Do you call your colleagues/wife to give your password from the ‘secure’ place (software or locker)?”

He believes that “creating associations and keeping them in your head is less error prone,” not to mention the fact that the passwords are available anywhere you are.

“Of course, there is also a disadvantage here: if someone desperately needs your password, they might attack you instead of your software or locker.”

Finally, we have Aryeh Goretsky, a distinguished researcher at ESET, the man who inspired us to make this article. In a blog post entitled “Guarding against password reset attacks with pen and paper” Goretsky talks about storing the answers to the password reset questions.

“Write them down in a small notebook (that is, the kind you write in with a pen or pencil, not a laptop computer). Or, if you are not partial to keeping a little black (or orange) book, a business card or recipe card holder filled with index cards works just as well, too,” he wrote.

According to Goretsky, the book should be stored in an area near the computer, but not directly at the device.

“For additional security, do not store the actual answers to your password reset questions, but rather mnemonics or clues that will tip you, but not an attacker, to the answers,” he added.

“Regardless of whether you choose to store password reset questions or the actual passwords, it’s important to keep in mind, though, that the physical security of any written-down information in your notebook—whether it be the passwords themselves or just the responses to password reset challenges—is paramount:

“Writing down that information is the equivalent to putting your passport, driver’s license, social security card, check book, credit cards and debit cards (and their PINs) all together in one convenient bundle.”

Source
 

Deleted member 178

RE: Experts from Trend Micro, ESET, Sophos, AVG, and Hackers on Password Security

ummmm :

Example of password (created by umbrapolaris ' password generator) :

1- choose a paraphrase, ex: I am a MalwareTips member
2- convert it using "hacker language"
3- result = 1.4m.4.m@lw4r3t1p5.m3mb3r

easy to remember :D
 

iPanik

New Member
Feb 28, 2011
530
Experts from Avira, Trend Micro, ESET, Sophos, AVG, and Hackers on Password Security

3- result = 1.4m.4.m@lw4r3t1p5.m3mb3r

Actually, the password crackers of today are programmed to take "leetspeak" into account.
So "1.4m.4.m@lw4r3t1p5.m3mb3r" wouldn't take much longer to crack than "I am a MalwareTips member".
 

WinAndLinuxTutorials

Level 4
Verified
Honorary Member
Aug 23, 2011
2,291
Experts from Avira, Trend Micro, ESET, Sophos, AVG, and Hackers on Password Security

iPanik said:
3- result = 1.4m.4.m@lw4r3t1p5.m3mb3r

Actually, The password crackers of today are programmed to take "leetspeak" into account.
So "1.4m.4.m@lw4r3t1p5.m3mb3r" wouldn't take much longer to crack than "I am a MalwareTips member".

Can you explain in more detail or provide a link for explanation? I don't really get it.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
RE:

Isn't it where numerical and symbols represent alphabet characters?

ie. 3 = E
 

iPanik

New Member
Feb 28, 2011
530
In leetspeak you replace certain characters with numbers or special characters that look like the original character. ex:
A = @ or 4
o = 0
L = 1
E = 3
etc.

leetspeak is so well known these days that password crackers convert words and sentences into leet when they are doing dictionary attacks.
And since even the slowest computer can do thousands of dictionary guesses per second, l33t passwords really don't slow the process down much.

Some articles on the subject.
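To make the point above concrete from the defender's side, here is an added example (not from this thread or from any of the posters) of a leet-aware dictionary check that a site could run in its password policy at registration time. The alias table, the separator set and the small wordlist are constructed for this example; a real policy would load a large wordlist and breached-password lists instead. It shows why "1.4m.4.m@lw4r3t1p5.m3mb3r" is still mostly dictionary words once the substitutions are undone, while a random string like "4wkGR2tm" is not.

```python
# Added example: leet-aware dictionary coverage check for a password policy.
# LEET_ALIASES, SEPARATORS and WORDLIST are constructed for this example.

# letter -> characters commonly substituted for it in "leetspeak"
LEET_ALIASES = {
    "a": "@4", "b": "8", "e": "3", "g": "69", "i": "1!|",
    "l": "1|", "o": "0", "s": "5$", "t": "7+", "z": "2",
}
# characters that only separate words and carry no guessing cost worth counting
SEPARATORS = set(" .-_")
# tiny stand-in for a real wordlist
WORDLIST = ["malware", "tips", "member", "password", "welcome"]


def char_matches(pw_char: str, letter: str) -> bool:
    """True if pw_char is the letter itself or one of its leet substitutes."""
    c = pw_char.lower()
    return c == letter or c in LEET_ALIASES.get(letter, "")


def covered_chars(password: str, wordlist) -> int:
    """Count password characters that are explained by wordlist entries,
    allowing leet substitutions. Greedy scan, longest word first."""
    words = sorted({w.lower() for w in wordlist if len(w) >= 3},
                   key=len, reverse=True)
    i, n, covered = 0, len(password), 0
    while i < n:
        for w in words:
            end = i + len(w)
            if end <= n and all(char_matches(password[i + k], w[k])
                                for k in range(len(w))):
                covered += len(w)
                i = end
                break
        else:  # no word matched at this position; move on one character
            i += 1
    return covered


def dictionary_coverage(password: str, wordlist=WORDLIST) -> float:
    """Fraction of non-separator characters that come from dictionary words."""
    significant = sum(1 for c in password if c not in SEPARATORS)
    if significant == 0:
        return 0.0
    return covered_chars(password, wordlist) / significant


def policy_accepts(password: str, wordlist=WORDLIST,
                   max_coverage: float = 0.5) -> bool:
    """Reject passwords that are mostly (de-leeted) dictionary words."""
    return dictionary_coverage(password, wordlist) <= max_coverage


if __name__ == "__main__":
    for pw in ["1.4m.4.m@lw4r3t1p5.m3mb3r", "p@55w0rd", "4wkGR2tm"]:
        print(f"{pw!r}: coverage={dictionary_coverage(pw):.2f} "
              f"accepted={policy_accepts(pw)}")
```

For the thread's example password the check finds "m@lw4r3", "t1p5" and "m3mb3r" and reports that 17 of the 21 non-separator characters are dictionary material, so the policy rejects it; "4wkGR2tm" has no coverage and passes.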
 

ranget

New Member
Dec 8, 2011
232
Passwords are being more painful than ever

Hackers are finding ways to brute force faster
also there are rainbow tables, whatever they are, and they are supposed to speed up the cracking of the password

computers are faster and faster each month
and due to that law (I forgot the name of the author)

anyway you should create each year a one or two character longer password
so the first year is a 6 char pass
the second 8
the third 10

and so on

in the future passwords will be more like 256 bits long, if they haven't gone extinct
 

McLovin

Level 76
Thread author
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
Or you should change your password regularly and then you will know that no one will know it. Once someone has your password, that's the end.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Don't forget that 1 password may be used on many sites, if you use Facebook Connect or Twitter to log in with.
 

pcjunklist

Level 1
Dec 28, 2011
523
It doesn't matter how strong your passwords are if the site you're entering it onto can't protect it. You could have the most intricate password in the world and it's easily grabbed by a site storing it in cleartext.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Just go to websites that are known to be trustworthy, because whether you put in strong or weak passwords, it's easy for one's information to be leaked and altered.
 

bogdan

Level 1
Jan 7, 2011
1,362
ranget said:
also there is rainbow tables whatever it is and it spouse to fasten the crack of the password

Passwords are not stored in clear text; instead their hash is stored. A hash function is irreversible, you can't find the password if you know the hash; however, rainbow tables allow attackers to retrieve the text password starting from its hash. There are of course limitations: using long passwords and storing salted hashes instead of direct hashes of passwords makes the attack impracticable.
 

Spirit

Level 2
May 17, 2012
1,832
If hackers can get into your computer or the company website on which you are using the password, it is crackable and could easily be known by the hacker, however difficult or long the password is.

If your machine is safe then even "abcdefg" password is safe enough.
 

bogdan

Level 1
Jan 7, 2011
1,362
@stranger: Some protection is broken by design - even if you choose a good password it can be bypassed. Like the password for your Windows account: it is useless if the attacker has direct access to your PC.
 

iPanik

New Member
Feb 28, 2011
530
ranget said:
in future password will be more Like 256 bit long if they didn't extinct

Who am I to predict the future, but I doubt it will get that far. As computers get better at crunching the numbers, the encryption algorithms are updated to make the process longer. Longer salts (the strings you append to the password before hashing), and longer stretching (iterating the algorithm) all make the process take longer.
So a random string like '4wkGR2tm' should be just as secure in 10 years as it is now.
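The two posts above (bogdan on hashes, salts and rainbow tables; iPanik on salts and stretching) describe how a site should store passwords. The following is an added example, written for this page and not code from any of the posters, that puts both ideas side by side: an unsalted SHA-1 digest that a precomputed lookup table reverses instantly, versus a per-user salted, iterated PBKDF2-HMAC-SHA256 hash that the same table cannot touch. The wordlist, the storage format and the iteration count are choices made for this example.

```python
# Added example: unsalted hashing (table-reversible) vs salted, stretched hashing.
# The wordlist, the "$"-separated storage format and ITERATIONS are choices made
# for this example, not a particular product's scheme.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # work factor ("stretching"); raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """What a naive site stores: identical passwords always give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """digest -> password for unsalted SHA-1; a tiny stand-in for a rainbow table."""
    return {unsalted_hash(w): w for w in wordlist}


def reverse_unsalted(digest: str, table) -> Optional[str]:
    """Instant reversal when the digest was computed without a salt."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256; the salt is stored next to the hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_two_users(password: str, iterations: int = ITERATIONS):
    """Two accounts with the same password get two different stored values."""
    return (hash_password(password, iterations=iterations),
            hash_password(password, iterations=iterations))


if __name__ == "__main__":
    table = build_lookup_table(["password", "letmein", "123456"])  # constructed
    print("unsalted sha1 reversed:", reverse_unsalted(unsalted_hash("password"), table))
    a, b = same_password_two_users("password", iterations=20_000)
    print("salted stored values differ:", a != b)
    print("table hit on salted hash:", reverse_unsalted(a.split("$")[-1], table))
    print("verify correct:", verify_password("password", a),
          "verify wrong:", verify_password("Password", a))
```

The point to take from the run is that the lookup table only works because every site using unsalted SHA-1 produces the same digest for "password"; with a 16-byte random salt per user, an attacker has to redo the stretched computation per account, which is exactly the slowdown iPanik describes.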
 

bogdan

Level 1
Jan 7, 2011
1,362
Hopefully more web services will implement a second authentication factor. Google already offers an optional Two-Factor Authentication (password + a code generated by an app on your smartphone or a code received through SMS if you don't have a smartphone) - More Info

So even if your password gets stolen, someone also needs your phone to log in.
 
