Passwords

By Greg Gagne

In today’s digital world, passwords are often the most neglected first line of defense against data and security breaches.  They can be a hassle, to be secure you shouldn’t repeat passwords, or even ways of generating passwords between sites and services to maintain absolute security for yourself.  The most secure passwords are long, with randomized letters, numbers, and special characters.  In addition, frequent changes of passwords are needed to keep your data secure.  Depending on how many sites, services, or software you have to use daily, a list of passwords to remember correctly and change on a frequent basis could grow to be unbearable and even impossible. 

There are numerous online services and offline software that generate very secure passwords and will remember and/or auto-fill these passwords for you.  These services/software usually range from being free but ad-supported to more than $50, depending on the features you may want.  The problem is that consumers are putting all their eggs in the same basket.  As happened recently with the Heartbleed vulnerability outbreak, the behind-the-scenes security that should keep this bundle of passwords securely stored was broken.  Who’s to say that someone out there doesn’t have access to all your passwords that you put into one of these convenient services?  This entirely negates the convenience of this software when you have to regenerate your passwords again and trust that in fact they are secure from anyone but you. 

For me, I use the following method to generate passwords that are secure enough.  I say secure enough because most sites, ironically enough most banking sites for example, do not let you use truly secure passwords.  For instance my bank only allows an eight-character password using only capital and non-capital letters and numbers.  I can’t use any special or extended characters such as an asterisk or spaces which would make the password all that more secure.  Their password policy is the bare minimum truly to be somewhat secure

So I do the following for creating a password.  I come up with an easy-to-remember sentence that is meaningful to me, for instance “I am graduating in 2014.”  To make this into a password, I take the first letter of each word and combine them.  This would be Iagi2014.  I then randomly add a special character if it is allowed.  I make sure to make a sentence with frequent upper-case and lower-case letter usage and it has to have some numerical value in it. 

I also try to make a nonsensical sentence that would be very grammatically incorrect, as this helps to spoil the efforts made by hackers using dictionary libraries.  What makes a password secure is if you combine length, inability for words to be found in a dictionary, and complexity which comes with upper case, lower case, numerals, and special characters.  In order to remember all these passwords, I write them down and carry them on a sheet of paper in my wallet.  Before anyone says this is totally insecure, I encrypt these by changing around the ordering depending on the site/service and add an indication of what site or service it pertains to.  For example I used the phrase “The Moon is blue tonight!”  The password would be TMibt2014* and I’m using it on amazon.com I write down on the paper *4102tbiMTamz (the amz letting me know its Amazon).  This isn’t totally foolproof but it would keep the casual person confused as I don’t directly write down Amazon.com User name: xxxxx Password: xxxx on this sheet of paper.  Figure out an “encryption” that works for you. 

Unfortunately passwords are only as secure as you make them and how long they’ve been used.  For me, as much as a hassle as it is, I tend to change passwords on a frequent basis depending on how critical the service, site, or system is.  For anything financial, I change on at least a monthly basis if not more often. For that kind of data, frequent changes are really the only true-and-tried security in addition to the password being complex and long.  This adds another barrier to entry on your accounts.  Again do not share like or exact passwords between sites; this is the biggest reason accounts, services and systems get hacked, directly after easy- to-guess passwords.

Also, when it comes time to set up your methods of recovering a password, such as putting in your mother’s maiden name or high school friend, do not actually use an answer that is true.  For instance, my high school friend’s name was Dustin Johns.  Nowadays finding out this piece of information through scalping of social networking or any various forms of social engineering is too easy.  I’d change this to something I could remember but makes no sense, such as Marvin the Martian or something along those lines.  This is an often-neglected area of password security – how easy you make it to recover a password.  Another good thing to do is to make a note if possible, on any account that allows it, to not allow password resets of any kind through a telephone call. This is a far-too-easy venue for hackers to capitalize on using social engineering to gain access to your accounts. 

Make access to your accounts about as difficult as possible on all avenues, including passwords, password resets, and frequent password changes to spoil any attempts by attackers.  Unless you’re being specifically targeted for a reason, if you make it difficult enough, an attacker will give up after a certain amount of time.  They are looking for the most gains with the least amount of work.  

Stay Safe