Friday, February 17, 2012

Truth About Password Security & Being Hacked

I have the privilege of currently living with not just one but two computer programmers. Because of their interests and my various pursuits on the internet, we often get into discussions about internet etiquette and common misconceptions. I've been wanting to share some of my new-found knowledge with my fellow non-professional internet consumers, because these are things I didn't used to know, and why hold on to good information!?

So here are a few things I've learned about the internet in the past five plus years of living with one or more persons who "know better":

On Password Security

Recently, my friend Lauren shared this article all about using secure passwords from CarrieActually. The gist of the article is that Carrie recommends using a secure password generator to make passwords of random characters which are much more difficult to hack than the standard (common word or pet's name + birth date) that lots of folks use. Then, she suggests that we store all these randomly generated passwords in a text file on our computer's desktop to access when we need them.

Respectfully, I completely disagree with the advice (particularly the latter portion), and here's why:

There's no reason you need to use a password you can't remember in order to have a secure password. You can easily make up a password that is very difficult to be guessed by hackers while still being extremely easy for you to remember. If you can remember your passwords, then you don't have to store them anywhere except your brain, which means if your computer is lost or stolen, your passwords will still be safe. (I do agree with Carrie that you should write your passwords down somewhere and keep them very secure—like inside a safety deposit box—in case of a catastrophic life event.)

Of course, Carrie is 100% right on this point: completely random passwords are very secure. However, they're also extremely difficult to remember. If your password is so hard to remember that you need to store your passwords somewhere else (especially somewhere insecure like a text document on your computer's desktop), you are effectively compromising the security of the password.
From an article by Symantec (makers of Norton anti-virus software) on password security (emphasis mine):
Users should exercise extreme caution when writing down or storing passwords. Stories of hackers obtaining passwords through shoulder-surfing and dumpster diving are not urban myths, they are real. Users should resist the temptation to write down passwords on Post-It notes stuck to their monitors or hidden under their keyboards. Instead, they should choose passwords that they will be able to remember.

Another thing that people do which is reasonably effective is to choose a common word (found in the dictionary) and substitute special characters for predictable letters: a becomes @ or 4; i becomes 1, etc. This is probably not as secure as you think because a hacker can account for predictable character substitutions in a password cracking program. So if your password is "animal" turned into "@n1maL", you are slightly more secure than just using the simple version, but you'll likely be annoyed trying to remember which characters you capitalized and substituted as you type in your passwords.

I believe the best solution to this tricky password business is to choose a password which is both easy to remember and difficult for others to guess. My favorite suggestions for this are either to:
  1. Come up with a mnemonic phrase that means something to you (lyrics to a song, a sentence you say often, etc.) and use the first letter of each of the words as your password. You can then substitute capital letters for naturally capitalized letters like "I" and the beginning of names, and substitute other special characters as you would naturally. (For example: "I'm a little teapot, short and stout!" would be "Ialts&s!")
  2. Come up with a collection of unrelated words which is silly and random. Your password will be long and secure but simple to type and easy to remember because it is odd. (For example: "correcthorsebatterystaple")
 From the same Symantec article I quoted above (again, emphasis mine):
Depth refers to choosing a password with a challenging meaning – something not easily guessable. Stop thinking in terms of passwords and start thinking in terms of phrases. “A good password is easy to remember, but hard to guess.” (Armstrong) The purpose of a mnemonic phrase is to allow the creation of a complex password that will not need to be written down. Examples of a mnemonic phrase may include a phrase spelled phonetically, such as ‘ImuKat!’ (instead of ‘I’m a cat!’) or the first letters of a memorable phrase such as ‘qbfjold*’ = “quick brown fox jumped over lazy dog.”
What may be most effective is for users to choose a phrase that has personal meaning (for easy recollection), to take the initials of each of the words in that phrase, and to convert some of those letters into other characters (substituting the number ‘3’ for the letter ‘e’ is a common example). For more examples, see the University of Michigan’s Password Security Guide.

My cynicism about password security is summed up by this xkcd comic about password strength:

So true! And why should we try to remember frustrating and nonsensical passwords when we can remember a silly phrase instead (which is also quite secure)?

I also like this article about password security and usability. It explains the different methods that are used to crack passwords and it illustrates (with math!) the security of various types of passwords. It also reinforces the point I've already made: completely random passwords (with symbols, numbers, and mixed-case) are very secure, and so are short phrases made up of common words ("this is fun") or, even better, uncommon words ("fluffy is puffy").[1]
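As an added illustration (this script is not from the post, the Symantec article, or the linked article on password math), the Python below puts rough numbers on the three styles discussed above: a dictionary word with character substitutions, a mnemonic built from a phrase, and a passphrase of randomly chosen words. The substitution rule set, the 100,000-word dictionary, the one-billion-guesses-per-second rate and the tiny wordlist are all constructed assumptions; the 2048- and 7776-word list sizes are the sizes assumed by the xkcd comic and by common diceware lists. The point it demonstrates is the one made in the text: a cracker that already tries case and substitution variants only has to multiply its dictionary by a few hundred, so "@n1maL" sits in a guess-space of about 26 bits, while four random words from a 2048-word list give 44 bits and six from a 7776-word list give about 78.

```python
import itertools
import math
import secrets

# Constructed assumptions (not from the post): the case/"leet" substitutions a
# rule-based cracker is assumed to try, a nominal dictionary size, and a guess rate.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
DICTIONARY_SIZE = 100_000      # assumed size of the attacker's wordlist
GUESSES_PER_SECOND = 1e9       # assumed offline hash-cracking rate


def leet_variants(word):
    """Every combination of upper/lower case and leet substitution for `word`.
    This is the set a rule-based cracker covers automatically once the plain
    word is in its dictionary."""
    options = []
    for ch in word.lower():
        subs = {ch, ch.upper()}
        subs.update(LEET.get(ch, ""))
        options.append(sorted(subs))
    return ["".join(combo) for combo in itertools.product(*options)]


def substituted_word_bits(word, dictionary_size=DICTIONARY_SIZE):
    """Guess-space, in bits, of a dictionary word with substitutions applied:
    roughly the dictionary size times the number of mangled variants per word."""
    return math.log2(dictionary_size * len(leet_variants(word)))


def random_chars_bits(length, alphabet_size=94):
    """Uniformly random characters drawn from the 94 printable ASCII symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words, wordlist_size):
    """Words drawn uniformly at random from a wordlist of the given size."""
    return n_words * math.log2(wordlist_size)


def seconds_to_search(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the password after searching half the space."""
    return 2 ** (bits - 1) / guesses_per_second


def mnemonic_from_phrase(phrase):
    """First letter of each word, 'and' written as '&', keeping a trailing
    '!' or '?' on the final word, as in the post's teapot example. Its real
    strength depends on how guessable the phrase is, not on these characters."""
    out = []
    for word in phrase.split():
        core = word.rstrip("!?.,;:")
        if not core:
            continue
        tail = word[len(core):] if word.endswith(("!", "?")) else ""
        out.append("&" if core.lower() == "and" else core[0])
        out.append(tail)
    return "".join(out)


# Constructed tiny wordlist; a real one would have thousands of entries.
WORDLIST = ["correct", "horse", "battery", "staple", "fluffy", "puffy",
            "teapot", "anchor", "velvet", "cactus", "marble", "pickle"]


def random_passphrase(n_words, wordlist=WORDLIST):
    """Passphrase of words chosen with a CSPRNG; strength comes from the
    wordlist size and word count, not from the words being unusual."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_strategies():
    """Bits of guess-space for the password styles discussed in the post."""
    return {
        "animal with leet substitutions": substituted_word_bits("animal"),
        "8 random printable characters": random_chars_bits(8),
        "4 random words, 2048-word list": passphrase_bits(4, 2048),
        "6 random words, 7776-word list": passphrase_bits(6, 7776),
    }


if __name__ == "__main__":
    print(mnemonic_from_phrase("I'm a little teapot, short and stout!"))
    print(len(leet_variants("animal")), "variants; '@n1maL' among them:",
          "@n1maL" in leet_variants("animal"))
    for name, b in compare_strategies().items():
        print(f"{name:32s} {b:5.1f} bits  ~{seconds_to_search(b):.3g} s at 1e9/s")
    print(random_passphrase(4))
```

The bit counts are upper bounds for the attacker's work, not guarantees: a phrase with personal meaning can be far stronger than its character count suggests, and a "random" word choice made by a human rather than a CSPRNG is weaker than the wordlist arithmetic implies, which is why `random_passphrase` uses `secrets` rather than `random`.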

What if I'm really paranoid and/or my memory is really bad?

If you've got your heart set on using a different, completely random password (that you don't have a hope of remembering) for each site, or you can't remember silly phrases for different sites you visit, there's still hope for your internet security! Consider using a paid service (like 1Password) which can generate random secure passwords for you, and then store them for your various accounts. All you have to do is remember one master password to unlock all of those when you need them.

If you don't want to pay for a service to do this for you, the built-in password storing service in Firefox works pretty well too, since you have the option to lock all stored passwords with a master password. (The same goes for Keychain in Mac OS.) The downside of a system like this goes back to trust. If someone physically gains access to your computer, they automatically have access to all of the accounts for which you have saved passwords. (Of course, that can be remedied by consistently locking your computer—"logging off"—when you're away from it, and by using a unique and secret user account password.)

Whatever option or combination of options you choose, you don't have to use a password you can't remember to know your information on the internet is secure!

More on the Potential to be Hacked

I know a lot of people are concerned about their privacy and security on the internet, and that is totally a matter of personal comfort level. I care about others' level of worry though, particularly when it seems their fears are not based in fact.

Here's the first thing I know: People usually get hacked for one of two reasons:
  1. There's a very good reason to want to know inside information about your personal data (i.e., you are really important, very rich, famous, etc.), or
  2. Your password is so easy to guess or obtain that someone is opportunistically hacking your accounts just for fun, or for monetary gain.
So the Average Joe with a secure password (see above) can go about life assuming no one is going to hack into his personal accounts. They just don't care enough to try.

A very common way for security breaches to happen is through social engineering. Con artists pose as trusted employees or other individuals you might not think twice about allowing access to your secure information in order to procure your password. They might do this via phone (calling "from your email provider" with a "problem" about your account), by email (with your bank's header image asking for your password to "verify" something), or even in person (as the cable guy or other public service employee to do work in or around your home), all in the name of getting your passwords. CarrieActually's solution of storing her randomly generated passwords in a text file on her desktop is completely vulnerable to this common attempt at a security breach. (Ironically, the act of writing the post she did telling everyone where her passwords are stored has actively weakened this aspect of her password security.)[2]

Here's the second thing I know: If you're slightly more paranoid (read: vigilant, careful, cautious, concerned) than Average Joe[3], make sure you:
  1. Have a reasonably secure password (which you store in your brain or using an encrypted method);
  2. NEVER click on links unless you know what they are;
Adopting these three strategies will protect you from encountering a host of problems and potential security weak points when it comes to your internet life.

The bottom line is: If you're comfortable with the way you're handling your passwords and online security, great! I am not trying to tell anyone they should want to do it the way I think is best. I also want everyone to genuinely enjoy their time spent perusing the internet, and I've encountered many a person who seems to feel like a slave to these "rules" they've learned about how to best stay safe on the internet. If you're feeling frustrated by your current password methods, I simply invite you to entertain the idea that there's another (perhaps easier, more enjoyable, and still very secure) way to go about it.

I honestly care about you, your security, and your overall internet experience.

1. Please remember to be mindful and creative when coming up with a new password for yourself. Obviously, some of the simple examples that I used above, like "I'm a little teapot" or "this is fun" are not ideal for real password use. The more off-the-wall ideas that come to mind, the better it will be for the security of your password.

2. I mean no disrespect to Carrie at CarrieActually, and it is certainly not my intention to pick on her or single her out. Her article just happened to be the catalyst that brought about this particular thought process (and subsequent conversations with my resident "experts"). I care very much about Carrie's security and the security of her readers, too!

3. I'm referring to myself here, folks—the woman who changed every single one of her passwords before clicking 'publish' on this post.


  1. My brother-in-law worked in Internet security for one of our major ISPs. His suggestion for passwords was to use car registration numbers for cars you used to have and mix it up with a word or phrase.

    I've been known when particularly frustrated with having to think up yet another password to use the phrase 'yetanotherdamnpassword'

  2. Walker has been trying to convince me to use the same base word for each website that needs to have a password with an addition somewhere in there that has something to do with the website itself. So if my base word was "Horse" my password for Amazon could be "Horsebooks." Sadly, I think that would be too hard for me to keep straight, so I'm using the XKCD recommendation of phrases.

  3. Oh! My Dad (who also works in computers) used to use phone numbers he needed to memorize, but you are rarely allowed to have a numerical only password nowadays. That also has the drawback of being easier for a computer to randomly guess, I would assume.


