The importance of passwords

The Importance of Passwords (2015)

I was originally paid to write this piece for atlantic.net.


We’ve all heard it before: you need a good, secure password. Use uppercase letters, special characters, and numbers. Never write it down. Never tell anyone what it is. Change it regularly. Use unique passwords for each account.

It all seems such a fuss, who’s got the time or memory for that? And is it all necessary anyway?

Why are we given so much advice about passwords?

It’s easy to feel invincible when you’re sitting at your computer. We forget the real-life implications of our online actions. If you do online banking, you can access all the money you own with a few taps of the computer keyboard. This makes life more convenient for you, but it also makes it a lot more convenient for a hacker. If the only thing between you and your money is a simple password, then that simple password is also the only thing between a hacker and your money.

It’s not just bank accounts though: anything that you’re dependent on is a potential target. You might not think that a hacker would be interested in getting into your email account, but they could use it to exploit your friends http://www.theatlantic.com/magazine/archive/2011/11/hacked/308673/ or, if it’s an important part of your working life, they could hold it to ransom. The same goes for all social media accounts. What about your cloud storage such as Dropbox or Google Drive? How much would you pay to have those returned to you? Hacking isn’t difficult to monetise, and that’s why you need a solid defence.

What makes a password stronger?

Above we mentioned the standard advice about making passwords more complex by including uppercase letters, special characters (exclamation marks, ampersands, etc.) and numbers, but what does that actually do?

It’s all mathematical. The more different possible password combinations there are, the harder it will be to get in. Take a combination lock, for instance. At some point we’ve all accidentally locked one of those and forgotten the combination. We start with ‘1-1-1’ then we try ‘1-1-2’ and work our way through all the possible combinations until the lock finally clicks open again. This is the same basic idea behind ‘brute-force hacking’. A program will try every possible combination in order to get into an account. With our combination lock there are three dials each with nine possible numbers. This means that there are 729 possible combinations, all the way from ‘1-1-1’ to ‘9-9-9’.

This can be calculated by taking the number of different possibilities per reel and raising it to the power of the number of reels.

There are nine possible digits per reel, and there are three reels. 9 to the power of 3 = 729. It would take the blink of an eye for a program to try 729 combinations, which is why we try to make passwords more complex.

By making a password longer, we increase the amount of possible combinations. If we add another reel to our combination lock the amount of possible combinations leaps to 6561. The same is true if we add special characters, uppercase characters, and numbers. Rather than just having numbers 0-9, we can add 26 lowercase letters, 26 uppercase letters, and 24 special characters. That takes us from nine possible digits, to 86 possible characters. If our password / combination is still only four characters long, there are now over 50 million possible combinations.
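The arithmetic above, carried through for the article’s own figures (nine digits per reel, three and four reels, and the 86-character set) as an added example that is not part of the original piece. The guess rate is an assumed input, not a figure from the article, and the “bits” column is the same keyspace expressed as a logarithm.

```python
from math import log2

# Character-set sizes from the article: nine digits per reel on the
# combination lock, and 10 digits + 26 lowercase + 26 uppercase + 24 symbols
# for a "complex" password (86 in total).
LOCK_REEL = 9
DIGITS = 10
COMPLEX = DIGITS + 26 + 26 + 24  # 86


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct combinations: possibilities per position raised
    to the power of the number of positions."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits: log2 of the keyspace."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time for a brute-force search that tries every combination
    at a fixed guess rate. The rate is an assumption supplied by the caller."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second (fast, unsalted hash)
    cases = [("lock, 3 reels", LOCK_REEL, 3),
             ("lock, 4 reels", LOCK_REEL, 4),
             ("86 chars, 4 long", COMPLEX, 4),
             ("86 chars, 12 long", COMPLEX, 12)]
    for label, n, k in cases:
        print(f"{label:18} {keyspace(n, k):>25,d} "
              f"{entropy_bits(n, k):6.1f} bits "
              f"{seconds_to_exhaust(n, k, rate):10.3g} s")
```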

Hackers will also use ‘dictionary attacks’ where the program they are using will try all the words in a dictionary as possible combinations. Humans like using passwords that mean something because they’re easier to remember, and so can be fairly predictable. Using special characters, different cases, and numbers, will increase protection against this kind of attack too.

A unique password is a strong password: if you use the same password for every account, a hacker only needs to crack one account to crack them all.

Techniques for generating passwords

Remembering otherwise meaningless passwords isn’t easy, but there are systems that are easy to remember. For example, to generate a secure but memorable password, you could use the name of your cat and remember the system you used to alter it.

For example, suppose your cat’s name is Raymond.

Firstly, substitute the letters that look like numbers:

O becomes 0 and A becomes 4.

Raymond becomes R4ym0nd.

Now change every letter to the letter that precedes it in the alphabet.

R becomes Q, y becomes x, etc.

R4ym0nd becomes Q4xl0mc.

All you need to remember is your cat’s name, and two simple steps. You can use this or come up with your own system, but I guarantee that having some kind of pattern or twisted logic to your password will make it far easier to remember.
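The two-step system above, written out as an added example (not code from the original article) so that both steps are applied mechanically to any name. Assumptions not stated in the article: the number substitution is case-insensitive (A/a become 4, O/o become 0), digits and other non-letters pass through the second step unchanged, and a letter with no predecessor wraps around (a to z), which in practice never arises because every a has already become 4.

```python
# Step 1 table: letters that look like numbers (assumed case-insensitive).
LOOKALIKES = {"o": "0", "a": "4"}


def substitute_lookalikes(name: str) -> str:
    """Step 1: replace letters that look like numbers; everything else is kept."""
    return "".join(LOOKALIKES.get(ch.lower(), ch) for ch in name)


def shift_back_one(word: str) -> str:
    """Step 2: replace every ASCII letter with the letter that precedes it,
    keeping its case. Digits and symbols pass through unchanged, and
    a/A wrap to z/Z (an assumption; the article does not cover this case)."""
    out = []
    for ch in word:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base - 1) % 26))
        else:
            out.append(ch)
    return "".join(out)


def cat_name_password(name: str) -> str:
    """Apply both steps in the article's order: substitute, then shift."""
    return shift_back_one(substitute_lookalikes(name))


if __name__ == "__main__":
    # Worked example from the article: Raymond -> R4ym0nd -> Q4xl0mc
    print(substitute_lookalikes("Raymond"))
    print(cat_name_password("Raymond"))
```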

Security versus convenience

Of course, this advice is all well and good, but the technology needs to be usable. Your average person can’t memorise 20 different complex 15-character passwords, even if they are using a cat’s name system. So what’s the happy middle ground between security and convenience?

There is such a thing as passwords that are too good. You don’t want your account to be so secure that even you can’t get in! This is something you need to consider seriously: what level of security is still practical for you? How many passwords or password systems can you remember? This will be different for every person, and it’s easy to understand why you might be enticed by an alternative…

Password generation services

Password management and generation services are becoming increasingly popular. These are pieces of software that look after all your passwords for you and, if asked to, will generate complex and secure passwords for your accounts. The sophistication of these applications varies, from those that merely store an encrypted copy of all your passwords on your computer, to those that store them online and require one master password for you to quickly and easily be granted access to all of your accounts from any computer.

There is an obvious advantage to this: the memory problem is solved and you need only remember one password. Password managers also often have their own additional security measures built in. For example, they have software to defend against phishing and keylogging.

There are also inevitable disadvantages to password managers. There is still, in a lot of password managers, the need for a master password, which could be compromised by all the traditional means of stealing a password. There is also the issue that all your eggs are in one basket – should the password manager become compromised, all of your accounts are also compromised. It has, however, been pointed out that this is the same attitude we take in the physical world. We put all of our money in a bank or a safe, and we put all the criminals in a prison; the point is that these places are particularly secure. Password managers are built to be particularly secure.

Password managers come in various flavours, usually with a combination of features. Here are some examples:

Desktop – A desktop password manager stores encrypted passwords on a local hard drive. Many services offer this as an option in addition to their cloud and online services. KeePass http://keepass.info/ is a well-respected open-source desktop password manager available on Windows, Mac, Android and iOS.

Portable – Portable desktop managers can be run from USB drives. This way you can carry your passwords around with you without having to be paranoid about the cloud. RoboForm2Go http://www.roboform.com/for-usb-roboform2go-windows is a portable version of the popular password manager that works with Internet Explorer and Firefox.

Web-based – These are online password managers where the passwords are stored on a website that can be accessed with a master password. Thycotic’s Secret Server is an example of this. http://thycotic.com/products/secret-server/

Cloud-based – The difference between cloud and web password managers is that cloud password managers require software to be installed on the machine being used. This makes it more secure, but less versatile. LastPass offers cloud, web, and desktop iterations of its password manager.


Are passwords the way forward?

As you can see, there are many good reasons to have secure passwords and many different ways to create and manage them. It’s all about finding the solution that best suits your needs. There are, however, alternative security solutions and we’re going to explore them in our next article.