Well, October is National Cyber Security Awareness Month, and to celebrate it I'm going to start a new series of posts about good practices on several security subjects. This week I'm starting with... passwords! A password is in fact the most valuable piece of data you own: it's your first (and in some cases your only) defense against evil users, so the stronger the password, the better for your own sake.

Let’s start with the recommendations:

1. The length of the password really matters:

I know what you are thinking: "my 6-character password is virtually safe". Think again! You may be vulnerable, and the solution could be easier than you think. Let's take a look at some data from Max Knoblauch at Mashable.com; his article "The 25 Worst Passwords of 2013" indicates that some of the most common, most easily cracked passwords are:

1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123

If we ignore the obvious combinations, what else do they have in common? They are short passwords! A dedicated desktop PC can generate billions of combinations per second, so a short password is a piece of cake, and a quick one. Let's see how much harder we can make a password to crack just by increasing its length, using the basic abc123 as the example. We are going to use https://howsecureismypassword.net, a good online service that measures how strong your password is and how much time a computer would take to crack it.

abc123 is a password that is very easy to guess

As you can see, the power of a PC can crack the abc123 password almost instantly.

abc123abc123 is stronger, but still not desirable

If you just set the password to "abc123abc123", a PC may take about 37 years to crack it.

In our example, abc123abc123, a 12-character password, represents 5 quintillion possible combinations. While it looks safer, it is still vulnerable, and that is where my next piece of advice comes in.

2. Do not use ordinary words in your passwords:

One of the most used mechanisms to crack passwords is the dictionary attack. This method tries every single word in a dictionary as the password. It sounds dumb, but there are plenty of users on the internet who use ordinary words as their password; look back at advice #1: one of the most cracked passwords was "qwerty", and guess what? qwerty is in the dictionary (http://www.thefreedictionary.com/QWERTY).

Don't take the word "dictionary" too lightly: the hacker is not going to use just a "Cambridge English Dictionary". He/she may use a full collection of random words plus previously leaked passwords, so "abc123" will be on their list, and depending on their algorithms "abc123abc123" won't be too hard to crack either.

3. Do not use the same password for all your online accounts

This is one of the most common mistakes. I know, there are too many online places to use, like banks, universities and social media, so we probably have 6 or 10 online accounts with the same password. What could go wrong? Have you ever heard about the "domino effect"? Think about it: imagine that you have the same password on Facebook, Google and PayPal, and for some reason Facebook is attacked and all the password data is exposed. A smart malicious user may take that data, get into your other accounts and do some... errr... evil stuff. Notice that our scenario started on a social media site and it will "damage" every other account you have with the same password. It sounds like a fairy tale, but this really happened in the past: according to the article "The domino effect of Gawker's poor password practices" by Roman Yudkin, a group of hackers exposed passwords from the Gawker site and took control of accounts on other sites like Twitter and LinkedIn; each hijacked account was then used to publish spam and malicious links.

I really do recommend making some effort to create a different password for each online account; that will prevent the "domino effect" and your other accounts will be unharmed. If you have a bad memory (just like me), then the next piece of advice may come in handy.

4. Use a password manager (optional but desirable)

Personally, I was quite skeptical about these tools, but they are quite useful. I used to keep an Excel file with every single password of my online accounts and I didn't notice how vulnerable it was (even with a password set on the file). After losing the file a few times, I ended up trying mSecure (available on all platforms). The tool is just amazing: it keeps your password data encrypted with 256-bit Blowfish encryption, and according to SplashData no data encrypted with Blowfish has been cracked (yet...).

There are several benefits to using this tool (and others like it):

  1. Every password can be stored in categories, so it is easy to find and use.
  2. It provides a password generator, so if you need a strong password you can just say how strong you want it.
  3. It can synchronize your password library between your devices (let's say your PC and your smartphone), and you can save a backup by sending the library file to Dropbox or your email (the file is encrypted).

msecure for iOS (old version)

msecure for Windows (old version)

These password managers are easy to use but come with one tricky potential problem: you need a password to unlock them, and if you forget it you may face some bad outcomes. One is a total lockout from the application for several minutes; the other is that you may trigger the self-destruct mechanism that some of these applications have, and all your password information will be gone for good. If you want to use these applications, memorize the master password by heart; I recommend a password that is not used anywhere online.

5. Pay attention to the Internet, a security breach may occur at any time:

This is not the time to panic, but as soon as you see an alert that some site has been hacked and you have an account there, change your password immediately or check for additional information from the site owners. If you have the same password in several places, you know what you have to do.

6. A strong password is not just a mix of letters and numbers

Dilbert Password Policy

It may sound like a joke, but creating a password with just letters and numbers won't make things harder for hackers. Source: Dilbert.com

Remember #1 about the length of the password? A longer password increases the time needed to crack it, but depending on the mix of characters it could still be vulnerable to dictionary attacks, so I recommend using special symbols like !@#$%^&*()_+[]{}'"?><,./ and mixing uppercase and lowercase letters, as follows (use these as a reference):

C%fKy$4u&3X2

J52_p#b%P5Qn

5!gmH4Od0$*G

2Mk5$1$e#VTd

According to howsecureismypassword.net, it would take approximately 344 thousand years to crack these passwords. They are certainly good passwords, but you need to complement them with the following recommendation.
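As an added illustration of points 1, 2 and 6 (example code written for this edit, not from the original post and not how howsecureismypassword.net computes its figures): the script below estimates the brute-force search space from the character classes a password uses, checks it against a wordlist, detects the abc123abc123 style of padding by repetition, and shows the kind of generator a password manager offers. Assumed, not from the article: the rate of 1e9 guesses per second, the 94-character alphabet (26 lowercase, 26 uppercase, 10 digits, 32 symbols), the 60-bit threshold for "strong", and the ten-entry wordlist, which is just the Mashable list standing in for a real leaked-password collection.

```python
import math
import secrets
import string

# Constructed stand-in for a real leaked-password wordlist: the ten entries
# quoted from the Mashable list in point 1. A real attacker list is far larger.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}

# Character classes used to estimate the brute-force search space (assumed model).
# string.punctuation is the 32 printable ASCII symbols, so a password that draws
# from all four classes forces the attacker to assume a 94-character alphabet.
CHARSETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    return sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over the inferred alphabet."""
    return alphabet_size(password) ** len(password)


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / guesses_per_second


def repeated_block(password: str):
    """Shortest block the password is built from by repetition, else None."""
    n = len(password)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and password[:size] * (n // size) == password:
            return password[:size]
    return None


def dictionary_hits(password: str, wordlist=COMMON_PASSWORDS) -> list:
    """Wordlist entries that equal the password, appear inside it, or are its repeated block."""
    lowered = password.lower()
    hits = {w for w in wordlist if w == lowered or (len(w) >= 4 and w in lowered)}
    block = repeated_block(lowered)
    if block in wordlist:
        hits.add(block)
    return sorted(hits)


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Combine the length estimate (points 1 and 6) with the dictionary check (point 2)."""
    hits = dictionary_hits(password)
    space = keyspace(password)
    bits = math.log2(space) if space else 0.0
    if hits:
        verdict = "weak: contains wordlist entry " + ", ".join(hits)
    elif bits < 60:          # assumed threshold for this example
        verdict = "weak: search space too small"
    else:
        verdict = "strong"
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "entropy_bits": round(bits, 1),
        "brute_force_seconds": brute_force_seconds(password, guesses_per_second),
        "dictionary_hits": hits,
        "verdict": verdict,
    }


def generate_password(length: int = 12) -> str:
    """Random password drawn from all four classes, as a manager's generator does."""
    alphabet = "".join("".join(sorted(chars)) for chars in CHARSETS.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if alphabet_size(candidate) == 94:   # reject until every class is present
            return candidate


if __name__ == "__main__":
    for pw in ["abc123", "abc123abc123", "C%fKy$4u&3X2", generate_password()]:
        print(pw, assess(pw))
```

Note that abc123abc123 has a 36^12 search space (about 4.7 quintillion, the figure the post rounds to 5 quintillion) yet is still reported weak, because its repeated block is on the wordlist; length only helps when the characters themselves are not guessable.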

 

7. Change your password periodically

"Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months." – Clifford Stoll

It could be every 3 or 6 months; the main idea is to be active and unpredictable. When changing your password, try to switch the length between two numbers; for example, I now have a 13-character password, next month I will use a 15-character password, after that 14 characters, and so on. By doing this you are unpredictable, and a hacker won't be able to find a pattern in your passwords in order to get into your accounts.

8. Don't handle your password security on public networks or on computers that you don't own

Unless you are visiting SSL sites, logging into insecure sites on a public network is too risky: insecure sites tend to receive your password as plain text, and you don't know whether you are accessing the internet directly or via a proxy server. A malicious user could be listening to all communications at the proxy server and grab your credentials; if you don't follow good practices with your passwords you could be dangerously exposed. Please take the time to read Jacob Penderworth's article "How to Keep Your Information Safe on Public Wi-Fi"; he provides some good tips for staying safe on public networks.

As part of this recommendation, do not use your passwords on computers that you don't own. The reason is simple: YOU DON'T KNOW THE STATUS OF THAT COMPUTER. Have you ever heard about keyloggers? This is the most common trick used by hackers. It could be software or a piece of hardware; as software, the keylogger captures every character you type on the keyboard and sends the information via email, or stores it locally for later use (yup, the owner of that computer could be your enemy). Cyber cafes are a good source of personal credentials: without the right maintenance, malicious users may install keyloggers on every terminal and start collecting information, which is why you shouldn't use PayPal or Amazon on such machines. I recommend using known machines for sensitive activities like banking or online purchases. Take a look at Casey Johnston's article "Thieves allegedly install keyloggers to capture credit cards at Nordstrom"; you will see how dangerous this threat is.

9. Complement your password with Two-Factor Authentication

Months ago I wrote a post about this subject for Google Gmail security. Two-factor authentication is like adding an extra force field to your account, and it is virtually too hard to crack: the mechanism provides a second passcode, meaning that a hacker needs more information to take over your account. The passcode must be generated every time you want to access your account and is used after your normal password, and the code expires automatically after use, so further sessions won't be able to reuse the same code.

Take some time to read my previous post about this subject; it shows you how to set it up on Google Gmail, and I'm sure you will agree with me that this mechanism is certainly useful.

 

10. Ask for additional security measures on online stores; you have the right to do that.

No matter how good your password security is, stores with dedicated servers and poor security are like a legion of knights without armor, with the vague hope of staying unharmed. These stores should provide enough security to earn your trust and keep your personal data safe, and you have the right to ask for it; it's your personal data and money, after all. There are a few questions the store owner should answer (if possible) before you plan to use his/her service:

  1. Does the store use an SSL certificate? An SSL certificate means that the communication between your PC and their server is encrypted.
  2. Is the SSL certificate issued by a trusted authority, or is it self-signed? A self-signed certificate is a cheap way to get SSL on a server, and most browsers warn about sites with self-signed certificates as risky sites, which certainly may lower the credibility of the store. You may want to read this article at GlobalSign; they enumerate other risks.
  3. How good is the SSL security on your site? You can check how secure it is by typing the URL into http://www.networking4all.com/en/support/tools/site+check/. If the report says there are potential vulnerabilities, ask for a security upgrade; if they don't comply, try to find another store and do not put your data at risk.

    Site report for amazon.com

    As you can see, amazon.com looks pretty safe to use

  4. Is the server physically accessible by anyone in your company? You must confirm that the dedicated server which stores your personal information is isolated from normal human contact: physical access must be restricted, and the server must be fully monitored with a good suite of antivirus, firewalls and a proper patching system to stay up to date with the latest fixes. If you find out that the server sits in the middle of an office without proper security, ask for improvements; otherwise you should really consider looking elsewhere.

A word of advice: if you want to start your own service, avoid shared hosting. While the option is by far the cheapest, it does not offer the means needed to ensure a good security level. Go for a dedicated server; you will be amazed by the level of control and privacy you will have.

 

Let’s spread these recommendations and let everyone know about good password practices.

Carlos Alberto Umanzor Arguedas

Web Developer at carlosumanzor.com
Web Developer, QA Engineer and Gamer Enthusiast, Developer of Linkcrawler and Father of a future computer ninja.