Tips for Your Users: Passwords You Can Live With
If you haven't already heard, you should be writing down your passwords. Good password security practices don't dictate that you must remember everything. Why would you want to, and what is the best way to do this securely? These and other questions are answered in this article.
People have a tendency to pick horrible passwords. After all, it's something they know, and if they don't tell anyone, they reason, it must be secure. Long, long ago passwords based on names or dictionary words were shown to be trivial to guess, and automated password-guessing attempts run against exposed services all the time. Secrecy is not the same thing as unguessability.
Last week, I mentioned why it's important to change passwords frequently and disable old accounts. We also spent a great deal of time on the concept of publicly accessible authentication services. Every enterprise service exposed to the world is a vulnerability waiting to be exploited, or at the very least a target for password-guessing attacks. The importance of password strength cannot be stressed enough.
A strong password should contain letters, numbers, and symbols, because each character drawn from a larger alphabet adds more to the number of guesses an attacker must make: a character chosen from the 95 printable ASCII characters is worth about 6.6 bits, a lowercase letter only about 4.7. If you cannot use symbols, your password needs to be longer to get the same level of protection. If you can use only letters of the alphabet, you're talking about a 12-character lowercase password (or 10 characters of mixed case) to get the same unguessability as an 8-character password drawn from the full set of letters, numbers, and symbols. Length makes up for a small alphabet quickly, which is why a long all-letter passphrase is perfectly acceptable where symbols are not allowed.
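The comparison above is just arithmetic on alphabet size and length, so here it is as an added example (not code from the original column): a small calculator that converts a password's alphabet and length into bits of entropy, finds the length needed in another alphabet to reach the same strength, and turns that into cracking time at an assumed guess rate. The guess rates in the main block are assumptions for illustration, not measurements, and the entropy figures assume characters chosen uniformly at random; a human-chosen password has less.

```python
import math

# Alphabet sizes for the character classes a password policy distinguishes.
# 33 symbols is what remains of the 95 printable ASCII characters after
# removing 26 lowercase, 26 uppercase and 10 digits.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALPHABETS = {
    "lowercase letters": LOWER,
    "mixed-case letters": LOWER + UPPER,
    "letters and digits": LOWER + UPPER + DIGITS,
    "letters, digits and symbols": LOWER + UPPER + DIGITS + SYMBOLS,
}


def bits_of_entropy(length, alphabet_size):
    """Bits of entropy in a password of `length` characters, each chosen
    uniformly at random from an alphabet of `alphabet_size` characters.
    A human-chosen password has less, so treat this as an upper bound."""
    return length * math.log2(alphabet_size)


def equivalent_length(target_bits, alphabet_size):
    """Shortest password from `alphabet_size` that reaches `target_bits`.
    The small epsilon keeps floating-point noise from rounding 8.0 up to 9."""
    return math.ceil(target_bits / math.log2(alphabet_size) - 1e-9)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every password in a space of 2**bits at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def equivalents_of(length, alphabet_size):
    """Length needed in each alphabet to match `length` characters drawn
    from an alphabet of `alphabet_size`."""
    target = bits_of_entropy(length, alphabet_size)
    return {name: equivalent_length(target, size) for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    full = LOWER + UPPER + DIGITS + SYMBOLS
    print(f"8 characters from the full set: {bits_of_entropy(8, full):.1f} bits")
    for name, needed in equivalents_of(8, full).items():
        print(f"  {needed:2d} characters of {name}")
    # Assumed guess rates, not measured: an online service with lockouts
    # might allow on the order of 10 guesses/s; offline cracking of a fast
    # hash on a GPU runs in the billions per second.
    for rate in (10, 1e10):
        for length in (8, 12):
            yrs = years_to_exhaust(bits_of_entropy(length, LOWER), rate)
            print(f"  {length} lowercase letters at {rate:.0e} guesses/s: {yrs:.3g} years")
```

Running it shows why the "8 characters with symbols" and "12 lowercase letters" figures match (about 52.6 bits either way), and why the same 8 lowercase letters that survive for years against an online service with lockouts fall in seconds to an offline attack on a stolen hash.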
Contrary to the theme of this article, "write down your passwords," you probably do want at least one frequently used password that you can remember. A few simple guidelines will produce a password that is both strong and memorable.
First, think of a phrase, or a pair of words, that is easy to remember. Second, trim it down: a pair of words needs no trimming, but a long phrase is easily remembered by using the first letter of every word. Finally, replace some of the letters with numbers and symbols. For example, 'a' can become '@' and 'B' can be turned into a pipe symbol and a number: '|3'. Be aware that these particular substitutions are well known, and password-guessing tools apply them automatically to every dictionary word they try, so 'P@ssw0rd' is no better than 'Password'; the strength comes from the initials of a phrase not being a dictionary word in the first place, and the substitutions add only a little on top. Using this strategy, it's quite easy to create strong and memorable passwords; just ensure they are at least 8 to 10 characters long.
Above all, avoid repeated characters and sequences. You may think that 'q1w2e3r4' is a decent password, since it has both letters and numbers, but it's a keyboard pattern (the top two rows interleaved), and every password guesser in the world will try it.
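The phrase recipe and the patterns to avoid from the two paragraphs above, as an added example that is not code from the original column: a checker that flags dictionary words even after leet substitutions, keyboard walks including the interleaved 'q1w2e3r4' kind, runs of repeated characters, and straight sequences, alongside a helper that builds a password from a phrase the way the article describes. The word list is a constructed stand-in for a real cracking dictionary, the keyboard rows assume a QWERTY layout, and the thresholds (four-key walks, three repeats, ten characters minimum) are choices for illustration.

```python
import re

# Constructed, tiny stand-in for the wordlist a password-guessing tool loads.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "summer"}

# Substitutions every cracking rule set already tries, inverted so that
# normalising "P@ssw0rd" gives back "password". Multi-character keys are
# applied first so "|3" becomes "b" before the lone "3" would become "e".
LEET = {"|3": "b", "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

# Assumed QWERTY rows. A walk is four or more keys read along a row in
# either direction.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def phrase_to_password(phrase, subs=None):
    """The article's recipe: take the first letter of each word, then swap a
    few letters for symbols or digits (a -> @, b -> |3, o -> 0 by default)."""
    subs = subs or {"a": "@", "b": "|3", "o": "0"}
    initials = "".join(word[0] for word in phrase.split())
    return "".join(subs.get(ch.lower(), ch) for ch in initials)


def _normalize_leet(pw):
    s = pw.lower()
    for leet, plain in sorted(LEET.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(leet, plain)
    return s


def is_dictionary_word(pw):
    """True if undoing leet substitutions (with or without a trailing digit
    suffix) leaves a dictionary word: 'P@ssw0rd1' -> 'password'."""
    candidates = {_normalize_leet(pw), _normalize_leet(re.sub(r"\d+$", "", pw))}
    return any(c in DICTIONARY for c in candidates)


def is_keyboard_walk(pw, min_len=4):
    """Detect runs along a keyboard row. Stride 2 catches interleaved walks
    such as q1w2e3r4, which is 'qwer' and '1234' woven together."""
    s = pw.lower()
    for stride in (1, 2):
        for offset in range(stride):
            sub = s[offset::stride]
            for i in range(len(sub) - min_len + 1):
                chunk = sub[i:i + min_len]
                if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
                    return True
    return False


def has_sequence(pw, n=4):
    """n or more characters stepping by +1 or -1 in code point (abcd, zyxw)."""
    for i in range(len(pw) - n + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + n - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def has_repeat(pw, n=3):
    """The same character n or more times in a row (aaa, 111)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def check(pw, min_len=10):
    """Return the list of problems found; an empty list means it passed."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if is_dictionary_word(pw):
        problems.append("dictionary word")
    if is_keyboard_walk(pw):
        problems.append("keyboard pattern")
    if has_sequence(pw):
        problems.append("character sequence")
    if has_repeat(pw):
        problems.append("repeated character")
    return problems


if __name__ == "__main__":
    phrase = "The quick brown fox jumps over the lazy dog"
    for candidate in ("q1w2e3r4", "P@ssw0rd1", "aaabcde!", phrase_to_password(phrase)):
        print(f"{candidate!r:16} -> {check(candidate) or 'ok'}")
```

The dictionary check is the point of the caveat about substitutions: the checker undoes them with a dozen string replacements, and a cracker's rule engine does the same in the other direction, so 'P@ssw0rd1' is caught while the phrase-derived 'Tq|3fj0tld' passes because no wordlist contains the initials of a sentence.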
If a password is compromised these days, it's a fair bet that the attacker has a tremendous amount of access to your life, because people have a tendency to use the same password everywhere. It's sometimes difficult to get certain passwords accepted by various online services, and once a strong, memorable password is found, most people use it at their bank, for all their work computer accounts, and even at home.
It may not seem important, since an attacker would seem to need to know a lot about you to know where else those credentials work. Actually, it's trivial. People tend to use the same username everywhere, and in places they can't, they choose obvious alternatives. Let's say a personal computer at home was compromised and the attacker knows the password. It's easy to see from the browser which online bank the victim uses, and that account's username is probably the user's e-mail address or the same username as on the compromised computer. Access to e-mail also makes it easy to find out where a person works, and the mailbox is where the password-reset messages for every other account arrive. It all goes downhill from there.
This is why writing down many different passwords is acceptable. Paper is easy to secure. Someone close enough to you to get at that paper could compromise you without much difficulty anyway, but the majority of the time it's remote attackers who want to, and these anonymous attackers also do the most damage. Have different passwords for work, home, bank accounts, social networking sites, e-mail accounts, and anything else that's distinct and easily classifiable. Make them all very strong, and write them down. Identity theft and corporate intrusions often start with the weakest link, so you need to be sure that one compromised account cannot be used to gain access to other types of accounts.
The question, then, is how to store your passwords. First, let's clarify what "write it down" means. It does not mean keeping a list of passwords under the keyboard. Since most attackers are remote, that is probably fine in practice, but the underside of the keyboard is the first place anyone with physical access looks, and when someone finds the under-keyboard treasure chest, temptation can take over. So avoid that possibility altogether.
Here are some other things to avoid:
- writing usernames on your password sheet; you should remember the username
- writing down specifics about the account; e.g. write "bank" rather than the name of the bank
- forgetting about your password sheet
The last item is extremely important. If you keep this list of passwords in your wallet, never let it leave your control. If it is lost or stolen, immediately change every password on it, starting with e-mail, since the e-mail account can reset most of the others.
Password "safes" implemented in software are generally secure, in that they prevent other people from reading the data store. They do, however, rely on a single passphrase to unlock all passwords, so that master passphrase becomes a single point of failure. This is especially worrying in Web browsers, where unlocking the master password gives access to every stored username, password, and Web address; some browsers store saved passwords with no master password at all, protected only by your operating-system login, so any program running as you can read them. If you absolutely must use one, keep the software updated and use an extremely long master passphrase. Ideally, your passwords are not accessible to any computer: they are written down on that archaic stuff called paper, and you physically control them.
Hardware password keepers are another reasonably secure option. A few companies make a keychain device that displays your passwords on a tiny LCD after you enter a secret sequence of keys. These are generally secure, assuming the devices themselves and the software used to interact with them from your computer are implemented well. I find them all extremely annoying to use, but the option is there.
Companies should encourage all employees to carry a credit card-sized piece of paper with their passwords. I haven't talked about two-factor authentication, because the simple fact is that most sites don't do it. Some banks pretend to, but they simply ask for two passwords and call that two-factor; two things you know are still a single factor. There will always be weak links and insecure software, so the best you can do is keep many passwords, and make them all extremely strong.