Why your passwords need to be long, complicated, different and changed often

In News and Events, Tech Tuesday


You often hear complaints these days about all the passwords we have to remember to live in an online world.

“It’s too hard to remember them all, I’m just going to use the same one for everything.”


Tips and tricks on how to set and remember passwords can be found everywhere – this is not another article of tips and tricks. This is about why some of the recommended techniques, the ones that seem to make life difficult, are in fact important.




Many people who lament the necessity for so many passwords, and for keeping passwords strong and complicated, tend to imagine that somewhere in a dark room in a far-off scary place there are evil hackers sitting at a computer screen, trying to enter as many passwords as they can in order to “crack” people’s bank accounts and steal money.


Unfortunately, things are a bit more clinical and certainly a lot less personal than that. Outside Hollywood, this is not really the threat – not the immediate one anyway. Your friends may have some fun on social media if they can guess your password, but the real threat comes from systematic, automated computerised attacks, which are not selective about who or where they strike and don’t discriminate about their victims.


The goal of these attacks is simply to find a weakness, then exploit it.


An automated process (sometimes called a “bot”) running on any computer that your computer connects to (be it a server at work or even a friend’s laptop) can potentially make millions and millions of attempts to access information on your computer, or on computers that store information about you, in a matter of seconds. It will use lists of known common passwords and combinations of letters and numbers that it derives. Once one works, it records that successful piece of information along with your account name, looks around for more useful information and moves on, with those credentials in mind, trying thousands of other accounts using its newly found account name / password combination.


Remember too that once an account has been compromised, much more information can be harvested, very quickly, depending on the nature of the account. Many basic websites will record address and phone number information – great for building up identity details which fetch good money on the black market. Heaven forbid some site stores your credit card information. Some may also store date of birth – more identity stealing gold! As the profile on you builds, other accounts become easier and easier to crack. Also, an identity can be built which has more value on the black market, the more information it contains.


So now that you’re sufficiently scared about all the horrible threats floating around us in cyberspace, understand one simple fact: following the much-touted basic password rules will help you avoid a huge percentage of these threats. (Keeping your Windows PCs up to date will also help a lot – see this article if you don’t know what I’m talking about!) Not only that, but following these rules will also help you avoid the knock-on effect should one account be compromised outside your control.


Bearing in mind what I said at the start, that the main threat here is not from a person like you or me sitting in a dark room trying to hack your Facebook password, but a process running on a computer that you have nothing to do with, making millions of attempts at some password on some account of yours, here are some simple rules that will help avoid the problems and contain the damage, and the rationale behind them.


1) Use letters, numbers and symbols (and it must be 8 characters or more)! Why?

We are all told it’s important to have long, complicated passwords with upper and lower case letters, numbers and symbols… but why? Not because it’s harder for the guy sitting next to you at work to guess! Following this rule makes it vastly harder for an automated process to “guess” your password by what is called “brute force”. Imagine adding one extra character to a 7-character-long password. Assuming you’ve chosen from the characters easily found on a keyboard (upper and lower case letters, numbers and symbols), there are, conservatively, 72 possibilities for each character.


Adding one character to the end increases the possible combinations of characters from 10,030,613,004,288 to 722,204,136,308,736. I don’t even know what those numbers are, I just copied them from my calculator, but they’re big. That’s 72 to the power of 7 vs 72 to the power of 8! And that’s assuming the process knows how many characters you’ve used; in actual fact, it will be more than that.
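As an added illustration (not part of the original article), the arithmetic above worked through for the article’s 72-symbol alphabet, including the case where the attacker does not know the length and so has to search every shorter length as well; the guess rate used in the demo is a constructed figure, not a measurement.

```python
# Added example, not from the original article: how the brute-force search
# space grows with length, using the article's conservative 72-symbol alphabet.
# The guess rate used in the demo is a constructed figure, not a measurement.


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Passwords of every length from 1 to `max_length`: what an attacker who
    does not know the length must search in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def growth_factor(alphabet_size: int, length: int) -> int:
    """How many times larger the search space gets by adding one character."""
    return keyspace(alphabet_size, length + 1) // keyspace(alphabet_size, length)


def days_to_exhaust(alphabet_size: int, length: int, guesses_per_second: int) -> float:
    """Worst-case time, in days, to try every password of the given length."""
    return keyspace(alphabet_size, length) / guesses_per_second / 86_400


if __name__ == "__main__":
    ALPHABET = 72             # upper/lower case letters, digits and symbols
    RATE = 1_000_000_000      # constructed: one billion guesses per second
    for n in (7, 8, 12):
        print(f"length {n:2d}: {keyspace(ALPHABET, n):>32,} passwords, "
              f"{days_to_exhaust(ALPHABET, n, RATE):,.1f} days at {RATE:,} guesses/s")
    extra = cumulative_keyspace(ALPHABET, 8) - keyspace(ALPHABET, 8)
    print(f"not knowing the length adds {extra:,} more passwords to search")
```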


2) Don’t re-use passwords (especially on email accounts)! Why?

If you use the same password everywhere, then a password lost or cracked in one place opens the whole kingdom! As I mentioned before, compromised credentials will be stored and added to the list of “things to try first” next time, so if you keep using the same password everywhere, it won’t take millions of tries, it might take dozens. And computers can do dozens of things mind-blowingly quickly.
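To show what the automated, non-selective attack described earlier, and the reuse problem it feeds on, looks like from the defender’s side, here is an added example that is not part of the original article: it scans constructed login records (the log format, thresholds, names and addresses are all assumptions) and flags a source that walks through many different accounts with only a try or two each, which is the pattern of a bot replaying credentials harvested elsewhere.

```python
# Added example, not from the original article. Log format, sample lines,
# addresses and thresholds are constructed for illustration.
import re
from collections import defaultdict

# Constructed format: "<timestamp> auth <OK|FAIL> user=<name> ip=<addr>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: 203.0.113.5 cycles through six accounts, one attempt
# each, and gets into one of them; 198.51.100.7 is a user who mistyped once.
SAMPLE_LOG = """\
2024-01-01T10:00:01 auth FAIL user=alice ip=203.0.113.5
2024-01-01T10:00:01 auth FAIL user=bob ip=203.0.113.5
2024-01-01T10:00:02 auth FAIL user=carol ip=203.0.113.5
2024-01-01T10:00:02 auth OK user=dave ip=203.0.113.5
2024-01-01T10:00:03 auth FAIL user=erin ip=203.0.113.5
2024-01-01T10:00:03 auth FAIL user=frank ip=203.0.113.5
2024-01-01T10:00:10 auth FAIL user=alice ip=198.51.100.7
2024-01-01T10:00:11 auth OK user=alice ip=198.51.100.7
"""


def parse_events(text):
    """Yield (ip, user, succeeded) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def profile_sources(text, min_accounts=5, max_tries_per_account=3):
    """Summarise logins per source address and flag the stuffing pattern:
    many distinct accounts, few attempts per account. Accounts that the
    flagged source logged into are the ones whose password was likely reused."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "hits": []})
    for ip, user, ok in parse_events(text):
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(user)
        if ok:
            s["hits"].append(user)
    report = {}
    for ip, s in stats.items():
        n_accounts = len(s["accounts"])
        per_account = s["attempts"] / n_accounts
        stuffing = n_accounts >= min_accounts and per_account < max_tries_per_account
        report[ip] = {"accounts": n_accounts, "attempts": s["attempts"],
                      "compromised": sorted(s["hits"]), "stuffing": stuffing}
    return report


if __name__ == "__main__":
    for ip, r in profile_sources(SAMPLE_LOG).items():
        print(ip, r)
```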



3) Change your password regularly! Why?

Because even lost or cracked passwords are useless once they’ve been changed, especially if you’re already following the rule above – not re-using it elsewhere.


4) Don’t write it down! Why? (not)

Take this one with a grain of salt. “Really, you’re telling me I can write down my password…” Well, I’m not recommending it, but I do concede that recording it is going to be necessary. And if you’re trying to secure something and you don’t have physical security in place, then you don’t really have any security, do you? What isn’t smart is writing it down on a post-it note stuck to your computer monitor. It’s obvious what it is and could be lost or copied very easily. Recording it in a secure place, away from prying eyes and unlikely to be recognisable by intruders, isn’t the greatest security threat in the world, especially if you follow the above rules: not re-using passwords and changing them regularly. (There will be some strong exceptions to this rule, particularly in workplaces dealing with securing other people’s private data.)


Now I can hear everyone screaming that different passwords for absolutely every account, changed every month, all 12 characters long and not recorded anywhere, just isn’t practical. I agree… sort of. But please, assess the sensitivity of what you’re protecting and keep the important passwords unique and strong. For example, your email, Facebook and LinkedIn accounts ought to be different. Just don’t make it easy!


One more thing: there are a few good software products out there to help with this. I can recommend KeePass. It’s a program that lets you record lots of information about all the accounts you have, including website addresses, notes, account names and passwords obviously, and even expiry dates for those passwords. It allows you to create a structured “filing system” grouping like accounts together. Android and iPhone KeePass apps are available too.


I have been able to share my password data in KeePass amongst all my various computers, laptops and devices by storing the secure, encrypted file in which it places all the information in Dropbox. That file is then shared across all my Dropbox devices and I can open it, using KeePass for Windows, or Android, or whatever, on whichever device I need it.
