Use Strong Passwords; Write Them Down or Use an Encrypted Password Database. Consider Using Two-Factor Authentication Instead of Passwords.
Why bother doing this? First, hackers can instantly get just about anyone's human-generated password of fewer than 8 characters with widely available shareware cracking tools: even the most rudimentary of these tools now contain 99% of the English alphanumeric password combinations (Source: Mandylion Research Labs). Second, badly chosen passwords can significantly reduce the amount of time it takes for hackers with up-to-date programs to guess them: c|net reported that it can take less than a minute for hackers to crack most passwords, since so many users share the same habits when it comes to choosing them. Third, a truly strong password is just too difficult for most of us to remember. So we convince ourselves either that our password is so "clever" that no one can break or guess it, that what we are protecting has little value, or that we're so insignificant no one would bother to target our computer.
There's a lot of information about passwords on this page: please don't be intimidated. Some of the information you may already know, or you may feel it is restating the obvious, but it could just be the first time someone else has ever seen that bit of advice.
For more than 20 years, most authorities have advised that passwords should be hard to guess but should never be written down. Recently (May 2005), a Microsoft security expert made the news when he advised people to write down their complex passwords rather than try to remember a simple one. This advice has been echoed by other security experts: Bill Schneier, the Founder and CTO of Counterpane Internet Security, in his July 15th Crypto-Gram Newsletter; and in a personal communication with Joe Grajewski, the President of Mandylion Research Labs.
"Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet... writing down your impossible-to-memorize password is more secure than making your password easy to memorize." (emphasis mine)
Bill Schneier
So, I'm going to throw in my lot with these experts and recommend that you create a strong password, write it down on a slip of paper, and apply a bit of disguise, like changing 1 or 2 characters and writing something unrelated on the note. Don't include your user ID on the same piece of paper, and keep it handy in your wallet or purse.
What's the downside of using a long randomly generated password and writing it down? You could forget to put it back in your wallet or purse and leave your passwords exposed on your desk, but as Bill Schneier says, most of us are pretty good at securing small pieces of paper.
Don't reveal your password to anyone: many security attacks are possible simply because someone revealed their password. Never share your password with anyone, even someone who claims to be with the technical support group for your internet service provider or bank: if they are following accepted industry best practices, they should NOT ask you for your password. If someone claiming to be a system administrator does ask for your password, it is more likely to be an attempt to gain unauthorized access to your account through a process called "social engineering". Social engineers exploit the natural tendency of a person to want to be seen as helpful and to trust that someone is telling the truth. A recent survey by Infosecurity Europe 2004 revealed that 71 percent of employees were willing to give out their password for a chocolate bar.
Don't leave your password anywhere near your computer. If you feel that you need to keep a written or electronic record of your passwords, it would not be advisable to keep it on your computer in a file called "Passwords", or on a Post-it™ note stuck on the side of your computer display. You might consider storing your current strong password on an inexpensive USB flash drive that supports encrypted partitions, such as Imation Swivel Flash drives or Sony Micro Vault™ Storage Media. Keep the flash drive in a secured location at your home, or place a printed copy of the password list in your office or home fire safe. This creates an "air gap" between the passwords and the places where they can be used (your computer and the internet).
Passwords should contain at least 8 characters using a mixture of upper case, lower case, numbers and other symbols: the more characters the better, because longer passwords require more time to crack using brute force methods. Avoid using any common word in which you have simply replaced letters with numbers or symbols that look like the letters, such as M1cr0$0ft or P@ssw0rd. These substitutions are well known to hackers and already built into their password cracking tools.
Some web sites or online services impose a maximum limit on the number or types of characters you can use in a password. If you must use such sites, I recommend that you contact the customer support department for that company, ask to speak with the supervisor, and explain your concern about password security to them. Urge them to escalate this issue within their company so that longer and more secure passwords can be used. If you don't feel like they are taking your concerns seriously, ask to speak to a more senior supervisor, or to the company's Privacy Officer, explaining that they may be putting their company's positive public image at risk.
Passwords should not be words found in any dictionary in any language. Many password cracking tools now contain pre-computed tables of trillions of password hashes (the industry-standard encoded form of a password that is sent through the network to the authentication server), and the potential encryption "seeds" (salts) used to encode passwords are finite and commonly known to hackers.
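As an added illustration of why those pre-computed tables work and how a server-side defence breaks them (example code written for this edit, not something from the page or from any product it mentions): the weak scheme stores a bare SHA-1 of the password, so two users with the same password get the same digest and a single table lookup recovers both; the hardened scheme stores a random per-user salt and a PBKDF2 digest, so the table is useless and every guess costs the attacker a full key derivation. The round count, the tiny stand-in "table" and the sample passwords are constructed for the demonstration; only the Python 3 standard library is used.

```python
"""Added example: bare hashes versus salted, stretched hashes.
Round count, sample passwords and the stand-in 'table' are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000   # assumption: raise as hardware allows; each round costs the attacker too


def unsalted_digest(password: str) -> str:
    """Weak scheme: a bare SHA-1, exactly what a precomputed table is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(candidates) -> Dict[str, str]:
    """Constructed stand-in for a cracker's table: digest -> password, built once, reused forever."""
    return {unsalted_digest(p): p for p in candidates}


def lookup_unsalted(table: Dict[str, str], digest: str) -> Optional[str]:
    """One dictionary lookup recovers the password if its digest is in the table."""
    return table.get(digest)


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened scheme: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256 stretching."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "digest": digest.hex()}


def verify_record(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest.hex(), record["digest"])


if __name__ == "__main__":
    table = precomputed_table(["password", "P@ssw0rd", "M1cr0$0ft", "letmein"])  # constructed
    print("table hit:", lookup_unsalted(table, unsalted_digest("P@ssw0rd")))
    alice, bob = make_record("P@ssw0rd"), make_record("P@ssw0rd")
    print("same password, different stored digests:", alice["digest"] != bob["digest"])
    print("login ok:", verify_record(alice, "P@ssw0rd"), "wrong case:", verify_record(alice, "p@ssw0rd"))
```

The salt is stored next to the digest in clear; it is not a secret, it only forces the attacker to redo the work per user instead of once per table.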
Passwords should not use consecutive letters or numbers, or letters in the order they appear on your keyboard: lmnopqrs, 12345678, qwertyuiop, qazxcdew, and similar sequences are all well known to password hackers.
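The rules in the last few paragraphs (minimum length and character mix, no look-alike substitutions of dictionary words, no alphabetical, numeric or keyboard sequences) can be turned into a checker that a sign-up form or password-change dialog runs before accepting a password. The following is an added example written for this page, not code from the page or from any cracking tool; the word list, the leet-substitution table, the simplified QWERTY layout and the run length of 4 that triggers a finding are constructed assumptions, and a real deployment would load a full dictionary.

```python
"""Added example: a password checker applying the page's rules.
Word list, leet table, keyboard layout and thresholds are constructed assumptions."""
import math
import re
import string
from typing import Callable, List

# Constructed mini word list; a real deployment loads a full dictionary (assumption).
WORDLIST = {"password", "microsoft", "secret", "welcome", "dragon", "letmein", "monkey"}

# Look-alike substitutions that cracking tools already undo before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "8": "b", "@": "a", "$": "s", "!": "i", "|": "l"})

# Simplified US QWERTY layout: (row, column) per key, used to spot keyboard walks.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}

MIN_LENGTH = 8   # "at least 8 characters"
MAX_RUN = 3      # runs of 4 or more sequential or adjacent keys are flagged (assumption)


def keys_adjacent(a: str, b: str) -> bool:
    """True when b is one of a's neighbouring keys (horizontally, vertically or diagonally)."""
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def longest_run(s: str, related: Callable[[str, str], bool]) -> int:
    """Length of the longest stretch in which every pair of neighbours satisfies `related`."""
    best = cur = 1 if s else 0
    for a, b in zip(s, s[1:]):
        cur = cur + 1 if related(a, b) else 1
        best = max(best, cur)
    return best


def sequential_run(pw: str) -> int:
    """Longest ascending or descending run such as 'lmnopqrs' or '87654321'."""
    s = pw.lower()
    return max(longest_run(s, lambda a, b: ord(b) - ord(a) == 1),
               longest_run(s, lambda a, b: ord(a) - ord(b) == 1))


def keyboard_walk(pw: str) -> int:
    """Longest run of adjacent keys such as 'qwertyuiop' or 'qazxcdew'."""
    return longest_run(pw.lower(), keys_adjacent)


def dictionary_hit(pw: str) -> bool:
    """Undo leet substitutions, keep the letters, and look for a dictionary word inside."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return any(w in letters for w in WORDLIST if len(w) >= 4)


def entropy_bits(pw: str) -> float:
    """Brute-force work estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def check_password(pw: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    issues = []
    present = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if len(pw) < MIN_LENGTH:
        issues.append("too_short")
    if not all(present):
        issues.append("missing_character_class")
    if dictionary_hit(pw):
        issues.append("dictionary_word")
    if sequential_run(pw) > MAX_RUN:
        issues.append("sequential_run")
    if keyboard_walk(pw) > MAX_RUN:
        issues.append("keyboard_walk")
    return issues


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "M1cr0$0ft", "qazxcdew", "12345678", "i2A%7L6W+_5h8F~9h5"):
        print(f"{candidate:22} {entropy_bits(candidate):5.1f} bits  {check_password(candidate)}")
```

The entropy figure is only an upper bound on brute-force work; a password that fails the dictionary or sequence checks is far weaker than its length suggests, which is exactly why the checker reports those findings separately.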
Passwords should not be easily guessed or associated with you:
- Avoid using names of your children, spouse, or pet
- Avoid using names of your favorite sports, teams, musicians, or TV programs
- Never use birth or anniversary dates
Passwords should be changed at least every 3 months. Do not continue to use a default password that came with the installation CD for your Internet Service Provider: even though it looks complex yet easy to remember, the same password may have been packaged inside several installation CD kits.
A relatively strong password can be created by combining a memorable 6 or 8 word phrase with a four- or seven-digit PIN from a random number generator that you commit to memory. (The use of the Random.org number generator assumes that a hacker is not already sniffing traffic on your network.) CAUTION: DON'T use your ATM PIN for this! Use at least one uppercase letter somewhere in the resulting string of characters, and add or substitute at least one symbol, avoiding the "obvious" first or last positions. Since it started out as a phrase or saying, you should remember it more easily than a completely random set of letters, numbers and symbols. Since your PIN has the same number of digits as a phone number, you'll be able to use the same "3 plus 4 rhythm" of a local phone number and may actually remember it more easily than shorter or longer strings of digits.
Password creation example:
The phrase "it's a long walk home from here" becomes i a l w h f h
The randomly generated PIN or "phone number" might be 276-5895
Combined, they become:
i a l w h f h 2 7 6 5 8 9 5 or
2 7 6 5 8 9 5 i a l w h f h
Alternatively, interleave the letters and numbers:
i 2 a 7 l 6 w 5 h 8 f 9 h 5
Capitalize several but not all of the characters:
i a L w H F h 2 7 6 5 8 9 5 or
2 7 6 5 8 9 5 I A L w H f h or
i 2 A 7 L 6 W 5 h 8 F 9 h 5
Add or substitute symbols (occasionally you may find a site that will not allow you to use all possible symbols: they may be using some symbols as an internal field delimiter, or a combination of characters in your password is a unicode sequence):
i a L w - H F h ! 2 7 6 ) 5 8 9 5 & or
i 2 A % 7 L 6 W + _ 5 h 8 F ~ 9 h 5
The passwords resulting from this scheme are not truly random, but they are relatively long and have some pseudo-randomness from the inclusion of the randomly generated digit string. Try not to put all of the special and upper-case characters at the start or end, since password cracking tools may try those locations first when attempting to decode your password.
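The scheme just described, implemented as an added example (not the page's own code): take the initials of the phrase, interleave them with a freshly generated PIN, upper-case some but not all of the letters, and insert symbols only at interior positions so the ends stay plain. The symbol set, the counts of capitals and symbols, and the use of the operating system's random source in place of Random.org are assumptions; the phrase and PIN from the page are used in the demonstration run.

```python
"""Added example: phrase initials + random PIN -> interleave -> capitalize some -> add symbols.
Symbol set and counts are assumptions; the phrase and PIN come from the page's own example."""
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+~"   # assumption: many sites restrict symbols, see the text above


def initials(phrase: str) -> str:
    """'it's a long walk home from here' -> 'ialwhfh' (first letter of each word)."""
    return "".join(w[0].lower() for w in phrase.split() if w[0].isalpha())


def random_pin(digits: int = 7, rng=None) -> str:
    """A fresh random PIN from the OS random source; never reuse an ATM PIN here."""
    rng = rng or secrets.SystemRandom()
    return "".join(str(rng.randrange(10)) for _ in range(digits))


def interleave(letters: str, digits: str) -> str:
    """'ialwhfh' + '2765895' -> 'i2a7l6w5h8f9h5' (alternate, starting with a letter)."""
    out = []
    for i in range(max(len(letters), len(digits))):
        if i < len(letters):
            out.append(letters[i])
        if i < len(digits):
            out.append(digits[i])
    return "".join(out)


def capitalize_some(s: str, count: int, rng) -> str:
    """Upper-case `count` of the letters, always leaving at least one lower-case."""
    letter_idx = [i for i, c in enumerate(s) if c.isalpha()]
    chosen = set(rng.sample(letter_idx, min(count, max(len(letter_idx) - 1, 0))))
    return "".join(c.upper() if i in chosen else c for i, c in enumerate(s))


def add_symbols(s: str, count: int, rng) -> str:
    """Insert `count` symbols at interior positions only: never first or last."""
    chars = list(s)
    for _ in range(count):
        pos = rng.randrange(1, len(chars))   # insertion index 1..len-1 keeps both ends plain
        chars.insert(pos, rng.choice(SYMBOLS))
    return "".join(chars)


def build_password(phrase: str, pin: str = None, rng=None, caps: int = 3, symbols: int = 2) -> str:
    """Run the whole scheme; pass a seeded rng only for reproducible demonstrations."""
    rng = rng or secrets.SystemRandom()
    pin = pin or random_pin(7, rng)
    core = interleave(initials(phrase), pin)
    return add_symbols(capitalize_some(core, caps, rng), symbols, rng)


if __name__ == "__main__":
    phrase = "it's a long walk home from here"          # from the page's example
    print(initials(phrase), interleave(initials(phrase), "2765895"))
    print(build_password(phrase, pin="2765895"))           # page's PIN, random caps/symbols
    print(build_password(phrase))                          # fresh PIN as well
```

Because the capital and symbol positions are drawn from the random source each run, two people using the same phrase still end up with different passwords; what they must memorize is the phrase, the PIN and where they put the capitals and symbols.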
If you prefer to maintain unique password and logon ID pairs, you may wish to consider the use of an encrypted password database, such as Password Safe (version 2.11), a free Windows utility designed by Bruce Schneier, the creator of the Blowfish encryption algorithm. The program's security has been thoroughly verified by Counterpane Labs. An older (but fully functional) version is available for PocketPC, and work has started on porting PasswordSafe 2.x to PocketPC platforms.
What's the downside of using an encrypted database to store your strong passwords? Conceivably, someone could find and exploit a vulnerability in Bruce Schneier's Password Safe or a similar program, but I believe that he and the rest of the SourceForge project supporting Password Safe are as dedicated to maintaining the integrity of this program and the security of the Blowfish encryption algorithm as any commercial security software company.
As you can see from the example password above, creating a strong password can be done, but the result will require either committing the password to paper or else significant effort to remember it. Security is always a trade-off between convenience and the risk of events that result from not being inconvenienced.
If you feel that the inconvenience of creating and remembering a strong password is too much, or that the risk of losing the written copy of your strong password is unacceptable, you may prefer to invest in a biometric or 2-factor authentication system. Some new notebooks even have an integrated fingerprint scanner that restricts unauthorized access to the computer: HP Introduces nx6125 Biometric Laptop. Five models available online from CDW include the 2.0GHz AMD Turion 64 ML-37 based PZ118UA#ABA and PZ092UA#ABA, the 1.8GHz AMD Turion 64 ML-34 based PZ222UA#ABA, the 1.6GHz AMD Turion 64 ML-30 based PZ221UA#ABA, and the 1.6GHz AMD Turion 64 MT-28 based PZ220UA#ABA.
I am currently researching affordable biometric and 2-factor solutions for computer log-on, VPN, and other kinds of authentication where passwords have traditionally been used. I will be updating this section with product recommendations in the future. (A password is an example of 1-factor authentication: something you know which is needed to grant access. In contrast, 2-factor authentication involves something you know (your logon ID and a multi-digit PIN) plus something you have (like your fingerprint, or a one-time numeric code which is periodically generated by a device called a token): knowing or having just one factor but not the other will prevent a successful break-in.)
Sony Puppy FIU-810 combines solid-state capacitive (non-optical) fingerprint recognition technology with a 62MB portable flash memory drive in a convenient form factor. It can be ordered online from sites like Dell, Buy.com, and PC Mall for approximately $160.
LaCie 40GB & 80GB SAFE Mobile Hard Drives utilize solid-state TouchStrip Fingerprint Authentication technology from UPEK, Inc. in a compact form factor USB 2.0 drive which supports both Mac OS X (10.2 or higher) and Windows 2000/XP. The device can be configured for 5 user profiles and 10 fingerprints. Active capacitance fingerprint recognition technology is not subject to image problems that can affect optical recognition systems. List prices for the recently introduced drives range between $149 & $199 depending on capacity.
SwivelSecure offers some unique advantages in the 2-factor authentication field by using a tokenless approach. A token is a device that generates one-time codes that are combined with a PIN you have memorized to create the equivalent of a logon password, but one that changes each time you log in. When I supported large enterprise networks, I frequently had to use a physical token to gain access to network devices. One of the biggest costs and headaches associated with a physical token is when the display breaks or the token expires (many brands are valid for only a few years before a new token has to be purchased). SwivelSecure's PINsafe tokenless two-factor authentication solution eliminates the need for a separate token: instead, you can use several types of devices that you may already own, including your cell phone! Check back soon for more info.
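To make the "something you have" factor from the two preceding paragraphs concrete, here is an added example (written for this edit; not SwivelSecure's, PINsafe's or any other vendor's code) of how a token-generated one-time code and a memorized PIN are checked together on the server side. The code generator follows the HMAC-based one-time password construction of RFC 4226, with the counter derived from a 30-second time step as in RFC 6238; the shared secret, the PIN and the timestamps are constructed for the demonstration, and the drift window of one step either side is an assumption.

```python
"""Added example: HMAC-based one-time codes (RFC 4226 / RFC 6238) verified together with a PIN.
Secret, PIN, timestamps and the drift window are constructed assumptions."""
import hashlib
import hmac
import os
import time

STEP_SECONDS = 30      # time step of a TOTP token (RFC 6238 default)
PIN_ROUNDS = 100_000   # assumption: PBKDF2 rounds for the stored PIN


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """What the token displays: HOTP with the counter taken from the clock."""
    return hotp(secret, int(at_time) // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side (clock drift).
    Every candidate is compared in constant time and none is skipped early."""
    counter = int(at_time) // STEP_SECONDS
    matched = False
    for delta in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
    return matched


def pin_record(pin: str, salt: bytes = None) -> dict:
    """Store the memorized PIN salted and stretched, never in clear."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "digest": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ROUNDS)}


def verify_two_factor(record: dict, submitted_pin: str, secret: bytes,
                      submitted_code: str, at_time: float) -> bool:
    """Something you know (PIN) AND something you have (the token's code).
    Both checks always run, so a failure does not reveal which factor was wrong."""
    digest = hashlib.pbkdf2_hmac("sha256", submitted_pin.encode(), record["salt"], PIN_ROUNDS)
    pin_ok = hmac.compare_digest(digest, record["digest"])
    code_ok = verify_totp(secret, submitted_code, at_time)
    return pin_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"      # constructed shared secret (the RFC test vector)
    record = pin_record("2765895")        # constructed PIN, same digits as the page's example
    now = time.time()
    code = totp(secret, now)               # what the user reads off the token right now
    print("token shows", code)
    print("both factors:", verify_two_factor(record, "2765895", secret, code, now))
    print("wrong PIN   :", verify_two_factor(record, "1234567", secret, code, now))
    print("stale code  :", verify_two_factor(record, "2765895", secret, totp(secret, now - 120), now))
```

Because the code changes every step and the server only accepts a narrow window around its own clock, a code that is written down or overheard is worthless a minute later, which is the property that makes a stolen PIN alone insufficient.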