You are here

Managing Your Passwords

In 2009, another blogger posted an article on password problems that suggests 10 hard-to-follow rules.

The author highlights an important problem: attackers can do systematic trial-and-error guessing attacks against on-line sites. She focuses on a Google Gmail problem recently reported on Full Disclosure.

Here's the point: use strong protection on high-value targets. Take the time to protect your major e-mail account, your financial resources, and anything else you really value. If you're going to slack off, do it when registering to post a one-off blog comment.

Let me take a stab at my own list of recommendations.

Use strong passwords to protect high-value targets.

The easiest way to create a strong password is to pick up a book. Open the book to a random page. Pick a word off that page. Now, pick a different page. Pick another word. Pick a digit, punctuation character, or other special character. Put it between the two words. If you pick longer words, you have a stronger password. If you choose words from "Make Way For Ducklings" the password won't be quite so strong. But it's going to beat "aaaaa" every time.

If the system puts constraints on passwords, change the password to comply. You can capitalize one of the words, add or remove punctuation, or stick in a digit as required.

Such passwords can easily resist one in a million attacks. Longer passwords can resist billions or tens of billions of attempts. If you need something better (and sometimes you do) then randomly choose letters and throw in some digits and punctuation.

Hacker tip: Avoid 7-character chunks

This problem is slooowly going away, but it crops up occasionally. Back in the dark days of the 1990s, Microsoft "protected" passwords with a poorly designed mechanism called "LANMAN hashing." The mechanism protected passwords in 7-character chunks. Password hacking programs exploit this by checking passwords 7 characters at a time.

If the first - or second - or third - 7 characters of your password form a word or some other easily recognizable chunk, then the cracking programs can easily find that part of your password. For example, I used to have this password:


The cracking software didn't retrieve the ";balsam" part but it retrieved the "2" at the end.


If you can't instantly memorize the password, write it down.

Most of us can't instantly memorize a strong password. If the biggest risks are on the Internet, your safest bet is to pick stronger passwords and write them down.

In some work environments, this might not be an option. For example, if you work in certain defense programs, it may be borderline illegal to keep copies of passwords. Check with your security officer.


Protect your written-down passwords

This should be obvious, but it's worth pointing out. If you store them on your smart phone, be sure they are protected if your phone is borrowed or stolen. My password storage software uses a separate password and applies its own encryption. That, of course, needs to be a strong password.

Occasionally we need to leave passwords in essentially unprotected locations. For example, my web site software insist that I embed a password in each site's configuration file. Be sure that you keep those files under control. Anyone who grabs those files can build back doors into your web sites.


Don't use passwords in unsafe situations

This is tough for most people - how do you identify unsafe situations? Here are some common places where you should not type in passwords:

  • Computers in Internet cafes, unless you would trust the owner with your money.
  • Computers that might have viruses or spyware. If you don't trust the computer's owner to keep a computer safe from viruses, and you wouldn't trust them with your money, then don't type your password into their computer.
  • Using unencrypted WiFi networks to log in to Web sites, unless the site uses "https:". Even then, pay attention to warning messages from your browser: if you're visiting an https site and some data is unprotected, the browser will usually warn you.
  • Passwords in unprotected files that others might find. This is a case where you want to use built-in encryption, if your system provides it. Unfortunately, Windows only provides it on Business and Ultimate versions. You can get other encryption packages, but they're often less convenient.
  • Web sites that you bring up by clicking an e-mail link. The link and site might look legitimate, but it's safer to find the site yourself.

Now, this can be a bit of a burden - what if you really, really need to visit a site even though things are risky? You have to decide if the risk is worth the reward. And afterward, you should change your password if you don't want to be hacked.

This, incidentally, is why you want to use different passwords for different sites, or at least for different kinds of sites. If you leak your "post comments on silly blog" password, that might not matter unless you use the same password for your banking site.

Remember: your main e-mail account is a high value target. Most web sites use your e-mail address to reset your password. If an attacker can read your e-mail, the attacker can reset your password and crack into other accounts.


Change your passwords if you think they leaked

Recently I foolishly handed over a portable hard drive that contained my "crown jewels" - configuration files for my web sites. I don't know for sure that the temporary custodian was untrustworthy, but my drive was out of sight for too, too long.

I've just finished the process of changing database passwords - annoying!

It's less annoying to change the passwords than to have someone install a back door in your blog site.

Post category: 

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer