Secure passwords guide
A password is a form of authentication represented by a string of characters that the user can easily provide, but it is hard to guess. In front of the registration form people use obvious passwords such as the names of their children or their house number in order not to forget them or simply because they can't come up with a better one. Their importance is often ignored - at least until the account gets hacked. This guide will show you how to choose secure passwords and still be able to remember them, you'll find links to software that might help and hopefully you'll be determined to change your passwords to more secure ones.
What makes a password strong?
The answer is length, complexity and randomness. The common way to crack passwords is by using a brute force attack. The attacker attempts to crack passwords by trying as many possibilities as time and processing resources permit. A related but much more efficient method is a dictionary attack. Words in one or more dictionaries and lists of common passwords are tested. A long password, composed from multiple types of characters in a random order will be hard to crack.
Guidelines for creating a good password:
To achieve such complexity while still being able to remember your password you can use mnemonics.
Example:
"My favorite song is Led Zeppelin - Stairway to Heaven". This phrase is easy to remember (especially if this is your favorite song). It is a phrase with a question and an answer. I can convert it to a password like this:
Test your passwords: Link 1, Link 2, Link 3.
Using your passwords safely. Software that you might need.
Making a good password is just the beginning. In the beginning I've mentioned dictionary attacks as being the most used method to crack passwords, however it is easier to steal passwords from unaware users and this is why you should exercise caution when using them.
Guidelines for using passwords securely:
Credit to MalwareTips.com
A password is a form of authentication represented by a string of characters that the user can easily provide, but it is hard to guess. In front of the registration form people use obvious passwords such as the names of their children or their house number in order not to forget them or simply because they can't come up with a better one. Their importance is often ignored - at least until the account gets hacked. This guide will show you how to choose secure passwords and still be able to remember them, you'll find links to software that might help and hopefully you'll be determined to change your passwords to more secure ones.
What makes a password strong?
The answer is length, complexity and randomness. The common way to crack passwords is by using a brute force attack. The attacker attempts to crack passwords by trying as many possibilities as time and processing resources permit. A related but much more efficient method is a dictionary attack. Words in one or more dictionaries and lists of common passwords are tested. A long password, composed from multiple types of characters in a random order will be hard to crack.
Guidelines for creating a good password:
- Minimum length of 8 characters. Actually the longer they are, the better. Length is the most important factor when it comes to strong passwords.
- Passwords should use all of the following four types of characters:
- Lowercase
- Uppercase
- Numbers
- Special characters such as !@#$%^&*(){}[]
- Don't use passwords that are based on personal information because it can be easily accessed or guessed.
- Do not use words from dictionaries (English or foreign), names or places.
- Even if you slightly misspell words, spelled them backwards or used 1337 speak your password is not secure.
- Do not use consecutive numbers or letters such as “1234” or “abcd”.
- Do not use adjacent keys on your keyboard such as “qwerty” or “asdf”.
- Do not repeat the same character in your password such as “aaaa” or “2222”.
To achieve such complexity while still being able to remember your password you can use mnemonics.
Example:
"My favorite song is Led Zeppelin - Stairway to Heaven". This phrase is easy to remember (especially if this is your favorite song). It is a phrase with a question and an answer. I can convert it to a password like this:
- Using the first letter of every word, while keeping cases and punctuation: MfsiLZ-StH
- Adding a special character between the question and the answer: Mfsi/LZ-StH
- Adding numbers to my password by converting L (the first letter in the answer) to 12 (L being the 12 letter in the English alphabet): Mfsi/12Z-StH
Test your passwords: Link 1, Link 2, Link 3.
Using your passwords safely. Software that you might need.
Making a good password is just the beginning. In the beginning I've mentioned dictionary attacks as being the most used method to crack passwords, however it is easier to steal passwords from unaware users and this is why you should exercise caution when using them.
Guidelines for using passwords securely:
- Don’t write down your passwords on paper or inside a non-encrypted file. Instead of using weak passwords, it might be better to use strong ones, even if you have to write them down. Fortunately you can do so in a secure way by using a password manager.
- Do not use the same password for all accounts such as additional email accounts or other log-ins you may have on the Internet. To keep track of all passwords you'll have to use a password manager. A password manager encrypts all your passwords using a single password that you’ll have to remember.
- Use a password manager (It should be obvious by now). I use LastPass browser plug-in (the free version). It offers support for all major browsers and the free version is sufficient for even the most demanding users. Furthermore it works as a cloud service - your passwords are sent encrypted and through a secure connection on their servers. As a result they are available everywhere, even on multiple devices. If you would rather use a stand-alone application instead of a plug-in, try KeyPass (open-source). It doesn’t include a cloud service (and some might appreciate that) but it offers a portable version that you can carry everywhere on a USB stick. Both can also be used to create strong passwords so next time when you’ll be facing a registration form you won’t have to spend time creating a strong password.
- Do not share your password with anyone. Anyone includes your friends and family. First of all, passwords are private and second you don't know if the person your are sharing the password with will take necessary precautions to safeguard it.
- Watch for attackers trying to trick you into revealing your passwords (phishing attacks). Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. Do not reply to phone calls or email messages requesting that you reveal your passwords. Legitimate websites or organizations will never ask you for your user name and password. To protect from malicious websites, I recommend using a browser add-on that warns you when you try to visit such a site: Web of Trust (all major browsers) / Norton Safe Web (Firefox and Internet Explorer).
- Be aware of when a password is sent securely across the Internet. Sites that begin with “https:/” rather than “http://” are secure for use of your password. Most sites offer https connection, but unfortunately they use http as default or fall-back to http immediately after the log-in. I recommend using a plug-in that enforces a secure https connection: HTTPS Everywhere (for Firefox and Chrome). NoScript for Firefox can also force https connections (Go to NoScript Options -> Advanced -> HTTPS).
- Secret questions are vulnerable to guessing attacks. Most websites offer this method as a way to recover your lost password. Choose answers that are hard to guess and if you fear you might forget them, use a password manager.
- Do not use the "remember my password" feature offered by many programs. These programs have varying degrees of security protecting your passwords. Some store the information in clear text in a file on your computer or with a weak encryption. Software tools that can retrieve passwords in all major browsers, instant messengers and e-mail clients are available.
Tip: Firefox can protect your passwords with a "master password". If you plan on letting it store your passwords you must enable this feature. Go to Tools > Options... > Security, check Use a master password. A window asking for the master password will pop-up. This password will be used to encrypt all your other passwords so make sure it is strong and remember it.
Note: Latest versions of most IM clients (ICQ version 6 and higher, Yahoo! IM version 7.5 and up, and all versions of Skype) do not save the password itself, but its hash that is used for authentication. Even so, if an attacker gets a hold of that file he can use it to log-in into your account.
- Keep your PC malware-free. Make sure the security software you are using is up-to-date and offers protection against key-loggers. A key-logger is a type of malicious software that runs on your computer logging every keystroke. If your security software doesn’t offer this kind of protection, I recommend installing Keyscrambler Personal (IE and Firefox add-on).
- Don’t type your passwords on someone else's computer. If possible, don't use someone else's computer that you don't trust to log-in to any website, especially to very sensitive websites such as your banking account. That PC might be infected with a key-logger or other types of malware that can steal your passwords. Public PC-s are highly insecure, it is best to avoid them altogether but if this is not possible consider using multiple factor authentication. For example, Google users can opt in to the Google Authenticator service. When you log in from a device that is not trusted, you will be asked for your password (something you know) and a code, provided by Google via your phone (using an app or a simple SMS) (something you have). This way, even if your password is compromised, no one will be able to log in into your account without your phone.
- Secure your wireless connection. Using a non-encrypted wireless connection or a WEP encrypted one (WEP is flawed by design and easily breakable) exposes you to a man-in-the-middle attack. An attacker can easily connect to your network, intercept transmitted packets and possibly steal your passwords or hijack your session. Use WPA2 or WPA encryption (if you own devices that can’t use WPA2) with a strong pass-phrase to protect your wireless connection. Be aware that most public hot-spots don’t offer a secure wireless connection.
- Change passwords immediately when they are compromised. Even if you have the slightest doubt that one of your password was stolen, change it immediately.
- Change your passwords regularly. Changing you passwords twice a year ensures you that a persistent attacker won't have enough time to brake them by using brute-force.
Credit to MalwareTips.com