Tag Archives: Passwords

Another Perspective on Passwords

The standard advice for creating passwords has long been this: use a long string of completely random letters (upper- and lowercase), numbers and special symbols. Make it so long and complex that nobody is able to guess (or remember) it, and it would take a computer billions of years to crack.

But recently a different perspective has emerged: what if those passwords were still long enough to foil a brute-force, script-based hacking attempt for long enough to make the attempt non-worthwhile, but made of words you might actually be able to recall without logging into your password manager app or plugin? What if you used something like a string of four random words?

Let’s look into a few options. I’ll be using the website How Secure Is My Password? to compare. Results on the site are given in the form of “It would take a computer about [length of time] to crack your password” (or “Your password would be cracked INSTANTLY” if you put in a real clunker like “abc123” or “password”). The results from this site are simply an estimate (not a guarantee), but it is useful in determining whether a password is lousy, decent, or excellent.

First, an example of the old random-string-of-characters method:

84xNMat88xy4TkVTE^5!UQty: 1 OCTILLION YEARS

Yeah. That is an unfathomably long time. Written out, that’s 1,000,000,000,000,000,000 years. If the universe is 13.82 billion years old, it would take a computer almost 72.5 million TIMES that long to crack your password.

In other words, that’s a very strong password. But now try to memorize it.

Now let’s try a string of four random words (“wheel,” “grout,” “oyster” and “button”), no spaces, all lowercase:

wheelgroutoysterbutton: 11 TRILLION YEARS

Now, technically, that’s not as secure as 1 octillion years. But on a practical level, we’re still in “might as well be forever” territory. You’re going to be pretty well-protected against a script-based hacking attempt.

What if we add a number, or a number and a symbol, or capitalized the words, or added dashes or spaces (not all online accounts allow this) between the words?

wheelgroutoysterbutton7: 494 QUADRILLION YEARS
wheelgroutoysterbutton7%: 76 SEXTILLION YEARS
WheelGroutOysterButton: 45 QUINTILLION YEARS
wheel-grout-oyster-button: 17 SEXTILLION YEARS
wheel grout oyster button: 169 SEXTILLION YEARS

They’re all fine options, and you’ve actually got a fighting chance of remembering them if needed, and an even better chance of actually typing them correctly if your password manager app/plugin isn’t available (or playing nice with a website, which does happen).

So it’s really a matter of what you’re comfortable with and what the website you’re using requires (some force you to use at least one uppercase letter, number and symbol).
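The site's estimates treat every password as a random string of characters, which is exactly where a four-word passphrase looks strongest. As an added illustration (not from the original post or from the How Secure Is My Password? site, whose exact model is not known here), the script below scores the post's sample passwords two ways: as a character brute force, and as an attacker who knows the password is a few words from a published word list. The guess rate, the 7776-word list size and the extra bits for separators are constructed assumptions.

```python
import math

# Assumed attacker speed (a constructed assumption, not the website's model):
# 10 billion guesses per second, plausible for an offline attack on a fast hash.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover if it treats the password as random characters."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII symbols, including space
    return size

def brute_force_bits(pw: str) -> float:
    """Strength in bits under a character-by-character brute force (the website's view)."""
    return len(pw) * math.log2(charset_size(pw))

def passphrase_bits(num_words: int, dictionary_size: int, extra_bits: float = 0.0) -> float:
    """Strength in bits if the attacker knows it is num_words words from a known list.
    extra_bits covers things the attacker must also guess (separator, capitalization)."""
    return num_words * math.log2(dictionary_size) + extra_bits

def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: half the space at the assumed guess rate."""
    return (2.0 ** bits / 2) / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Sample passwords taken from the post; 7776 is the size of a Diceware-style word list.
    for pw in ["84xNMat88xy4TkVTE^5!UQty", "wheelgroutoysterbutton", "wheel-grout-oyster-button"]:
        bits = brute_force_bits(pw)
        print(f"{pw:28s} brute force: {bits:6.1f} bits, {years_to_crack(bits):.3g} years")
    for words, extra in [(4, 0.0), (4, 2.0), (6, 0.0)]:
        bits = passphrase_bits(words, 7776, extra)
        print(f"{words} words (+{extra:.0f} bits)          dictionary: {bits:6.1f} bits, {years_to_crack(bits):.3g} years")
```

Under the dictionary model, four words from a 7776-word list come to about 52 bits, far less than the 103 bits the character model credits to "wheelgroutoysterbutton", so the number of words and the size of the list matter more than the character count; six or more words restores a comfortable margin.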

However, bear in mind that this type of brute force hacking is probably not even remotely the biggest threat to your online accounts. It doesn’t matter HOW many octillion years it would take a computer to guess your password if you fall for a phishing email and type it into a compromised website, or if the company that owns the website keeps its list of logins and passwords in a plain-text file and experiences a data breach.

Your best practice, regardless of the type of passwords you use, is to regularly change them, avoid reusing them across different sites, and to know how to recognize a phishing attempt.

If you use LastPass, it’s time to change your Master Password

I’ve been encouraging people to use password vault tools like LastPass for years. These browser plugins are great for keeping track of dozens of strong passwords (the hard-to-hack kind that nobody can remember) across all the websites you log in to.

However, LastPass recently announced they had discovered and blocked suspicious activity on their servers; “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

Now, this could be bad, bad news IF users’ master passwords had been accessed in plain text form. However, LastPass uses some pretty robust encryption (that’s what that business about salts and hashes in the quote is about). They don’t keep your master password in plain text anywhere. In other words, even with the information that may have been compromised, thieves would have an awfully hard time using any of the information.

Still, the company is encouraging users to change their master passwords as soon as possible. This will make it impossible for the hackers to log in using the information they took, even if they managed to un-encrypt it (the chances of which are near zero).

I also encourage you to make your master password a strong password. You may have to write it down and keep it somewhere safe, but encrypted or not, a brute-force attack will plow through “password1” in well under a second. A strong master password can be irritating to type in, but it’s worth the trouble.
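To make the "salts and hashes" business concrete, here is an added example (my own illustration, not LastPass's code; the iteration count and hash function are assumptions) of how a vault server can store a per-user salt and an authentication hash instead of the master password, why two users with the same password still get unrelated records, and why a slow hash limits how fast a leaked record can be guessed against. Changing the master password replaces the record entirely, which is why the leaked one becomes useless.

```python
import hashlib
import hmac
import os
import time

# Hypothetical vault-server parameters; assumed for this example only.
ITERATIONS = 100_000

def make_record(master_password: str) -> dict:
    """Store a random per-user salt and a PBKDF2 authentication hash, never the password."""
    salt = os.urandom(16)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    return {"salt": salt, "auth_hash": auth_hash, "iterations": ITERATIONS}

def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["auth_hash"])

def same_password_different_hashes(password: str) -> bool:
    """Per-user salts: identical passwords produce unrelated records, so one
    precomputed table cannot be applied to every user in a leaked list."""
    a, b = make_record(password), make_record(password)
    return a["auth_hash"] != b["auth_hash"] and verify(a, password) and verify(b, password)

def offline_guess_rate(record: dict, samples: int = 20) -> float:
    """Roughly how many candidates per second one CPU core can test against a
    leaked record; a higher ITERATIONS lowers this for attacker and server alike."""
    start = time.perf_counter()
    for i in range(samples):
        verify(record, f"constructed-guess-{i}")  # constructed, deliberately wrong guesses
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    rec = make_record("wheel grout oyster button")
    print("correct password verifies:", verify(rec, "wheel grout oyster button"))
    print("wrong password rejected:  ", not verify(rec, "password1"))
    print("salts defeat shared tables:", same_password_different_hashes("password1"))
    print(f"offline guesses/sec on this core: {offline_guess_rate(rec):.0f}")
```

Even at that rate a tiny candidate such as "password1" sits near the front of any guess list and falls almost immediately, while a long random or multi-word master password does not; the slow hash buys time, the password's own strength decides the outcome.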

Strong Passwords: They’re Not Just for Online Banking Anymore

I’ve talked about the importance of strong passwords many times before. You can find several articles with this site’s search feature, or you can just read this quick rundown:

  1. Short, single-word or short-word-and-a-number passwords are bad.
  2. Passwords like “123456” and “password” are very, very bad.
  3. Passwords that are over 16 characters and consist of garbled strings of letters, numbers and special characters are good (“*#&uE9efh09efIUN98E(Ubdf%%23r”, for example).
  4. Never use the same password for more than one website, and use a password storage program like LastPass to help you maintain your sanity.

Whenever I bring up passwords, though, I’m almost always talking about things like online banking, social networks, email accounts, and other websites where your credentials need to be kept confidential. What I don’t often bring up are all the THINGS that are now Internet-enabled.

Things like thermostats, interior lights and security cameras. Hot tubs, televisions. Garage door openers.

The idea, of course, is to bring the vision of The Jetsons into the real world. We want to walk into a room and have the thermostat know we like it to be 73 degrees during the afternoon but 76 at night. We want to be able to check our security cameras from our phones while we’re on vacation. I personally want a black ’82 Trans Am with a self-aware cybernetic logic module (and a snarky sense of humor) that can jump over walls from a dead standstill, so I can go around punching out bad guys in tan leather jackets who have been poisoning horses or whatever.

But when your THINGS are connected to the Internet, you might face some new security and privacy issues. Many of these devices are pre-set with a default password (or have a username and password as an OPTION, in the case of older products), and if you don’t change the default (or set a password in the first place), anyone who knows the default password could manipulate them remotely. They could run up your utility bills or open your garage door from the other side of the globe. If your security cameras are remotely accessible and you don’t set a password, or leave it set to the default, someone could spy on you in your home. Or set up a website collecting hacked cameras from around the world so anyone on the Internet can watch.

So what applies to websites applies to your Internet-enabled appliances and other devices: use a good password for everything, and never leave a new device’s password set to the factory default (or neglect to set one up, if it’s optional). There are too many people who know how to access them.

Aaaaaand it’s time to change every password in the universe again…

Have you ever experienced déjà vu?

Have you ever experienced déjà vu?

Sorry. Couldn’t resist.

ANYWAY, doesn’t it seem like not too long ago that I told you to go ahead and change all your passwords, because data breaches (like the ones that hit Target, Sally Beauty and Experian) will be a common thing for quite some time?

Oh yeah. It was.

So now we have the Heartbleed bug, which affects websites running certain versions of OpenSSL on their servers. I won’t get into the technical details, mostly because I don’t know one thing about OpenSSL, but the effect for you, the Internet user and person-who-logs-into-websites, is this: about two-thirds of the entire Internet is/was affected by this vulnerability, and your login/password information could have been stolen over the past couple years or so.

Yes, this is very, very big.

So whattaya do about it? You change passwords after sites patch their OpenSSL software. Most sites are moving pretty quickly to install the patch, but some haven’t been as forthcoming when it comes to telling their users to change their passwords. Right now, this moment, go change the following passwords, if you have accounts there:

  • Facebook
  • Google/Gmail/YouTube
  • Yahoo!
  • OKCupid

Those are the big ones that were definitely using the vulnerable version of OpenSSL, and have now been patched. Change ’em now!

Amazon, Twitter, and some other big sites, however, are safe. They were never running the vulnerable software.

Of course, there are also countless other websites that were, so you need to check those out as well. You can enter a web address at https://lastpass.com/heartbleed and find out if a site is affected. If you get anything but a “No” on the result page, you need to change your password, but try to find out if the site has been patched first. If you change it before they patch it, your account could still be vulnerable (and, if the site forces a password change later, you’ll just have to do it all over again).

And use strong passwords, too. I don’t have to tell you that, though, do I?

Just change all your passwords this weekend, okay?

The place I am typing this from is predicted to get yet another pile of snow and ice dumped on it this weekend, and I’m guessing most of the people who read this site are in the same situation.

There are some things to do right now to prepare for the impending Snow Event: make sure you’ve got some salt for the driveway, buy seven dozen eggs and a 55-gallon drum of milk (because, you know, you might not be able to leave the house for a whole 30 hours), and get your snowbound entertainments all lined up (The Shining is fun if you’re brave, or you could splurge on kind-of-expensive board games—Settlers of Catan is awesome if you’ve got three or four players available; I’ve heard there’s a football game on Sunday that a few people are interested in, too).

There are some things you can do while you’re stuck indoors, too, and this weekend, make changing every password you’ve got one of them.

See, there’s been another data breach, from Yahoo! this time. They say an “unspecified” number of accounts have been compromised, which probably will end up meaning all of them. Remember how the Target thing went from 40 million to 110 million? So you need to change your Yahoo! passwords, but there will be more major security breakdowns in the near future. There always are. So even if you’re not going to be stuck inside due to inclement weather this weekend, even if you don’t have a single Yahoo! account, it’s time to just change all your passwords.

Make all your passwords long and very random: don’t use real words; use numbers, upper- and lowercase letters and special characters; and do not use the same password for more than one account. Here’s a quick primer that should teach you everything you need to know about choosing a good password:

Bad Password: 123456
Bad Password: password
Bad Password: trustno1
Good Password: 6ZUNFPtjaWZPk$eAafBt8YhP
Good Password: KjV7$y!92#MqKS&YYSaW3MjtRmSPxR

Now, it’s going to be impossible to remember twenty different passwords (or even one) that look like those last two, so you’re going to have to find a way to record them, whether by carefully writing them in a notebook (that you keep in a different room than your computer), or by using a password manager like LastPass or Keeper (both of which will generate those stupid-long passwords for you). It doesn’t matter what method you use, just do it.

It’s a good idea to change passwords regularly, too. I’m even pretty bad about remembering to do it, but it’s a good idea to at least do it a few times a year. Even a super-strong password that would take a brute-force password guessing script a quadrillion years to guess might as well be “123456” as soon as some goofy company decides to keep its entire database of usernames and passwords in plain-text, unencrypted form, and somebody breaks in and gains access to it. This has happened in the past.

Stay vigilant. And warm.