Passwords are only as safe as you make them

Let me repeat that…

* * * PASSWORDS ARE ONLY AS SAFE AS YOU MAKE THEM * * *

For those of you who aren’t aware, there was recently a rather significant security breach at Gawker Media.  Among other things, their user database was downloaded.  It contained weakly protected passwords for over one million registered users of LifeHacker, Gizmodo, and other Gawker web sites.  If your account was affected, you should have received an e-mail from Gawker at your registered e-mail address.

While these passwords were not stored in the clear, they were hashed with an old, fast scheme that lacked the protections a modern password store uses (a strong per-user salt and a deliberately slow hash).  This means that attackers could simply guess passwords, hash those guesses, and compare the results to the hashes in the database.  Every common password in the file falls to that attack almost immediately.
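To make the guess, hash and compare attack concrete, here is an added example written for this post; it is not code from Gawker or from the original article. SHA-256 stands in for the outdated unsalted scheme and PBKDF2 for a modern salted, deliberately slow one; the users, passwords and wordlist are constructed for the demo. It shows the point of the post: the weak passwords fall to a ten-word list under both schemes, and the modern scheme only raises the attacker's cost from one hash per guess to one hash per guess per user.

```python
import hashlib
import os
import secrets

# Constructed sample data for this demo (not Gawker's real data): three users and
# a short wordlist of the kind of guesses an attacker tries first.
USERS = {"alice": "123456", "bob": "password", "carol": "Tr0ub4dor&3x"}
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123",
            "111111", "monkey", "letmein", "lifehack", "gizmodo"]


def fast_unsalted_hash(password: str) -> str:
    """Stand-in for an outdated scheme: one fast hash, no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stand-in for a modern password hash: per-user salt, deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_table(users: dict) -> dict:
    """What the leaked database looks like under the weak scheme."""
    return {user: fast_unsalted_hash(pw) for user, pw in users.items()}


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    # Without a salt, one hash per guess serves every user at once: hash the
    # wordlist once, then look each leaked hash up in that table.
    guesses = {fast_unsalted_hash(w): w for w in wordlist}
    return {user: guesses[h] for user, h in leaked.items() if h in guesses}


def build_salted_table(users: dict, iterations: int = 100_000) -> dict:
    """What the database looks like with a random salt per user and a slow hash."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, slow_salted_hash(pw, salt, iterations))
    return table


def crack_salted(table: dict, wordlist: list, iterations: int = 100_000) -> dict:
    # With a per-user salt nothing can be shared between users: every guess is
    # re-hashed for every user, and each hash costs `iterations` rounds.
    cracked = {}
    for user, (salt, digest) in table.items():
        for w in wordlist:
            if secrets.compare_digest(slow_salted_hash(w, salt, iterations), digest):
                cracked[user] = w
                break
    return cracked


def hashes_required(n_users: int, n_guesses: int) -> dict:
    """Hash computations each attack needs to test every guess against every user."""
    return {"unsalted": n_guesses, "salted": n_users * n_guesses}


if __name__ == "__main__":
    leaked = build_unsalted_table(USERS)
    print("unsalted, cracked:", crack_unsalted(leaked, WORDLIST))
    salted = build_salted_table(USERS)
    print("salted, cracked:", crack_salted(salted, WORDLIST))
    print("work factor:", hashes_required(len(USERS), len(WORDLIST)))
```

Both runs recover alice's and bob's passwords; only carol, whose password is not on the list, survives. That is the point: the salted, slow scheme multiplies the attacker's work by the number of users and the iteration count, but it cannot rescue a password that is one of the first ten things anyone would guess.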

Gawker was severely at fault in this situation.  Reportedly, the attackers got in primarily because of a weak password used by Nick Denton, founder and owner of Gawker Media.  However, in my opinion, many of the users are also at fault for using passwords that are EXTREMELY easy to guess.  For example, the most popular passwords in the list were “123456” and “password” (http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/).

Nick’s weak password and the large number of painfully obvious user passwords both led me to write my own list of password best practices.  Some of these SHOULD be obvious.

Password Best Practices

  1. Passwords should be complex and not easily guessed.
    1. UNDER NO CIRCUMSTANCES should you use any of the following:
      1. Single dictionary words, including:
        1. Any language
        2. Slang
        3. Common misspellings (and the usual letter-for-symbol swaps, such as “pa55w0rd”)
      2. A series of numbers (e.g. “123456”) or a keyboard pattern (e.g. “qwerty”)
      3. Personal information
        1. Family member names or nicknames
        2. Identification numbers
        3. Significant dates (birthday, anniversary, etc.)
    2. Passwords should contain:
      1. At least eight characters, but the more the merrier: length does more for a password than any other rule here
      2. A combination of:
        1. Letters (uppercase and lowercase)
        2. Numbers
        3. Special characters (e.g. punctuation)
    3. The more random or nonsensical and harder to guess, the better.
  2. Do not use the same password (or a derivation of the same password) for everything.
    1. It is highly recommended to use different passwords for at least your most sensitive accounts (e.g. financial web sites and your primary e-mail account).
  3. Do not write down your passwords.  To store them securely, use a password manager such as KeePass, which keeps them in an encrypted file.  You then need only one (hopefully strong) master password to unlock that file.

There are various recommendations for how to come up with a complex password, since most of us won’t remember a random string of letters, numbers, and symbols that has no meaning.  Microsoft’s Online Security web site suggests a method that starts with a sentence, takes the first character of each word, and adds various characters for complexity (http://www.microsoft.com/protect/fraud/passwords/create.aspx).  A similar suggestion works the same way, but uses the full sentence rather than just the first letters, and adds additional characters.
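As an added example (not from the original post or from Microsoft’s page), here is a small checker for the rules in the list above, together with the first-letter sentence method just described. The common-word list and the leet-swap table are assumptions standing in for a real wordlist; the sentence and the sample passwords are constructed for the demo.

```python
import re

# Constructed stand-in for a common-password list; a real check would load a
# full wordlist (for example the passwords published from a breach).
COMMON_WORDS = {"password", "passwort", "letmein", "monkey", "qwerty", "welcome",
                "dragon", "baseball", "football", "sunshine", "princess"}

# Usual letter-for-symbol swaps, undone so "pa55w0rd" is still "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

TOO_SHORT = "shorter than eight characters"
MISSING_CLASSES = "needs uppercase, lowercase, digits and punctuation"
SEQUENCE = "a sequence or a repeated character"
DICTIONARY = "based on a dictionary word"
PERSONAL = "contains personal information"


def normalise(pw: str) -> str:
    """Lower-case, undo the leet swaps and keep letters only, for the word check."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def is_sequence(pw: str) -> bool:
    """True for runs like 123456, abcdef, 987654 or 111111."""
    s = pw.lower()
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1}, {0})


def check_password(pw: str, personal_info=()) -> list:
    """Return the rules from the list above that `pw` breaks (empty list = passes).

    `personal_info` is whatever the caller knows about the user: names, nicknames,
    ID numbers, dates as digit strings.
    """
    problems = []
    if len(pw) < 8:
        problems.append(TOO_SHORT)
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        problems.append(MISSING_CLASSES)
    if is_sequence(pw):
        problems.append(SEQUENCE)
    letters = normalise(pw)
    # Exact match catches "password"; the substring test catches "password1!".
    if letters in COMMON_WORDS or any(w in letters for w in COMMON_WORDS if len(w) >= 6):
        problems.append(DICTIONARY)
    low = pw.lower()
    if any(len(t) >= 3 and t.lower() in low for t in personal_info):
        problems.append(PERSONAL)
    return problems


def password_from_sentence(sentence: str, extra: str = "#") -> str:
    """Microsoft's first-letter method as the post describes it: the first character
    of each word (keeping its case), digits kept whole, then extra characters."""
    parts = []
    for word in sentence.split():
        token = word.strip(".,;:!?\"'()")
        if token:
            parts.append(token if token.isdigit() else token[0])
    return "".join(parts) + extra


if __name__ == "__main__":
    for candidate in ["123456", "password", "Pa55w0rd!"]:
        print(repr(candidate), "->", check_password(candidate) or "passes")
    print(check_password("Rex2011!xYz", personal_info=["Rex", "2011"]))
    derived = password_from_sentence("The first train leaves at 6, but I never catch it!")
    print(repr(derived), "->", check_password(derived) or "passes")
```

The sentence you start from must itself obey rule 1: a sentence about your dog’s name and birthday produces a password built from exactly the personal information the list says to avoid, which is why the usage call passes names and dates in `personal_info` for the checker to reject.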

Your primary e-mail account is extremely important to keep secure, and its password should be different from every other account’s, because it is where “password reset” confirmations are sent.  Anyone with access to your e-mail account can easily reset many of your other passwords.

3 Comments


  1. There has to be a better way. I understand the necessity of password security. The problem is people have passwords in umpteen different systems with different password restrictions and different expiration times. I wonder how many man-hours are lost to forgotten passwords, and dealing with the constant string of password changes as different system passwords expire. Maybe biometrics will be the answer.


  2. Agreed.

    Biometrics are probably the best option to help us get out of the mountain of passwords that are currently required to be truly secure. However, the hindrance in using it as the sole login method is that every computer, terminal, kiosk, and thin client in the world would need to be equipped to handle biometric scanning. Not to mention that there would either have to be a universally agreed upon method or all systems would need to be equipped for all of the various forms of biometric scanning (e.g. retinal, fingerprint, whole-hand, etc.).

    In my experience, more man-hours than I would like to admit are put into handling password issues. Not just help centers resetting forgotten passwords, but also creating applications for users to be able to reset their own passwords (e.g. security question applications). Not to mention that the problem with security question applications is that users often do not make these questions and answers truly secure (e.g. information like the city where you were born can be easily figured out).

    It’s difficult to find a good balance of ease and security.

    For now, the better (not best) way to handle it is likely encrypted password files, like KeePass that I mentioned above.


  3. Biometrics are all well and good until you injure the part that was used for the initial scan. Case in point: a fingerprint reader that I use scanned my finger – I managed to get a paper cut along the pad of the finger – and until it healed I couldn’t use the fingerprint reader. That is a problem with biometrics.

