Monday, February 6, 2012

How to Create a Strong Password for your internet accounts


From time to time, I get asked by friends and family members to help them understand all this internet security stuff. They think that because I’ve worked with computers some, that I actually know something about this and therefore would be a valuable resource. Hmmmm.

One of the unfortunate realities of our technological age is that, along with all the wonderful conveniences and pleasures, there are countless dangers and difficulties. One of these dangers is the whole business of having a thousand different passwords for computers, web sites, company networks, email, etc., etc. We love internet banking, BUT most of us naively hope that, by God, someone on the other end of these things really, really knows what the Hey is going on. Well, it turns out that sometimes they do and sometimes they don’t, but there ARE some things that you can do to enhance your personal security online. One of these things is learning how to create a strong password.

In many of the security autopsies done on the more famous security snafus of the last several years, one of the consistent and disheartening discoveries has been the incredible ease with which common password-cracking programs can chew through millions of stolen accounts in minutes, even seconds. In the famous Sony online attack, something like 94% of the 25 million or so stolen accounts were unscrambled in hours, primarily due to the lack of strong passwords on these users’ accounts. In every major data breach, an extremely high number of user accounts are easily cracked because either the company or website failed to enforce a strong password, or the users themselves chose weak, relatively easy-to-decode passwords.

Your goal in cyberspace is not to become invincible... that’s... impossible... but to make your accounts more difficult to crack than the next person’s. Most hacking attacks are targeted at the lowest-hanging fruit... that is, they attempt to employ well-known and not technically difficult password-cracking scenarios to gain access to users’ accounts. If the software employed discovers a strong password, it often skips over that account and moves to the next one. Hey, when you’ve captured millions of accounts, you can afford to pass over a few when so many easy ones are there for the taking. Your goal is to become one of the problem children that gets skipped over.
While there are a lot of web sources for this kinda thing, I thought I would throw out there some material that I have compiled and used. Read and follow at your own discretion.

Strong passwords need to be at least 10 characters. So what we need to do is create a password that is at least a 10-character mix of numbers, upper- and lowercase letters, and symbols. Due to how passwords are stored and mathematically encrypted, the more characters, the better. You should be aware that some systems (some banks, agencies, etc.) restrict which special characters are allowed. If you find yourself in one of these places, adapt as needed.

1. For the first step, let’s create the letters, and make them a mix of upper- and lowercase. There are several ways to do this.
a. You could use the name of a favorite pet, your first school, or a child. This could be a five- or six-letter word. This creates an easy-to-remember root word, but is generally less secure than...
b. creating an acronym from an easy-to-remember sentence. Because this is not a “word” or a common sequence of letters, this is considered more secure.
Let’s create our root letters using each method.
a. A favorite pet, my dog “fluffy”.
I’ll make the VOWELS UPPERCASE and leave the consonants lowercase, so I get:
flUffY (6 characters)
b. “I really love working at Enron”
I’ll take the first letter of each word: irlwae, and what the hey, let’s make the consonants UPPERCASE:
iRLWae (6 characters)

2. For the second step, let’s add some special characters to our examples.
a. flUffY becomes: !flUffY% (adding the ! and % signs)
b. iRLWae becomes: !iRLWae%
Any of the following characters would work for this step:
` ~ ! @ # $ % ^ & * ( ) + = , ? / " '
So far, we have 8 characters, with a mix of lowercase, uppercase, and special characters. The only thing we need to add is numbers to complete our strong password.

3. For the third step, we add some numbers to the mix. This will be important, because many web sites require you to periodically change your password. Using a two-digit number combination makes this pretty easy: you can “count up” or “count down” to create a new password from your root password.
So again, building on our previous example, let’s put a favorite number (something that makes sense to you) into our previous example. I will use #24, my age when I thought I reached nirvana. It doesn’t really matter where you put the numbers in the sequence.

SO,
a. !flUffY% becomes: 24!flUffY% OR 2!flUffY%4 OR !flUffY%24 (ten characters)
b. !iRLWae% becomes: 24!iRLWae% OR 2!iRLWae%4 OR !iRLWae%24 (ten characters)
So, when I’m forced to change my password, I increase my number by 1:
25!flUffY% or 2!flUffY%5
26!flUffY% or 2!flUffY%6
27!flUffY% or 2!flUffY%7
25!iRLWae% or 2!iRLWae%5
26!iRLWae% or 2!iRLWae%6
27!iRLWae% or 2!iRLWae%7
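The three steps above, written out as a small Python script so you can see the recipe applied to any root word or sentence and check a candidate against the rules the post states (at least 10 characters, upper- and lowercase letters, a symbol, a number). This is an added example, not code from the original post; it assumes “y” counts as a vowel in method a (the post capitalises the Y in flUffY) and that the number is always two digits.

```python
# Symbol set taken from the post's list of characters that "would work".
SYMBOLS = set("`~!@#$%^&*()+=,?/\"'")

def root_from_word(word: str) -> str:
    """Step 1a: vowels UPPERCASE, consonants lowercase ("fluffy" -> "flUffY").
    Assumption: 'y' is treated as a vowel, matching the post's example."""
    return "".join(c.upper() if c.lower() in "aeiouy" else c.lower() for c in word)

def root_from_sentence(sentence: str) -> str:
    """Step 1b: first letter of each word, consonants UPPERCASE, vowels lowercase
    ("I really love working at Enron" -> "iRLWae")."""
    initials = "".join(w[0] for w in sentence.split())
    return "".join(c.lower() if c.lower() in "aeiou" else c.upper() for c in initials)

def build_password(root: str, number: int, position: str = "front",
                   prefix: str = "!", suffix: str = "%") -> str:
    """Steps 2 and 3: wrap the root in two symbols, then place a two-digit
    number at the front, at the end, or split around the wrapped root."""
    if not 0 <= number <= 99:
        raise ValueError("the post's scheme uses a two-digit number")
    core = f"{prefix}{root}{suffix}"
    digits = f"{number:02d}"
    if position == "front":
        return digits + core
    if position == "end":
        return core + digits
    if position == "split":
        return digits[0] + core + digits[1]
    raise ValueError(f"unknown position: {position}")

def next_password(root: str, number: int, position: str = "front") -> str:
    """Periodic change: 'count up' by one (24!flUffY% -> 25!flUffY%)."""
    return build_password(root, number + 1, position)

def check_rules(password: str) -> dict:
    """Which of the post's rules a candidate meets: at least 10 characters,
    upper- and lowercase letters, at least one symbol, at least one number."""
    return {
        "length_ok": len(password) >= 10,
        "has_upper": any(c.isupper() for c in password),
        "has_lower": any(c.islower() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(c in SYMBOLS for c in password),
    }

def is_strong(password: str) -> bool:
    """True only when every rule in check_rules() is met."""
    return all(check_rules(password).values())
```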
 
Easy-peasy, huh? The important thing to remember is that your password should be at LEAST ten characters (it could be more) and a combination of upper- and lowercase letters, AT LEAST ONE symbol, and AT LEAST ONE number. Starting with an easily recalled number makes the password change process easy, so if you start with a two-digit date that’s meaningful (birth year, high school graduation, longest steelhead caught, anniversary date... if you remember it...) THEN, when forced to change, add or subtract 1 from the previous number.


(Or, if you’re a math geek, use something like a quadratic equation to come up with your numbers...)
A good reminder here is to set up a schedule for yourself to change your passwords frequently, especially for your most sensitive data. Having a number sequence like the above makes this process much easier to do and easier to recall.
It’s also important to remember that a strong password is ONLY ONE aspect of staying safe in our new electronic world. More to come on this....
