From time to time, I get asked by friends and family members to help them understand all this internet security stuff. They think that because I’ve worked with computers some, I actually know something about this and therefore would be a valuable resource. Hmmmm.
One of the unfortunate realities of our technological age is that with all the wonderful conveniences and pleasures, there are countless dangers and difficulties. One of these dangers is the whole business of having a thousand different passwords for computers, web sites, company networks, email, etc. etc. We love internet banking BUT most of us naively hope that, by god, someone on the other end of these things really, really knows what the Hey is going on. Well, it turns out that sometimes they do, sometimes they don’t, but there ARE some things that you can do to enhance your personal security online. One of these things is learning how to create a strong password.
In many of the security autopsies done on the more famous security snafus in the last several years, one of the consistent and disheartening discoveries has been the incredible ease with which common password-cracking software programs can chew through millions of stolen accounts, in minutes, even seconds. In the famous Sony online attack, something like 94% of the 25 million or so stolen accounts were unscrambled in hours, primarily due to the lack of strong passwords on these users’ accounts. In every major data breach, an extremely high number of user accounts are easily cracked because either the company or website failed to enforce a strong password, or the users themselves chose weak, relatively easy-to-decode passwords.
Your goal in cyberspace is not to become invincible...that’s impossible...but to make your accounts more difficult to crack than the next person’s. Most hacking attacks are targeted towards the lowest-hanging fruit...that is, they attempt to employ well-known and not technically difficult password-cracking scenarios to gain access to users’ accounts. If the software employed discovers a strong password, it often skips over this account and moves to the next one. Hey, when you’ve captured millions of accounts, you can afford to pass over a few when so many easy ones are there for the taking. Your goal is to become one of the problem children that get skipped over.
While there are a lot of web sources for this kinda thing, I
thought I would throw out there some material that I have compiled and used.
Read and follow at your own discretion.
Strong passwords need to be at least 10 characters. So what we need to do is create a password that is at least a 10-character mix of numbers, upper and lowercase letters, and symbols. Due to how passwords are stored and mathematically encrypted, the more characters, the better. You should be aware that some systems (some banks, agencies, etc.) restrict which special characters are allowed. If you find yourself in one of these places, adapt as needed.
1. For the first step, let’s create the letters, and make them a mix of upper and lowercase. There are several ways to do this.
a. You could use the name of a favorite pet, your first school, or a child. This could be a five- or six-letter word. This creates an easy-to-remember root word, but is generally less secure than…
b. creating an acronym from an easy-to-remember sentence. Because this is not a “word” or a common sequence of letters, this is considered more secure.
Let’s create our root letters using each method.
a. A favorite pet, my dog “fluffy”.
I’ll make the VOWELS UPPERCASE and leave the consonants lowercase, so I get:
flUffY (6 characters)
b. “I really love working at Enron”
I’ll take the first letter of each word: irlwae, and what the hey, let’s make the consonants UPPERCASE:
iRLWae (6 characters)
2. For the second step, let’s add some special characters to our examples.
a. flUffY becomes:
!flUffY% (adding the ! and % signs)
b. iRLWae becomes:
!iRLWae%
Any of the following characters would work for this step:
` ~ ! @ # $ % ^ & * ( ) + = , ? / “ ‘
So far, we have 8 characters, with a mix of lowercase,
uppercase, and special characters. The only thing we need to add is numbers to
complete our strong password.
3. For the third step, we add some numbers to the mix. This will be important, because many web sites require you to periodically change your password. Using a two-digit number combination makes this pretty easy: you can “count up” or “count down” to create a new password from your root password.
So again, building on our previous example, let’s put a favorite number (something that makes sense to you) into our previous example. I will use #24, my age when I thought I reached nirvana. It doesn’t really matter where you put the numbers in the sequence.
SO,
a. !flUffY% becomes:
24!flUffY% OR 2!flUffY%4 OR !flUffY%24 (ten characters)
b. !iRLWae% becomes:
24!iRLWae% OR 2!iRLWae%4 OR !iRLWae%24 (ten characters)
So, when I’m forced to change my password, I increase my # by 1:
25!flUffY% or 2!flUffY%5
26!flUffY% or 2!flUffY%6
27!flUffY% or 2!flUffY%7
25!iRLWae% or 2!iRLWae%5
26!iRLWae% or 2!iRLWae%6
27!iRLWae% or 2!iRLWae%7
Easy-peasy, huh? The important thing to remember is that your password should be at LEAST ten characters (it could be more) and a combination of upper and lowercase letters, AT LEAST ONE symbol, and AT LEAST ONE number. Starting with an easily recalled number makes the password change process easy, so if you start with a two-digit date that’s meaningful (birth year, high school graduation, longest steelhead caught, anniversary date…if you remember it… ) THEN when forced to change, add or subtract 1 to the previous number.
(or if you’re a math geek, use something like a quadratic equation to come up with your numbers…)
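As an added example (my own code, not something from the original post), here is a small Python checker for the rules the post sets out. It reports which of the length/lowercase/uppercase/symbol/number rules a candidate fails, flags any symbol outside the step-2 list so you can adapt for restrictive sites, builds the three step-3 number placements, and performs the “count up” / “count down” rotation. The passwords used are the post’s own; the function names and the rule-violation wording are my choices.

```python
# Added example: checker for the post's password rules (not the post's own code).

MIN_LENGTH = 10  # the post's minimum
# Symbols the post lists as acceptable for step 2 (straight quotes stand in
# for the curly quotes the post shows).
STEP2_SYMBOLS = set("`~!@#$%^&*()+=,?/\"'")

def check_password(pw):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    symbols = [c for c in pw if not c.isalnum()]
    if not symbols:
        problems.append("no symbol")
    # Not a failure of the post's rules, but worth knowing before a picky site rejects it.
    unlisted = [c for c in symbols if c not in STEP2_SYMBOLS]
    if unlisted:
        problems.append("symbol(s) outside the step-2 list: " + "".join(unlisted))
    return problems

def number_placements(root, number):
    """Step 3 of the post: the three places a two-digit number can go around the root."""
    n = str(number)
    return [n + root, n[0] + root + n[1:], root + n]

def next_rotation(pw, step=1):
    """Step 3 'count up' (step=1) or 'count down' (step=-1): treat the digits of the
    password, in order, as one number, add `step`, and write them back in place."""
    positions = [i for i, c in enumerate(pw) if c.isdigit()]
    if not positions:
        raise ValueError("password has no number to rotate")
    digits = "".join(pw[i] for i in positions)
    width = len(digits)
    bumped = str((int(digits) + step) % 10 ** width).zfill(width)  # wraps at 99 -> 00
    chars = list(pw)
    for i, d in zip(positions, bumped):
        chars[i] = d
    return "".join(chars)

if __name__ == "__main__":
    for pw in ["flUffY", "!flUffY%", "24!flUffY%", "2!iRLWae%4"]:
        print(pw, "->", check_password(pw) or "OK")
    print(next_rotation("2!flUffY%4"))  # 2!flUffY%5, as in the post
```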
A good reminder here is to set up a schedule for yourself to change your passwords frequently, especially for your most sensitive data. Having a number sequence like the above makes this process much easier to do and easier to recall.
It’s also important to remember that a strong password is
ONLY ONE aspect of staying safe in our new electronic world. More to come on
this….