Passwords

  • Making your passwords more secure now will save you hours of headaches later.

    Every week we see more and more news items of websites being hacked and system security breaches leading to sensitive information being stolen.

    Regardless of the sophistication of the system being used, if there is an element of human interaction then vulnerabilities are created.

    Weak passwords are the cause of system breaches in most instances, and like a weak link in a chain, once a system has been breached it can open up vulnerabilities across a whole range of other sites and systems.

    In light of this you might think that people would take their online security more seriously, but surveys of website users' habits show that nearly 70% of people share their passwords across multiple sites and create woefully inadequate passwords in the first instance.

    As the average Internet user now uses more than five passwords daily, memorability of passwords becomes a trade-off with password strength.

    Here we look at some ideas and solutions to enhancing your Internet security without compromising functionality and ease of use.

    Don't be obvious about passwords.

    We know that using obvious passwords like 'qwerty', 'password' or '1234567890' is the equivalent of not using a password at all, because they are so common (despite this, more than 80% of people surveyed felt that their password security was good).

    Likewise using names of relatives, pets or dates of birth or even using any complete word, however obscure, is also to be avoided. This is because the first level of attack to break into a site or system via passwords will invariably utilise a dictionary attack.

    A dictionary attack is a method of hacking into a password-protected computer or server by systematically entering every word in a dictionary as a password.

    The software to do this is widely available on the internet for free, and it only takes moments to break most passwords that can be found in a dictionary. Again the shorter the word the easier it is to break.

    If the dictionary attack fails then a brute force attempt will be made using every combination of the available characters and symbols. This type of attack takes much, much longer, and if the password is long enough (aim for more than 8 characters) then the time required to crack the password can become ridiculous - extending into years for good random passwords with a mixture of upper and lower case characters interspersed with symbols.

    How do I choose a strong but memorable password?

    Perhaps the easiest way to create really strong memorable passwords is to first think of a phrase that you can easily recall, or a positive affirmation that you will repeat every time you use the password.

    e.g. for your Amazon account:

    Amazon is home to monkeys parrots and tribesmen but I love to buy the shoes that I can find there

    Now just take the first letter of each word:

    A i h t m p a t b i l t b t s t i c f t

    Now add extra complexity by adding or substituting some additional characters, e.g. substitute '2' for the word 'to' and use upper and lower case letters. Also remember that spaces can be used as a 'character' on most sites.

    Amazon is Home 2 Monkeys, Parrots & Tribesmen (but I Love 2 buy the shoes that I can find there)

    Now you might have:

    A i H 2 M , P & T ( b I L 2 b t s t I c f t)

    Now you have a strong password that can be recalled with a phrase.
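    As an added illustration of the phrase method above and of the dictionary-versus-brute-force point made earlier (this is example code written for this page, not a tool from the original article): the first function turns a phrase into a first-letter password, treating every symbol as its own token, so the page's Amazon phrase comes out identical to the version above except for a space before the closing bracket; the other functions estimate the worst-case search space an exhaustive attack must cover. The guess rate is an assumed figure for illustration, not a measurement.

```python
import math
import re
import string

# A token is either a run of letters/digits (a word) or one non-space symbol.
_TOKEN = re.compile(r"[A-Za-z0-9]+|[^\sA-Za-z0-9]")


def phrase_to_password(phrase: str, keep_spaces: bool = True) -> str:
    """Keep the first character of every word and keep symbols as they are.

    Case and digits in the phrase are carried through unchanged, so the
    fragment "Home 2 Monkeys," becomes "H 2 M ,".
    """
    parts = [t[0] if t[0].isalnum() else t for t in _TOKEN.findall(phrase)]
    return (" " if keep_spaces else "").join(parts)


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers the password.

    Classes: lowercase (26), uppercase (26), digits (10) and printable
    symbols including space (33). An exhaustive search must use at least
    this alphabet, so mixing classes multiplies the work per character.
    """
    classes = [
        (26, any(c.islower() for c in password)),
        (26, any(c.isupper() for c in password)),
        (10, any(c.isdigit() for c in password)),
        (33, any(c in string.punctuation or c == " " for c in password)),
    ]
    return sum(size for size, present in classes if present)


def bruteforce_bits(password: str) -> float:
    """log2 of the worst-case search space: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to enumerate the whole space at an assumed guess rate."""
    seconds = 2.0 ** bruteforce_bits(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # The page's own phrase, used here as sample input.
    phrase = ("Amazon is Home 2 Monkeys, Parrots & Tribesmen "
              "(but I Love 2 buy the shoes that I can find there)")
    for pw in ("password", "Aihtmpatbiltbtstictft", phrase_to_password(phrase)):
        print(f"{pw!r}: {bruteforce_bits(pw):.0f} bits, "
              f"{years_to_exhaust(pw):.3g} years worst case")
```

Note that a dictionary word such as 'password' scores 37 bits here only because the estimate assumes the attacker has no word list; against the dictionary attack described above it falls in moments, which is why the phrase method avoids whole words altogether.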

    The more personal the phrase is to you, the more memorable it will be and consequently the easier it will be to extract your password from it.

    Managing your passwords

    Of course generating and remembering these passwords is difficult, especially given the sheer number that are required if you spend any time at all on the Internet.

    Password managers are the obvious answer as you only need one really strong password to gain access to the manager.

    Password managers can be divided into two classes: local programs installed on your computer, and internet based systems. Both types will present the password required for the site being visited and therefore make it unnecessary to remember or even know the password for the site.

    The manager can generate very secure complex passwords of incredible length for maximum protection, and it is very quick and easy to change passwords at the click of the mouse.

    Some people argue that keeping passwords in a manager itself represents a security risk, especially the online type, but they fail to consider that any computer or device connected to the Internet is itself vulnerable. Having an encrypted password manager is far more secure than storing unencrypted passwords in text files on a local drive, or even worse - allowing your Internet browser to save the passwords.

    Two managers that we highly recommend are KeePass and LastPass.

    KeePass is an excellent open source password manager. Passwords are stored in highly-encrypted databases, which can be unlocked with one master password or key file.

    Generating a key file and linking it to the KeePass database means that the password manager cannot be opened without it, so the key file can be stored on a separate device such as a flash drive to further enhance security.

    You can download KeePass from http://keepass.info/

    KeePass plugins for all major browsers provide additional functionality by matching the visited site to the relevant password entry in the password database.

    LastPass is an online password manager and therefore provides an even higher level of flexibility than KeePass, with the ability to access your passwords from any browser or connected mobile device. The Enterprise version is ideal for businesses to centralise their password management and thus maintain company-wide security policy standards.

    To further enhance the security of your LastPass database it is recommended that login access is restricted to the countries that you work from (available in the settings section) and that two-factor authentication is enabled.

    You can start using LastPass right now by visiting https://lastpass.com/

    If you would like advice from Starwood Systems or are thinking of updating your website, please contact us today.