Everyday User Security 1: Keep your passwords strong

By: Tim Teatro

April 29, 2010

Security isn’t just having antivirus software. It’s also a habit and a pattern of thinking. Today more than ever, the average web-connected computer is under attack. Despite the risks, our social and professional lives continue to diffuse into the digital domain. With so much at risk and identity theft gaining momentum as the fastest growing crime in the country, it has never been so important for everyday computer users to be aware of the dangers, and of the fundamentals of protection.

In this series, I’ll explain some of the potential dangers implicit in daily life, and the habits and precautions every user should take in order to reduce the risks. By introducing basic security measures into your daily activities, you can become more aware of the risks you take, and perhaps the risks you don’t want to take.

In the first installment of our series on user security, I’d like to start with one of the most basic and important security measures you can take.

STRONG PASSWORDS

Passwords are keystones in the structure of our security. They are the most basic elements of authentication, allowing you to rope off areas of your digital domain to which you alone should have access. Like any keystone, once compromised, your entire security structure can come tumbling down. Strong passwords are the difference between an easy hack and a difficult one. The average user’s passwords are relatively weak. In some cases, having strong passwords is adequate to send a would-be attacker looking for an easier target. But what makes a password strong?

There are two factors that generally characterize the strength of a password: length and entropy. Passwords should be no less than eight characters in length, but more is encouraged. Entropy is a measure of randomness, the same concept you may remember from grade 10 science. A typical US keyboard is capable of entering four classes of characters: uppercase, lowercase, numbers and symbols. A strong password should contain characters from all four of these classes. Use the whole keyboard, not just the areas you usually visit for typing a letter to mom.

Passwords should be generated automatically and randomly. Anything less could be considered insecure. A typical password should be a minimum of 8 characters in length, but more is encouraged. I personally use passwords with no fewer than 16 characters. There are many tools to help you generate such passwords. I will include a brief section at the end with suggestions. Also, you should use a unique password for every site/computer/server you use. Do NOT use the same password for everything—or a single hacked password then exposes your entire digital life. You can check your passwords using this handy site from Microsoft.
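As an added illustration of the length and entropy idea above (example code written for this page, not from the original post, LastPass or pwgen), the following Python estimates the entropy of a password as log2(pool ^ length), where the pool is the union of the four character classes the password actually uses, and generates passwords that are guaranteed to draw on all four classes using the operating system’s CSPRNG via the standard `secrets` module. The pool sizes and the entropy formula are the usual textbook estimate and are assumptions of this example, not figures from the article.

```python
import math
import secrets
import string

# The four character classes a US keyboard can enter, as described above.
CLASSES = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
}


def classes_used(password):
    """Return the set of class names that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def entropy_bits(password):
    """Estimate entropy in bits as length * log2(pool size).

    This is the entropy of a password chosen uniformly at random from the
    pool of classes it uses; a human-chosen word like 'password' has far
    less in practice, so treat the number as an upper bound.
    """
    pool = sum(len(CLASSES[name]) for name in classes_used(password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def generate_password(length=16):
    """Generate a random password that uses all four character classes.

    secrets.choice draws from the OS CSPRNG, which is what 'generated
    automatically and randomly' requires; random.choice would not do.
    Candidates that happen to miss a class are rejected and redrawn.
    """
    if length < 8:
        raise ValueError("use at least 8 characters; 16 or more is better")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if classes_used(candidate) == set(CLASSES):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", generate_password(8), generate_password(16)):
        print(f"{pw!r:24} classes={sorted(classes_used(pw))} ~{entropy_bits(pw):.1f} bits")
```

Run it and compare the bit counts for an 8-character and a 16-character password from the full pool; doubling the length doubles the entropy, which is why 16 random characters are so much harder to guess than 8.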

Passwords that meet the above criteria are quickly problematic when combined with the limitations of human recall. Seriously, I’m a physicist, I’m around crazy business like this all day, and I certainly can’t remember dozens of combinations of random characters. If this seems impractical for you too, then check out LastPass. LastPass is a password manager for web browsers that keeps your passwords encrypted, and allows you to substitute one main password in place of the many passwords that you would otherwise have to remember. This way, you can make all of your passwords very strong, and only have to remember one of them. You’d just better be sure that your single password is a good one! It’s an instant 1up for security. I use it, and so should you. LastPass is cross-platform to an extreme, working on Windows, Mac, Linux, Android, iPhone, Blackberry, Windows phone and Symbian using Internet Explorer, Firefox, Chrome and Safari.

How to generate strong passwords?

Look around for tools. If you’re using LastPass, it has a generator, and will suggest a random password when it detects that you’re at a page allowing a password change. For me, I need a lot of passwords that aren’t just for websites, so I need a more general application. I’m a Linux user, so I use the below suggestion under the Linux heading. But there are many good tools out there; the ritual of choosing a password is many years old. Here are a few, just to get you started:

For Linux, if you’re using a Debian or Red Hat based distro, use your package manager to install pwgen. This awesome tool generates passwords which are as complex as possible, but have a phonetic continuity to make them easier to remember. It can also do completely random passwords.

For Windows users, I found this neat little open-source app: http://pwgen-win.sourceforge.net/. Use with caution, since I haven’t tested it or looked at the source code. But given the fact that it’s hosted by sourceforge, and receives positive feedback, I would be inclined to trust it.

For Mac users, I found this, which appears to be a port of Linux’s (GNU?) pwgen: http://pwgen.darwinports.com/. Use with caution, since I haven’t tested it or looked at the source code.

For more information on security, look out for future volumes of this series. Feel free to visit www.grc.com for tips, tools and of course, the Security Now! netcast from the TWiT network.


  1. Punam says:

    It’s nice to know about our PC’s security. Thanks for increasing my knowledge.

  2. Tim Teatro says:

    Here’s a neat article on just how easily passwords can be hacked:
    http://lifehacker.com/5505400/how-id-hack-your-weak-passwords

    And here’s some research out of Georgia Tech Research Institute via MSNBC stating that 8-character random passwords are no longer adequate and that passwords should be at least 12 random characters:
    http://www.msnbc.msn.com/id/38771772/ns/technology_and_science-security/?ocid=twitter

  3. Shawna says:

    Great tips. I prefer using Mitto (http://mitto.com) over LastPass, but both are good alternatives for managing passwords from different computers and different browsers.

    -Shawna

  4. Andy says:

    Thanks for all of these great tips on creating strong passwords. Who knew that there were so many handy tools to increase one’s online safety! Keep up the great posts!

    Andy
    Windows Canada
