Password Security

Here now is something that has irritated all of mankind since the dawn of time. Or at least ever since privacy was invented. Sit down, old bean, and let me tell you a story.

A long time ago, back when school still had lockers, a boy received a place to store his books and school supplies. He was given a padlock combination thingie and a locker number. But this boy was paranoid, so he went out to the hardware store, bought a super cool and secure $50 digital combination lock and set a good password. But the next day, when he went to go get his stuff, everything was missing! Did his padlock fail? No, the hinges on the locker were popped.

It is the exact same situation in the IT world. Well, not really; nobody there is out to steal lunches. I mean when they steal our valuable info, data, bits, and ones and zeros.

You all have an email or a Facebook account or some sort of password that you use every day! Otherwise you would not be reading this. Think about the kind of passwords you have. Are they all the same? Usually not. Are they all similar? Usually yes. Is that bad? Stop asking so many questions! Let’s make sense.

The basic rule of thumb according to “Compmaster” is KISS, Keep It Simple Stupid. He said that, not me. But despite the rudeness of the statement, it applies to password security. No way? Yes way. Look at things logically. Let’s say you have a password for email or Facebook, and the site asks you to make it really complicated. Why? So you can forget it later on? Maybe. What’s the danger of keeping it simple? Well, people may hack into it. So they say. But really?

Many people recommend or exalt the security of complicated passwords such as P@$$w0rD or N00bH@cker, but nowadays there are brute force cracking programs that know to look for this: they take letters like ‘a’, ‘s’ and ‘o’ and try the common characters they get replaced by (‘@’, ‘$’, ‘0’), and this is very effective. So am I saying that even complicated passwords like those are still not secure enough? Look at it from a computer’s perspective. If you were a PC, what would be easier to crack? 101010101010 or 101010101010010101010101000101010111001? The first one, obviously! Even if it contained really complicated letters and numbers, the second one is simply a lot longer. See? Makes sense, because as a matter of fact longer passwords = safer (most times) and easier to remember than complicated ones. But this is not the only security measure you should take.

(Update) OK, so apparently there is now a program that takes long passwords of up to 55 characters into account (http://hashcat.net/oclhashcat-plus/). Thanks a lot.

Let’s look at it from a hacker’s perspective now. Many of you may have heard about the SONY break-in, where hackers stole lots of passwords. Notice I said “hackers” and not “crackers” (people who crack codes). So for those people who had super secure passwords for their PlayStation Network, did it help? Not really. Does this mean that I should ignore everyone else and use an easy to guess password like “password”? No. Even though most methods of hacking into your “whatever” are NOT password guessing but the other methods I will mention later on, it is still a method that can be used to hack into your stuff: a small percentage, but there nevertheless. So before I stop making sense, let’s recap.

Complicated passwords will help 10% prevent hacking attempts. I made this number up. They help, but not much. However, if you are high up in the food chain, like a boss or an important person in a company that holds valuable data (like Information Technology!), please use a complicated strong password. In that case, 10% matters a whole lot. For the rest of us, no one cares about brute force cracking our stuff, so stop being so paranoid. There are programs that scan a hard drive for every character and use that to crack your password. This method breaks more than 50% of passwords no matter how complicated your password is (true number). But! Most cracking programs that do this kind of work require physical access to your hard drive or computer! So unless you have a serious problem of expert crackers running around your neighborhood, breaking into your home and stealing all your family pictures from your PC, you don’t need a super secure Windows logon password. So please just make my job easier and don’t forget your password.

Are there ways companies can make their passwords more secure? One guy said that delaying log on time will prevent most brute force cracking, since guessing would go at the speed of about 1 password per 4 seconds, and cracking a password that way would take too long. (Linux does this.) What I always encourage is long, easy to remember passwords. Companies should not force complicated passwords; rather they should have the IT department make use of good security practices, because most password break-ins are not the password’s fault. Most times they are caused simply by having the passwords stored in a notepad, or by exploiting security holes in your system.
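To put numbers on the length-versus-complexity argument above and on the slowed-down login idea, here is an added Python example (mine, not the author’s) that estimates how much work a cracker has to do for a given password. The mini wordlist, the 64 mangling rules per word, the sample passwords and the offline guess rate are constructed assumptions; the 1 guess per 4 seconds rate is the one from the post.

```python
import math

# Alphabet sizes an exhaustive search has to cover.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
# Constructed mini wordlist; real cracking lists run to millions of words.
WORDLIST = {"password", "noobhacker", "letmein", "imcool"}
# Assumed number of mangling rules (case flips, leet swaps) tried per word.
RULES = 64
# Substitutions that cracking rules undo before the dictionary lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def charset_size(pw):
    # Smallest standard alphabet that contains every character of pw.
    size = 0
    if any(c.islower() for c in pw): size += LOWER
    if any(c.isupper() for c in pw): size += UPPER
    if any(c.isdigit() for c in pw): size += DIGITS
    if any(not c.isalnum() for c in pw): size += SYMBOLS
    return size


def search_space_bits(length, alphabet):
    # Work for an exhaustive search, as log2(alphabet ** length).
    return length * math.log2(alphabet)


def effective_bits(pw):
    # If the de-leeted, lower-cased password is a dictionary word, the
    # attacker only has to try every word under every rule.
    base = pw.translate(LEET).lower()
    if base in WORDLIST:
        return math.log2(len(WORDLIST) * RULES)
    return search_space_bits(len(pw), charset_size(pw))


def seconds_to_exhaust(bits, guesses_per_second):
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    ONLINE = 0.25   # one guess per 4 seconds, the throttled login from the post
    OFFLINE = 1e9   # assumed rate against a stolen hash dump
    for pw in ("P@$$w0rD", "N00bH@cker", "mylockerhingesgotpoppedin1999"):
        b = effective_bits(pw)
        print(f"{pw:30} {b:6.1f} bits  online: {seconds_to_exhaust(b, ONLINE) / 86400:.1e} days"
              f"  offline: {seconds_to_exhaust(b, OFFLINE):.1e} s")
    # The post's binary example: 12 vs 39 bits of work.
    print(search_space_bits(12, 2), search_space_bits(39, 2))
```

The two leet-speak passwords collapse to 8 bits of work once the substitutions are undone, while the long plain sentence stays around 150 bits; the 4-second delay only helps against guesses that go through the login form, not against a stolen hash dump.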

But one method I admire is telling your customers or users that you have been hacked and their accounts may have been compromised, then prompting them to change their passwords. Read here, http://forum.winehq.org/viewtopic.php?t=13709, to see how it’s supposed to be done. Even though chances are the accounts were not compromised, it’s always appreciated and mature of a company to let people know as soon as they find out they have been breached instead of hiding it. I’m comparing WineHQ to SONY here, in case you did not notice.

But what is the point of this article? Basically to tell you to take it easy on your passwords. It’s always wise to follow the recommendations people give to use “secure passwords”, but they are highly impractical in real life. I mean, come on! Let’s see the rules we are supposed to follow.

  • More than xx Characters
  • Use one Capital, one lowercase, one Special character, and one number
  • (some sites) No more than xx characters
  • Must change every so often.
  • Don’t use the same password for different sites or accounts.
  • Cannot contain part of your first or last name.
  • No sequential numbers or letters like 123abc (There goes my yahoo account)

Really? I would have to memorize like 20 completely different and complicated passwords? So is it worth it? No! It’s even hilarious how some sites, like a certain (no names) technical information site for research, will ask for a super secure password when it really doesn’t matter who logs in, since anyone can make an account there and access the same information. In the end, you decide. I stopped caring, since the “guy” holding your passwords may one day say oops! and lose your passwords to some hoodlum.

One more thing. Something that I would recommend for most people is this: have 3 emails minimum.

1. The Target Email. Imnoob@yahoo.com. This one can have an easy to remember password. Use this email to create accounts on websites you don’t care about, like online shopping registrations and forums. Just make sure not to use your easy password on an account that has access to your bank account info, such as having “Password” as your Amazon password. See Tip #3 for suggestions on that. (Example: 123imcool)

2. The Social Email. Imcool@hotmail.com. This one can be used to keep all your friends’ emails and to give to all the people you really don’t want to give your real email to. Medium password. (Example: 123I’mcool)

3. Personal Private Email. Imnormal@gmail.com. This one can be used for everything else: sending emails, family, banking. Make sure to have a good password that is changed often on this one. I usually use the same password for banking and important ones like online shopping accounts with my bank info already tied in there, and change it often. It seems to work well and doesn’t cause forgetting issues without having to write them down on a piece of paper. (Example: !@#I’msoCool)

And finally, to keep track of all these emails, use Thunderbird; with one click it will check them all and provide an easy to maintain user interface for your email accounts. Sure, the story changes if someone has physical access to your computer, but if a hacker ever does have physical access to your computer, you’ve got bigger problems than passwords.

By the way, if you’re bored, check out this site.

http://www.howsecureismypassword.net/ It’s not exact, but it lets you know more about passwords too. You type in a password similar to yours and it tells you how secure it is. Sort of.

Thanks for reading all this. I know I hadn’t posted in a while; I’m still working, I was just angry at Intel for forcing me to change my complicated password every now and then.

About Zerin

But can you show me the source code?

Posted on October 18, 2011, in Computers and Internet. 1 Comment.

  1. Dude, you forgot one thing many people do! Many use pet names as passwords… still not a good idea, just adding to your post! :D
