10 Keys to Password Security

Everything you need to do for the strongest password security: Internet Scambusters #509

With more and more online activity, matched only by the alarming rise in identify theft, malware and data breaches, password security is on every Internet user’s mind.

Or at least it should be. But as studies have shown, many people don’t know how to create a safe password, or even that they need one.

In this week’s issue we have all the basic information you need to put your passwords virtually out of reach of the crooks.

Let’s check out today’s…

10 Keys to Password Security

Looking for total password security? Sorry, you’re out of luck. There’s no such thing.

For a start, crooks might hack their way into a site where you use your password and steal it from there — like they do somewhere around the world virtually every day.

A couple years back, they stole 32 million from a single social networking site and posted the whole lot online.

Or you could come up with a clever jumble of letters and numbers but, using what law enforcement calls a “brute force attack,” the criminals could employ automated password software to make a billion guesses a second until they get the right one.

But here’s the good news: You can take action right now that will virtually eliminate the risk of your password ever being guessed and limit the chance of it being stolen.

And it’s not as hard as you might think.

We’ve drawn up a list of 10 rules to safeguard your password security, drawing on the advice of experts — with a good dose of common sense mixed in.

Here they are:

1. Make them long. It used to be that a password of, say, eight characters was considered safe enough but with the increasing power of computers, those brute force attacks can run through billions of possible combinations in minutes.

Each character you add increases the number of possible combinations astronomically.

Here’s the simple explanation: A one-letter password would only take a maximum of 26 guesses — right? — but two letters would create 26 x 26 possible combinations = 676 guesses. One more letter would require 26 x 26 x 26 = 17,576 guesses, and another would need 456,976 guesses.

Get the picture?

But, as we said, computers can run through that number of guesses in a fraction of a second, so we recommend at least 12 characters, which would take billions of billions of guesses — and that would take centuries to do!

2. Don’t make sense. In other words, don’t use actual words, combinations of words, place names, slang, names and nicknames, birth dates, meaningful abbreviations (like “ILY” — “I Love You”), your email address or the name of the website you’re visiting.

The first thing hackers do is run what they call a “dictionary attack,” which does what its name suggests — it checks every word in the dictionary AND then every possible combination of words.

Some words are particularly dumb password favorites; for example in the hack attack we mentioned earlier, almost 62,000 victims had used the word “Password,” while another 51,000 used “iloveyou.”

3. Use the strength of characters. Don’t just use letters; use numbers and symbols — those characters you mainly get using your “Shift” key and a number (though there are other symbols on the keyboard too).

Also, use both upper and lower case letters since most logins are “case sensitive” — they require you to type the letter in exactly the case in which the password was set up.

By using these additional combinations of characters, you are once again multiplying vastly the number of guesses a hacker would have to make.

4. Don’t use sequences. In some ways, sequences of consecutive numbers and letters are even worse than using whole words.

Again, referring back to that big hack attack, the list of passwords published on the Internet showed that nearly 300,000 victims used “123456.”

Even a keyboard sequence of “qwerty” — the first six letters on your keyboard — had more than 17,000 password users.

5. Use a different password for each site. Once they’ve got your password, crooks will try it on any number of sites, using automated programs.

So, if, for instance, you use the same password for Amazon and your bank account, if they get one, they’ll be able to access both.

You may consider using the same password for sites where you think your security is unimportant if it’s compromised, but that’s a potentially dangerous practice because criminals can piece together the information about you that they obtain from multiple sites if they can log on to them all.

At the very least, don’t use the same password/username combo.

6. Change them regularly. As we said at the outset, even if you do all the right things, you password could still be stolen, both by hackers and by malware on your PC.

Make it a habit to change them all regularly, especially those connected with banking and online purchases.

Yes, we know it’s tiresome but, with some of the techniques we discuss below, it can be done.

7. Make them easy to remember — for you. With seemingly unpredictable mixtures of letters, numbers and symbols, how are you going to remember them?

A couple of tricks can help you call individual ones to mind more easily.

For instance, security expert Steve Gibson was quoted in a recent Yahoo! report as explaining that a password using a repeated pattern of symbols could be harder to guess than a random mixture of characters if it actually has more characters and a higher total of symbols.

He says D0g!(!(!(!(!(! would be easier to remember but tougher to crack than PrXyc5NFn4k77.

Another possibility is to turn a memorable sentence into a single password, substituting letters, symbols and numbers.

For instance, remember this statement from John F. Kennedy?

“Ask not what your country can do for you, but what you can do for your country.”

That could become “A-?urCcd4u,b?ucd4urC.” In this case the dash represents a minus for “not” and the question mark replaces “what”; “ur” is “your” and “4” is “for.” Upper case “C” is used for country just to ensure a good mix of upper and lower case.

8. Store them safely. Now that you’ve got all those passwords buzzing around in your head, how are you going to remember which goes with what?

You might be able to think of a clever way of linking a particular site name with a password, but a more reliable bet is to use a password manager which encrypts them — stores them in a way hackers can’t read.

Some Internet security software comes with built-in password savers but you can also download or buy dedicated programs, some of which will actually generate random passwords for you (4u!). They require a master password (which should be really tough!); don’t trust one that doesn’t.

Alternatively, some security experts say you can write your password sentence (not the actual password) or a clue to it on paper and store it in your wallet. Frankly, we don’t think this is a good idea.

Our best advice: Use a good password manager like LastPass, KeePass or 1Password. Create one very strong password you can remember to access your password manager. Then, you can let the password manager create strong random passwords for each site you visit — and you don’t have to remember them since they are stored in your password manager. We find that works really well.

9. Don’t share them with anyone. Just don’t. Well, maybe your “significant other” — but that’s your call.

10. Check the security of sites you use. As we’ve explained, there are some things you just don’t have any power over — like the security of organizations that store your password.

But you can take the time to check what they do to keep it safe. Do they encrypt them? The big hack victim we’ve referred to didn’t. How many login attempts will they permit before blocking access?

Ultimately, your security is in their hands, so you need to know.

All of this may seem like a challenge but look at it this way. In 10 years, the Internet has moved from a peripheral activity for most of us to a central part of the way we run our lives.

What will it be like in another 10 years? So, think about your password security now.

Follow our 10 golden rules and you’ll get close enough to achieving that password security — so you can comfortably get on with the rest of your life!

That’s all for today — we’ll see you next week.