Monday, March 18, 2013

Survival Planning: Passwords and online security

Chances are, you regularly visit many places online where you need to use a password, from social sites like Pinterest, Facebook and Twitter to your online banking or weblog.  

If you have an online business, identity theft is probably the most catastrophic thing that could happen to you, even worse than simple fraud.  It can destroy the brand and online personality you've spent years building, literally overnight.  Often a password is the only thing standing between you and anyone who wants access to your Facebook or Twitter account.  You may think you don't have a high enough profile to be a hacking target, but most attacks are automated and try every account they can find, and there are plenty of bored teenagers with computers besides, so it's better to be safe than sorry.

What makes a good password?

Firstly, there are a few things that a good password shouldn't include: anything that could be easily guessed, like your postcode, town of birth, or your pet's name.  It also shouldn't be something obvious like 12345 or 'password' (don't laugh, 'password' is unfortunately an extremely popular password choice!).  These are exactly the guesses an attacker's tools try first.

A really strong password should include a mixture of letters, numbers and special characters such as & and %, and ideally it should be at least 20 characters long.  It shouldn't include any common English words, or obvious variations like replacing the letter 'e' with '3'; password-cracking tools try those substitutions automatically, so 'p@ssw0rd' is barely harder to guess than 'password'.  What actually makes a password strong is that it is chosen at random, so that an attacker has nothing better to do than try every possible combination.  An example of a good password would be something like '/,Q>A6KicZ3tWg7$f7EPWn'.  Unfortunately this sort of password is practically impossible to remember, so most people opt either to use a simpler password, or to have a single strong password that they write down somewhere near their computer and then use for everything.  As the next section explains, the second habit causes far more trouble than the sticky note does.
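To put numbers on the advice above, here is an added example (not code from the original post) that estimates password strength the way an attacker would count it: a password on the common list costs nothing to guess, a dictionary word with leet substitutions and a trailing digit costs roughly the size of the dictionary plus a few bits for the tweaks, and only a genuinely random password earns the full length-times-alphabet figure.  The COMMON and WORDS sets, the DICTIONARY_SIZE of 100,000 and the per-rule bit costs are constructed assumptions standing in for the wordlists real cracking tools carry.

```python
import math
import secrets
import string

# Symbol set used both for generating passwords and for estimating the size
# of the "alphabet" a random password draws from.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>/?~|"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed stand-ins for what cracking tools actually carry: a list of the
# most common passwords, and a dictionary.  Real wordlists hold millions of
# entries; only the rough sizes matter for the estimate below.
COMMON = {"12345", "123456", "password", "qwerty", "letmein"}
WORDS = {"password", "welcome", "monkey", "dragon", "sunshine", "pinterest"}
DICTIONARY_SIZE = 100_000          # assumed size of the attacker's dictionary

# Substitutions a rules-based cracker undoes automatically ('3' for 'e' etc.).
LEET = str.maketrans({"3": "e", "1": "i", "0": "o", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def generate(length: int = 20) -> str:
    """A random password: every character chosen uniformly from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def alphabet_size(pw: str) -> int:
    """Size of the smallest character set covering every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += len(SYMBOLS)
    return size


def is_disguised_word(pw: str) -> bool:
    """True if pw is a dictionary word once trailing digits/symbols are dropped,
    leet substitutions undone and case ignored ('Passw0rd!' -> 'password')."""
    core = pw.rstrip(string.digits + string.punctuation)
    return core.translate(LEET).lower() in WORDS


def estimate_bits(pw: str) -> float:
    """Attacker-centric strength estimate in bits of entropy.

    A common password is guessed immediately (0 bits).  A dictionary word with
    the usual tweaks costs about log2(dictionary size) plus a few bits for the
    case/leet/suffix rules, not len(pw) * log2(alphabet).  Only a genuinely
    random password earns the full len(pw) * log2(alphabet) figure.
    """
    if pw.lower() in COMMON:
        return 0.0
    if is_disguised_word(pw):
        # word + case/leet rules + trailing suffix; the 4 and 7 are assumed costs
        return math.log2(DICTIONARY_SIZE) + 4 + 7
    return len(pw) * math.log2(alphabet_size(pw))


def report(pw: str) -> str:
    bits = estimate_bits(pw)
    verdict = "weak" if bits < 40 else "fair" if bits < 80 else "strong"
    return f"{pw!r:28} {bits:6.1f} bits  {verdict}"


if __name__ == "__main__":
    for pw in ("12345", "password", "Passw0rd!", "Dragon1!",
               "/,Q>A6KicZ3tWg7$f7EPWn", generate()):
        print(report(pw))
```

Run as a script it prints one line per password: 'password' and '12345' score 0 bits, 'Passw0rd!' about 28, and the 22-character random example about 143, which is why length and randomness beat clever substitutions.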

But a strong password is not enough

OK, so now you have an idea of how to create a strong password, your online activities should be safe and secure, right?
Well, unfortunately it's not that simple.  Even if you use a hard-to-guess password, there's still a chance that a bad guy will get hold of it, most likely through no fault of yours.  Every few weeks, it seems, a different high-profile website gets hacked, and its stored password database is posted online.

Ideally this wouldn't be a serious problem on its own, because a well-run website never stores the passwords themselves.  Instead it stores a one-way 'hash' of each password: a scrambled value that lets the site check a password you type, but that can't be turned back into the password.  If the hashing is done properly (a different random 'salt' for every user, and a deliberately slow hashing function), an attacker who steals the database has to guess each user's password one at a time, and a strong random password will never be guessed.  In practice, though, many websites use a fast hash with no salt, or store the passwords with no protection at all, and the passwords end up in the open as a result.
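The difference between the two storage schemes is easiest to see by attacking both.  The following is an added example (not code from the original post) that builds a constructed four-user database two ways, as unsalted MD5 and as salted PBKDF2, then runs the same small wordlist against each.  Against the unsalted store the attacker hashes the wordlist once and looks every user up, and users who chose the same password are exposed together; against the salted store every guess must be recomputed per user and each costs ITERATIONS hash operations.  The user names, passwords, wordlist and iteration count are constructed; real deployments use hundreds of thousands of iterations or a memory-hard function such as Argon2.

```python
import hashlib
import os

# Constructed sample accounts for a breached site.  bob and dave chose the
# same password; alice chose a long random one that no wordlist contains.
USERS = {
    "alice": "/,Q>A6KicZ3tWg7$f7EPWn",
    "bob":   "Passw0rd!",
    "carol": "letmein",
    "dave":  "Passw0rd!",
}

# Constructed stand-in for a cracking wordlist (real ones hold millions).
WORDLIST = ["123456", "password", "Passw0rd!", "letmein", "qwerty", "iloveyou"]

# Kept small so the example runs in well under a second; real deployments use
# hundreds of thousands of iterations, or a memory-hard function such as Argon2.
ITERATIONS = 20_000


def store_unsalted_md5(users):
    """The weak scheme many breached sites used: one fast hash, no salt."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def store_salted_pbkdf2(users):
    """The sound scheme: a random per-user salt and a deliberately slow
    key-derivation function, so each guess costs ITERATIONS hash operations."""
    db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        db[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return db


def verify_pbkdf2(db, user, candidate):
    """How the site itself checks a login against the salted store."""
    salt, digest = db[user]
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS) == digest


def crack_unsalted(db, wordlist):
    """Hash the wordlist once and look every user up in the table.  The work
    is len(wordlist) fast hashes no matter how many users there are, and
    users with the same password are exposed together (same hash)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db, wordlist):
    """Every user has a different salt, so each candidate must be re-derived
    per user: up to len(users) * len(wordlist) slow derivations, and nothing
    can be precomputed before the breach."""
    cracked, work = {}, 0
    for u, (salt, digest) in db.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == digest:
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    import time
    for name, store, crack in (("unsalted MD5", store_unsalted_md5, crack_unsalted),
                               ("salted PBKDF2", store_salted_pbkdf2, crack_salted)):
        db = store(USERS)
        t0 = time.perf_counter()
        cracked, work = crack(db, WORDLIST)
        print(f"{name:14} cracked={sorted(cracked)} work={work} hashes "
              f"in {time.perf_counter() - t0:.3f}s")
```

Note the caveat the output makes plain: salting and slow hashing make the attacker's job more expensive, but bob, carol and dave still fall because their passwords are in the wordlist.  Only alice's random password survives either store, which is why the site's hashing and your own password choice both matter.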

If the hacked site notices what's happened (and it may not, for months), it will notify its users to change their passwords.  This limits the direct damage to the hacked site, but now your super-secret password is out in the open, usually alongside your e-mail address.  Even if you change your password for the hacked website, any other site where you've used the same password is at risk: attackers feed leaked lists of usernames and passwords into other popular sites automatically, precisely because so many people reuse passwords.  Even worse, those other sites don't have to be hacked for the bad guys to get in, because they simply log in with your password, so it's quite likely that no-one will notice anything is wrong at first.

So what's the solution?

So given that even a strong password alone may not be enough, what else can you do?  The best advice here is to create a separate, strong password for every site you use, so that even if one site is hacked, there's no way a black hat can get into any of your other accounts with the compromised password.  But if you do this, and follow the guidance above for good passwords, you're going to end up with dozens (or maybe hundreds) of unpronounceable passwords to keep track of.  Luckily there's an easier way than generating and tracking these manually, called a password locker.

NB: A "black hat" hacker is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain" (Moore, 2005). Source: Wikipedia 

Software Password Lockers

A software password locker mimics a common security practice used to keep track of physical keys, which is a lockable box, or key locker, that is used to store other keys.  Only a select few people have the master key to the key locker, and if one of the stored keys goes missing, only the locks for that key need to be changed.  So long as the master keys are kept safe, all is well.

I use a password locker called 1Password.  It's available for Windows, Apple Mac, iPhone/iPad and Android devices.  It also includes a handy web browser plugin which makes both generating and automatically entering website passwords extra-simple.

A single master password is used to control access to the program, and once it's unlocked you can quickly log into any site, or generate a new secure password with a few clicks.  It automatically associates each password with the website it was generated for, so it can enter your username and password for you next time you visit the site.  The master password is the one password you still have to memorise, and it unlocks everything else, so make it long and never use it anywhere else.

1Password has a number of other handy features, such as storage for credit card numbers, WiFi or modem logins, or any other general notes you need to keep secure.  It's also able to synchronise all of this information between devices, so you can have all of your passwords stored securely on your phone as well as your computer.
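To show what the key-locker analogy looks like in code, here is an added example of a minimal password locker.  It is not 1Password's code or file format, just an illustration of the two properties that matter: a single master password, stretched with PBKDF2, is the only key to the vault, and every site gets its own freshly generated random password, so one site's breach exposes nothing else.  Because Python's standard library has no block cipher, the vault is encrypted with HMAC-SHA256 run in counter mode as a keystream plus a separate HMAC tag (encrypt-then-MAC); a real locker would use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a crypto library.  The site names, master password and iteration count are constructed.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>/?"
KDF_ITERATIONS = 100_000      # assumed; real lockers use more, or a memory-hard KDF


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a PRF-based stream cipher
    because the standard library has no AES.  A real locker uses an AEAD
    such as AES-GCM or ChaCha20-Poly1305 from a crypto library instead."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(vault: dict, master_password: str) -> bytes:
    """Encrypt the vault (encrypt-then-MAC).  Layout: salt|nonce|ciphertext|tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_vault(blob: bytes, master_password: str) -> dict:
    """Check the tag first; a wrong master password or a tampered file fails here."""
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault tampered with")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def can_open(blob: bytes, master_password: str) -> bool:
    """True only if the master password is right and the blob is intact."""
    try:
        open_vault(blob, master_password)
        return True
    except ValueError:
        return False


def add_site(vault: dict, site: str, length: int = 20) -> str:
    """Generate a fresh random password for a site and store it under that site."""
    vault[site] = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return vault[site]


if __name__ == "__main__":
    vault = {}
    for site in ("pinterest.com", "facebook.com", "twitter.com", "bank.example"):
        add_site(vault, site)
    master = "correct horse battery staple"        # the one password you memorise
    blob = seal(vault, master)
    print(open_vault(blob, master)["twitter.com"])  # a 20-character random password
    print(can_open(blob, "password"))               # False: wrong master password
```

The sealed blob is what a locker synchronises between your devices, so the master password is all that protects it once it leaves your computer; that is the reason the master password has to be the strongest one you own.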

So there you have it.  There's really no excuse to be using weak or recycled passwords, so do yourself a favour and invest in a password locker application.  If you ever have a password compromised, you'll be very glad you did.

Further Reading:  

Brett, aka Mr {CHA}, is married to Christine (CHA's editor) and together they have 3 loud and energetic children.  Brett is an Electronic Engineer, who specialises in test and measurement systems.  He has a passion for Macs and War Hammer.  He also suffers in silence with his wife's crafty adventures. 

You can follow Brett on twitter or follow his blog Lonely Ant.

The opinions expressed by the author and those providing comments are theirs alone. The CHA is not an affiliate of 1Password. 
