Thursday, July 12, 2012

The Last Word in Password Security


Auntie got a worried text (sms) message today... Seems someone's PayPal account was hacked.

So, I thought it would be a good time to make sure everyone knew the straight dope on password security.  Read and understand this, implement at least one of the recommendations below, and your password-protected accounts will be far safer than most... Not perfect, but safe enough that the crooks move on to easier pickings.

First comes the reality check: Nothing online is ever 100% safe. It's just not. And, it's important you know that...

For one, if you simply cannot survive the idea of some bit of information being compromised, under even the most unlikely of circumstances, then for gosh sake, don't post it online.

Second, knowing nothing is 100% safe allows us to focus with clarity and realism on making it as safe as it can be, or as safe as it needs to be.

How hacking into your account works:
(Skip to the next boldface title if you already know or don't care)

In order to get into one of your login protected accounts somewhere, someone needs two things... Your user name, and your password.

Sometimes, you choose your own user name, but other times, the user name is just a default...  If you've set up WordPress or another CMS on your own hosting account, the default administrator login was probably "admin"...  A lot of other free web software you can install, such as forum software, does that, too.

Other times, the user name has to be an email address, such as on Facebook, PayPal, Gmail, and so on.

The problem here is that if someone has your email address - which can be pretty easy to get - they've already got one of the two keys they need to get into your account.

Next, they point a computer program at the login page of the service they want to hack into... It puts the already-known bit in the "user name" field, and then starts guessing at the other part, like the miller's daughter trying to guess Rumpelstiltskin's name, but many, many times per second.

This is why many sites will lock you out after so many tries of getting the password incorrect... You'd be surprised, though, how many accounts one can get into just guessing the most common passwords... 'password', for instance - no really. Most common password in the English speaking world.  Or the person's first name, or 123456, or qwerty, dragon, pussy, baseball, football, or letmein.

And, not every site has a lock-out for too many guesses... For those, the program can start by guessing within certain rules.  Suppose the site in question requires passwords with at least 4 but not more than 8 characters.  The program could start with 1111, then try 1112, 1113, 1114, and keep going until it gets to zzzzzzzz.  Your password is in there, somewhere... At a thousand or so guesses per second against a login page, everything up to six characters falls within a month.  The full eight-character range takes decades at that rate, which is exactly why the program tries the list of common passwords first and the whole alphabet last.  And if the site's password database gets stolen, the guessing moves onto the thief's own hardware, where nothing rate-limits it and billions of guesses a second are routine... Then the whole eight-character range is gone in minutes.
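To put numbers on the guessing game above, here is an added example (not from the original post) that counts how many guesses a password policy allows and how long exhausting them takes.  The 1,000 guesses per second figure is the post's; the 10 billion per second offline rate is an assumption standing in for a thief guessing against a stolen password database on his own hardware, and the 2,048-word dictionary for the four-word passphrase is also an assumption.

```python
import math

# Guess rates. The 1,000/s figure is the one the post uses for a program
# pointed at a login page; the offline figure is an assumption standing in
# for a cracking rig working on a stolen password database.
ONLINE_RATE = 1_000
OFFLINE_RATE = 10_000_000_000

# The common passwords the post lists, in the order a guesser would try
# them (constructed ordering, not a real wordlist).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "dragon", "baseball",
                    "football", "letmein"]

def keyspace(alphabet_size, min_len, max_len):
    """Number of strings the policy allows: every length from min_len to max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def passphrase_space(dictionary_size, n_words):
    """Number of n-word phrases drawn at random from a dictionary of that size."""
    return dictionary_size ** n_words

def bits(space):
    """Guessing work expressed the usual way, as bits of entropy."""
    return math.log2(space)

def worst_case_seconds(space, rate):
    """Time to try the whole space; on average the hit comes halfway through."""
    return space / rate

def describe(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"

def guesses_to_find(password, alphabet_size=36, min_len=4, max_len=8):
    """Guesses a program needs if it tries the common list first and only
    then walks the policy's keyspace (the keyspace part is an upper bound)."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return len(COMMON_PASSWORDS) + keyspace(alphabet_size, min_len, max_len)

def report(label, space):
    return (f"{label}: {bits(space):.0f} bits, "
            f"online {describe(worst_case_seconds(space, ONLINE_RATE))}, "
            f"offline {describe(worst_case_seconds(space, OFFLINE_RATE))}")

if __name__ == "__main__":
    print(report("4-8 chars, a-z and 0-9", keyspace(36, 4, 8)))
    print(report("4-6 chars, a-z and 0-9", keyspace(36, 4, 6)))
    print(report("12 chars, any printable ASCII", keyspace(95, 12, 12)))
    print(report("4 random words from a 2048-word list", passphrase_space(2048, 4)))
    print("guesses to hit 'password':", guesses_to_find("password"))
```

Run it and the two rates tell the story: the same 4-to-8 character policy that survives about 92 years of online guessing is exhausted in a few minutes once the guessing happens offline, while 'password' falls on the first try either way.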

So, unless you can hide that first key - your user name - really well - more on which later in this article - you had better make sure the second one is really well hidden.

The old way to make a strong password.
(Skip to the next boldface title if you already know or don't care)

Of course, first and foremost, don't use anything anyone might guess... Not your name, your birthday, your favorite passage from the bible, your daughter's name, your dog's name, or that really perverted sexual kink you think nobody knows about (we all know about it.)

By now, most all of us have heard from some expert or another that we should choose passwords that are impossible to guess or even decipher - something like GX4d%Nk1t6#!  This suggestion is a good one because it's uncommon, probably unique, and very difficult for a computer or person to guess.

By the way, you're not going to have any problem remembering that... Right?  Because if you wrote it down on a sticky note under the keyboard, guess what...?  It's no longer secure.

A better way to make a strong password.
(Skip to the next, larger boldface title if you already know or don't care)

As Randall Munroe rather famously pointed out in his web comic XKCD, four fairly random words are far harder to guess than the usual "one word with a few substitutions" password, and much easier to remember.  (A truly random jumble like the one above is stronger still on paper; the trouble is that nobody remembers it, so it ends up written down or reused.)

Make it random, but memorable... If you're going to create a new one for each site, and not follow the advice below, avoid making it something you think is memorable now, like your four favorite restaurants or vacation destinations.  When you come back to Wholesale Widgets dot com to buy another five years worth of widgets, chances are you won't remember what your four favorite restaurants were this week.

"What do you mean 'If you're going to create a new one for each site...'?" I hear some of you asking...  Problem is, a few of you are horrified because you'd never use the same password for two sites, and the rest are horrified because you always do.

Here's the full disclosure, safety first, glimmering caveat... Using the same password for more than one site is a bad idea, generally.  Not so much because the evil admins at Wholesale Widgets dot com can read your password and try it at Shaved Lemur Sessions dot com - a decently run site never stores the password itself... It runs what you typed through a one-way scramble (a "hash") and stores only that, so even the database doesn't really know what your password is... It just knows whether what you typed in matches.

The real trouble is that sites get broken into.  Some store passwords in plain text anyway, and a stolen list of hashes can be guessed against at leisure on the thief's own computers, with no lockout, so a short or common password gets recovered regardless.  Either way, the thief now has your email address and a password that worked somewhere, and the very next thing he does is try that pair at PayPal, Gmail, Facebook, and every other site he can think of.  That is what reuse costs you.

Confused? Don't worry. Doesn't matter.  Suffice it to say, the hashing is why most sites can reset your password, but can't send you the old one. (If you pretend to lose your password and they send it back to you, that's a tell: they're storing it in plain text.)
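Here is an added example (not from the original post) of what "the database doesn't know your password" looks like in practice: a record made of a random salt plus a slow one-way hash, a check that can only answer yes or no, and the offline guessing a thief runs against a stolen record.  The iteration count is an assumption for this example, and the word list is just the post's own handful of common passwords.

```python
import hashlib
import hmac
import os

# Work factor for the slow hash. Assumption for this example; a real site
# tunes it to its hardware (higher is slower for you and for the thief alike).
ITERATIONS = 100_000

# The common passwords the post lists, as a tiny stand-in for the word lists
# a thief runs against stolen hashes (constructed ordering).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "dragon", "baseball",
                    "football", "letmein"]

def store_password(password):
    """What a decently run site keeps for each user: a random salt plus a
    one-way hash of salt+password. The password itself is never written down."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def check_password(record, attempt):
    """The only question the record can answer: does this attempt match?
    Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def recoverable_from_record(record, password):
    """True if the plaintext could be read straight out of what the site stored."""
    return any(password in str(value) for value in record.values())

def crack_offline(record, wordlist):
    """What the thief does with a stolen record: guess on his own hardware,
    where no lockout applies. Returns the password if it was in the list."""
    for guess in wordlist:
        if check_password(record, guess):
            return guess
    return None

if __name__ == "__main__":
    weak = store_password("baseball")
    strong = store_password("imthequeenofthewinerack")
    print("stored for 'baseball':", weak)
    print("cracked the weak one as:", crack_offline(weak, COMMON_PASSWORDS))
    print("cracked the strong one as:", crack_offline(strong, COMMON_PASSWORDS))
```

Two things to notice: the same password stored twice produces two different records, because the salt is random, so a thief cannot crack a whole database in one pass; and the site genuinely cannot mail you the old password, because nothing in the record contains it.  The weak record still falls to the word list in a handful of guesses, and that recovered password is what gets tried at every other site you use.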


An even better way to make a strong password.

(Image: a padlock.  Caption: "Lock it down.")
"If only I could use the same password everywhere, and still have it be wicked secure!" I hear you lament (Don't lie to your Auntie... I heard you.)

Well... You can. Almost. Kind of.

Step One: Choose a string you'll never have to write down, you'll always remember, and nobody else could guess...  Fish Bike Molecule Sandwich.  I'm The Queen Of The Wine Rack.  Hamsters Love Wild Lettuce Salads.  Whatever... Just pick something.

(Picking something like "Now is the time for all good men to come to the aid of their country" or "We the people in order to form a more perfect union" is technically less safe, as it breaks the rule in Step One - someone can guess it, and famous quotations are in the word lists cracking programs try first.  Still far better than a single word, with the other measures that follow, though.)

Step Two: chop it down to password form... No spaces, no punctuation. "I'm The Queen Of The Wine Rack" becomes "imthequeenofthewinerack".

Step Three: Now, due to the way some sites set up their password requirements, trying to be helpful, you might want to add an uppercase letter, a number, and a symbol...

They have conditional rules in there that only consider things from one simplified point of view... "Does it have the kinds of characters I want? Does it have both upper and lower case characters? Does it have a number and/or a symbol?  If not... Well, it must be weak, right?"

Even if you enter the entire text of War & Peace (in lower case with no spaces) as your password, some snippy little line of script that doesn't know any better is going to think it's weak because it doesn't contain special characters and then not let you use it...  So much for remembering it, if a few sites force you to use a different one, right?

You can get ahead of this problem, as well as preventing those condescendingly 'helpful' programs from being snippy with you, and telling you your amazingly strong password is "weak" by adding a capital letter, a number, and a symbol.... Maybe "imthequeenofthewinerack" becomes "Imthequeenofthe$3winerack" and gains some memorable humor value at the same time. ;)

Step Four: And this is the magic step where it becomes universal, but not universal... Add a site-specific variable.  If it's for Facebook, add the word Facebook as the first or last word.  If it's for Twitter, PayPal, etc... You get the idea.

Your core password - imthequeenofthewinerack - becomes "imthequeenofthewinerackfacebook" for Facebook, "imthequeenofthewineracktwitter" for Twitter, and "imthequeenofthewinerackpaypal" for PayPal.

Good, but not perfect... It's a pattern, and a pattern can be spotted.  Anyone who has read this essay knows to look for "facebook" tacked on the end, and anyone who sees one of your passwords can work out the rest.

So, you customize the customization... Instead of adding the site name in all lowercase, maybe you add it in all caps, or in 'leet (1337, that is... But make sure you can remember your substitutions) or with just the first letter capitalized (Facebook instead of facebook), or backwards - koobecaf - or french, or babytalk, or whatever...  It just has to be a scheme only you know, that you will remember, and that you follow every time (make it different for that one site, and you will forget, I guarantee it.)

The Result...  Follow these rules, and you have a password scheme that gives you the benefits of using the same password everywhere - i.e: you remember it - while giving you the benefits of using a different password everywhere - because it is - and a password that nobody's going to hack by brute force, unless they have thousands of computers working on it, and hundreds of years to dedicate to the problem.

One caveat, though: the whole thing rests on the core never being seen in the clear.  Hand it to a fake login page, or to one site that stores passwords in plain text, and whoever reads it has the core and a fair idea of your site rule for every account you own.  So keep an eye on where you type it, and the first time you suspect a leak, change the core everywhere.
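Here is the four-step scheme written out as code, as an added example (not the post's own), so you can see both what it buys you and what it doesn't.  The core is the post's example phrase after Steps One to Three; the site rule (site name reversed, first letter capitalised) is a constructed rule for illustration, and you should pick your own.

```python
# Added example: a working model of the post's four-step scheme, with a
# constructed site rule (site name reversed, first letter capitalised).
# Pick your own core and your own rule; these are illustration only.

CORE = "Imthequeenofthe$3winerack"   # Steps One to Three applied to the post's example phrase

def site_tag(site):
    """Step Four plus the 'customize the customization' twist: reverse the
    site name and capitalise the first letter ('facebook' -> 'Koobecaf')."""
    name = site.strip().lower()
    reversed_name = name[::-1]
    return reversed_name[:1].upper() + reversed_name[1:]

def derive(site, core=CORE):
    """The password you would type at `site`: the fixed core plus the site tag."""
    return core + site_tag(site)

def meets_typical_rules(password, min_len=8):
    """The checks a 'helpful' sign-up form usually runs (Step Three):
    long enough, upper and lower case, a digit, and a symbol."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))

def shared_prefix(a, b):
    """What two passwords from the scheme have in common: the entire core.
    This is what a thief learns from one plaintext leak."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]

if __name__ == "__main__":
    for site in ("facebook", "twitter", "paypal"):
        print(f"{site:>9}: {derive(site)}")
    fb, pp = derive("facebook"), derive("paypal")
    print("shared between two of them:", shared_prefix(fb, pp))
    print("passes the usual form checks:", meets_typical_rules(fb))
```

Every derived password passes the sign-up form's checks and is long enough to laugh at brute force.  But shared_prefix shows the cost of the scheme: lay any two of them side by side and the whole core is visible, so a single password caught in the clear is enough to reconstruct the rest once the site rule is guessed.  That is the trade you make for never having to write anything down; if you would rather not make it, unrelated random passwords kept in a password manager remove the shared core entirely.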

(And they might have thousands of computers... That's what those viruses your less savvy friends get all the time do... They make your friend's CPU available to hackers as a mindless zombie slave, for brute force attacks and denial of service attacks.)

That's it. You're pretty much safe.  You can stop now... Unless... Do you want your logins to be even more secure? Like crazy levels of Spy vs Spy secure? Easy enough... Hide the other key.

The Cherry on Top - Secure & Unique Login Names

This part isn't as easy, and not everyone is going to be able to do it...  But, if they wanted to badly enough, they could.  You can do a cheap version for free, or a perfectly functional iron-clad version for about $6 a month.

The problem, as mentioned early on, is that anyone who has your email address already has your login for lots of different sites.  Granted, if your password is as secure as the ones above, you can pretty safely just laugh at them.

But... You could take it to the next level.

What if you had a unique email address that was used for, and only used for, logging in to each specific site?

Well, you could go to the various free email services, and set up free email accounts for that purpose... But, that's a pretty fair amount of work.

You could also have your "real" email address - I suggest Google's Gmail - and then have all those unique, specialized email addresses forward to that one.

Lots of web hosting companies give you 20, 50, 100, or unlimited email accounts - "real" POP3 email addresses, or forwarding addresses - when you keep a domain name hosted there.  So... The cost is maybe $7-15 a year for the domain name, and $3-10 a month for hosting.

Dreamhost, for instance, offers unlimited email addresses, and the hosting cost gets cheaper, the bigger a time span you buy at once... Add to that a great back-end and wonderful tech support, and you have an awesome hosting company.

Then, for each site you need a login for, you create a unique forwarding address... For Facebook, you create the email address MyFacebookAccount@MyDomain.com (or some such thing) and then have it forward to your "real" email address...  This process is simple and takes about two minutes with every hosting company I've used... And I've used a lot of 'em.  (Do pick aliases that aren't obvious, though; once someone knows your domain, "facebook@" or "MyFacebookAccount@" is the first thing they'd try, which rather defeats the purpose.)

Now, each login is a unique email address, but you only have to check one email address... Plus, you can easily track which sites have either compromised or sold your email address and let spammers get hold of it.  One thing to keep in mind: that one "real" mailbox everything forwards to is now the master key to the whole lot, so it gets your strongest password of all, and its address shouldn't be used as a login anywhere else.

"But what would I ever do with a domain name and web site?" you ask...?  Well, for one thing, keep all of your logins as close as humanly possible to perfectly secure. Get your last name as a domain name, and you can offer all your relatives free custom email addresses - CrazyUncleBob@Rammensteins.us or something... Just make them forward to their "normal" address, easy as pie, and you're the tech genius of the family. :)

For another... Heck, install WordPress and have a personal website!  You've got hobbies, interests, opinions, or cats whose pictures you can post, right?  It's easy - like almost as easy as email - flexible, powerful, and there is lots of learning material free on the web... And I can help you with questions you might have, as well.
