
Wednesday, 18 May 2011

How to generate and remember secure passwords

How many websites do you log in to? 5... 10... 15... more?

Start counting: there's the supermarket (3 or 4 of them), your online clothes shops (lots), forums, tax returns, banks, etc.

Some sources suggest that on average we have 20 passwords that we need to remember. I'm betting that this is slightly out of date and that some of us (me included) have to remember many more.

So how do we do that?

Well, recent hacking activity has exposed some interesting data. When the leaked passwords posted to hacking sites are analysed, some shocking truths are uncovered.

Most of us use simple names or, worse, passwords like "12345" or "password". Others use a name followed by a number. There are dictionaries of these weak passwords that hackers can use to greatly speed up their attacks.

The best passwords are random ones, comprising upper and lower case letters, numbers and symbols (!"£$%^&*():? etc.). The longer the password the better. A good password might look like !Whd%59doPS2mj.-K4G, but how on earth are you going to remember that?

Well, there are some letter tricks that can be used, and there are some technical solutions too.

The letter tricks first.

Obfuscate letters and numbers: substitute 5 for S, 3 for E, 1 for L and so on. Using that technique the word password can become Pa55w0rd, which reads easily and is quite straightforward to remember. However, don't be tempted to use this one, as it will be in the hackers' dictionary already!

Try choosing a location or memorable event, take the first one or two letters of each word of a memorable sentence and apply the obfuscation above. So "Mum was born in London and Dad was born in Glasgow" can become MwbiLaDwbiG. Adding the obfuscation, it becomes Mwbi1aDwbiG. It's still not long enough and doesn't contain symbols. So add a year of birth, typed as the symbols that sit above the numbers on the keyboard: "Mum was born in London in 64 and Dad was born in Glasgow in 62" becomes Mwbi1i^$aDwbiGi^". Now, that is looking better.

Great, so we have ourselves a strong password, but should we use the same one on all our sites? No: you don't want your banking password mixed up with forum passwords, which are often stored unencrypted and sent over plain-text links. Did you know that the default login on Facebook is over an unencrypted link that anyone can intercept? Use the same email and password there as for your bank and you are asking for trouble.

So personalise each password to the website. Perhaps take the first and last letters of the website's name and add them to your password as its first and last characters: Facebook could be FMwbi1i^$aDwbiGi^"k, while the bank HBOS might be HMwbi1i^$aDwbiGi^"S. You have to be careful with this technique, but it can be used effectively.
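Here is the recipe from the last three paragraphs written out as a small Python script. It is an added example, not code from the original post: the substitution tables (the S/E/L/O look-alikes and the symbols above the digit keys on a UK keyboard) are my reading of the post's examples, and `WEAK_PASSWORDS` is a constructed stand-in for the much larger dictionaries the post mentions. The script also undoes the substitutions before checking a candidate against that list, which is why Pa55w0rd is rejected, and it adds the per-site first and last letters; that prefix/suffix pattern is obvious to anyone who sees one of the resulting passwords, which is the reason to be careful with it.

```python
import string

# Digit look-alikes from the post's obfuscation trick (5 for S, 3 for E, 1 for L;
# Pa55w0rd also swaps 0 for O).  Constructed table, applied case-insensitively.
LEET = {"s": "5", "e": "3", "l": "1", "o": "0"}
UNLEET = {digit: letter for letter, digit in LEET.items()}

# Symbols printed above the digit keys on a UK keyboard (the post turns 64 into
# ^$ and 62 into ^").  Constructed table; a US layout gives @ for 2, # for 3, etc.
UK_SHIFT = {"1": "!", "2": '"', "3": "£", "4": "$", "5": "%",
            "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}

# Tiny constructed stand-in for the weak-password dictionaries the post mentions.
WEAK_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}

SENTENCE = "Mum was born in London in 64 and Dad was born in Glasgow in 62"


def mnemonic_password(sentence, site=None):
    """Build a password from a memorable sentence, as the post describes.

    Each word contributes its first letter, run through the look-alike table;
    an all-digit word (a year) contributes the shifted symbols instead.  If a
    site name is given, its first letter (upper-cased) and its last letter are
    added as the first and last characters of the result.
    """
    parts = []
    for word in sentence.split():
        if word.isdigit():
            parts.append("".join(UK_SHIFT[d] for d in word))
        else:
            first = word[0]
            parts.append(LEET.get(first.lower(), first))
    password = "".join(parts)
    if site:
        password = site[0].upper() + password + site[-1]
    return password


def normalise(candidate):
    """Undo the look-alike substitutions and lower-case the result, so that a
    candidate is compared the way the post says attacker dictionaries already
    compare it."""
    return "".join(UNLEET.get(c, c) for c in candidate).lower()


def in_weak_list(candidate, weak=WEAK_PASSWORDS):
    """True if the candidate, with substitutions undone, is a known weak password."""
    return normalise(candidate) in weak


def character_classes(password):
    """Which of the four character classes the post asks for are present."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation or c == "£" for c in password),
    }


if __name__ == "__main__":
    base = mnemonic_password(SENTENCE)
    print(base)                                    # Mwbi1i^$aDwbiGi^"
    print(mnemonic_password(SENTENCE, "Facebook"))  # FMwbi1i^$aDwbiGi^"k
    print(mnemonic_password(SENTENCE, "HBOS"))      # HMwbi1i^$aDwbiGi^"S
    print(in_weak_list("Pa55w0rd"))                # True
    print(character_classes(base))
```

Running the script reproduces the post's three passwords exactly. The `in_weak_list` check is the part worth keeping in any password policy: it shows that a look-alike substitution adds nothing once the checker (or the attacker's wordlist) simply reverses it.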

Now to the technical measures: password managers.

There are several relatively cheap password managers that you can purchase.

The best ones are those that let you generate truly random passwords of variable length and store them in encrypted form on your system or over the internet. For those on the move, look for programs that have matching apps for your smartphone.
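What "truly random passwords of variable length" means in practice, as an added example that is not code from the post or from any of the password managers it names: each character is drawn uniformly from the post's character set with Python's `secrets` module (a cryptographic source, unlike the `random` module), the entropy of the result is reported, and a helper works out how long a password must be to reach a chosen number of bits. The character set is the post's own list of symbols plus letters and digits; the 128-bit target in the usage line is my choice of illustration.

```python
import math
import secrets
import string

# Character set from the post: upper and lower case letters, digits and the
# symbols it lists.  74 characters in total.
SYMBOLS = '!"£$%^&*():?'
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy, in bits, of a password of `length` characters each chosen
    uniformly and independently from `alphabet`: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def length_for_bits(target_bits, alphabet=ALPHABET):
    """Smallest length at which a uniformly random password reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def has_all_classes(password):
    """True if the password contains an upper-case letter, a lower-case letter,
    a digit and one of the post's symbols."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length=20, alphabet=ALPHABET):
    """Generate a password with secrets.choice, which uses the OS CSPRNG.

    Candidates missing one of the four classes are discarded and redrawn.
    Rejection keeps the distribution uniform over the accepted passwords and,
    at lengths around 20, costs only a fraction of a bit of entropy.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    length = length_for_bits(128)                  # 21 characters for this alphabet
    pw = generate_password(length)
    print(pw, f"{entropy_bits(length):.1f} bits")
```

With 74 possible characters each position contributes about 6.2 bits, so the post's 19-character example sits near 118 bits if it were generated this way, and 21 characters are enough for 128. The figure only holds for passwords a program picked uniformly; a mnemonic built from a sentence has far less entropy than its length suggests, which is the case for letting the manager generate them.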

Some suggestions in this category are iAccounts/iBackup for smartphone and PC, KeePass, LastPass and Roboform.

My personal choice is iAccounts backed up with iBackup. With this very inexpensive app, I can have all my secure details in an encrypted database stored on the iPhone behind a very secure password. If I get the login password of the app wrong 5 times in a row the database is destroyed. Using iBackup, I can sync the database with my workstation over the air. Opening iBackup, I can copy and paste from the database to login boxes on the workstation whenever I need to. To further back up the database on the workstation, I export a CSV copy of it every time I add a new password. The CSV is in plain text, but I export it to a TrueCrypt container file which is AES encrypted. Better still, that container file is in a folder that goes into the nightly backup of the entire system. This way, if the phone is lost I can be safe in the knowledge my credentials are safe and if I have finger trouble with the PC, I can recover the database from any day over the past year.

More about TrueCrypt in another post.
