7.6.12

The Secret to Creating a Strong Password

Are you on LinkedIn?

Are you worried about the recent hack?

Should you be?

Absolutely.

And when you are done worrying about your account being hacked, then get ready for an even scarier thought.

Consider this quote from Tom's Hardware blog:
"Last year, a major security breach at RockYou.com resulted in the release of 32 million passwords. With such a large data set available, security firm Imperva Application Defense Center (ADC) analyzed and found that, when given the chance, most users will choose a simplistic password."

The most common password? Over 290 thousand users had the password "123456". Almost 62 thousand used the password "password".

I'm not a psychic (which would make me tele-"pathetic"), but I would guess that of the millions of passwords on LinkedIn accounts, there were millions of other online accounts that used the same password.

You know we all do it. We create these "utility" passwords that we use in multiple online accounts. Being human, we generally gravitate toward the path of least hassle - and hassle in this case is remembering multiple passwords.

As we move toward tablet and mobility computing, many of those wonderful apps we download require us to create accounts. I'm guessing that many people reading this will use the same password for all of the accounts they use, as well as those apps we quit using. As a CIO who allows tablets and mobile devices on my network (a la bring your own technology), this IS an issue to address.

LinkedIn's recent unpleasantness is a great reminder to review our password policies, as well as an opportunity to educate our users around privacy and protection.

Let's start with passwords. Simply Google (or Bing) "creating easy to remember secure passwords" and you'll see a number of bloggers and sites that provide great ways to create strong passwords that you will actually remember but are really hard to guess. My very favourite advice article is from LifeHacker - Geek to Live: Choose (and remember) great passwords.

Secondly, as you create these online accounts, use a utility account from Live.com, GMail, etc. NEVER use your work email or personal email account. If the hackers get your email and password (as in LinkedIn's case), then the problem is isolated to that utility account.

So why would I take the time and space to blog to a bunch of IT professionals about such rudimentary security issues? There's the old maxim about the Plumber's pipes, the Mechanic's car, etc. being neglected and in disrepair since s/he was busy fixing everyone else's problems.

Let's hope they don't start a maxim about the CIO's network security.

UPDATE: The comic strip XKCD has come out with the ultimate password generator. See below:

Source: XKCD.com/936

As long as we are lazy with bad memories, passwords will be insecure. People will do the right thing as long as it's the easiest thing to do. While the XKCD comic is a bit strange, perhaps modifying our password policies to accommodate 4RW (Four Random Word) passwords might be a solution.
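As an added example (not code from the original post, nor from XKCD), here is the arithmetic behind the comic's claim and a sketch of how a password policy could accept a 4RW passphrase alongside the usual letters-numbers-symbols rule. The sample wordlist, the policy thresholds and the function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample wordlist (an assumption for this example). A real
# deployment would draw from a published list of a few thousand common
# words; the entropy figures depend on the list size, not on the words.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "window",
    "pepper", "garden", "rocket", "silver", "planet", "button", "cotton",
    "marble", "forest", "copper", "ladder", "pillow", "carpet",
]


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words chosen uniformly from wordlist_size words."""
    return word_count * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of length characters chosen uniformly from charset_size symbols."""
    return length * math.log2(charset_size)


def generate_4rw(wordlist, word_count: int = 4, separator: str = " ") -> str:
    """Build a Four Random Word passphrase from the OS CSPRNG (secrets),
    never from the user's own head or from random.choice."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passes_policy(password: str, min_words: int = 4, min_phrase_len: int = 16,
                  min_complex_len: int = 8, min_classes: int = 3) -> bool:
    """Hypothetical policy: accept either a multi-word passphrase or a classic
    composition-rule password, so a 4RW passphrase is no longer rejected for
    lacking digits and punctuation. Thresholds are illustrative assumptions."""
    words = password.split()
    if len(words) >= min_words and len(password) >= min_phrase_len:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= min_complex_len and classes >= min_classes


if __name__ == "__main__":
    print("4 words from a 2048-word list:", passphrase_entropy_bits(4, 2048), "bits")
    print("8 lowercase letters:", round(charset_entropy_bits(8, 26), 1), "bits")
    print("8 chars from 94 printable ASCII:", round(charset_entropy_bits(8, 94), 1), "bits")
    sample = generate_4rw(SAMPLE_WORDS)
    print("generated:", sample, "-> policy:", passes_policy(sample))
    for candidate in ["123456", "password", "correct horse battery staple"]:
        print(f"{candidate!r} -> policy: {passes_policy(candidate)}")
```

Four words drawn from a 2048-word list give 44 bits, the figure the comic quotes, whereas eight lowercase letters give about 38 bits. The strength comes from the size of the list and from the words being chosen by a CSPRNG, not from the words themselves, which is why the policy branch checks word count and total length rather than character classes.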


4 comments:

  1. I think the passphrase idea is great! Also, Jeff Atwood has a great post on enabling 2-form-authentication on your email accounts. Another great idea.

    http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html

  2. An additional suggestion is to modify your password slightly for each service, using the name of the service. For example, if your standard password is 12345678, you might use 12345678f for Facebook (or 1f2345678) or 12345678t for Twitter. This way, automated attempts to check your password against other services will fail. You can also use the second (or later) letter of the service (i.e. 12345678a and 12345678w) for additional security.

    Personally, I'm working on implementing the 4 random word solution at my school, but I'm not having a lot of luck with my network security guy, who basically doesn't believe me that the passwords tend to be more secure.

    1. David,

      You've identified the gatekeeper to why the 4RW solution can't be implemented. Many password policies enforce a combination of letters, numbers and characters.

      I wasn't about to tag my Network Admin as the culprit in order to avoid random peculiarities with my network connection... not that he would ever do that of course...
