Wednesday, October 01, 2008

Keeping Passwords Safe

Keeping your information safe and private in today's online, information-hungry world is no mean feat. Give your telephone number to one company and within a year or two you find yourself receiving calls about insurance almost every day.

Give a company your email address and you'll find your inbox stuffed full of recommendations for cheap medications, Russian/Indian business partners, dating websites and of course porn. (At Horizon Web Development we never pass on your email address).

Unfortunately, short of changing your telephone number and email addresses regularly, there is little that you can do to prevent the two situations above from occurring.

There is however some information that you absolutely should keep private and safe, no matter what - your Internet passwords.

Memory Aids

We all have them: we have to, in order to access the countless websites we use, and we all have our own memory aids to keep track of the countless PINs and passwords, simple tricks so that we can remember them all.

The simplest is of course to use the same password for every site; this is also the most foolhardy.

Many users, when they set up a new account online, give their email address and a password. Those who use just one password will therefore have handed over the same password they use to log into their email.

While this isn't in itself too much of a concern, should the website ever be hacked, the criminal would not only have access to the unfortunate user's email account, but wouldn't need to be a criminal mastermind to work out their password for shopping or banking websites too.

A recent example of this is the hack of US political commentator Bill O'Reilly's website, after which a list of users, their email addresses and their passwords was published online.

"A case in point is Carolyn Carpenter, 68, of Henderson, Nevada. The list showed she used a six-letter word from the English language to access her account. Early Friday evening, when told she should change all accounts that used the password, she replied: 'Oh damn, I use it all over the place.'"
The Register | Bill O'Reilly's website hacked

No doubt she spent most of the night changing all of her passwords to another six-letter word from the English language, but hopefully she learnt her lesson and used a different password for each.

Other tricks for remembering passwords are to use birthdays, a mother's maiden name, football teams or pets' names.

Sadly this is also bad practice, as the first technique a would-be hacker would try is to go through all the words in the dictionary.

The experts warn that to combat this, the best passwords are those not found in the dictionary: ones that combine letters and numbers, so rather than Horizon, H0r150n. It just gets a little tricky to remember which letters were substituted for which, and after a few such words it becomes impossible to keep track.

Password Manager

Another option is a password manager. There are plenty of them around, such as Keywallet, Passpack and KeePass.

These programs create random passwords for you and, more importantly, store them along with the website and username so that they can be retrieved easily. Such programs make it easy to go from using passwords such as rover to fS8cSh;o.sPiiMGBuZoqmRgdBotS9N, which no one is going to guess, or even crack easily.

The ability to have completely random and also unique passwords for every website is extremely reassuring and one of the best ways to stay safe online. Should one password be compromised somehow, all your others remain perfectly safe. You only have to remember the master password that unlocks all of the other passwords in the program.

There are however downsides to password managers: should you decide that your current password manager isn't for you, changing it may not be easy. Some, like KeePass, can import and export passwords to and from other programs, but compatibility between programs is patchy.

Even two programs that import and export the same formats won't necessarily understand each other's password lists, which means that if you use one, it is best to use it on all your PCs and laptops.

Portable Use

Another drawback of password managers becomes apparent when you are out and about and need to check your email. fS8cSh;o.sPiiMGBuZoqmRgdBotS9N is not a password anyone remembers by heart, especially when you have 30 or more similar ones.

Some password managers, such as KeePass, have portable versions that you can run from a USB memory stick. How safe this is, however, is debatable. The master password has to be something memorable, because if it is forgotten there is no way to access all those other passwords.

This of course means that the master password tends to be something like a birthday, a mother's maiden name, a football team or a pet's name, which, as mentioned earlier, is easily guessed or cracked. Carrying around a USB stick crammed with passwords, along with the corresponding usernames and website addresses, seems a little risky, especially when they are protected only by a simple password.

Web Based Password Manager

There is however another way of generating random-looking passwords while still getting away with simple, easy-to-remember memory aids. Password Chart offers the ability to create long and seemingly meaningless passwords from simple everyday words.

For example, Horizon Web Development would be:


Easy to remember, whilst also being a strong password. Of course this has its drawbacks too: if the site is offline, or Internet access is not available, you're completely lost unless you printed out the chart.
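Password Chart's own algorithm is not described on the page; the following is an added example (not the site's code) of the general idea: a chart of fragments derived from a memorable phrase with HMAC-SHA256 (an assumed construction), applied letter by letter to an everyday word. The phrase, the word and the fragment alphabet are constructed.

```python
import hashlib
import hmac
import string

# Characters the derived fragments are drawn from (constructed choice).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"

def build_chart(phrase, width=3):
    """Derive a lookup chart from a memorable phrase: each letter and digit gets
    a fixed fragment of `width` characters. The same phrase always produces the
    same chart, so the chart can be regenerated instead of carried around."""
    chart = {}
    for ch in string.ascii_lowercase + string.digits:
        # HMAC keyed with the phrase (assumed construction): without the phrase
        # the chart, and therefore the final password, cannot be rebuilt.
        digest = hmac.new(phrase.encode(), ch.encode(), hashlib.sha256).digest()
        n = int.from_bytes(digest, "big")
        fragment = []
        for _ in range(width):
            n, idx = divmod(n, len(ALPHABET))  # big-int divmod keeps selection near-uniform
            fragment.append(ALPHABET[idx])
        chart[ch] = "".join(fragment)
    return chart

def chart_password(phrase, simple_word):
    """Turn an everyday word into a long password by replacing each letter
    or digit with its chart fragment; other characters are dropped."""
    chart = build_chart(phrase)
    return "".join(chart[ch] for ch in simple_word.lower() if ch in chart)

if __name__ == "__main__":
    # Constructed phrase and word; the phrase is the secret that must be kept.
    print(chart_password("the quick brown fox", "horizon"))
```

The whole scheme stands or falls on the phrase: anyone who knows it (or has the printed chart) can rebuild every password derived from it, so it deserves the same care as a password manager's master password.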

The best solution is probably to use a mixture of passwords and memory aids, and not to rely too heavily on one product, because if that fails there will be a lot of clicking on Forgotten Password links and waiting for emails, assuming you haven't lost access to your email too.

