June 26, 2012
Helpful hints from joeeze: Fix your insecure passwords in minutes
Farhad Manjoo's Slate article, published June 17 in the Washington Post, puts paid to the impractical instructions (above) of the grand panjandrums of tech to create different, impossible-to-remember combinations of numbers and letters for each and every website you frequent.
Here are excerpts from Manjoo's piece, which is well worth reading in its entirety.
Right now you're scrambling to change all your passwords. If you're not, you should be. In the wake of a couple of massive security breaches — one at LinkedIn that nabbed 6.5 million passwords and another at eHarmony that compromised 1.5 million accounts — security experts are advising that people change their passwords at the affected sites and at every other site where you used a similar password.
By now you've probably heard the time-worn guidelines for creating strong passwords: Don't use your name or other common words. Use different passwords for different sites. Change them often. Choose security questions that don't involve information that everyone knows about you, or stuff that crooks can easily find on Facebook.
For a lot of people, myself included, these rules are too much trouble. We've all got too many online accounts, so keeping track of different, ever-changing strong passwords for each site seems like a gargantuan task.
In 2009, I stumbled upon a foolproof system to fix all your terrible, vulnerable passwords in just five minutes. My method, which I filched from a commenter at a security forum, generates very strong passwords that are also very easy to remember. This means that you can create good passwords for every site you visit.
But now I've got a better system. This new scheme generates even stronger passwords that are even easier to remember. The one disadvantage is that it doesn't work at every site. For those places where it doesn't work, you'll have to use my 2009 method, which is still really good.
The old, still very good way to fix your terrible passwords: Come up with a short phrase you're likely to remember. Just like in school, it helps to make your mnemonic really bizarre — the stranger the phrase, the easier it'll be to remember. For example, "Kim Kardashian is the most amazing woman in all 50 states," or "Mitt Romney and Barack Obama decided to make 10 waffles." Notice that my phrases use a mix of capitalized and lowercase words, and I added some numbers as well.
To make a password, just take the first letter of each word in your phrase. The sentences above would turn into KKitmawia50s and MRaBOdtm10w. Both of those passwords are extremely strong — they're long, and they're free of common English words that can be guessed by a computer.
You can generate different passwords for different sites by varying your phrase slightly for each one. The phrase "LinkedIn is terrible at securing its passwords so it's my 10th favorite social network" will create a password for LinkedIn (LIitasipsim10fsn) as well as for Twitter (Titasipsim9fsn), Facebook, MySpace and on and on.
Note, too, that it's OK for you to keep similar passwords at similar sites. On sites where a password thief can't do much damage — say, publications like Gawker and the New York Times — you can repeat the same password. You'll want to keep your social networking accounts slightly more secure, but the passwords don't have to be extremely different; after all, if a bad guy gets into your Facebook account, he's not going to be able to do much more additional damage if he gets into your Twitter profile, too. So varying them slightly — as I did above — is perfectly OK, as long as you remember to change them after you hear about a breach like the one at LinkedIn.
You'll want to reserve the most distinct passwords for sites where breaches would cause you a lot of trouble — your financial institutions and your email accounts, which hold the keys to the rest of your online life. (If a bad guy gets into your email, he can use the password reset feature to get into lots of other accounts, too.)
The new, even better way to fix your terrible passwords (which sadly doesn't work everywhere): Start with the same method as above — choose a short, memorable phrase. And that's it. Instead of turning the phrase into a one-word password, just use the whole phrase as your password. For instance, "Mitt loves when Barack makes waffles." That's a memorable phrase. It's also an extremely strong password just by itself — stronger, even, than a password made up of that phrase's initial letters. Instead of shortening the phrase, just type the whole thing in as your password. That's easier than typing a jumble of symbols and uppercase and lowercase letters, and it's easier to remember, too.
I didn't come up with the idea of using a short phrase as a password. The credit should go to Thomas Baekdal, who runs the online magazine Baekdal, and who wrote about this method way back in 2007.
I tried this method at several of the sites I frequent most. It works at Gmail, LinkedIn, Twitter and Facebook, among others, and I encourage you to use short phrases as passwords there. But it doesn't work at my bank, nor is it allowable at the many other sites that impose a maximum length on passwords and/or don't allow spaces in passwords. Both of these requirements are pretty stupid. Limiting the number of characters in a password only makes them less secure, and a ban on spaces forces you to use special characters, which are harder to remember. I'm hoping that eventually, all sites come around to dropping their arcane password rules in favor of a much simpler password dictate: Pick a short, unique phrase.
Whatever you do, just do it — your passwords are a mess, and you should really fix them now.
June 26, 2012 at 04:01 PM
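Manjoo compares his acronym password, his full-phrase password and (in the comments below) the xkcd four-random-words scheme, but the strength of each depends on what the attacker assumes about how it was built. The following is an added example, not code from Manjoo's article or from this post: it scores the page's own three candidate passwords under two attacker models, a character-level brute force over the character classes present (the "haystack" view) and a wordlist attack that knows the password is N words from a dictionary. The dictionary sizes and the guess rate are assumptions, labelled in the code.

```python
import math
import string

# Added example, not from Manjoo's article or the joeeze post. The three
# candidate passwords are taken from the page (Manjoo's acronym and full-phrase
# passwords, and the xkcd 936 four-word phrase cited in the comments); the
# dictionary sizes and guess rate below are attacker-model assumptions.
ACRONYM = "MRaBOdtm10w"                      # initials of "Mitt Romney and Barack Obama decided to make 10 waffles"
PHRASE = "Mitt loves when Barack makes waffles."
FOUR_WORDS = "correct horse battery staple"   # the phrase xkcd 936 uses as its illustration

COMMON_WORDS = 2048           # assumed: attacker's list of everyday words (xkcd's 11 bits per word)
WORDS_AND_NAMES = 100_000     # assumed: a larger list that also covers first names
GUESSES_PER_SECOND = 1e9      # assumed: offline guess rate against a fast unsalted hash


def charset_size(pw: str) -> int:
    """Alphabet size a brute-force cracker would assume from the character
    classes present in pw: lowercase, uppercase, digits, symbols (incl. space)."""
    n = 0
    if any(c in string.ascii_lowercase for c in pw):
        n += 26
    if any(c in string.ascii_uppercase for c in pw):
        n += 26
    if any(c in string.digits for c in pw):
        n += 10
    if any(c in string.punctuation or c == " " for c in pw):
        n += 33  # 32 ASCII punctuation characters plus the space
    return n


def brute_force_bits(pw: str) -> float:
    """log2 of the search space if the attacker must try every string of this
    length over the password's character classes (the 'haystack' model)."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(n_words: int, dictionary: int) -> float:
    """log2 of the search space if the attacker knows the password is n_words
    words drawn from a dictionary of the given size, in any order."""
    return n_words * math.log2(dictionary)


def years_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password (half the space on average), in years."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for name, pw in (("acronym", ACRONYM), ("phrase", PHRASE), ("four words", FOUR_WORDS)):
        bits = brute_force_bits(pw)
        print(f"{name:11s} brute-force model: {bits:6.1f} bits, {years_to_crack(bits):.3g} years")
    # The acronym has no word structure to exploit; the phrases do.
    bits = wordlist_bits(6, WORDS_AND_NAMES)
    print(f"phrase      wordlist model:    {bits:6.1f} bits, {years_to_crack(bits):.3g} years")
    bits = wordlist_bits(4, COMMON_WORDS)
    print(f"four words  wordlist model:    {bits:6.1f} bits, {years_to_crack(bits):.3g} years")
```

The point the numbers make: the four-word phrase looks like roughly 165 bits to a character-level cracker but only 44 bits to one who knows the scheme, and a grammatical sentence built from names and common words is weaker again under that model than its six-word figure suggests, because word order is not free. The acronym has no word structure to exploit, so its roughly 65 bits stand, but that is a bound on one password only; the per-site variants Manjoo derives from one phrase (LIitasipsim10fsn, Titasipsim9fsn) differ by a few characters, so a cracker who recovers one of them from a breach has a very short search for the others, which is why the comments below push unique passwords per site.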
Hashed passwords are only vulnerable if they aren't properly salted (LinkedIn, et al.). Still, my haystack passwords of 13 characters or more are highly unlikely to show up in some hash table. I have a longer time to change passwords once a breach takes place (I'm talking about you, you LinkedIn administrators who lost 6.5 Meg passwords! Kiss my business subscription good bye if you can't be bothered to use a reasonable standard of care regarding account security; I can't be bothered to pay you for your negligence. Hope you end up in the Pets.Com purgatory!).
Posted by: 6.02*10^23 | Jun 28, 2012 3:30:23 AM
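The comment above turns on salting, and the later comment from tm on why length matters once the hashes are "run through a cracker". The following is an added example, not code from the page, from the commenters or from LinkedIn: it stores a small constructed user table both ways (bare SHA-1, the unsalted style the comment attributes to LinkedIn, and per-user salted PBKDF2-HMAC-SHA256) and runs the same constructed wordlist against each, counting the hash computations the attacker needs. The user table, the wordlist and the low iteration count are assumptions for the demo.

```python
import hashlib
import secrets

# Added example, not code from the page or from LinkedIn. The user table and
# the attacker's wordlist are constructed for the demo; the PBKDF2 iteration
# count is deliberately low so the demo runs in well under a second.
USERS = [
    ("alice", "password1"),
    ("bob", "linkedin"),
    ("carol", "password1"),      # same password as alice
    ("dave", "MRaBOdtm10w"),     # Manjoo's acronym password; not in the wordlist
]
WORDLIST = ["123456", "password", "password1", "linkedin", "letmein"]
ITERATIONS = 10_000  # demo value; real deployments use far more


def unsalted_table(users):
    """Store each password as a bare SHA-1 digest: no salt, one fast hash."""
    return {user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in users}


def salted_table(users, iterations=ITERATIONS):
    """Store (salt, iterations, digest) per user using PBKDF2-HMAC-SHA256
    with a fresh random 16-byte salt for every account."""
    table = {}
    for user, pw in users:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        table[user] = (salt, iterations, digest)
    return table


def crack_unsalted(table, wordlist):
    """Hash each candidate once and look it up against every user's digest.
    Returns (recovered passwords, number of hash computations performed)."""
    users_by_hash = {}
    for user, digest in table.items():
        users_by_hash.setdefault(digest, []).append(user)
    found, work = {}, 0
    for candidate in wordlist:
        work += 1
        digest = hashlib.sha1(candidate.encode()).hexdigest()
        for user in users_by_hash.get(digest, []):
            found[user] = candidate
    return found, work


def crack_salted(table, wordlist):
    """With a per-user salt every candidate must be re-derived for every user,
    and each derivation costs `iterations` HMAC calls instead of one hash."""
    found, work = {}, 0
    for user, (salt, iterations, digest) in table.items():
        for candidate in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations) == digest:
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    plain = unsalted_table(USERS)
    print("unsalted: alice and carol share a digest:", plain["alice"] == plain["carol"])
    print("unsalted crack (found, hashes computed):", crack_unsalted(plain, WORDLIST))
    salted = salted_table(USERS)
    print("salted: alice and carol share a digest:", salted["alice"][2] == salted["carol"][2])
    print("salted crack (found, derivations computed):", crack_salted(salted, WORDLIST))
```

Unsalted, the attacker hashes the wordlist once and recovers alice, bob and carol with five SHA-1 computations; the duplicate digest also reveals that alice and carol chose the same password before any guessing starts. Salted, the same three still fall, but only after fifteen PBKDF2 derivations, each ten thousand times the cost of a SHA-1, and the cost grows with the number of accounts rather than the size of the wordlist. Salting and a slow hash buy time after a breach; they do not rescue a password that is in the wordlist, which is why dave's acronym is the only one that survives either table.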
I'd say 1Password will change your life.
Posted by: DC3 | Jun 27, 2012 8:25:34 PM
Note that LastPass has apps for iOS and Android. Not free, but I found it worth the cost.
The main reason I use a password manager is simply because I have more accounts than I care to remember.
The biggest takeaway from breaches like these is to make sure of two things:
1. Your passwords/phrases are long enough. Get into at least the 10+ character range if the site allows it. If it doesn't, then use the site's maximum length.
2. Each account you have has a unique password.
The former protects you when password hashes have been captured to run through a cracker. The latter protects you when it's discovered that the site stored your credentials in cleartext or forced you to enter something crackable, so the damage to you is limited.
Posted by: tm | Jun 27, 2012 10:03:35 AM
1. Some sites disallow special characters in passwords. Or at least they disallow the characters I was trying to use (e.g., "/"). So that leaves alpha-numeric-UC-LC.
2. PW keepers work best if you access sites from the keeper. Almost always, I go at the site from a browser, where the keeper doesn't help. I used to use RoboForm well, but stopped when I got an iPad.
3. Mnemonics are the big problem. How about: a single (or a few) passwords, each modified by combining it with the name of the site? Example: "Abc123Amazon," or "AmazonAbc123," "EbayAbc123," "LinkedInAbc123," etc.? Mnemonic, unique....
Posted by: == PT | Jun 27, 2012 9:33:13 AM
Forget it. Passwords are way easier to create if you look at the problem mathematically: all you need are four random words in any type-able language. xkcd.com/936/
The real tragedy is the innumeracy of the web designers who write (or more typically blindly copy) code that forces us into bizarre yet no less guessable passwords with 'strange' characters. Don't you think the mafiaboys know those common char substitutions too?
Posted by: mrG | Jun 26, 2012 11:08:10 PM
LastPass is a good tool! It is available here: http://lastpass.com/
I frequently find myself in locations where I must access research materials (proprietary databases) from a library computer or another insecure location, precluding my use of LastPass.
Posted by: 6.02*10^23 | Jun 26, 2012 6:02:50 PM
I've gone all haystack over my previous choice of pseudorandom passwords. See, https://www.grc.com/haystack.htm
If I were to use a haystack password to access BOJ I would select something like this:
Alternating caps and numbers of punctuation marks / symbols is easy to remember and darn near impossible to break.
I prefer passwords longer than eight characters. I never use the same password twice. I might create a variation on a theme like: JOE__stirt\\M.d.. A 17 character password, easily remembered and immune from attack.
Posted by: 6.02*10^23 | Jun 26, 2012 5:51:45 PM
As someone who works in information security, I hate the standard "at least 8 characters of stuff you have no hope in remembering" dogma. Granted, it is well-meaning, but I think the data has shown it's an entirely ineffective means to get users to choose better passwords.
Passphrases go back much, much further than 2007, but if the site allows you to enter a space, go wild and use 3-4 words to make a nonsense phrase. Length is your ally. The longer the passphrase, the harder it is for it to be cracked when it is captured along with everyone else's passwords, à la LinkedIn.
But even that can be too hard to remember, and most sites don't allow you to create a proper sentence or have all manner of arcane and nonsensical password "requirements". Some sites don't even tell you what's wrong with what you've typed in.
I just use a password manager to remember all of the various passwords I have. It generates pure gibberish and remembers it for me.
The one I use is LastPass, but there are many good alternatives such as KeePassX and 1Password on OS X, and Password Safe for Windows. LastPass has a handy tool which can analyze your stash of passwords and tell you what sites all share the same one.
For Google, which is an account many people may want to protect since many use their Gmail address as their password recovery address, you should consider using Google's two-step authentication.
Posted by: tm | Jun 26, 2012 5:43:28 PM