Thursday, February 18, 2010

Harden Your Passwords

Today's post is all about passwords and it's my fourth in a series of four about DIY identity protection.
In the first post of the series, research revealed that most people's passwords were extremely easy to hack.

Well, last December, 32 million passwords belonging to a company called Rockyou were breached by a benevolent hacker who turned the passwords over for study.

A firm named Imperva published a study on the stolen passwords and found, "Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is '123456'."

According to that same study, a hacker with a decent DSL connection and a list of the top 5000 passwords (the top 20 of which are pictured below) could "gain access to one new account every second" and take "less than 17 minutes to compromise 1000 accounts."

[Image: the top 20 most common passwords from the Imperva study]
Believe it or not, NASA actually publishes recommendations regarding password security and they say your passwords:
  1. Should contain at least eight characters.
  2. Should contain a mix of four different types of characters.  If there is only one letter or special character, it should not be either the first or last character in the password.
  3. Should not be a name, slang word, or any word in the dictionary and should not include any part of your name or your email address.
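As an added example (not code from the original post), here is a small Python checker that applies those three NASA rules to a candidate password. The word list is a constructed stand-in for a real dictionary or top-N breached-password list, and "any part of your name or email" is interpreted as any token of three or more characters, which is an assumption.

```python
import re
import string

# Constructed stand-in for a dictionary / breached-password list; a real check
# would use a full word list such as the top-5000 list the post mentions.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}
ALL_CLASSES = {"lower", "upper", "digit", "special"}

def char_classes(pw):
    """Set of character classes present in pw: lower, upper, digit, special."""
    def kind(c):
        return "lower" if c.islower() else "upper" if c.isupper() else "digit" if c.isdigit() else "special"
    return {kind(c) for c in pw}

def has_run(pw, n=4):
    """True if pw contains n consecutive characters with ascending codepoints ('1234', 'abcd')."""
    return any(all(ord(pw[i + j + 1]) - ord(pw[i + j]) == 1 for j in range(n - 1))
               for i in range(len(pw) - n + 1))

def check_password(pw, name="", email=""):
    """Apply the three NASA rules; returns a list of failures (empty means the password passes)."""
    problems = []
    # Rule 1: at least eight characters.
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # Rule 2: all four character types...
    missing = ALL_CLASSES - char_classes(pw)
    if missing:
        problems.append("missing character types: " + ", ".join(sorted(missing)))
    # ...and a lone letter or lone special character must not be first or last.
    for label, pred in (("letter", str.isalpha), ("special character", lambda c: not c.isalnum())):
        positions = [i for i, c in enumerate(pw) if pred(c)]
        if len(positions) == 1 and positions[0] in (0, len(pw) - 1):
            problems.append(f"the only {label} is at the start or end")
    # Rule 3: not a dictionary/slang/trivial word (trivial = consecutive characters)...
    lowered = pw.lower()
    core = lowered.strip(string.punctuation + string.digits)
    if lowered in COMMON_WORDS or core in COMMON_WORDS or has_run(lowered):
        problems.append("dictionary word or trivial sequence")
    # ...and no part of the user's name or email (assumption: any token of 3+ characters).
    tokens = {t for src in (name, email) for t in re.split(r"[^a-z0-9]+", src.lower()) if len(t) >= 3}
    if any(t in lowered for t in tokens):
        problems.append("contains part of name or email address")
    return problems

if __name__ == "__main__":
    for pw in ("123456", "Password1!", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, name="Bob Smith", email="bob.smith@example.com") or "OK")
```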
I recently hardened 104 of eM's and my passwords.  I'll lay out how I did it and invite comments on any flaws that I may have overlooked.
  • I divided our passwords into two groups: those that hold personal information that could lead to identity or other resource theft (like bank accounts) and those that I've "scrubbed" and hold absolutely no personal information (like an account with a news site).  For the purposes of this example I'll call the first group critical and the second group non-critical.
  • I created an easy-to-remember short password to be used with all of the non-critical sites.  I use the same password for all of these sites.  If this password were to be hacked, there wouldn't be any information the hacker could gain from these sites that could be used to crack our critical accounts.
  • I created an Excel spreadsheet as my main repository for all of our passwords and I store that file on the desktop of our home PC.  This file is never moved from the PC with the exception of backed-up copies stored in another secure location (i.e. it's never placed on a thumb drive or CD, it's never moved to a laptop, it's never placed in a shared network folder).
    • Security questions used for password recovery are only found in this file.
    • The file itself is somewhat hardened and I used, among other things, a password to protect the workbook from being viewed (that's a feature that comes with Excel).  If someone were to get hold of the file they would need to crack the file's password before they could view our information.
    • The PC where the file is stored is also password protected.  If the PC were to be stolen, the hacker would first have to crack the PC's password before they could see the Excel file.
  • I like the idea of a master password and a password vault service like KeePass, but what I don't like is the idea of a third party controlling the information.  In place of a KeePass-like service I use several web-based components, but no one party has access to all of our credential information (all components run on https connections).
    • One entity holds user names, one entity holds passwords, another entity holds a list of the sites we use, and eM and I hold a key for piecing them all together.  I know it seems like a pain in the ass, but eM and I have gotten used to viewing all three entities and using a key I developed to figure out which password goes with which user name.
So that's how we roll.  It took me about a day to execute the plan but we feel much more secure.

For some additional reading I recommend you visit a site put together by the FBI and its partner organizations, the National White Collar Crime Center and the Bureau of Justice Assistance.  There you'll find a comprehensive list of 17 current internet and identity crimes and .

The other three postings in the DIY identity protection series:
