Let’s be honest. Passwords are a pain. We all know that it’s important to have different passwords for different places and we all know that they need to be fairly complex. We also know that remembering numerous passwords, especially strong passwords, can be a challenge. So what’s the best strategy?
In this article, I’ll talk about how to create memorable (but strong) passwords and suggest a tool that will make constructing and remembering strong passwords easier.
In general, the strength of a password depends on two factors: length and complexity. Although there’s some disagreement, length is more important than complexity. (For a humorous illustration of password complexity, read the XKCD comic at http://xkcd.com/936/)
Increased complexity makes it more difficult to create a password that you can remember. The idea of a long complex password may be overwhelming. However, increasing password length alone can result in a password that’s memorable and stronger. Because of the way Windows stores some passwords, the “magic number” is 15 characters or more. A traditional complex password of 15 characters might look like this: “qV0m$$#owc2h0X5”. I don’t know about you, but there’s no way I’m going to remember a password like that. You COULD write it down and store it securely, but it’s not the easiest password to enter on a keyboard, and storing passwords in a browser or in a desktop application is insecure.
Here are a couple of strategies for strong passwords.
Strategy One: Use Passphrases
Because length is more important than complexity, using a passphrase, even a relatively simple one, provides a sufficiently strong password.
For example, you may have heard of the Bulwer-Lytton Fiction Contest (bulwer-lytton.com). Bulwer-Lytton was a novelist whose opening sentence, “It was a dark and stormy night,” was immortalized in a Charles Schulz Peanuts cartoon in which Snoopy was typing a novel. With a few modifications, that phrase makes a pretty strong password: “ItwasaDark2&StormyNight”. That’s a 23-character passphrase that most of us could remember. If you need to change the password, you could do it by incrementing the number. I recommend choosing the first line of a book or song and turning that into a passphrase.
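To put numbers on the length-versus-complexity point, here is an added Python example (not from the original article) that estimates the work an attacker faces for the two passwords above, both as a character-by-character brute-force search and, for the passphrase, under a word-guessing model; the 10,000-word dictionary size and the per-word model are assumptions.

```python
import math
import string

# Character classes an attacker must cover once the password uses one of them.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search: the union of every
    character class that appears at least once in the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_bits(password: str) -> float:
    """Work (in bits) for an attacker who tries every string of the same
    length over the same alphabet: length * log2(alphabet)."""
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(word_count: int, dictionary_size: int = 10_000,
                    extra_bits: float = 0.0) -> float:
    """Work for an attacker who guesses word sequences instead of characters
    (the model behind XKCD 936). The 10,000-word dictionary is an assumption;
    extra_bits accounts for tweaks such as an inserted digit or symbol."""
    return word_count * math.log2(dictionary_size) + extra_bits


def compare(complex_pw: str, passphrase: str, word_count: int) -> dict:
    """Return the estimates for both strategies so they can be compared."""
    return {
        "complex_brute_force": round(brute_force_bits(complex_pw), 1),
        "passphrase_brute_force": round(brute_force_bits(passphrase), 1),
        # A famous quotation is weaker than this bound: to an attacker with a
        # quotation list it is one dictionary entry, not a sequence of words.
        "passphrase_word_model": round(passphrase_bits(word_count), 1),
    }


if __name__ == "__main__":
    # The two passwords from the article: 15 random-looking characters versus
    # a 23-character phrase built from six words plus "2&".
    print(compare("qV0m$$#owc2h0X5", "ItwasaDark2&StormyNight", word_count=6))
```

The passphrase wins by a wide margin under brute force, while the word model shows why tweaking a phrase (the “2&”) and choosing a less famous line both matter.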
Strategy Two: Use a Password Safe/Vault
You’ll find that you may need quite a few different passwords. Creating different passphrases is a great way to create strong passwords, but you would still need to remember quite a few different ones. A good way to manage multiple passwords is by using a password safe or vault. A password safe stores multiple passwords and may be configured to prompt you with the needed password when you visit a password-protected website. You may want to use a password safe called LastPass. LastPass provides browser plugins for multiple browsers and there’s a version that will work with smartphones. LastPass will generate one of those long complex impossible-to-remember passwords on command and store that password for you. You should protect your password safe with a long passphrase constructed as described above. LastPass is just one example of good password safes. Other popular password safes include Password Gorilla, KeePass, and RoboForm.
A strong password is a key component in protecting information from unauthorized access. I hope you find these recommendations helpful.
This article was submitted for publication in the RIT IACA Quaestor Newsletter.
Did you know you’re a target every time you go online? Did you know that cyber criminals are targeting social networking sites? Do you know how to recognize a phishing attempt? Following these tips will help make your use of social networking sites safer. (Unfortunately, there’s no way to guarantee that you can use them safely.)
Tip #1: Use strong passwords/passphrases.
It’s important to use strong passwords because automated “cracking” programs can break weak passwords in minutes. At a minimum, you should use 8 characters (preferably 15 or more), mixing upper and lower case letters and numbers. Many websites also allow the use of longer passwords and special characters. Incorporating special characters into your password will make them more difficult to crack. You’ll also want to use different passwords on different accounts. Using a password safe such as LastPass will help you manage these passwords by generating strong passwords and then supplying them when needed.
Tip #2: Keep up to date.
Attackers take advantage of vulnerabilities in software to place malware on your computers. Keeping up to date with patches/updates helps thwart attackers from using “exploits” to attack known vulnerabilities. It’s important to keep both your operating system (Windows, Mac OS, Linux, etc.) and your applications (Microsoft Office, Adobe, QuickTime) patched.
Tip #3: Use security software.
It’s a good practice to follow the requirements of the RIT Desktop and Portable Computer Security Standard on personally-owned computers. Among other elements, the standard requires use of a firewall, antivirus, and anti-spyware programs. Many security suites contain all of the elements needed to protect your computer. (Your Internet Service Provider may also provide security software.)
Tip #4: Learn to recognize phishing attacks.
You’ve all seen phishing attacks. They’re typically emails that appear to come from a financial institution that ask you to verify information by providing your username and password. Never respond to these requests. Your financial institution should not need your password.
Tip #5: Think before you post.
Don’t post personal information (contact info, class schedule, residence, etc.). A talented hacker can see this, even if you’ve restricted your privacy settings! Don’t post potentially embarrassing or compromising photos. Be aware of what photos you’re being “tagged” in—don’t hesitate to ask others to remove photographs of you from their pages.
Tip #6: Remember who else is online.
Did you know that most employers “Google” prospective employees? Have you seen the stories of people’s homes being burglarized because they’ve posted their vacation plans online? Many people other than your friends use these sites.
Tip #7: Be wary of others.
You can’t really tell who’s using a social network account. If you use Facebook, you’ve certainly seen posts by your “friends” whose accounts have been compromised. Don’t feel like you have to accept every friend request, especially if you don’t know the person.
Tip #8: Search for your name.
Have you ever done a “vanity search?” Put your name in a search engine and see what it finds. Did you know that Google allows you to set up an Alert that will monitor when your name appears online? Setting this up with daily notifications will help you see where your name appears.
Tip #9: Guard your personal information.
Identity thieves can put together information you share to develop a profile to help them impersonate you. Be especially careful of Facebook applications. They may collect information that they sell to marketing companies or their databases could be compromised. Do they really need the information they’re requesting?
Tip #10: Use privacy settings.
Default settings in most social networks are set to share all information. Adjust the social network’s privacy settings to help protect your identity. Show “limited friends” a cut-down version of your profile. Choose the strongest privacy settings and then “open” them only if needed.
This post provides an update to last year’s Choosing the Safest Browser post. Let’s take a look at what’s changed since June 2010.
Last year, we looked at the following browsers to discuss which would be the safest:
Number of Vulnerabilities
How do you decide which browser is the safest? One way is to look at the vulnerabilities that were disclosed for each one. Attackers may exploit these vulnerabilities to place malicious code onto your computer.
In Spring 2010, my Cyber Self Defense class ranked the browsers in the order below according to which ones they thought had the most vulnerabilities:
- Internet Explorer
According to the Symantec 2008 Internet Threat Report, here’s the list of browsers ranked from most reported vulnerabilities to the least:
- Internet Explorer
The class was really surprised by this ranking.
Let’s see how the rankings look from the Symantec 2010 Internet Threat Report. Here’s the 2010 list of browsers and number of vulnerabilities:
- Google Chrome–191 vulnerabilities
- Apple Safari–119
- Mozilla Firefox–100
- Microsoft Internet Explorer–59
I was surprised by this order. Ranking browsers by vulnerabilities reported, Chrome appears to be the worst and Opera the best. (In the 2008 report, Chrome had the fewest vulnerabilities!)
Average Time to Fix a Vulnerability
Another way to look at browser safety is how long it takes for a reported vulnerability to be fixed. How would you rank these same five browsers from shortest to longest patch time?
In the 2010 report, Internet Explorer had an average patch time of 4 days. Opera, Safari, and Chrome were each one day or less. (In the 2008 report, Safari had an average “exposure” time of nine days, compared to the “best,” Firefox, which normally took only one day to patch.)
Patch time alone doesn’t appear to be a deciding factor in picking the worst browser.
Safe browsing is important because the majority of attacks are web-based, peaking at almost 40 million per day in September 2010.
Does Your Browser Choice Really Matter?
In my opinion, not so much. Internet Explorer vulnerabilities are targeted more because it’s the biggest target. However, all of the browsers mentioned have vulnerabilities and all are patched relatively quickly. Many attacks actually target applications such as Adobe Flash, QuickTime, and the like. Malicious PDFs have also become a huge problem in the last year. What matters are safe practices!
Check your Browser Security Settings
How can you tell how secure your web browser may be? Scanit’s Browser Security Test checks your browser security settings and provides a report explaining the vulnerabilities, the potential impacts, and how to correct them.
Use Security Software
Your security software should include an antivirus, anti-spyware, and a firewall.
Keep Up to Date
Keep your browser and applications up to date. If you’re prompted for an update, accept it.
Use Strong Passwords
Use a strong complex password or passphrase. Consider using a password vault such as LastPass to generate and store your passwords.
Install Browser Tools/Add-ons
Current browsers all provide some protection against phishing. There are also browser tools that you’ll find helpful.
- The Netcraft Toolbar is a browser plug-in available for Firefox. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.
- The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. The Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.
- WoT (Web of Trust) provides color-coded ratings of the safety and reputation of websites.
Limited Account Privileges
Limiting account privileges (Windows XP) provides simple but effective protection when working online. Limited accounts allow you to do most daily activities but do not allow you to install software (only accounts with administrative privileges can install software on the computer).
Many attacks take advantage of administrative privileges to install malware on your computer. If you’re using a limited account, attackers and malicious websites will not be able to install malware. (This is less of an issue with Windows 7 and Mac OS X because they ask you to confirm software changes.)
Threats have doubled since 2009 and the threat vectors have increased. Vigilance is even more important.
One thing hasn’t changed. The key to safe browsing is not which browser you choose. It’s following safe practices.
Please comment on the post and let us know some safe practices you recommend.