Better Passwords

Revision as of 21:52, 28 May 2014 by Ben (Talk | contribs)

Step 1: Keep your computer clean and protected

Before we begin talking about strong passwords we must make sure that our computer is protected from spyware (that could leak your passwords) and unauthorised remote access. This is part and parcel of everyday computing but is especially pertinent to keeping your passwords secure from theft. Most hacking attacks happen by stealing your account password through the installation of spyware on the computer. You must install and maintain up-to-date (and legitimate) anti-virus and firewall software. You should also ensure that your operating system and all applications on your computer have the latest updates. These steps are the precursor to all secure computer operations.

Exercises: Protect your computer from malware and unauthorised remote access by installing and configuring an anti-virus and firewall from https://securityinabox.org/


Step 2: Always be vigilant and cautious

The Internet is rife with cyber criminals creating scams that trick you into revealing your password or inadvertently installing a piece of malware that will leak it (especially if you skipped Step 1 above). You must be extra vigilant when clicking on links sent to you in an email or chat message. Avoid installing pirated software and browsing to websites whose identity or authenticity you cannot be sure of. Don't use Internet Explorer to browse the Web; run Firefox with the NoScript extension or Chrome with extensions that forbid webpages from executing code on your computer.

Media: Read this account from a Wired journalist on how hackers compromised his entire digital life, and how he managed to restore it. Lots of good tips and advice.

Exercise: Firefox users install the http://noscript.net/ extension; Chrome users install NotScript extension.

Step 3: Prevent profiling

Many people find it difficult to remember passwords and end up creating something that is related to their personal life or interests. For example, a user in New York City might choose 'manhattan' or 'yankees2012' as their password. Perhaps they will use their child's name and year of birth or the name of their pet dog.

Media: A study of the most commonly used passwords and one covering password hacking techniques

A common tactic in password hacking is called profiling: finding out personal details that may have been used as your password. By mining your Facebook, LinkedIn and other public profiles, the attacker will learn a lot of information about your identity and begin to guess your passwords from it.

Step 4: Prevent brute force attacks

Computers can figure out your password by trying all possible combinations of letters and numbers. A brute force attack usually begins with a dictionary attack: the computer tries every word in the dictionary as your password. This would take a human a long time to attempt, but computers can do it at speeds of up to a million passwords per second. Should a dictionary attack prove unsuccessful, all possible combinations of letters, numbers and punctuation are attempted as your password. This method will inevitably find your password sooner or later; the only barrier is time.


Length / Pool size    26                36                 52                 68
3                     0.18 seconds      0.47 seconds       1.41 seconds       3.14 seconds
5                     1.98 minutes      10.1 minutes       1.06 hours         4.04 hours
8                     24.2 days         10.7 months        17 years           1.45 centuries
10                    44.8 years        1.16 millennia     45.8 millennia     45,582 millennia

Here's a rough guide to how much time a relatively simple laptop will require to brute force your password. The top row indicates the size of the pool of characters your password is drawn from (small letters; small letters and numbers; small letters and capitals; small letters, capitals, numbers and four punctuation marks). The left hand column indicates the length of your password.
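The table above can be recomputed rather than memorised. The following is an added example, not code from the original wiki page: it assumes a guess rate of about 100,000 passwords per second (the rate implied by 26^3 guesses taking 0.18 seconds), computes the worst-case time for any pool size and length, and also estimates the pool size for a given password from the character classes it contains. The pool estimate is the optimistic pure-brute-force view: a dictionary word such as 'manhattan' falls to the dictionary pass long before the full search is needed, which is the page's point.

```python
# Added example (not part of the original wiki page): recompute the brute-force
# timing table above from pool size, password length and guess rate.
# Assumption (labelled): the table's figures correspond to roughly 100,000
# guesses per second (26^3 guesses in 0.18 s), so that rate is the default here.
import string

GUESSES_PER_SECOND = 100_000  # assumed rate that reproduces the table

# Time units in seconds, in the order the table uses them
UNITS = [
    ("seconds", 1.0),
    ("minutes", 60.0),
    ("hours", 3600.0),
    ("days", 86400.0),
    ("months", 86400.0 * 365.25 / 12),
    ("years", 86400.0 * 365.25),
    ("centuries", 86400.0 * 365.25 * 100),
    ("millennia", 86400.0 * 365.25 * 1000),
]


def crack_seconds(pool: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of `length` symbols drawn from a pool of `pool`."""
    return pool ** length / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, to three significant figures."""
    name, size = UNITS[0]
    for candidate_name, candidate_size in UNITS:
        if seconds >= candidate_size:
            name, size = candidate_name, candidate_size
    return f"{seconds / size:.3g} {name}"


def estimate_pool(password: str) -> int:
    """Estimate the symbol pool an attacker must cover, from the character classes present.

    This is the pure brute-force view of the table: a password that is a dictionary
    word ('manhattan') is found by the dictionary pass long before then.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 ASCII punctuation marks
    ]
    pool = 0
    for alphabet, size in classes:
        if any(c in alphabet for c in password):
            pool += size
    if " " in password:  # a passphrase with spaces adds one more symbol
        pool += 1
    return pool


def timing_table(lengths=(3, 5, 8, 10), pools=(26, 36, 52, 68)) -> dict:
    """Return {(length, pool): human-readable time} for the grid in the text."""
    return {(n, p): human_time(crack_seconds(p, n)) for n in lengths for p in pools}


if __name__ == "__main__":
    for (n, p), t in timing_table().items():
        print(f"length {n:2d}, pool {p:2d}: {t}")
    # Constructed sample passwords: one from Step 3, one from Step 6
    for pw in ("manhattan", "Wysnm,wysfmwIa64?"):
        pool = estimate_pool(pw)
        print(f"{pw!r}: pool {pool}, {human_time(crack_seconds(pool, len(pw)))}")
```

Running the script prints the same grid as the table (small rounding differences aside, e.g. 0.176 seconds for three lowercase letters) and then shows why length and character variety matter: nine lowercase letters are exhausted in days at this rate, while a 17-character mixed password runs to astronomical figures.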

Media: http://www.decryptum.com/ can decrypt your Word or Excel document online. http://www.elcomsoft.com/aopr.html is software you can download to 'recover' access to protected MS Office documents.

Step 5: What is a strong password?

A password should be difficult for a person to guess or for a computer program to work out.


  • Make it long: The longer a password is, the less likely it is that a computer program would be able to guess it in a reasonable amount of time. You should try to create passwords that include ten or more characters. You could also try using a whole sentence as your password.
  • Make it complex: In addition to length, the complexity of a password also helps prevent automatic 'password cracking' software from guessing the right combination of characters. Where possible, you should always include upper case letters, lower case letters, numbers and symbols, such as punctuation marks, in your password.
  • Don't make it personal: Your password should not be related to you personally. Don't choose a word or phrase based on information such as your name, social security number, telephone number, child's name, pet's name, birth date, or anything else that a person could learn by doing a little research about you.
  • Keep it secret: Do not share your password with anyone unless it is absolutely necessary. Often, there are alternatives to sharing a password, such as creating a separate account for each individual who needs access.
  • Keep it unique: Avoid using the same password for more than one account. Otherwise, anyone who learns that password will gain access to even more of your sensitive information.
  • Keep it fresh: Change your password on a regular basis, preferably at least once every three months. Some people get quite attached to a particular password and never change it. This is a bad idea. The longer you keep one password, the more opportunity others have to figure it out.

Media: Check how strong your password is http://howsecureismypassword.net

https://www.youtube.com/watch?v=3DKff6sFm1c

http://dotsub.com/media/07471d2f-2a20-4661-9208-f3394b1c219b/e/m

Step 6: How to create and remember strong passwords

Mnemonics can help you create and remember a strong password. Since it is easier for us to remember a phrase than a random combination of letters and numbers, you could create your password from a sentence or even a paragraph. Let's take the following as an example:

Will you still need me, will you still feed me when I am 64?

Now, let's take the first letter of every word. We get Wysnm,wysfmwIa64?

Alternatively, let's take the last letter. We get lulde,luldenIm64?

Both of these passwords are long and complex enough to keep a computer busy for thousands of years. The trick is not to remember the password itself, but to keep the sentence in mind together with your rule for deriving the password from it. From now on, picture the sentence in your mind and extract your password from it.
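The two extraction rules above can be written down precisely, which is useful for checking that you have applied your rule consistently when you test yourself from memory. The following is an added example, not code from the original wiki page: it takes the first or last letter of each word, copies numbers whole and keeps punctuation attached to its word, which is exactly what produces the two passwords shown in the text. The sentence constant and the `recall_check` helper are this example's own.

```python
# Added example (not part of the original wiki page): derive a password from a
# memorised sentence by the two rules the text uses, first letter or last letter
# of each word, keeping punctuation and whole numbers in place so that the page's
# two example passwords are reproduced exactly.
import re

# Sentence used as the example in the text
SENTENCE = "Will you still need me, will you still feed me when I am 64?"

# Split each word into leading punctuation, the word itself and trailing punctuation
TOKEN = re.compile(r"(\W*)(.*?)(\W*)")


def mnemonic_password(sentence: str, rule: str = "first") -> str:
    """Build a password from `sentence`: one letter per word, chosen by `rule`.

    Numbers ('64') are copied whole and punctuation attached to a word is kept,
    which is why the result ends in '64?' rather than '6?' under both rules.
    """
    if rule not in ("first", "last"):
        raise ValueError("rule must be 'first' or 'last'")
    pieces = []
    for token in sentence.split():
        lead, core, trail = TOKEN.fullmatch(token).groups()
        if core.isdigit():
            piece = core            # keep the number whole
        elif rule == "first":
            piece = core[:1]
        else:
            piece = core[-1:]
        pieces.append(lead + piece + trail)
    return "".join(pieces)


def recall_check(sentence: str, rule: str, attempt: str) -> bool:
    """The exercise: does a password typed from memory match what the rule produces?"""
    return attempt == mnemonic_password(sentence, rule)


if __name__ == "__main__":
    for rule in ("first", "last"):
        pw = mnemonic_password(SENTENCE, rule)
        print(f"{rule:5s} letters: {pw}  ({len(pw)} characters)")
    # Constructed attempt from memory, checked against the rule
    print(recall_check(SENTENCE, "first", "Wysnm,wysfmwIa64?"))
```

Both rules give a 17-character result containing capitals, lower case, digits and punctuation, so the derived password satisfies every point in Step 5 while the only thing you need to hold in memory is the sentence and the rule.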

Exercise: Create a password using mnemonics and test yourself from memory

Media: Password creation advice from the Godfather of computer security

Step 7: Using software for password creation and storage

As an alternative, you can generate random, complex passwords for all of your accounts and keep them in a portable, encrypted password database, such as KeePass. Whenever you need to enter a password for a specific account, you can look it up in KeePass. Using the copy/paste functions you can copy the password from the program into the field on screen where it is required.

The KeePass program stores all of your passwords in a secure database, protected by a master password (this one you have to remember!). You can store hundreds of different passwords and relevant notes in the program, without having to remember them.

Exercise: Install and start using https://securityinabox.org/en/keepass_main