Password Security – You Need To Care
04/21/2011 7 Comments
TOAST.net recently began requiring our customers to use a minimum 8 character password due to security enhancements we’re implementing. When contacting our users that were sporting such classic passwords as “abc123“, “fred“, or my favorite: “none“, I was a bit surprised at some of the responses we were receiving. People seem to be reluctant to choose a better password for strange reasons:
- I’ve been using the same password for years!
- I can’t remember another password!
- I don’t care about my password, there’s nothing important in there anyway!
I thought I would take some time to explain why password security is critical on any Internet account, despite it’s importance.
With Great Power Comes Great Responsibility
The Internet is a powerful tool. Any person can say anything and interact with anyone, anywhere. The more it’s used, the more seemingly unrelated items get tied together. Most don’t realize this…they just check their email, see if anyone posted anything funny on Facebook, maybe play a quick game of FarmVille, and then go about their business.
Now, let’s set up a scenario where an evil hacker cracks your email password of “qwerty“, then logs into your email account:
- With access to your email account, the hacker can learn your name via your email settings, and then find your Facebook account.
- Next, the hacker can request a password reset on Facebook, and have the confirmation sent back to your email account.
- The hacker can then gather personal information from your Facebook profile.
- With access to Facebook, the hacker can get to your FarmVille account. If you’ve ever made a purchase in the game, information on your payment methods will be available. This may reveal what bank you use, partial account numbers, names and billing addresses on your credit card, etc.
- Finally, the hacker can contact your bank pretending to be you and request your online bank password be reset. The reset password is sent to the email account, and a spending spree commences.
In five steps, our resourceful hacker person gained access to your bank account due to a weak password. It’s almost like playing Six Degrees of Kevin Bacon with your bank account. Granted this is an extreme case, but some version of it happens thousands of times a day to people with weak passwords. Leaving poor safeguards on any Internet account invites abuse.
They’ll Never Figure This One Out!
A lot of people I know picture Internet hackers as fat kids with pimples and glasses, wearing a black concert t-shirt and tapping away cryptic codes while swigging Mountain Dew. Yes, 20 years ago that might have been the case (I don’t think I wore black concert t-shirts though). Today’s hacking crowd is a much more sophisticated and greedy bunch. Often they’re groups based out of chaotic areas like Nigeria, China, and Russia, and if they’re attacking someone’s account, there’s a payoff attached to it. These guys know a thing or two about human behavior and computer practices, and if you fall into their guidelines, you’re vulnerable. How do they “guess” passwords for accounts? There’s many different techniques:
Social Engineering- One of the top ways of getting you password stolen is caused by you giving it to the hacker. Those seeking your password might find it on a piece of paper you have on your desk, or even going as far as going through garbage bins and dumpsters to find login information. Sometimes they’ll even find personal information about you to guess potential passwords. If they see a website that lists your daughter’s name as “Samantha”, they may try variations of that name to gain access.
Intercepting Data- A keylogger is a small program that gets installed on your computer and records your keystrokes. These are then sent to hacker’s computer, and they’ll be able to see anything you typed. These programs can be installed via “trojans”, or programs masquerading as legitimate software.
Cracking– Cracking involves trying to guess a password by using common words, phrases, and names. More sophisticated attacks involve using “brute force” software. This involves using a program that generates every possible combination of letters, numbers, and characters. Passwords with names and words found in the dictionary are usually found rather quickly, while capital letters, numbers, and special characters add complexity. With enough time, any password can be discovered with this method, but every character added can change the cracking time from hours to weeks.
Theft- If your password is secure, that doesn’t mean that the sites that require it are secure. Hackers often target corporate databases to gain usernames and password for accounts. Cracking a database often has a large payoff, but also has the most risk of being caught.
Password Recovery– People have a hard time remembering their passwords, and rely on password recovery systems frequently. Unfortunately these are a weak link in website security. If an email account is compromised, any site that sends a “reset your password” link to your email account is also vulnerable.
Put Some Muscle In Your Passwords
OK, you’re now convinced that you need to use more secure passwords, but how? Simply changing your password from “dave123” to “dave1234” isn’t going to cut it, so you’ll want to follow these quick tips to keep prying eyes out of your business:
- Your password should be a minimum of 8 characters in length. Ten or more is even more preferable. The longer the password is, the longer it will take to crack it.
- Add complexity. Common words and names can be quickly found with brute force attacks. A way to make easy to remember passwords is to start with a name or word you’re familiar with, add at least one capital letter, then substitute numbers or symbols for one or more letters. For example: “dave12345” is not a strong password, but “d@V3!2345” is excellent.
- Change your passwords every few months. If you use the same password over and over, it makes it more likely that someone will find it.
- Try to use unique passwords for every site. You can make small changes in your current password to make it easy to remember. Make a system to remember these changes. For example, you could type a capital A in front of your password if using Amazon.com, a W if logging into WordPress, a B if logging into your bank, etc.
- Be private! Don’t write your passwords down, as this invites problems. Also don’t type while someone is looking over your shoulder- especially you hunt and peck types that make it easy to see what you’re typing.
- Be cautious about typing your password into a computer that does not belong to you. Make sure there are no “save password” features turned on when using a foreign computer. Also be sure to sign out of anything you sign into.
This should minimize the possibility of your accounts being compromised. It’s also important to run excellent AntiVirus software on your computer to prevent keyloggers and other types of programs that can collect personal data. One compromised account can bring down your house of cards, but keeping your information secure is your ace in the hole.
People with weak passwords tend to get made fun of in Mel Brooks movies, so keep that in mind as well: