Sonnet Media LLC
is a Website design, development and consulting company.
We create highly functional, easy to update Websites and online outreach strategies.
Recent Articles
Articles about Web Tools and Applications
Your Password Sucks, Here’s How to Make it Better
by Bud Parr on July 01, 2010
Most passwords suck. They're often based on things like kids' names or so short and simple a hacking program could figure them out in no time flat.
I understand the need for simplicity when we have so many log-ins for so many Websites. I have about 200 different log-ins, so I've had to deal with this issue. But it doesn't have to be hard. Here are some simple strategies:
First, let's look at what the National Cyber-Security Alliance suggests and then we'll put them into a couple of easy, usable rules.
- Use passwords that have at least eight characters and include numerals and symbols*.
- Avoid common words: some hackers use programs that can try every word in the dictionary.
- Don't use your personal information, your login name, or adjacent keys on the keyboard as passwords.
- Change your passwords regularly (at minimum, every 90 days).
- Use a different password for each online account you access (or at least a variety of passwords with difficulty based on the value of the information contained in each).
The one rule here I concede to the needs of simplicity is the second, avoiding common words. However, what I do is combine two words so that together they make one non-word. I typically add a non-alpha character between them and, if I want to be difficult, I'll make one random letter uppercase. Here's an example to show you that this is easier than it sounds:
Say I like elephants. And say when I think of elephants I think of their big trunks. So maybe a good password would be
elephantrunks
That's a start, but maybe I can make it better. I'll make "trunks" into "chunks" since chunks don't go with elephants, but it is close enough in sound to remind me what it might be.
elephantchunks
Nice, but let's complicate it just a bit.
I find the * symbol easy to type, so I use that.
elephant*chunks
You could stop there and have a pretty secure password, but if you wanted it more secure, change p to P:
elePhant*chunks
Now, that's a secure password. I read this technique somewhere and the author figured it would take billions of years for a bot to figure it out, and his was simpler than mine.
If you don't want to go through those creative hi-jinks, you could also break words up in unexpected ways, by putting a hyphen or other character in-between words.
This is an even more secure password: elePhant*ch-nks. But there could be many variations.
The key is to figure out words that are not directly related to you (I use animals) but you'll remember. I find the funnier the better, but I won't reveal to you mine!
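A rough way to check how much each step of the elephant example adds, written as an added example that is not part of the original article. The wordlist size, symbol count and guess rates are assumptions; it compares an attacker who knows only the length and character classes with one who knows the word-symbol-word recipe.

```python
import math

# Assumed attacker parameters (illustrative; none of these come from the article).
WORDLIST_SIZE = 20_000            # common-word dictionary the attacker draws from
SYMBOL_COUNT = 32                 # ASCII punctuation characters
SECONDS_PER_YEAR = 365 * 24 * 3600

def blind_space(password):
    """Search space if the attacker knows only the length and character classes used."""
    alphabet = 0
    alphabet += 26 if any(c.islower() for c in password) else 0
    alphabet += 26 if any(c.isupper() for c in password) else 0
    alphabet += 10 if any(c.isdigit() for c in password) else 0
    alphabet += SYMBOL_COUNT if any(not c.isalnum() for c in password) else 0
    return alphabet ** len(password)

def scheme_space(word_lengths, symbol=False, one_upper=False):
    """Search space if the attacker knows the recipe: dictionary words,
    optionally one symbol between them and one letter uppercased."""
    space = WORDLIST_SIZE ** len(word_lengths)
    if symbol:
        space *= SYMBOL_COUNT
    if one_upper:
        space *= sum(word_lengths)    # any one of the letters may be the capital
    return space

def bits(space):
    return math.log2(space)

def years_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / SECONDS_PER_YEAR

# The article's three steps: (password, symbol used, one uppercase letter)
STEPS = [
    ("elephantchunks", False, False),
    ("elephant*chunks", True, False),
    ("elePhant*chunks", True, True),
]

if __name__ == "__main__":
    for pw, sym, up in STEPS:
        known = scheme_space([8, 6], sym, up)
        print(f"{pw:16} blind {bits(blind_space(pw)):5.1f} bits   "
              f"recipe known {bits(known):5.1f} bits   "
              f"throttled login (100/s) {years_to_exhaust(known, 100):8.2f} y   "
              f"leaked fast hash (1e10/s) {years_to_exhaust(known, 1e10):.1e} y")
```

The two rate columns differ by eight orders of magnitude, so the same password holds up very differently against a throttled login form than against a leaked, fast-hashed database.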
The Cyber Security Alliance also has a suggestion that is worthwhile:
"One way to create a strong password is to think of a memorable phrase and use the first letter of each word as your password, converting some letters into numbers that resemble letters. For example, "How much wood could a woodchuck chuck" would become HmWc@wC."
Equally good. These are all tactics to help bridge memorability and security, so whatever works for you personally is best.
The last two rules the CSA gives are pretty difficult to do, but here I use priorities. The passwords you have for more critical functions, like on-line banking, should never be the same as those you'd use for something like signing up to a magazine's Website.
The reason might not be as obvious as it seems. First of course, you don't want to compromise banking passwords in any way (these too are the ones you should certainly change periodically), but not all password storage is created equal.
Lastly, there are good ways to manage passwords. My favorite (seems like I couldn't live without it) is "1Password" by Agile Solutions, but I think that's a Mac only application.
*8-12 characters is usually a good length, although 12 seems to be a sweet spot for hacking difficulty. Some programs don't allow for very long passwords, although very often you can go as high as 32.
Helpful Links
http://gmailblog.blogspot.com/2009/10/choosing-smart-password.html
http://www.staysafeonline.org/content/top-cyber-security-practices-tip?page=5
http://www.dhs.gov/files/programs/gc_1158611596104.shtm
Forget Memorable Passwords
by Bud Parr on September 19, 2008
As we live more of our lives online it’s easy to get lost in all the passwords we’re forced to carry in our heads and it’s tempting to settle on something memorable that we can use for a lot of sites/accounts. But the following should come as a real warning:
“Yesterday, it was reported that wannabe VP Sarah Palin’s Yahoo account was hacked by a perpetrator wishing to find incriminating information in her emails. It was not done using some strange computer security vulnerability. It was not done by guessing her password. It was done just in the same way as Paris Hilton’s T-Mobile account was hacked some time ago: by guessing the answer to the respective owner’s security questions. For Paris Hilton, it was the name of her dog. For Sarah Palin, it was her zip code, date of birth, and where she met her husband.
How hard is it to learn somebody’s zip code? Not that hard. Try the whitepages. Date of birth? Easy for a public figure – try Google. This will take you less than a minute each. Now, we know that Sarah Palin and her husband were high school sweethearts. The answer to this question turned out to be “Wasilla High School”. All in all, it took the reported hacker less than 45 minutes to break into the account. In fact, using your pet’s name appears more security conscious than using zip code, date of birth and where you met your spouse.”
- IT World
This goes for personal as well as professional accounts. We suggest using long, non-word passwords, which may even include characters like ^#&, and odd, perhaps even incorrect, answers to security questions. These of course are not memorable, but there are many programs out there that will store them for you, and your Web browser does too; Firefox is particularly good with handling passwords, although I’d suggest keeping them in another secure program as well (if you want suggestions for password storage programs, just drop me a line and be sure to mention if you’re on a Mac or PC). Also think about changing your most important passwords from time to time. Organizations should have a formal protocol for this.
There is hope for our increasingly overloaded info-age life. Standards are being created to both increase security and make access easier. Some of those are very high-tech, but one standard, OpenID, seems to be catching on widely. OpenID, according to Wikipedia, is a service that “allows Internet users to log on to many different web sites using a single digital identity, single sign-on, eliminating the need for a different user name and password for each site.” I’ve been using it for a year or so at least and like the layer of security and relative simplicity, but it takes adoption by myriad Web applications and Web sites to be useful and we’re not there yet. Some of the services that use OpenID are Blogger, a free blogging service (owned by Google), and Basecamp, a project management system.
Best of Both Worlds: Offline Access for Online Applications
by Bud Parr on March 31, 2008
Google reports today that they are rolling out offline access for their Google Docs application and that will be just the first as they utilize their Open Source browser extension Google Gears to download and upload data from your hard drive to the Web in the background. This will allow you to use Google Docs (and in the future other apps; I’ve already seen it in use on a nifty to-do app called Remember the Milk) whether or not you’re near an internet connection.
According to Macworld “Google has lofty aspirations that Apps – with Docs in tow – will extend its reach into medium-size and large companies, and to that end has been boosting its security and administration features, particularly in its fee-based Premier version.”
This is good news because I believe one of the major hurdles Web-based applications have to overcome is availability (at least until every corner of the earth has Wi-fi or its next iteration). Although the aggressively functional Zoho suite of online apps offers offline access, it’s Google’s success that will drive the industry toward Web apps. As offline access becomes a typical feature, adoption of online apps will widen and developers will be able to create better and more varied applications.
The key to Web-based applications is not just the convenience of never having to synch devices or being able to collaborate with teams (or coordinate with family), but the ease with which data can be used from one app to enhance another – say for instance, you could pull financial data in from an accounting app and manipulate it in a spreadsheet app, without downloading or synchronizing. It remains to be seen exactly how the new functionality will handle this “mashed up” data, but as with all of this technology, it’s a work in progress.
The New Fast Way To Find Out What’s Going On
by Bud Parr on March 25, 2008
If you’re new to the concept of RSS, then this might be the fastest way to figure it out…
Better Quality Videos at YouTube, Finally
by Bud Parr on March 14, 2008
Wired reports that Google is finally upgrading the resolution in which they encode videos. The Wired piece is geared toward viewers, but if you use YouTube to get your trailers etc. out to the world it’s good news to know that you won’t have to compromise quality. Still the best bets for quality videos are Blip.tv and Vimeo or Viddler.