Wednesday, June 9, 2010

A Strong Password Creates a Secure Foundation

The vital importance of good computer password “hygiene” is something that I take for granted now that I work for the US Government, but it wasn’t always so. Whenever I read articles such as How I’d Hack Your Weak Passwords I realize that heading out onto the Internet without a strong password is like heading into Times Square wearing a T-shirt that says, “Please pick my pocket.”

But how to begin? Not everyone agrees with this advice (and the ones who don’t probably never lose their car keys either), but I believe in writing down passwords in a small notebook where they can be corralled in one place but easily hidden in a drawer, file cabinet, etc. Remembering where you hid it? Priceless!

One of the most important keys to password protection is not to use the same password for all of your online activities. Hackers and thieves count on us to be creatures of habit. They search for a vulnerability in an unprotected account that we don’t think matters much (like e-mail), use that to figure out a user’s standard password and then “bank” on that knowledge to hack into better-protected sites like online banking or credit card accounts.

And if you are thinking that you won’t be needing multiple passwords because you don’t have multiple accounts, think again. As you become more involved with social media, trust me, you will be opening more than one account. Accept multiple accounts as a necessary evil and be prepared and organized in your approach. One unexpected benefit is that you’ll never have to click on that Forget Your Password? link ever again.

Now, it’s on to picking a secure password. Remember that the worst password of all is the one you can’t remember! Your goal, then, is to pick a password that is memorable without being easily guessed by either a human or a computer-based hacking effort. Listed below are two possible approaches:

1. The National Cyber Alert System of the US Government provides excellent cyber-security recommendations regarding passwords and other topics of interest such as firewalls, phishing attacks, etc. However, since the US Census Bureau uses far stricter guidelines than the Government as a whole, I am going to recommend their approach as the gold standard:

Passwords must have at least 12 characters.

Passwords must contain at least 3 of the following different character types:
- Lowercase characters (a-z)
- Uppercase characters (A-Z)
- Numeric characters (0-9)
- Special characters (@, #, *, !, etc.)

Passwords must NOT contain:
- A word found in the dictionary
- A word found in the dictionary spelled backwards
- Any common sequences such as 123 or abc
- Any 2 consecutive characters from the user’s full name or username
- Four (4) or more of the same character
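As an added example (my own code, not from the post or from the Census Bureau), here is a checker that applies the rules listed above to a candidate password. The dictionary is a constructed stand-in for a real word list, the sequence rule is generalised to any three letters or digits stepping up or down by one, and "four or more of the same character" is read as a total count rather than a run.

```python
import string
from collections import Counter

# Constructed stand-in for a real dictionary; a deployment would load a full
# word list. Words under 4 letters are ignored so "a" or "it" do not match.
SMALL_DICTIONARY = {"password", "welcome", "summer", "secret", "jack", "bauer"}
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)

def has_sequence(pw, run=3):
    """True if pw has `run` letters or digits stepping by one, e.g. 123, abc
    (descending runs such as cba are counted too; that is my generalisation)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if window.isalpha() or window.isdigit():
            steps = {ord(window[j + 1]) - ord(window[j]) for j in range(run - 1)}
            if steps in ({1}, {-1}):
                return True
    return False

def name_bigrams(full_name, username):
    """Adjacent character pairs from the name/username, lower-cased, spaces dropped."""
    pairs = set()
    for source in (full_name, username):
        s = "".join(source.split()).lower()
        pairs.update(s[i:i + 2] for i in range(len(s) - 1))
    return pairs

def check_password(pw, full_name="", username=""):
    """Return the listed rules that pw violates; an empty list means it passes."""
    violations, low = [], pw.lower()
    if len(pw) < 12:
        violations.append("fewer than 12 characters")
    if sum(any(c in cls for c in pw) for cls in CHARACTER_CLASSES) < 3:
        violations.append("fewer than 3 character types")
    for word in sorted(SMALL_DICTIONARY):
        if len(word) >= 4 and word in low:
            violations.append(f"contains dictionary word '{word}'")
        if len(word) >= 4 and word[::-1] in low:
            violations.append(f"contains reversed dictionary word '{word}'")
    if has_sequence(pw):
        violations.append("contains a common sequence such as 123 or abc")
    if any(pair in low for pair in name_bigrams(full_name, username)):
        violations.append("contains 2 consecutive characters from the user's name")
    # "Four or more of the same character" is read here as a total count, not a run.
    if any(n >= 4 for n in Counter(pw).values()):
        violations.append("uses one character four or more times")
    return violations
```

Running it on the mnemonic password from the Microsoft method below, with a user named Jack Bauer, returns no violations; "Password123!" fails on both the dictionary and the sequence rules.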

2. Now, if you’re not ready to join the CIA and the above approach seems a little daunting to you, Microsoft recommends a method of password creation that relies on creating a mnemonic password derived from the first letters of a sentence that is meaningful to you. For instance, you could choose the sentence, “I wouldn’t remember my password if Jack Bauer from 24 were torturing me personally.” Your password could then become “IwrmpiJBf24wtmp.” You could then add special characters, punctuation and other layers of complexity as described on the Microsoft site.

3. Microsoft then recommends that you test your creation at the site’s Password Checker and protect your password in low-tech ways by not sharing it with others and by avoiding “shoulder surfing” by others at public computers, ATMs, etc.

By using these tips, you and your data should remain safe and secure no matter where your future social media adventures may take you.

Other great sites to check out for password generation and protection tips:

Buckeye Secure: The Ohio State student cybersecurity Website, which is uncommonly thorough and user-friendly.

How to Steal a Password: Know the enemy so you can spot a trojan horse when one gallops up to your in-box.

How to change your Gmail password now that you are a cybersecurity convert.

Yahoo SSL (secure socket layer) encryption for e-mail log-ins: This is quite a feature. Log-in takes longer, but seems well worth it.

1 comment:

  1. Eek! I'm totally screwed - 12 characters and mixing up the letter case? You make a great point though; there is such a small amount that I DON'T put in cyberspace, so this is a great post for people who need to keep the importance of security in mind.
