
The latest dos and don'ts of online passwords

There are a lot of things about cybersecurity you can't control.
You can't prevent a Target. You can't know how well websites protect your info. You can't predict where the next attack might come from.
You can, however, control the quality and security of your own passwords. And if you're like me, you're probably not doing it as well as you could.
There are a lot of rules about password security. The closer you abide by them, the more likely you are to forget them. Or to have to write them down somewhere. That, itself, creates a vulnerability. Which leads you to want to just use the same password across all sites. Which, in most cases, is the worst thing you can do.
It's time to take passwords more seriously. Pay someone else to help you manage them. Or, take time to think up your own password creation, recall and secure storage system.
No more using "Password" or "Pa$$w0rd." No more six- or eight-character passwords. Best avoid, also, words found in a dictionary.
"The only reliable rule is: 'The more unpredictable, the better,'" says Saranga Komanduri, a doctoral student at Carnegie Mellon University's CyLab Usable Privacy and Security Laboratory.
Why?
According to Chuan Yue, assistant professor of computer science at the University of Colorado at Colorado Springs, a desktop computer can try a password guess every billionth of a second. Computing power available for rent from Amazon can do it six times faster.
That more robust system can crack your typical 8-character password in 15 hours. "This kind of system nowadays can be easily used by attackers," Yue said.
Hackers can try even more efficient password-cracking methods using so-called dictionary attacks. For this, they use a database of already known passwords harvested and published from break-ins at other large websites. The largest was the 2009 hack of the RockYou.com gaming website, which resulted in more than 14 million unique plaintext passwords being posted publicly online.
The database might also include common password-picking methods, such as replacing the letter o with the number 0 or substituting the key directly above each letter of the word you have in mind as the password.
Last year, the online tech publication Ars Technica (owned by Advance Publications, Oregonian Media Group's parent company) asked a developer of cracking software, a security consultant and an anonymous cracker to hack away at a file of 16,000 encrypted passwords. The least successful of the trio cracked 62 percent of the passwords in an hour. The most successful had 90 percent hacked within 20 hours.
Password Don'ts

Let's go over the newer dos and don'ts of password use. I'm skipping obvious ones like: "Don't write them down in an obvious place" and "Don't use 'Password' as a password."
Don't store passwords in your browser. Yue and his students reported in a study last year that passwords stored by Firefox, Opera, Google Chrome, Internet Explorer and Safari can be easily decrypted or used, once stolen.
Don't reuse passwords to sensitive sites. At minimum, you should have separate, secure, difficult-to-crack passwords for your e-mail account, your bank, online shopping and work, said Michael Bazzell, a computer crimes specialist and author of "Personal Digital Security." You'll probably also want a different password for social networks.
Protecting your e-mail account is especially important. It's usually how you reset all other passwords. If a thief cracks your e-mail account, she can then use it to reset many of your other passwords.
If you choose weak passwords for other sites, simply to remember them, at least give your sensitive accounts the strongest ones you can recall.

Avoid dictionary words and common passwords. Hackers using available computing power and programs can easily search dictionaries of many languages to guess passwords. They can also use variations often found in cracked password lists ("Pa$$word," for example). And they can include other commonly used items: zip codes, popular baby names and common misspellings.
A description of password-creation policies tested by Carnegie Mellon researchers.
"Pretty much anything that can be remembered can be cracked," writes Bruce Schneier, chief technology officer for Co3 Systems, a Cambridge, Mass., firm that helps organizations protect against and respond to security breaches.
Don't save password lists in a password-protected Microsoft Office file. It's just not safe enough. Look at Bazzell's site, where you can download a program to crack Excel and Word passwords. Bazzell says he's used a $39 downloadable program to crack such passwords "in seconds."
Password Dos

So, what will keep you safe? Even if you can't do all of them, start incorporating some of these best practices into your password use.
Use two-factor authentication. If a site offers it -- as Google, Facebook and Bank of America do -- there's no good excuse not to use it. This security feature requires users to provide something they know (a password) and something they have (usually, a phone).
Such sites, in most cases, will send a random, temporary code to your phone after you've entered your password. You then punch the code into the site when logging in from a computer or browser that the site doesn't recognize. That way, if you lose your password, a thief will still need your phone to get the text that lets them in on a computer you've never used.
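The server side of the text-message second factor just described, as an added example that is not code from the article or from any of the sites it names. The class name, the five-minute code lifetime and the five-attempt limit are assumptions; delivery to the phone is abstracted as a callback, since the point is how the code is issued and checked (random, short-lived, single use, limited guesses).

```python
import hmac
import secrets
import time

# Added example, not from the article: the server side of the text-message
# second factor. The lifetime and attempt limit below are assumptions.
CODE_DIGITS = 6
CODE_LIFETIME_S = 300   # assumed: a code is good for five minutes
MAX_ATTEMPTS = 5        # assumed: five wrong guesses kill the code


class SecondFactor:
    def __init__(self, send, clock=time.time):
        self.send = send      # callable(user, code): delivers the code (SMS gateway, etc.)
        self.clock = clock    # injectable so expiry can be tested deterministically
        self.pending = {}     # user -> [code, expires_at, attempts_left]

    def issue(self, user: str) -> None:
        # CSPRNG, zero-padded so every 6-digit value is equally likely
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = [code, self.clock() + CODE_LIFETIME_S, MAX_ATTEMPTS]
        self.send(user, code)

    def verify(self, user: str, submitted: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already consumed
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[user]            # expired: the user must request a new code
            return False
        # Constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[user]            # single use: a replayed code fails
            return True
        entry[2] -= 1                         # a wrong guess burns one attempt
        if entry[2] <= 0:
            del self.pending[user]            # too many wrong guesses: code is dead
        return False


if __name__ == "__main__":
    outbox = {}
    factor = SecondFactor(send=lambda user, code: outbox.__setitem__(user, code))
    factor.issue("demo-user")
    print("verify with the delivered code:", factor.verify("demo-user", outbox["demo-user"]))
    print("replay of the same code:", factor.verify("demo-user", outbox["demo-user"]))
```

Why each check matters: a six-digit code has only a million values, so without the attempt limit and the expiry an attacker who has the password could simply guess the code; the single-use rule stops a code that was intercepted from being replayed after the legitimate login.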
Use 12 characters or more, with numbers, caps and symbols, if the site allows them. In the United States, keyboards have 95 printable characters in all, Komanduri said. Making a password 12 characters long, with each character coming from a field of 95 possibilities, gives you more than 540,000,000,000,000,000,000,000 (540 sextillion) possible passwords, he said.
Even if a supercomputer could guess 1,000,000,000,000 (1 trillion) passwords a second (that would be about 1,000 times faster than they can now), it would take more than 8 years, on average, to guess all possible password combinations, he said.
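The arithmetic behind Komanduri's figures, as an added example that is not from the article: it computes the 95-character, 12-character keyspace, the time to search it at one trillion guesses per second, and, for contrast with the dictionary attacks described earlier, how quickly a password taken from a leaked list falls regardless of its length. The function names, the Julian-year conversion and the sample rates are assumptions.

```python
from math import log2

# Added example, not from the article: brute-force keyspace arithmetic.
# Assumptions: 95 printable US-keyboard characters (Komanduri), a Julian
# year for the time conversion, and rates given in guesses per second.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing difficulty in bits, handy for comparing policies."""
    return length * log2(alphabet_size)


def years_to_crack(alphabet_size: int, length: int,
                   guesses_per_second: float, average: bool = True) -> float:
    """Years for an attacker to find a uniformly random password of this shape.
    On average the attacker succeeds after searching half the space."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    if average:
        seconds /= 2
    return seconds / SECONDS_PER_YEAR


def seconds_for_wordlist(list_size: int, variants_per_entry: int,
                         guesses_per_second: float) -> float:
    """A dictionary attack only has to search the list (times its variants),
    however long the passwords in it are."""
    return list_size * variants_per_entry / guesses_per_second


if __name__ == "__main__":
    desktop = 1e9          # one guess every billionth of a second (Yue)
    supercomputer = 1e12   # the hypothetical rate in Komanduri's figure
    print(f"95^12 = {keyspace(95, 12):,} ({entropy_bits(95, 12):.1f} bits)")
    print(f"years to exhaust at 10^12 guesses/s: "
          f"{years_to_crack(95, 12, supercomputer, average=False):,.0f}")
    print(f"average years to succeed: {years_to_crack(95, 12, supercomputer):,.0f}")
    # 14 million leaked RockYou entries, each tried with 1,000 substitution variants
    print(f"leaked list x 1000 variants at desktop rate: "
          f"{seconds_for_wordlist(14_000_000, 1000, desktop):.0f} s")
```

The two numbers side by side are the whole argument of the article: length and a full character set put a random password out of reach of exhaustive search, while anything already in a leaked list, whatever its length, is found in seconds.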
"It's really not that hard to remember passwords like this," insists Komanduri. "It just takes practice."
Pad them. The folks at Avalanche Technology Group in Australia, provider of shouldichangemypassword.com, recommend "padding" shorter passwords at the beginning or end with extra characters to make them longer. In its example, "Axis#47B" becomes "Axis#47B/\/\/\/\".
Use phrases. Researchers at Carnegie Mellon, in a study published in 2011, found that long passwords with no other restrictions are more resistant to cracking and more palatable to users than passwords built under other requirements, such as rules requiring a capital letter, number and symbol. Five-word phrases from your favorite song or poem might just do the trick.
Just don't use a common phrase such as "Oh say can you see." And "no matter what you pick, be sure to make it abnormal in some way," recommends Jeremy Duffy in The Geek Professor, a site about online security. Use a character instead of spaces, for instance. As in "0*say*can*U*sea."
Use patterns. Another trick, promoted by Schneier, is to use an easily recalled phrase to create a password that appears randomized.
Think of: "You owe it to yourself to be safe." Start your password with the first letters of each word: "Yoitytbs."
Next, add a number and a symbol in a place you'll remember. Perhaps: "You owe it to yourself @ 1nce to be safe." So the password would now be: "Yoity@1tbs."
Carnegie Mellon researchers in a study last year found that passwords with more digits, symbols and uppercase letters are harder to crack, but less so if the digits are placed at the end of the password or if capitalized letters are placed at the beginning.
So, move the capital letter to the middle in a word you'll recall, such as Yourself. Now it's "yoitY@1tbs."
My example above got you 10 characters. You could grow it to 12 by adding a space somewhere and a period at the end. Or pad it with brackets: "\yoitY@12bs/." Looks pretty random.
Test it. Komanduri helped Microsoft researchers develop a web tool called Telepathwords aimed at helping users improve the unpredictability of their passwords. The site tries to guess the next character you're going to type in your password before you type it, using databases of common passwords, phrases and password-picking methods.
You can Google other password testing sites (security software provider Intel offers one), but I'd be sure to use Telepathwords, too. If you worry about typing your real passwords into these sites, then don't. Try something similar.
Use a password generator. Janice, a reader in Portland, uses Norton's Password Generator to come up with her passwords. You can set the length and type of characters you want used when it creates the password. Many password managers do the same.
Save it safely. With the length and complexity requirements, some experts say it's OK to write down clues for your strongest and most sensitive passwords and put them in a safe at home or somewhere not obvious. But that's not very practical if you enter password-protected sites often. You'll be tempted to leave it by your computer.
You could make your own encrypted storage vault on your computer, stronger than Microsoft Office's, using disk- or file-encryption software. KeePass (free), TrueCrypt (free) or Norton's Identity Safe are examples.
Macs come with an encrypting feature called Disk Utility in their Utilities folder. To use it, open it and click on New Image. Give this disk a name without the word "Password" in it, and be sure to check 256-bit AES encryption under the Encryption menu. And, as Komanduri said, give it a strong password, but one you'll remember.
Use a password manager. If all this sounds too complicated, password managers will make life much easier. They take a bit of time to set up, and most cost money. They're not a sure thing, either. Yue and his students found vulnerabilities in two commercial password managers. But they're likely more secure than anything you're doing now.