Passwords and Encryption
Another important technique for protecting your privacy and your documents is the proper use of passwords (and possibly encryption). I know that sounds a bit like James Bond and you're thinking that what's on your computer is hardly the nation's secrets, but have you stopped to think what would happen if someone were to gain control of your computer?
Passwords: Your Electronic Signature
Protecting Your Passwords - Remembering Passwords - Password Software
As you set up accounts on Hotmail, Yahoo, and Ebay you are asked for a user name and password. Someone having both the user name and the password can do anything you can do with those accounts, even make a purchase agreement for an expensive item on Ebay.
The password serves the same purpose as your signature does on your cheque or credit card purchases. You need to protect it with just as much diligence as you do with your credit cards.
"Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low security site to retrieve thousands of username/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective." - Stanford Security Lab
Windows Especially Vulnerable
Windows computers are particularly vulnerable. One study found that "Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes...in 13.6 seconds...." Another source indicates that passwords with only alpha-numeric characters can be cracked in less than one second.
Protecting Your Passwords
Here are some rules that will help you to maintain security of your various passwords:
Make Sure Your Passwords Are Difficult To Guess
- Passwords should be at least 6 characters long.
- Passwords should not be easily discovered words such as your family members' names or defaults such as "password" or "1234" (yes, some people do use those).
- They should contain a combination of letters and numbers and other characters where possible.
- You should preferably use mixed upper and lower case letters if the particular site supports that. This gives you effectively 52 letters to work from instead of 26, plus 10 digits (numbers) and the various other legal characters (such as the pound key and the underscore) which may vary by site.
- Some ISPs will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.
Automated Password Generators
Using a program or site to generate passwords can help avoid making them too repetitive or simple.
- Gibson Research Corporation provides an Ultra High Security Password Generator on their site that generates a new set of passwords every time the browser is refreshed.
- See PwdHash (further down this page) for another alternative.
Vary Your Passwords
- Use a different password for every site that requires one.
- You don't want all your accounts vulnerable if one is compromised.
Regularly Change Passwords
It is also a good idea to change passwords on a frequent basis (every few months) or when you feel a password has been compromised (such as when you have to give it to the computer repair shop).
You might find several discussions on passwords on Security Now! useful. (This is a security podcast available in audio or transcribed in several formats.)
Remembering Passwords
If you have difficulty remembering your passwords there are some things that will help you:
- Don't use PostIt notes on your monitor. You can disguise a password within a list of waybills, invoices or any other logical listing of random characters near your computer that could logically be found in a similar setting.
- You can use the first letters of a phrase that makes sense to you. For example, the phrase "Jason plays the Grand Piano on the 2nd & 4th Fridays in December" can help you remember an otherwise difficult-to-remember 13-character password: JptGPot2&4FiD.
Just remember that if a pattern is evident in how you compose your password (e.g. if you use the site name or address as part of the "recognition" pattern), then you lessen the security of the password. Dates are generally not a good idea as they follow consistent patterns (some variation of MMDDYY or MMDDYYYY, etc.).
Password Software
There are various pieces of software that will help to remember your passwords and to create secure passwords for you. Remember, there are differing levels of security in these methods and all are subject to the vulnerability of the master password.
Web Browser Capabilities
You can use the password-remembering capabilities of the various Web browsers, including Firefox (Tools - Options - Privacy - Saved Passwords) and Internet Explorer 6 (Internet Options - Content - Personal Information - Autocomplete - user names and passwords on forms).
- Ideally, this should be used on a single-user computer with a secure password. If there are multiple users, each person should have their own log-in identity, protected with secure passwords.
- Because there is the potential for such wide-spread tools to become compromised, you should not use this feature for on-line banking and other similarly critical sites.
- An external program like AI Roboform Toolbar for Firefox provides the same convenience but, by separating the program from the actual browser, reduces the risk of compromise.
Password Safe
Password Safe is a free secure password storage utility designed by Bruce Schneier using the Blowfish algorithm for encryption. This software keeps all your passwords secure with access protected by a single password and provides several methods of adding and extracting your passwords.
KeePass
KeePass is a free (open-source) password manager or safe which helps you to manage your passwords in a secure way using AES and Twofish encryption. Versions are available for Windows and Linux.
PwdHash
A new password generating software, PwdHash, by Collin Jackson (Stanford University) uses a general password to create a secure password for each site based upon a 'hash' of the site domain and your chosen master password. This password will help protect against phishing (fake Websites designed to capture passwords or private information) since it will generate the wrong password if you are not on the proper Website.
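The idea behind PwdHash, shown as an added example that is not PwdHash's own code: the per-site password is derived from the master password and the site's domain, so the same master password yields a different (and useless) password on a look-alike phishing domain. This example assumes HMAC-SHA256 and a simplified "last two labels" domain extraction; the real PwdHash uses its own hash construction and domain rules.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL to the domain used as the hash input.

    Simplified assumption for this example: keep the last two host labels,
    so 'www.ebay.com' and 'ebay.com' both map to 'ebay.com'.
    """
    host = urlsplit(url).hostname or url.lower()
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master: str, url: str, length: int = 13) -> str:
    """Derive a per-site password from the master password and the domain.

    The master password is the HMAC key and the domain is the message; the
    site itself never sees the master password, only the derived value.
    """
    domain = site_domain(url)
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    # Base64 output mixes upper/lower case letters, digits and '+' or '/',
    # which satisfies the mixed-character rules given earlier on this page.
    return base64.b64encode(digest).decode()[:length]


def phishing_check(master: str, real_url: str, suspect_url: str) -> bool:
    """True when the suspect URL would receive the same password as the real site.

    A look-alike domain gets a different derived password, so a phishing page
    captures a value that does not work on the genuine site.
    """
    return site_password(master, real_url) == site_password(master, suspect_url)


if __name__ == "__main__":
    # Constructed inputs: the page's mnemonic password and two sample URLs.
    master = "JptGPot2&4FiD"
    print(site_password(master, "https://www.ebay.com/signin"))
    print(phishing_check(master, "https://www.ebay.com/signin",
                         "https://www.ebay-login.example/signin"))
```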
Encryption
In addition to the use of passwords, you might want to consider the use of encryption to protect your data, e-mail and other information.
Pretty Good Privacy
Phil Zimmermann's Pretty Good Privacy (PGP) gave the average user access to this technology and there is support for a large number of applications.
- Pretty Good Privacy (now owned by McAfee).
- PGP Tools from Net Services offers a front-end for PGP
More About Encryption
These sites have useful information on encryption:
- Security and Encryption Resources from Data Recovery Labs.
- Peter Gutmann's Encryption and Security Tutorial.
- Matt Blaze's cryptography resource will give you more insight to this technology and the various issues, including legal issues.
More About Security Issues
The following related pages offer more information about security:
- Security Basics—Preventing Unauthorized Access
- Firewalls—Your First Line of Defense
- ZoneAlarm Security— Recommended Firewall Products
- Your Privacy At Risk—Spyware Detection & Removal
- Internet Security Vulnerabilities—Weaknesses in Windows & Internet Software
- Anti-Virus Protection—Current Alerts, Strategies, Hoaxes & Software
- Avoiding Spam & Copyright Abuses—Promote Responsible Net Commerce
www.RussHarvey.bc.ca/resources/passwords.html
Updated: October 2, 2009

