Get Serious About Password Security

I wish my clients didn’t keep telling me their wife’s, kids’ and pets’ names.

Don’t get me wrong. We ARE best friends from day one. No, my concern is that photographers seem to take an astonishingly lax attitude to password security. Yet as small business owners they have so much to lose should things go wrong. By using their wife’s name as their password, they are playing Russian roulette with their online photo archives, their client list, their website, their bank accounts, their reputation and more.

Put simply, family names, dictionary words, countries, “123456”, “password” and “qwerty” don’t make good online passwords. Even simpler: if your password is easy to memorize it’s probably a bad one. My advice: use specialized software to generate strong passwords and store them securely.

Brute Force Attacks

There are many technological and non-technological ways an ill-intentioned person can get hold of your login credentials. One of them is known as a ‘brute force attack’: an automated process of trial and error used to guess the “secret” protecting a system. Picture a powerful computer entering every word in the dictionary, every first name and then variations on them in your account login form. This is (probably) what happened to Twitter in 2008 when 750 user accounts were hacked.

Password reminders or so-called “security questions” can make it even easier. According to the Web Application Security Consortium:

(…) if the personal detail is “favorite color” then an attacker can use a brute force attack to retrieve the password as the number of color choices is limited. In addition, studies have shown that approximately 40% of the population selects blue as their favorite color (…).

Need more? A recent study of a 32 million user password breach at RockYou, a Facebook application developer, found that the most common password, by far, was “123456”, followed by “12345”, “123456789”, “password” and “iloveyou.”

The Basics of Password Security

  1. Use different passwords on different sites. If you use the same login for multiple sites as soon as one gets compromised, they all are.
  2. Don’t use common words or sequences. Instead use at least 8 characters and 3 of the following character types: upper-case letters, lower-case letters, numbers and special characters. There are 26^8 possible permutations for an 8-character lowercase password, but 94^8 possible permutations for an 8-character password that combines mixed-case letters, numbers and symbols. That’s over 6 quadrillion more possible variations.
  3. Don’t base passwords on personal data — we share these bits of information with others more routinely than you think.
  4. Don’t leave your passwords somewhere visible. Take that post-it off your monitor and if you keep a list of passwords in a file on your computer, call it something a little less explicit than “passwords.”
  5. Make sure your password recovery questions are also secure and not based on common-knowledge personal data either.

Use Specialized Tools

There are tricks to make secure passwords memorable but I find they require more work than suits my brain. I much prefer to use a specialized password management utility.

There are a number of them. I use 1Password (Mac/Win, $39.95) and I highly recommend it. It’s simple and intuitive to use. It stores your usernames, passwords and other sensitive information on your computer, not on a remote server. It constantly gets great reviews.

And disable password storage by your browsers. As practical as it is to let your browser store your login info, they are very vulnerable. Even if the application encrypts the account information, it does so with a static key that can be easily deciphered. So turn it off and let 1Password or whatever tool you choose do the work.

There is plenty more you can do to secure your accounts but this is a good start.

*** UPDATE May 4th, 2015 ***

Your Password Should Be At Least 12 Characters Long

In an interesting blog post Jeff Atwood explains that massive computing power available to those who want to crack passwords means that longer passwords are safer and that “safe” starts at 12 characters.

Here are the results of a cracking scenario he tests:

Password length    Time to crack
8 characters       1 minute
9 characters       2 hours
10 characters      1 week
11 characters      2 years
12 characters      2 centuries
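As an added example (not code from the original post), the Python below works through the numbers behind rule 2 above and the cracking table: the 26^8 versus 94^8 keyspace, a check of the “8 characters and 3 of 4 character types” rule, and how a measured crack time scales with every extra character. The scaling assumes the full 94-character alphabet is searched at a constant guess rate; that is an assumption about the scenario, not a figure from the post.

```python
import math
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# The four character classes the post's rule 2 refers to:
# 26 lower-case, 26 upper-case, 10 digits and 32 printable symbols = 94.
CLASSES = {
    "lower": ascii_lowercase,
    "upper": ascii_uppercase,
    "digits": digits,
    "symbols": punctuation,
}
ALL_CLASSES = tuple(CLASSES)

def alphabet(classes=ALL_CLASSES):
    """Characters available when a password may use the named classes."""
    return "".join(CLASSES[name] for name in classes)

def keyspace(length, classes=ALL_CLASSES):
    """Number of distinct passwords of exactly `length` characters."""
    return len(alphabet(classes)) ** length

def entropy_bits(length, classes=ALL_CLASSES):
    """Strength in bits of a uniformly random password of that length."""
    return length * math.log2(len(alphabet(classes)))

def classes_used(password):
    """Which of the four classes a password actually draws from."""
    return tuple(n for n, chars in CLASSES.items() if any(c in chars for c in password))

def meets_basics(password):
    """The post's rule 2: at least 8 characters and at least 3 of the 4 classes."""
    return len(password) >= 8 and len(classes_used(password)) >= 3

def scale_by_length(seconds_for_8, length):
    """Extrapolate a measured time for 8-character passwords to another
    length, assuming the full 94-character alphabet and a constant guess
    rate, so each extra character multiplies the search by 94 (assumption)."""
    return seconds_for_8 * 94 ** (length - 8)

if __name__ == "__main__":
    print(f"26^8 = {keyspace(8, ('lower',)):,}  94^8 = {keyspace(8):,}")
    for n in range(8, 13):
        days = scale_by_length(60, n) / 86400  # 60 s for 8 characters, as in the table
        print(f"{n} characters: {entropy_bits(n):.1f} bits, ~{days:,.1f} days")
```

Running it shows each added character buys a factor of 94, which is why the table above climbs from minutes to centuries between 8 and 12 characters.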