Friday, July 26, 2013

Creating and Remembering Secure Passwords

Read Brian Samek's column in the July 26, 2013 edition of the Norwood Transcript and Bulletin.



Officially, I’m the Technology and Information Resources Librarian. Unofficially, to both staff and patrons, I’m “the computer guy.” One patron brought in his broken VCR and asked me if I knew what was wrong with it.

One of the most common questions I get is about computer security. A staff member received a phone call at home from a scammer who claimed that her computer would break irrevocably if she did not immediately follow his instructions. A patron was being stalked on Facebook. Patrons whose email or social media accounts have been hacked ask about how to make a password strong enough so that it can’t be guessed. And our website has been subject to a variety of attacks.

The most popular questions are about passwords. How do you make a good one, and if you aren’t supposed to use the same password for everything, how are you supposed to remember all of them?

Your password should be hard to guess. This is actually a trickier requirement than it might seem. An attacker has two ways of breaking your password. The first is through research and social engineering. The attacker might, for example, guess or find out where you went to high school or what your mother’s maiden name is and then use these secondary passwords, often called “secret questions,” to gain access to your account. The second method an attacker may use is a computer program that can quickly guess thousands or millions of possible passwords.

It is against this second type of attack that password strength matters. Attackers guess using long lists of dictionary words. They also may guess common ways of making variations of these words, so the password “pr0t0type” is probably not much stronger than “prototype.”

One way of making difficult-to-guess passwords is to string random words together. There is a famous cartoon by web comic author Randall Munroe in which he shows that the password “correcthorsebatterystaple” (simply concatenating the four random words “correct horse battery staple”) would take an attacker more than 60,000 times longer to guess than the password “Tr0ub4dor&3” (deliberately misspelling troubadour, substituting numbers for letters, and appending punctuation and a number). Correct horse battery staple is also a lot easier to remember. Since people aren’t so good at inventing random words, you might want to get yours by randomly opening a book or dictionary and pointing blindly.

Once you have a password, you have another problem: one isn’t enough. Even if you’ve created a password which is extraordinarily difficult to guess, there might still be a vulnerability in the website you’re using. If you use the same password for everything, then someone who gets your social media password also has your bank password. A solution to this problem is to create four or five passwords, one for each level of security. You might make one for throwaway accounts, one for social media, one for email, and a couple for finance.

There is another way though. Consider an analogy. Imagine that you have fifty safes with combination locks in your house. The safes are of inconsistent quality. You know which kinds of safes tend to be of higher quality and which lower. You could give them all the same combination. This would be like having the same password for all of your accounts. A safecracker could target one of the weaker safes in order to find the combination for all of your safes.

A second alternative is to use several different combinations. This would slow the safecracker down. Sure, she could probably break into one of your weaker safes, but learning that combination would only get her into the other weaker safes. This is better than one combination, but it’s not perfect. We want a solution that will slow the safecracker down even more.

The core of the problem is emerging. The more combinations we use, the less likely it is that our safecracker’s first successful cracked safe will lead to further cracked safes. On the other hand, the more combinations we use, the harder it is for us to remember them all.

One solution is to give each safe a different combination. You can’t remember all these combinations, so write them all down. Then find one of your strongest safes, and lock all of the combinations in that safe.

There’s a way to do this in computing. Rather than creating a complex but recallable password for each of your accounts, you let software create a password that you don’t need to remember. You then store it in a virtual safe. If one of your accounts gets cracked, none of your other accounts is vulnerable. Of course, if your password safe is cracked, then the attacker has all of your passwords, so it’s extremely important to store them in a safe way with a secure password.

Three of the more popular software programs for doing this are KeePass, LastPass, and 1Password. Each stores passwords and can generate random passwords for you. KeePass is for the truly paranoid, but it’s a little bit trickier to use than the other two options. You don’t store your data in the cloud. You store it locally in an encrypted container. It can autotype your username and password for you in other programs. KeePass is available for most operating systems, including mobile devices, for free.

LastPass stores your passwords on LastPass’s servers. This means that you can access your passwords from a web browser on any Internet-connected computer. It also has great add-ons for popular browsers to automatically enter usernames and passwords for you. To use it on a mobile device costs $12/year. However, allowing web access to your passwords and giving your passwords to a third party increase your vulnerability to attackers. Even so, it may be the most convenient option.

1Password was originally designed for Mac. It’s expensive but pretty. It’s $50 for use on a computer and $18 for your iPhone or iPad. If you like the user interface, you may want to take a look at it.

Remember, whatever you choose to store your passwords in must be secure, because you’ve created a single point of failure. Make sure that password is extremely difficult to guess.