Officially, I’m the Technology and Information Resources
Librarian. Unofficially, to both staff and patrons, I’m “the computer guy.” One
patron brought in his broken VCR and asked me if I knew what was wrong with it.
One of the most common questions I get is about computer
security. A staff member received a phone call at home from a scammer who
claimed that her computer would break irrevocably if she did not immediately
follow his instructions. A patron was being stalked on Facebook. Patrons whose
email or social media accounts have been hacked ask about how to make a
password strong enough so that it can’t be guessed. And our website has been
subject to a variety of attacks.
The most popular questions are about passwords. How do you
make a good one, and if you aren’t supposed to use the same password for
everything, how are you supposed to remember all of them?
Your password should be hard to guess. This is actually a
trickier requirement than it might seem. An attacker has two ways of breaking
your password. The first is through research and social engineering. The
attacker might, for example, guess or find out where you went to high school or
what your mother’s maiden name is and then use these secondary passwords, often
called “secret questions,” to gain access to your account. The second method an
attacker may use is a computer program that can quickly guess thousands or
millions of possible passwords.
It is against this second type of attack that password
strength matters. Attackers guess using long lists of dictionary words. They
also may guess common ways of making variations of these words, so the password
“pr0t0type” is probably not much stronger than “prototype.”
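To show why a substitution like “pr0t0type” buys so little, here is an added example (my own, not from the original article) of the check a website could run before accepting a new password: undo the common letter-for-number swaps, drop trailing digits and punctuation, and see whether what is left is just a dictionary word. The word list is a small constructed sample; a real check would load a full dictionary.

```javascript
// Added example, not from the original article. Rejects passwords that are
// only a dictionary word with the usual substitutions and a trailing "123!".
// SAMPLE_WORDLIST is a constructed stand-in for a real dictionary.
const SAMPLE_WORDLIST = new Set([
  'prototype', 'password', 'hello', 'library', 'summer', 'troubadour',
]);

// The substitutions an attacker's word-mangling rules would try; we run them
// in reverse so "pr0t0type" collapses back to "prototype".
const LEET_MAP = {
  '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't',
  '@': 'a', '$': 's', '!': 'i',
};

// Two normalisations are tried, because the order matters: "hell0" needs the
// swap undone before the trailing digit is stripped, "Passw0rd!" the reverse.
function candidates(password) {
  const lower = password.toLowerCase();
  const unleet = s => s.split('').map(ch => LEET_MAP[ch] ?? ch).join('');
  const strip = s => s.replace(/[^a-z]+$/, '');  // drop trailing digits/punctuation
  return new Set([unleet(strip(lower)), strip(unleet(lower))]);
}

// Returns the dictionary word the password is a variant of, or null if the
// password does not collapse to any word in the list.
function dictionaryVariantOf(password, wordlist = SAMPLE_WORDLIST) {
  for (const c of candidates(password)) {
    if (wordlist.has(c)) return c;
  }
  return null;
}

for (const pw of ['pr0t0type', 'Passw0rd!', 'hell0', 'correcthorsebatterystaple']) {
  console.log(pw, '->', dictionaryVariantOf(pw) ?? 'not a dictionary variant');
}
```

The point of the check is not to catch every trick an attacker's rules know, but to make the page's observation concrete: a password that normalises to a single word is, for practical purposes, that word.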
One way of making difficult-to-guess passwords is to string
random words together. There is a famous cartoon by web comic author Randall
Munroe in which he shows that the password “correcthorsebatterystaple” (simply
concatenating the four random words “correct horse battery staple”) would take
an attacker more than 60,000 times longer to guess than the password
“Tr0ub4dor&3” (deliberately misspelling troubadour, substituting letters
for numbers, and appending punctuation and a number). Correct horse battery
staple is also a lot easier to remember. Since people aren’t so good at
inventing random words, you might want to get yours by randomly opening a book
or dictionary and pointing blindly.
Once you have a password, you have another problem: one isn’t enough. Even if
you’ve created a password which is extraordinarily difficult to guess, there
might still be a vulnerability in the website you’re using. If you use the same
password for everything, if someone gets your social media password they also
have your bank password. A solution to this problem is to create four or five
passwords, one for each level of security. You might make one for throwaway
accounts, one for social media, one for email, and a couple for finance.
There is another way though. Consider an analogy. Imagine that you have fifty
safes with combination locks in your house. The safes are of inconsistent
quality. You know which kinds of safes tend to be of higher quality and which
lower. You could give them all the same combination. This would be like having
the same password for all of your accounts. A safecracker could target one of
the weaker safes in order to find the combination for all of your safes.
A second alternative is to use several different combinations. This would slow
the safecracker down. Sure, she could probably break into one of your weaker
safes, but learning that combination would only get her into the other weaker
safes. This is better than one combination, but it’s not perfect. We want a
solution that will slow the safecracker down even more.
The core of the problem is emerging. The more combinations we use, the less
likely it is that our safecracker’s first successful cracked safe will lead to
further cracked safes. On the other hand, the more combinations we use, the
harder it is for us to remember them all.
One solution is to give each safe a different combination. You can’t remember
all these combinations, so write them all down. Then find one of your strongest
safes, and lock all of the combinations in that safe.
There’s a way to do this in computing. Rather than creating a complex but
recallable password for each of your accounts, you let software create a
password that you don’t need to remember. You then store it in a virtual safe.
If one of your accounts gets cracked, none of your other accounts is
vulnerable. Of course, if your password safe is cracked, then the attacker has
all of your passwords, so it’s extremely important to store them in a safe way
with a secure password.
Three of the more popular software programs for doing this are KeePass,
LastPass, and 1Password. Each stores passwords and can generate random
passwords for you. KeePass is for the truly paranoid, but it’s a little bit trickier
to use than the other two options. You don’t store your data in the cloud. You
store it locally in an encrypted container. It can autotype your username and
password for you in other programs. KeePass is available for most operating
systems, including mobile devices, for free.
LastPass stores your passwords on LastPass’s servers. This
means that you can access your passwords from a web browser from any
Internet-connected computer. They also have great add-ons for popular browsers
to automatically enter usernames and passwords for you. To use it on a mobile
device costs $12/year. However, allowing web access to your passwords and
giving your passwords to a third party increase your vulnerability to
attackers. It may, however, be the most convenient option.
1Password was originally designed for Mac. It’s expensive
but pretty. It’s $50 for use on a computer and $18 for your iPhone or iPad. If
you like the user interface, you may want to take a look at it.
Remember, whatever
you choose to store your passwords must be secure because you’ve created a
single point of failure. Make sure that password is extremely difficult to
guess.