Personal Data Security: Password Basics

securityThis post is an excerpt from my new book Understanding Personal Data Security, which covers centralized data, backups, strong passwords, and malware protection. The following is from Chapter 4: Passwords.

Also check out the previous posts in this series, including Personal Data Security: Backups, 3-2-1 Backup Rule: Get Offsite, and Personal Data Security: NAS.

curtsig2 - trans
Curt Robbins


Basic Password Rules

There are some basic rules that will help prevent hackers from stealing your passwords, gaining access to your online accounts, or stealing your identity. While following these rules doesn’t guarantee that your accounts won’t be compromised, it vastly improves the resiliency of your online accounts and protects you about as much as possible.

You’re creating what is known as a “strong password,” meaning it has a mix of letters (both lower and upper case), numbers, and symbols and is of a minimum length.

  • Make a Strong Password: Use a minimum of 16 characters that are a mix of upper and lower case letters, numbers, and symbols. Don’t use easy-to-guess phrases, such as “iloveyou” or “MaryHadALittleLamb.” While “MaryHadALittleLamb” has both upper and lower case letters and is of appropriate length, it lacks numbers and symbols. Also, hackers look for common phrases, using dictionaries and even terabytes of Wikipedia and Bible content as a “check against” list. Guess it’s time to change that “yabbadabbado123” password.
  • Change Your Password Frequently: You should change your password/passphrase every six months. This is the rule few people follow (simply because it’s a hassle), especially if all of your online accounts feature unique passwords. Nobody ever said protecting your accounts and data was a total cakewalk.
  • Use a Unique Password on Each Account: Nobody likes this because it’s such a pain (especially when you should change all passwords with such frequency). This is where password vault software comes in handy. In 2014, nearly no one has only one or two online accounts. A dozen or more accounts is not uncommon. As you’ll learn below, password vault apps that store all of your passwords in a single password-protected program or app are a solid strategy for keeping several long, strong passwords at your fingertips.
  • Tell Nobody: This means nobody. Putting effort into creating strong passwords that are difficult to crack and then simply giving them away to a friend or co-worker is stupid. Even if your friend/family member has no malicious intent, they can easily get sloppy and expose your password to others (like by writing it on a sticky note and slapping it on their computer monitor!). There’s no reason for anyone else to know your passwords. It’s simply antithetical to the cause!

Even if a hacker doesn’t get your password from you or your devices, the bad guys can compromise a password database held by a service provider (your bank, email service, large retailers like Target or Amazon, social media like Facebook or LinkedIn, etc.). Once the hacker has gotten into the password database (often by breaking its encryption), they then have to guess the passwords. Something like “P@ssw0rd1” will be guessed in mere seconds. Regardless of the quality of your home or office firewall or the security of the individual devices you use to access your accounts, the password itself must stand up to the most robust cracking attempts that will most likely be perpetrated on the organization with which you have an account.

Strong Passwords

You have already learned that the strength of your passwords is determined by their length, complexity, and lack of predictability (why you don’t want “maryhadalittlelamb” or “ILoveNY”).

The password “Tr0ub4dor&3” seems like a relatively strong password on the surface. Although it’s too short (only 11 characters), it features both lower and upper case letters, numbers, and a symbol. However, a hacker with a computer capable of producing 1,000 guesses per second (an old computer can do this) will require only three days to guess this password. Compare this to “correcthorsebatterystaple,” a passphrase that requires 550 years to crack (at the same rate of 1,000 guesses per second). And this passphrase doesn’t even include upper case letters, numbers, or symbols! By adding these elements, you would have a passphrase that, for all practical purposes, is nearly impossible to crack (unless it’s the NSA trying to get it) and relatively easy to remember.

Longer, more complex passphrases are also more difficult for others to steal through simple observation. Sometimes, passwords are nefariously obtained by the act of observing the owner type them. Short, simple passwords and passphrases can be learned by watching the owner input them only once or maybe a few times. If someone really wants your password, they may even use a wi-fi-based webcam or security camera to record your keystrokes! Don’t underestimate the lengths to which a hacker or enemy will go to steal your information, identity, or money.

One of the best ways to understand strong passwords is to consider weak examples. Weak passwords include those that:

  • are shorter than 16 characters
  • include personal details such as your name or the name of a family member, a pet’s name, your street or address, your birthday, etc.
  • include complete words or sequential number strings (like “qwerty” and “12345678”)
  • lack a mix of upper and lower case letters
  • lack numbers
  • lack symbols

Curt Robbins is author of the following books from Amazon Kindle:

You can follow him on Twitter at @CurtRobbins, read his AV-related blog posts at rAVe Publications, and view his photos on Flickr.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s