Dangers of Passwords
Passwords have been used since ancient times by sentries to allow a person or group to approach or “pass” by. Today, passwords are still the most common form of authentication to prove identity. Usernames and passwords are commonly used in the login process for computers, applications, websites, and ATMs.
However, we face many challenges using passwords. One is keeping them a secret. Employees have been known to share their passwords, post them on monitors and under keyboards, and use easily guessed words such as “password” or a family member’s name.
Computing power continues to increase, which improves the effectiveness of automated password cracking programs. Passwords are often encrypted and stored as part of a cryptographic hash on the systems we access. If the attacker can gain access to the hash file, they can use automated password crackers such as John the Ripper in an attempt to discover the password. Password crackers work best for short passwords or those that use common names, places, and dictionary words. Also, lists of common passwords are readily available to improve efficiencies for these programs.
We must also consider how many applications and websites we use that require a password. (Last time I checked, I had over 45 and have probably forgotten many.) As a result, it is common to reuse usernames and passwords. So what happens when a site is exposed where you use the same credentials you also use for PayPal, electronic banking, or other financial services sites? Hardly a day goes by without a data breach that doesn’t expose user passwords.
Many devices come with default passwords that are overlooked and do not get changed. They are commonly used when you install network devices such as wireless access points, routers, firewalls, and multifunction copiers. A recent news story covered a wireless baby monitor that was compromised. Default passwords are easy to discover with a simple Google search on the device. They can allow anyone connected to the internal network access to the configuration settings using a Web browser.
What Makes a Strong Password?
The challenge: Passwords that are easy to remember are often easy to guess. Conversely, strong passwords are difficult to remember and are often written down. The security of a password depends on several factors. Characteristics of a strong password include length and the required character types (uppercase, lowercase, number, and special characters). Most experts agree that a strong password includes at least three of the four character types.
So how do we create strong login credentials but still remember them? Here are some guidelines for creating and managing passwords.
- Password complexity and length are important (character minimum of 8, but 12 is recommended).
- Use a passphrase rather than a password. For example, you might create a passphrase such as, “I went to the market on Thursday the 3rd.”
- Consider using the first letter of a song or rhyme such as, “Jack and Jill went up the hill to fetch a pail of water,” which becomes “JaJwuth2fapow.” (If you see your coworkers mumbling to themselves when they login each morning, they are probably using this method.)
- Another strategy for creating a strong password is to substitute numbers for letters. For example, “1” for “L,” “3” for “E,” or “5” for “S.” (N0v3mber 1s fa11). You may want to use this for only one or two characters.
- Avoid programs that remember your passwords so that they automatically authenticate. Many Web browsers offer this feature. This may allow anyone who uses the computer or mobile device access to these systems. These programs can also develop vulnerabilities that may disclose your credentials.
- Avoid using the same credentials for multiple systems or websites. If you must, periodically change your password for financial sites or those that store your credit card information.
- Create a common username and password that can be used for websites that are not associated with financial systems or other transactions that include personal information. This can reduce the number of credentials you need to remember. I use this method for sites where I subscribe to e-mail newsletters and other sites that don’t involve personal information.
- Use a password manager. These programs can be installed on workstations and mobile devices using strong encryption. And they are protected by (guess what!) a password. There are many of these programs available. I use mSecure, which is an app I have installed on my iPad and smartphone. There are many password managers commercially available. The mSecure software replicates the updates so my credentials are always current on each device. It also has a password generator. But beware: Once you've put a password manager in charge of your passwords, it holds the keys to your kingdom.
- Avoid writing passwords down, but if you do, store them securely.
- Change the default password on your network devices such as wireless access points, routers, firewalls, multifunction copiers, etc.
Strong passwords are important but not foolproof. Key loggers and sophisticated phishing attacks can circumvent password authentication. For systems that maintain critical information, additional layers of authentication should be considered, such as tokens or other methods using multifactor authentication. The great news is that technologies which are making biometric authentication easier and more difficult to impersonate are being developed. In time, we may see this type of authentication as a conventional method.