DDG Advises on Password Security

04/22/11

At Dorey Design, we’re always looking for ways to build security into the websites and applications we build. Every day, it seems, the newspapers are detailing the latest identity theft scam, national security breach or website hacker. If you use a computer, credit card or cell phone -- and who doesn’t? -- these news reports should make you think about your own security vulnerabilities.

 
While there are many different security concerns -- and it would take days to discuss them all -- by far the most common security breaches stem from something we all use every day: our passwords.
 
An example: a recent news story concerned a large company that considered itself a leader in data security. The company President -- now ex-President -- openly boasted that his security systems could not be hacked. But a group of hackers did just that, and it was easy. How? By emailing the head of IT, posing as the President and persuading IT to email them the company server’s root password.
 
No word yet on which ocean that IT guy is currently floating in.
 
While most people in non-technical professions don’t need to worry about root accounts and server security, we all can be vulnerable to security breaches in our email, online banking and social media accounts.
 
Although there are billions of possible passwords, hackers, law enforcement agencies and other snoops have gotten incredibly sophisticated at getting them. There are three basic ways they do it: “brute force,” which means trying every possible combination until one of them works; “guessing,” which is similar but uses educated guesses to significantly narrow the possible choices; and “social engineering,” which basically amounts to tricking a human being into voluntarily sharing the password -- as happened to our security company, for example.
 
Pros estimate that they can crack most passwords within a couple of days, if not hours. Following a few simple steps is the best way to slow them down.
 
1. Choose a password that’s hard to guess.
 
This sounds easy but it’s actually hard to do in practice. It seems to be a trait common to all of us to overestimate how good we are at this kind of thing. Everyone I consulted for this article thought that they could invent something really hard to guess. They’re probably wrong.
 
Never use real words, especially words like children’s names, pet names, birth dates or “leet speak” (words that substitute special characters for letters, like “@we$ome”). In fact, never use real words at all, even if you put a “1” at the beginning or a “%” at the end. These kinds of passwords are extremely easy to guess because they lower the number of possibilities from billions to mere hundreds of thousands, and in the process they can turn three weeks of hacking into a few hours.
 
Good passwords should always use random characters and should mix upper- and lower-case characters and punctuation. And longer is better, a lot better. Eight characters is a minimum.
 
Something like “4so*t?Uv8F&h” is incredibly difficult and time-consuming to guess. Something like “$usiesMom” is incredibly quick and easy.
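To put numbers on the “billions to hundreds of thousands” argument above, here is an added example (not from the original post) that compares the search space of a truly random 12-character password with the search space an attacker actually has to cover for a dictionary word dressed up with “leet” substitutions and a tacked-on digit or symbol. The dictionary size, the number of leet variants and the guess rate are constructed, hypothetical figures chosen for illustration; the tiny word list stands in for a real cracking dictionary. It also includes a crude check that undoes common substitutions and looks for a word, the kind of test the "guessing" approach relies on and the kind of check a password policy can run before accepting a new password.

```python
"""Added example: why word-based passwords shrink an attacker's search space.

All figures below are constructed for illustration, not measured data.
"""
import math
import string

# Hypothetical description of a guessing dictionary.
DICTIONARY_SIZE = 100_000        # common words, names and dates tried first
LEET_VARIANTS_PER_WORD = 16      # a->@, s->$, e->3, o->0 toggled independently: 2**4
DECORATIONS = 2 * (10 + 32)      # one digit or ASCII punctuation mark, prepended or appended

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LEET_MAP = str.maketrans("@$3014!", "aseolai")  # undo the most common substitutions

# Small constructed word list standing in for a real cracking dictionary.
COMMON_WORDS = {"susie", "mom", "password", "awesome", "fluffy", "welcome", "dorey"}


def random_keyspace(length: int, alphabet_size: int = len(PRINTABLE)) -> int:
    """Number of distinct passwords made of `length` random printable characters."""
    return alphabet_size ** length


def dictionary_keyspace() -> int:
    """Number of candidates for: dictionary word + leet variant + at most one decoration."""
    return DICTIONARY_SIZE * LEET_VARIANTS_PER_WORD * (1 + DECORATIONS)


def entropy_bits(keyspace: int) -> float:
    """Search space in bits; every extra bit doubles the attacker's work."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """On average the right candidate turns up halfway through the search space."""
    return keyspace / 2 / guesses_per_second


def looks_dictionary_based(password: str, words=COMMON_WORDS) -> bool:
    """Crude policy check: undo leet substitutions, lowercase, look for a known word.

    Prefixes and suffixes like '1' or '%' are ignored automatically because the
    test is a substring match on the normalized string.
    """
    normalized = password.translate(LEET_MAP).lower()
    return any(word in normalized for word in words if len(word) >= 3)


def describe(seconds: float) -> str:
    """Human-readable duration for the printed comparison."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    rate = 1e6  # hypothetical guesses per second for an offline attack
    for label, space in (("word + leet + decoration", dictionary_keyspace()),
                         ("12 random printable chars", random_keyspace(12))):
        print(f"{label:28s} {entropy_bits(space):6.1f} bits  "
              f"~{describe(expected_crack_seconds(space, rate))}")
    for candidate in ("$usiesMom", "@we$ome", "Password1", "4so*t?Uv8F&h"):
        print(f"{candidate:14s} word-based? {looks_dictionary_based(candidate)}")
```

The two rows the script prints differ by more than fifty bits, which is the whole point of the section: at a constant guess rate, each bit of difference doubles the time to crack, so the random password is not a little better but astronomically better.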
 
2. Don’t use the same password for everything -- especially not for the important stuff.
 
This is hard, because long, random passwords are hard to remember. As a result, many people come up with one great password and then use it forever for everything. The problem, of course, is that once somebody gets that one great password, they are in a position to wreak havoc on your life.
 
So what to do? Experts are divided on whether it’s better to use many hard-to-remember passwords that are stored or written down somewhere, versus using passwords that can be memorized and running the risk that they’re easier to crack.
 
One option is to use one of the encrypted password manager applications that are out there. Our Creative Director Jason Diersman loves a program called 1Password, which he says is one of the best things in the world.
 
The consensus around here is that it’s probably fine to use one easy-to-remember password for things that wouldn’t be too damaging if they were hacked, but keep a few important ones complicated and written down someplace very safe. As in, NOT on a post-it stuck to your monitor.
 
3. Trust but Verify
 
A very common scam is called “phishing,” in which someone sends out an email pretending to be from a trusted source, but it’s really a hacker trying to gather personal information, including passwords. If you get an email that directs you to a website that looks like your bank or an online service like eBay or Amazon, and it asks you to “verify” your login or password, there’s a pretty good chance you’re being phished for information. Never enter personal information into a site like this, and when in doubt you can always call the purported source and ask whether they’re collecting information this way. It’s highly unlikely they are.
 
This is one way to trick you, but there are plenty of others. You wouldn’t let a stranger rummage around in your closet, so don’t click on links you don’t recognize, don’t give your passwords to people whose identity you can’t verify, and don’t open attachments from people you don’t know.
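The single most useful habit behind “don’t click on links you don’t recognize” is to look at where a link actually goes rather than what it says. As an added example (not part of the original post), the snippet below does that check mechanically for a handful of constructed links: it compares the hostname shown in the link text with the hostname in the real target, and it checks whether the target belongs to the domain you expect. The domains `example-bank.com` and `login-check.example.net` and the address `192.0.2.10` are placeholders, not real sites.

```python
"""Added example: flag links whose real destination does not match what they show."""
from urllib.parse import urlparse

# Constructed sample links of the kind found in phishing email: (text shown, real href).
SAMPLE_LINKS = [
    ("https://www.example-bank.com/login",
     "https://www.example-bank.com/login"),
    ("https://www.example-bank.com/verify",
     "http://www.example-bank.com.login-check.example.net/verify"),
    ("Click here to verify your account",
     "http://192.0.2.10/verify"),
]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host: str, trusted_domain: str) -> bool:
    """True if `host` is the trusted domain or one of its subdomains.

    Note the leading dot: 'example-bank.com.login-check.example.net' does NOT end
    with '.example-bank.com', so a trusted name buried inside a longer hostname
    is not accepted.
    """
    trusted_domain = trusted_domain.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def check_link(display_text: str, href: str, trusted_domain: str) -> str:
    """Return 'ok' or a short reason this link deserves suspicion."""
    target = host_of(href)
    shown = host_of(display_text) if display_text.lower().startswith(("http://", "https://")) else ""
    if shown and shown != target:
        return f"link text shows {shown} but points to {target}"
    if not belongs_to(target, trusted_domain):
        return f"{target or href} is not part of {trusted_domain}"
    return "ok"


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{text[:40]:40s} -> {check_link(text, href, 'example-bank.com')}")
```

The second sample is the classic trick: the familiar bank name appears at the front of the hostname, but the part that decides who actually receives your password is the end of it. Hovering over a link in your mail client shows the same information the script is reading here.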

 

John Mulvey