Monday, May 23, 2011

SOFTWARE: Passwords

The internet runs on passwords. And you need a password SYSTEM these days, thanks to the less-than-stellar minds at the Sony Playstation Network. Well, Sony and the other security-challenged sites that have fallen before them.

The trick with a SYSTEM is that it has to be something you can easily remember, yet complex enough to create passwords that are hard to break. PLUS, you have to revise your knee-jerk reaction to answer so-called security questions with the truth.

So, let's dive in. The first thing you need is a nub. A small set of characters you use to start your passwords. And that nub should have a bit of flair to it. And some length. I've long advocated that you take the name of a teacher who made an impact upon you as a kid and spell the name backwards. For example, htims for Smith and sullesram for Marsellus. Now, break the name with a punctuation character. h/tims for example one, sulles.ram for the second. Now, capitalize one letter, either the first one or the last. H/tims and sulles.raM for the second. Lastly, add your LEAST favourite number to the end. I'm impartial to 2. So, now I have H/tims2 and sulles.raM2 for my nub. (Names have been changed in the making of this password ... although Frank Marsellus probably DID have the most impact upon me while I was in school).

The nubs I've just created seem a little bizarre. But trust me, spell them often enough and they become second nature. And just for the record, my fingers seem happiest making the capital the first letter in the group. Just saying.

NOW, when we are creating passwords for various sites, we just can't use the nub everywhere. In fact, that's a REALLY BAD IDEA. Especially for bank accounts. You have to add characters. And just adding a couple of letters indicating the site to the end of the nub isn't good. In fact, it might be worse. If you were code-breaking the password, wouldn't you look for the initials first, then for the first X characters? Nope, no using the initials. Directly that is.

Pick two letters to represent the site, three if you're feeling frisky. They should be the first three characters you think of. Now DRAW those letters on the keyboard, whatever feels natural to you. You can use the numbers 1-9 on the numeric keypad (make sure Num Lock is turned on!) or on the keyboard itself. For example, a G could be 987412365 or uytgbnmjh or iuygvbnjh or 8765tgbnm,kj or whatever your heart desires. Again, the secret is to have a sub-system. For example, you could do everything on the numpad: every letter and number can be drawn on the 3x3 square of numbers 1-9. Or you could do everything on the keyboard's alpha character area. When you draw the letter on the keyboard, remember to include the letter at the left of the right edge of your 'drawing'. Remember, you are going to have a 'slant' to your letter. G in a nine-character grid with G on the left side is uytgbnmjh when slanted to the left, iuygvbnjh when slanted right. Whatever makes it easy for you to remember, and to enter quickly.

Oh, and did I mention that you can do consonants on the keyboard and vowels on the numpad? Or vice-versa.

Ultimately, you want to get to 16-character-long passwords. H/tims28765tgbnm,kj1475963 is a pretty decent GMail password. Running it through a checker at http://www.passwordmeter.com/ gives me a 100 per cent score. It's 26 characters long (I can type it in less than two seconds). It doesn't have enough capital letters, but one's enough most of the time. At http://howsecureismypassword.net/ the estimate to crack this password using a desktop PC? 715 Nonillion years. Note that H/tims2gm would take about a year. That's for a regular desktop PC. If you happened to fall into the interest spectrum of nasty people, the long password would take something in excess of a billion years while the shorter password would survive about two weeks.
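As an added illustration (not code from the original post), here is the construction above written out: the nub is built from a reversed name, the site tag is appended as letters "drawn" on the keyboard or numpad, and the two variants from the post are compared by length, character classes and an exhaustive-search upper bound. The drawing strings and the guess rate of one billion per second are taken as assumptions; the search-space figure is an upper bound, since pattern-built pieces fall to dictionary and keyboard-walk guessing long before exhaustive search.

```python
# Added example, not from the original post. Builds passwords the way the post
# describes and compares the short and long variants it mentions.
SECONDS_PER_YEAR = 365 * 24 * 3600
PRINTABLE = 95  # assumed attacker alphabet: ASCII printable characters


def build_nub(name, punct, split_at, cap_first, number):
    """Reverse the name, break it with punctuation, capitalise the first or
    last letter, and append the 'least favourite' number."""
    rev = name.lower()[::-1]
    if cap_first:
        rev = rev[0].upper() + rev[1:]
    else:
        rev = rev[:-1] + rev[-1].upper()
    return rev[:split_at] + punct + rev[split_at:] + str(number)


def build_password(nub, drawings):
    """Site password = nub followed by each 'drawn' letter of the site tag.
    The drawings are literal strings here (an assumption); e.g. the post's
    G drawn on the keyboard is '8765tgbnm,kj' and M on the numpad '1475963'."""
    return nub + "".join(drawings)


def character_classes(pw):
    """Which of the four usual character classes the password covers."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def brute_force_years(pw, guesses_per_second, alphabet=PRINTABLE):
    """Upper bound: exhaustive search of alphabet**len(pw) at the given rate.
    Real crackers try words and keyboard walks first, so the pattern-built
    parts of these passwords are weaker than this number suggests."""
    return alphabet ** len(pw) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    nub = build_nub("Smith", "/", 1, True, 2)  # -> "H/tims2"
    short_pw = build_password(nub, ["gm"])
    long_pw = build_password(nub, ["8765tgbnm,kj", "1475963"])
    for pw in (short_pw, long_pw):
        print(len(pw), pw, character_classes(pw),
              f"{brute_force_years(pw, 1e9):.3g} years (upper bound)")
```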

Why 16 characters? Typical Windows encoding breaks passwords into two 'phrases', and breaking those phrases for up to 15 characters is a known science. Once you get past the 'known science' part and into longer passwords, well, things get really, really difficult.
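The two 'phrases' are the halves of the legacy Windows LM hash. As an added example (not from the original post), this shows only the preparation step LM applies before hashing: uppercase, pad to 14 bytes, split into two 7-byte halves that are hashed independently; passwords longer than 14 characters get no LM hash at all. The DES step that produces the stored value is omitted, and ASCII input is assumed (real LM uses the OEM code page).

```python
# Added example, not from the original post: how the legacy Windows LM hash
# prepares a password, and why that makes long passwords a different problem.

LM_MAX_LEN = 14  # LM cannot represent a longer password; a dummy hash is stored


def lm_halves(password):
    """Return the two 7-byte halves that LM hashes separately, or None when
    LM cannot store the password at all.
    LM uppercases the password, pads it to 14 bytes with NULs, and hashes each
    7-byte half on its own, so a 14-character password is two independent
    7-character problems rather than one 14-character problem.
    Assumption: ASCII input; real LM converts to the OEM code page."""
    if len(password) > LM_MAX_LEN:
        return None
    raw = password.upper().encode("ascii").ljust(LM_MAX_LEN, b"\x00")
    return raw[:7], raw[7:]


def lm_half_is_empty(half):
    """An all-NUL half hashes to a well-known constant, which reveals on sight
    that the password is at most 7 characters long."""
    return half == b"\x00" * 7


def lm_exposure(password):
    """Summarise what LM storage would reveal about this password."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_stored": False, "independent_halves": 0}
    return {
        "lm_stored": True,
        "independent_halves": 2,
        "second_half_empty": lm_half_is_empty(halves[1]),
    }


if __name__ == "__main__":
    for pw in ("H/tims2", "H/tims2gm", "H/tims28765tgbnm,kj1475963"):
        print(len(pw), pw, lm_halves(pw), lm_exposure(pw))
```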

A word about your security question(s). First, try hard to lie, consistently, about things like birthdate. The reason? If that birthdate isn't absolutely necessary for use of the site, why give it to them? Things like birthdate really help when people commit identity theft. I like February 29th, 1952 as a fake date, but pick one and use it religiously. And to answer the security question? Well, give the answer, but preface it by adding the nub to the beginning or the end, or some invective. For example, what's my favourite colour? Blue, but I answer H/tims2blue or noneofyourbusinessblue or bluedarnit. What are the odds of somebody who knows me and knows I prefer blue getting any of THOSE answers correct when phishing at Facebook or some such site that relies on these easy-to-figure-out security questions before revealing all? This was how various celebs have been hacked. Knowing them or reading their social media made it easy to guess answers to the security question. And when you have THAT, you have the whole password system by the short hairs. You can then change the password to something of your own choosing. Mischief ensues.

A last word about passwords. You have to have a SYSTEM. You HAVE to have a different password per site, although admittedly, my particular system doesn't enforce that. For example, my Facebook password and my Facts in Five password are... well ... identical. Get one, get both. But generally, all my key passwords are unique. Plus, I cheat a little. I use LastPass, available, oddly enough, at http://lastpass.com/, as the cloud-based (and always available) repository of my passwords. Theoretically, I only need one password for that site. And trust me, it's a LOOOOOONNNNGGG password. And that site will dole out the passwords as I need them. But, in tried and true paranoid fashion, I also save the passwords on my local computer using PasswordSafe, free to download at http://pwsafe.org/. After all, not all of my passwords are web passwords. And I use different passwords to access each. Having the two products gives me backup.

REALLY the last word: LastPass had its own security crisis last month. A 'possible' breach was treated like a full breach. Full disclosure and a requirement that everybody change their passwords, hopefully to something even more secure. I did that immediately. My password is now 27 characters long and I can type it in about two seconds. I am very satisfied with LastPass's response to the situation and with its service. Since I only use it with Windows, I can get along, and do, with the free service. IF you REALLY, REALLY hate passwords and want to reduce your memory requirement to JUST your LastPass password, then I think this is probably as good as you can get. Give it a try.
