{ Between the Braces }

So the combination is… one, two, three, four, five?

by Adam Blom

I’ll be the first to admit that the password is not the perfect solution to security. Done properly, passwords are hard to remember and still not very secure. But to date there are very few options that are better. Since we are stuck with them until something truly more secure comes along, why not make them the best they can be? You’ve probably heard some of these tips before, but there may be something new you can start doing too. I have listed them in order from less security to more security, and they are additive (doing 1 and 2 is better than just doing 1 or 2). I hope you take them to heart.

Rule 1:

Don’t use the same password for every single site.

Do use different passwords for each site.

If you use the same password for every site, you are basically creating a “master key” for your online life. It’s like using the same key to open your house door, your car, your bike lock, your office door and your safe deposit box at the bank. You wouldn’t do it with a physical key so why do it with a password?

A simple way to do this would be to use a common password core and then add a unique piece to it for each individual site, something that has meaning for you for that particular site (it should not be the site name, but it could be an abbreviation or a word you associate with that site). Just remember that this is only Rule 1. It adds some security and is an easy trick, but you can always get more secure.

Example:

Select a “core”:      Apricot

Select a unique add-on for each site and append it to the “core”.

     – Password at Amazon:      ApricotKindle

     – Password at Cat Video of the Week:      ApricotKitties

NOTE: I know. Who can remember all of those passwords? But it is very manageable. Please read on for tips and ways to manage them.

Rule 2:

Don’t use passwords of less than 8 characters in length.

Do use passwords greater than 8 characters, and ideally as long as you can reasonably make it.

Today’s computers can crack short passwords in milliseconds. Every character you add to the length of your password makes it exponentially harder for a computer to guess quickly, taking the time to guess from milliseconds to years. Now, using the word “Antidisestablishmentarianism” as your password may in fact work, but let’s face it, there just aren’t that many 20+ character words in the English language, and even fewer that will have meaning to you so that you can remember them. If you are also trying to follow Rule 1, you’ll probably run into limitations. My tip is to try using a phrase or a quote that you like rather than a single word.

Example:

Take your favorite quote:      “The truth is out there.”

Now remove the spaces and you get:     thetruthisoutthere

Combine with Rule 1 and make your quote the “core”:

     – Password on Amazon:      ThetruthisoutthereKindle

     – Password on Cat Video of the Week:      ThetruthisoutthereKitties

If you have a longer quote that you like, take the first letter of each word and make that the core. Both are much easier to remember, and each is a long combination of words made up of many characters, which means it would take a computer exponentially longer to guess. But guess what? You can still make it stronger by combining Rules 1, 2 and 3.

Rule 3:

Don’t use common dictionary words or information about yourself that either you wouldn’t want to give away if someone got your password (like bank PINs and social security numbers) or that is easy to find in public records or social media (like your name and initials, pet’s name, birth date, etc.).

Do use words or phrases that are meaningful, but put in a mix of lowercase letters, uppercase letters, numbers and symbols.

Now I acknowledge that it is hard to remember “%67HUi@34_~nNqw”, so here are several techniques you can use to create and remember your passwords.

For most sites:

For sites that allow long passwords, use the same technique used for the single word and apply it to your quote. Now you have a long password that is far more secure. If you follow a few rules, like making the first letter of each word of your quote a capital and substituting lowercase letters with similar-looking symbols and numbers, you can get a secure password core that is not hard to remember.

Example:

Take your “core” quote:     thetruthisoutthere

Substitute in symbols, uppercase letters and numbers:     Th3Tru+h!$Ou+Th3r3

Now add your unique add-on for each site:

     – Password on Amazon:     Th3Tru+h!$Ou+Th3r3Kindle

You now have a password for Amazon that is unique to the website, is 30 characters long, uses numbers, uppercase and lowercase letters and symbols, and is much easier to remember.

For websites with short passwords:

Unfortunately, some sites’ security is a bit out of date in that they don’t allow longer passwords. If you don’t want to use long passwords, or the site does not allow them, take a common lowercase word and substitute in numbers, uppercase letters and symbols that are easy to swap in, like using a “3” instead of an “E”, a “$” instead of an “S”, or a zero instead of an “o”.

Example: V@ni!La

Rule 4:

Don’t write your passwords down and put them in a place that is easily accessible or easily stolen.

Do use a password safe.

You would be amazed at how many people keep their passwords on a folded piece of paper in their wallet or in a spreadsheet on their computer desktop (or, even better, on Post-it notes next to their computer). But you may also still be thinking that there is no way to remember all of this… and you’re probably right. It can be tough to remember your rules for substituting symbols/capitals/numbers and then the short unique part for each and every website. If you only have a few passwords, just following Rules 1-3 works just fine. But more and more of our lives are conducted online, and the combinations of passwords, usernames, etc. are getting too numerous to keep track of. Thankfully there are some great tools out there to help keep track of them all. Each has its advantages, and most of the disadvantages come down to personal preference.

NOTE: I am not affiliated or compensated by any of these companies or products.

LastPass, Dashlane and 1Password are all excellent and install into your browser. They all work in slightly different ways and have different features, but all work on one similar concept. You remember a single master password to access the program. As you enter in passwords for each site, it encrypts them heavily (on your computer, before anything is sent over the internet) and stores them on the company’s servers so they are always synced in the cloud. Since they are encrypted, even if the company gets hacked, the attackers will not be able to easily break the encryption, and by the time they did, the company would likely have notified you so you can change your passwords. They are all very easy to use and very user friendly. I highly recommend each of these, but check out the features for yourself to decide.

If you prefer to manage your own database file and/or prefer an open source product, I recommend KeePass. It runs in Windows and will run in OS X and Linux using Mono. It has also been ported to Android and has a portable version which will run off of a flash drive. It is similar to the three other options in that it requires a master password and stores all of your login information using heavy encryption. It can also use a key file which you can keep on a flash drive or computer (or both a key file and a password for the paranoid amongst us). The entire database file is encrypted and stored on your computer. If you want to sync it you can store the database on a cloud service like Dropbox, Google Drive or SkyDrive. It also accepts plugins to add functionality like additional encryption types or tools to make it work with more environments.

TIP: For passwords you want to remember you can use the concepts in rules 2 and 3 to create a safe but memorable password. For passwords that you don’t use regularly, consider using the password generator in each of the password safes to create a long random password made of letters, numbers and symbols. These are the hardest to guess since they don’t follow any dictionary or quote libraries used by hackers.

TIP: If you insist on a paper back up of your passwords (which is not a bad idea) then store it where you would store other sensitive documents such as a fire safe or safe deposit box and update it whenever you change your passwords (see Rule 5).

NOTE: All products here allow you to easily export your login information if you want to leave the service or want a paper backup. You can also store more information in them than just passwords, such as addresses, answers to security questions, etc.

Whichever product you choose it will make your life much easier and much safer.

Rule 5:

Don’t use the same password you have been using for the last 8 years.

Do change your passwords on a periodic and regular basis.

It can be annoying to keep changing your passwords, but if you change them on a regular basis it not only adds some security but also keeps you engaged with your online security. If you change all of your passwords every 6 months or a year, not only does it get rid of any passwords that may have been stolen in security breaches, but it also lets you see if your favorite sites have added any security features (like selecting a picture that shows up on your login to confirm you are on the right site, adding two-factor authentication, or allowing longer passwords now). These upgrades are rarely advertised, so it is up to you to check them out, and if you set yourself a regular interval to check in on each of your accounts you’ll be able to keep up more easily.

Rule 6:

Don’t just use a password.

Do use two-factor authentication where available.

You know in spy movies where the spy has to get into the sealed vault but he/she can’t just enter the pass code because the vault also requires a fingerprint or iris scan in order to open? Well, even if you don’t, that’s kind of what two-factor authentication (commonly shortened to 2FA) does. It requires you to not only know something, but also to have something unique. It usually does so by requiring a numeric code sent by SMS or generated by an app on your smartphone (such as Google Authenticator or Duo Security). The code changes frequently, so even if someone saw you enter it, they can’t use it later. You can’t gain entry unless you have both pieces. So if they steal your phone, they also need the password, and if they have your password they also need your phone. If they have both… well, let’s just say it’s way more likely they would get one or the other and not both.

NOTE: If you use this, do yourself a favor and make sure you have the security features set up on your phone too (PIN to unlock, pattern unlock, PIN with encryption, etc.). While they would still need your phone, if they get it and they know what they’re doing, you at least want to slow them down as much as you can.

I think all sites should offer two-factor authentication, but still only a fraction of them do. To find out which sites do offer it as an option (on most sites it’s off by default, so check your account settings) check out twofactorauth.org. More and more sites are adding it each day, so if you don’t see your favorites yet it may be added soon. If you want to help, then email the customer service of the site you use that is not offering it yet, and ask them for it.
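The rotating code from the authenticator app is usually TOTP (RFC 6238), built on HMAC. The example below, added here and not from the original post, implements the generator and the server-side check in Python with only the standard library, using the 30-second step and 6 digits that Google Authenticator defaults to. It reproduces the RFC’s published test vectors for the ASCII secret “12345678901234567890” and shows the property the post relies on: a code seen at one moment no longer verifies a couple of minutes later. The timestamps in the demo are the RFC’s, not live clock values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step, as used by Google Authenticator
DIGITS = 6         # length of the code the user types


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def time_step(at_time: Optional[float] = None) -> int:
    """Counter value for a moment in time: whole 30-second steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return int(at_time // STEP_SECONDS)


def totp(secret: bytes, at_time: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the clock-derived counter. This is what the app displays."""
    return hotp(secret, time_step(at_time))


def verify(secret: bytes, submitted: str, at_time: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side to
    tolerate clock drift; compare_digest keeps the comparison constant-time. A real
    server must also remember codes it has already accepted and refuse them a second
    time, as RFC 6238 requires, so a code is single-use even inside the window."""
    counter = time_step(at_time)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # The RFC 6238 test secret (ASCII); a real secret is random and shared once via the QR code.
    secret = b"12345678901234567890"
    shown = totp(secret, at_time=59)  # "287082" per RFC 6238 Appendix B
    print("code at t=59:", shown)
    print("accepted at t=59:", verify(secret, shown, at_time=59))    # True
    print("accepted at t=89:", verify(secret, shown, at_time=89))    # True, within the drift window
    print("accepted at t=149:", verify(secret, shown, at_time=149))  # False, the code has expired
```

The window is what makes the scheme usable when the phone’s clock is a few seconds off, but every extra step it covers is one more code the server will accept, so keep it at one step and reject reused codes.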

Are you done now?

Consider my speech on passwords over. I hope it was helpful and has given you some tips to help protect yourself by using good web practices with your passwords. It’s like putting on the safety belt in the car. In many places it’s not required by law, but it’s still a good idea. And once you start doing it, it will become second nature. If you do your part in protecting yourself and the companies who run websites do their part to protect your information, then the web will be much more secure. I hope within a year or two this post becomes irrelevant as the web will have moved away from the password to something more secure and harder to hack, but until then do what you can to protect yourself online.