Editorial

Staying Secure Online: Passwords

This article is the first in a series on how to stay secure online. It's a topic I am often asked about, and I am regularly surprised by how little thought both technical and non-technical people give to good password practices. Ideally most of what you read below you will already know – but maybe it will prompt you to improve your current password practices if you're currently at risk of one of the following (common) problems:

  • Having an online service hacked
  • Your bank account emptied
  • Facebook account taken over (for an attempted scam)
  • Email compromised

Most don't think any of the above are relevant to them - but please read on. It's possible that you haven't considered securing your passwords adequately.

Secure Passwords

Ensuring your passwords are secure is a key element. So often I hear stories of people who have had an account hacked – Facebook, Twitter, Hotmail, etc. The first point I should mention is: do not use a real word as a password – or even a real word with letters swapped out for numbers/symbols, as in this example: p@ssw0rd (this is so common that those trying to hack into anything may well try this technique).

If you can’t use real words – what should you use? Ideal things to include in your passwords:

  • Unique acronyms (that you’ve made up) that are easy for you to remember
  • Numbers
  • A mix of upper case and lower case letters
  • Symbols

By mixing up the above you should be able to come up with a secure password. As an example, I’ll pick one of each of the above to make a new password:

Step 1: Start with a unique acronym that I can remember – MCICA (stands for: my city is called Auckland).

Step 2: Add in some numbers (I’m going to add a number that is relevant to me but nobody else: 218). My password is now: MCICA218

Step 3: Change letters to a mix of upper and lower case. My password now reads: MCica218

Step 4: Add in some symbols in random locations. My password now reads: MC+ica=218

Now – the trick is to mix up how you create your password – don’t follow the above too closely. Certainly come up with your own memorable acronym that is unique and means something to you. And if you are following the above steps do it in a different order than suggested.

Different Passwords

One of the most important aspects of keeping secure online is to have great passwords. Yes – there is an ‘s’ on that because you should have lots of different passwords – not just one you use everywhere you go online.

In recent months we have heard of many situations where people’s existing passwords with a provider have been compromised. When this happens your password from that service (such as the PlayStation Network) may end up as public information and freely shared online. In other situations your password might not be public but it may be in the hands of hackers who will attempt to use it break into other services you might use – such as your bank, Facebook, Twitter, online forums, your work email system, Gmail, Hotmail, etc.

One technique I have come across for making unique passwords is to mix a common password that you remember (such as one made by following the example earlier) with a unique identifier for each website you visit. So if your main password is MC+ica218 – you might add a code that represents Neowin to you – my example is #Winning – so the final password might be: MC+ica218#Winning

For most important passwords (such as Internet banking) you may want to use a different sequence compared to less important passwords.

Long Passwords

The longer your password is the lower the chance it will be guessed or that you will be hacked. Ensure all your passwords are at least 8 characters long – and preferably 14 characters or longer.

Password Storage

Now that we’ve cleared up the importance of having different passwords, some will be wondering how to keep track of all these passwords. I can suggest three techniques:

  • Use a password storage tool
  • For most secure passwords – don’t store the full password online
  • Write part of your password down and keep it in a secure location

A useful technique for your most important passwords is not to store the full password in one place. You might for instance keep part of the password in your head (or on a hidden piece of paper) – and part of it in a secure online password store (such as LastPass).

What to avoid?

  • Password sharing – try to create situations where you don’t have to share your passwords with friends or colleagues
  • Words that are listed in the dictionary or are names of people, companies or brands
  • Words spelled backwards, abbreviated, or misspelt
  • Common sequences – qwerty, 12345, 911, 111, abc, etc
  • Birth dates, phone numbers and other predictable personal numbers
  • Saving passwords in your browser or on your computer unless it is secured and locked when not in use
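The rules above can be turned into a simple checker; the following is an added example, not the article's own code, and its wordlist and sequence list are small constructed stand-ins for a real dictionary and name list. It also carries through the arithmetic behind the length advice: the search space is (alphabet size) to the power of (length), so each extra character multiplies the work of a brute-force attempt.

```python
import math
import re

# Constructed checker for this article's rules (added example, not the author's code).
# Encodes: no dictionary/leet/reversed words, no common sequences, no predictable
# numbers, length >= 8 and preferably >= 14, and a mix of character classes.

# Undo common leetspeak swaps before the wordlist check, so "p@ssw0rd" is caught.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
# Tiny constructed wordlist standing in for a real dictionary and name list.
WORDLIST = {"password", "auckland", "winning", "letmein", "welcome", "monkey"}
SEQUENCES = ["qwerty", "12345", "911", "111", "abc"]
CLASSES = {  # name -> (matcher, alphabet size contributed to the search space)
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 33),
}

def search_space_bits(pw):
    """log2(alphabet ** length), counting only the classes the password actually uses."""
    alphabet = sum(size for rx, size in CLASSES.values() if rx.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def brute_force_days(pw, guesses_per_second):
    """Worst-case days to exhaust the search space at a given guess rate."""
    return 2 ** search_space_bits(pw) / guesses_per_second / 86400

def check_password(pw):
    """Return the list of rules the password breaks (empty list means it passes)."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    elif len(pw) < 14:
        findings.append("shorter than the preferred 14 characters")
    # Letters only, after undoing leetspeak, so "p@ssw0rd" and "drowssap" both match.
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(w in letters or w in letters[::-1] for w in WORDLIST):
        findings.append("contains a dictionary word (possibly leetspeak or reversed)")
    for seq in SEQUENCES:
        if seq in pw.lower():
            findings.append(f"common sequence '{seq}'")
    if re.search(r"(19|20)\d{2}|\d{7,}", pw):
        findings.append("looks like a year or phone number")
    if sum(1 for rx, _ in CLASSES.values() if rx.search(pw)) < 3:
        findings.append("fewer than three character classes")
    return findings
```

Note that the article's own site-suffix example, MC+ica=218#Winning, is flagged by the wordlist rule: the suffix is a dictionary word, which is the weakness of predictable per-site additions.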

Good luck with staying secure. I’m sure many readers will have other useful techniques and some may disagree with my thoughts. That’s okay – the main thing is to ensure you have unique passwords that can’t be guessed and are different in some way from website to website.


19 Comments


A good Bank will supply you with a Card and a Card reader with keyboard; that combo and a 'Challenge' & 'Response' system will guarantee you safe e-Banking!
The User uses another number string (8 char.) every time they log in + every time they do a transaction of any kind (on top of the traditional login). It's a bit long-winded, but it is very secure!
The numbers generated by the reader/KB combine your card ID with the challenge ...

Hard to remember every password if you have many sites you've signed up for. I guess only change the ones you use most frequently and are to do with your everyday life things (banking etc.).

Having a password system such as the article describes is not smart. Once your system is cracked, you are gone. Random, gibberish passwords stored in a trusted password manager, people. Anything else is less secure.

What's really ironic about this for me is that over the weekend my girlfriend's email account fell victim to a massive spam attack. I asked her how it could possibly have happened and she said that she uses the same password for her email\online sites logins\messenger programs etc.

I just shook my head =\

There's a main problem when we want to use 'rules' to create easy to remember passwords: disparity of websites' security. I want to use symbols but some websites don't want them (Gmail!). I want to use a six or seven character password .. one requires 8. And so on.
In the end, it's difficult to follow a strict scheme.
However, this is very good advice.

The number of different characters and case of characters do add more complexity to the brute-force method. If I was going to try to brute-force somebody's password I would first try to use all lowercase alphanumeric characters first. Then move onto other combinations, due to the time constraints imposed by trying every combination of characters and symbols. In fact, if you ever use a brute-force tool, they give you the option to use lowercase, uppercase, mixed case, numbers, and symbols just for the reason of saving time.

The number of different characters and case of characters are NOT important when it comes to password complexity or security. Password length is the only true way of making a hard-to-crack password.

Today's computers and bot-networks can brute-force a small password in practical time even if that password uses varying case and "special" characters. Obviously you don't want to use typical passwords like "password" or family/pet names. Come up with something unrelated to you personally, and make it as long as the system will allow. There is no point in making it "hard to type" or use random characters here or there.

This brings me to a pet peeve of mine about account security. With today's storage spaces getting increasingly bigger and cheaper, online shopping/banking integrating more and more into our lives, and data theft getting worse it really ticks me off when companies that hold identity info and/or credit card info don't allow users to create passwords longer than 10 to 12 characters. It's such a simple fix to a growing problem, but no one seems to get it.

sanke1 said,
What are my options when some site like sony keeps my uber secret password in txt format?

One of the most important aspects of keeping secure online is to have great passwords. Yes - there is an ‘s' on that because you should have lots of different passwords - not just one you use everywhere you go online.

Simply take a different password for every site you signup for.
It doesn't have to be a totally different one, you can always use the same word over again and add things related to the website.

Example of what I mean:
For the site NeoWin.net --> networdNW
For the site HotMail.com --> comwordHM
For the site DeviantArt.com --> comwordDA

and so on

TrOjAn. said,
Simply take a different password for every site you signup for.
It doesn't have to be a totally different one, you can always use the same word over again and add things related to the website.

Example of what I mean:
For the site NeoWin.net --> networdNW
For the site HotMail.com --> comwordHM
For the site DeviantArt.com --> comwordDA

and so on

So if I'm sniffing your PC and I realize that the first 2 passwords I got are networdNW and comwordDA, I would think and try comwordPA on your PayPal account.

That's not a good idea. You need to have a unique password everywhere and over 8 letters, because 8 letters and lower is in the hash check (another thing hackers will try to get their hands on). The best thing to do is 9 letters (numbers, letters lower and upper, symbols...) and over (the password is not going to be in the hash check).

At least this is better than one password for every account I got

Besides, that word is often replaced based on the type of website
So my PayPal password looks very different than the password to login here for example.

TrOjAn. said,
At least this is better than one password for every account I got

Besides, that word is often replaced based on the type of website
So my PayPal password looks very different than the password to login here for example.

Oh ok!! That's better.

TrOjAn. said,
Simply take a different password for every site you signup for.
It doesn't have to be a totally different one, you can always use the same word over again and add things related to the website.
Example of what I mean:
For the site NeoWin.net --> networdNW
For the site HotMail.com --> comwordHM
For the site DeviantArt.com --> comwordDA

and so on

RANDOM PASSWORDS!! DON'T TRY TO REMEMBER YOUR PASSWORDS!!! USE A PASSWORD MANAGER (e.g. KeePass). You'll never need to worry about any passwords ever again.

kabix said,

RANDOM PASSWORDS!! DON'T TRY TO REMEMBER YOUR PASSWORDS!!! USE A PASSWORD MANAGER (e.g. KeePass). You'll never need to worry about any passwords ever again.

Until you are out of power or for some reason lose those files.

kabix said,

RANDOM PASSWORDS!! DON'T TRY TO REMEMBER YOUR PASSWORDS!!! USE A PASSWORD MANAGER (e.g. KeePass). You'll never need to worry about any passwords ever again.

Until the day you need to login to a site from a different location.

That's not a good idea. You need to have a unique password everywhere and over 8 letters, because 8 letters and lower is in the hash check (another thing hackers will try to get their hands on). The best thing to do is 9 letters (numbers, letters lower and upper, symbols...) and over (the password is not going to be in the hash check).

I don't know if English just isn't your first language or you have just heard these words in a presentation somewhere and think you are now an authority on the topic, but that is one very fragmented paragraph. A 'hash check' doesn't really work as you think; it sounds like you are talking about using rainbow tables in an attempt to reverse the hash function, and this method is not strictly limited to 8 characters (in fact much larger rainbow tables exist, but the size of the table and the complexity of comparing them increase exponentially with the length). If you have a password of 8 characters or fewer that uses dictionary words in it, it is pretty much guaranteed to be broken instantly by a rainbow table; this is a different story if you use symbols/numbers/letters etc., as it is considerably more difficult, but again quite simple.

A modern day gaming PC can try every combination of an 8 character password using lower/upper/numbers and symbols in about 3 days, give or take. This is absolutely nothing. This gradually increases the more characters you use but the rule is certainly not "use 9 and it won't show up in a 'hash check'" -- just be wary of providing inaccurate information as we do not want to have a whole bunch of people using 9 characters and thinking they are safe.

OP's method is one I use myself for remembering passwords, but they are usually considerably larger--perhaps 15+ characters--using the entire site name, or perhaps the slogan (i.e. "N3w5F0rN3rdsPasswordOfTheMonth" for slashdot) and things along those lines. It doesn't really matter if you capture my hash out of the air because then you need to reverse the hash of that password, determine the pattern (if you can ever reverse it), and then hope I haven't changed the password-of-the-month half by the time you reverse it (which will take years).

It is probably also worth mentioning that nowadays a lot of auth methods will use a salt with your password, which makes it incredibly difficult for you to use a pre-computed hash table such as a rainbow table. All modern *nix distributions do this--for example a Unix distribution roughly 20 years old uses a 12-bit salt, which would require multiple terabytes of hard-drives to pre-compute every possible password+salt combination (4096 tables). Any distribution between now and then uses a 48- or 128-bit salt, which means that for at least the foreseeable future, it will not be possible to attack them with rainbow tables. Again, the longer the better, but just sayin', don't give advice unless you can back it up.

Edited by ascendant123, May 24 2011, 8:16am :