Your passwords - making them memorable but safe and secure
How to plan for and then Create, Store and Use Passwords securely
If the only action you take as a result of reading this page is to adopt
a distinct approach to your passwords for each level of risk that you are
exposing yourself to, then you will have decreased your exposure to the
consequences of using passwords to protect your assets - financial,
reputational and many other nasty outcomes of password theft.
Just as you have different access protection on garden gates and sheds,
garages, front and back doors, internal doors and safes, it is
imperative to have different tools, procedures and approaches to
your use of passwords - appropriate to the level of risk!
All aspects of high risk passwords should naturally be handled
with more care and attention to detail, even if that makes them less
convenient to use, but crucially there must be no possible
"route" for a hacker to get to those (higher-level)
passwords from ANY lower-level passwords or from assets / resources
that rely upon them - e.g. e-mail accounts!
Bear in mind that the hacker is a human opponent in a game of Snakes and
Ladders (apologies to readers who are not familiar with the game!) and
your goal is to constrain him or her to the lowest level (row) possible.
Escalation to higher levels of password risk is explained
Creating - what makes a password bad! and why!
Passwords are regularly hacked by a variety of methods, and some of the
attacking methods (below) used to crack them are within your own control.
Bear in mind that any of the following are likely to be used as a starting
point - hackers, and more precisely their software, will combine numbers,
transform letters to numbers and even combine the starting
data when conducting an attack:
- Publicly accessible or known private data harvesting -
whether this is the names, pets, children, places, dates etc. from your
entries on social media web sites (Facebook, YouTube, LinkedIn etc.) or your
past addresses, dates, telephone numbers, car registrations etc. from
more factual web sites - assume that it can all be used as the starting
point for attacks.
It is important to understand the variety of sources of information
as attack vectors - these range from a completely unknown miscreant in
a far-off country with no more than basic web access,
through employees of companies that you have interacted with,
through to ex-work colleagues, friends, associates etc.
- A WIDE variety of dictionaries -
words of any language, names, places, many millions of known passwords
from virtually all prior hacked web sites, sexual, vulgar and swear words.
This is a simplistic description of
how to hack a (weak) password.
- Brute force -
although this technique works excellently when the attacker has access
to the device where the password is stored (a relatively small file from
your PC, mobile, web server where you have an account etc.) it can
be slowed down or even halted by a well-designed and managed web site.
This attack can be countered by a combination of two password factors -
length and variety of characters used. For professional web sites
a length of 8 characters and 4 different character types - lowercase,
uppercase, digits and specials such as: ',./?:;@ "%^&*()-_=+' - would
be sufficient as a strong password.
Note that a strong password (level 3-5) must be able to resist all
Brute Force, Dictionary and any variant of Data harvesting attacks AND
the tweaking of characters as advised by SOME guides to password
creation.
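To make the three requirements above concrete, here is an added self-check (it is not code from this page or its companion page) that scores a candidate password the way the text describes an attacker approaching it: it undoes the common digit-for-letter 'tweaks', looks for harvestable personal data and known leaked passwords inside it, and works out the brute-force search space from its length and the character types present. The personal data list, the tiny 'leaked' list and all sample passwords other than the page's own 'l1ch88DC' are constructed for illustration; the special-character set used for the arithmetic is Python's string.punctuation plus space rather than the page's exact list.

```python
import math
import re
import string

# Constructed sample of data an attacker could harvest about 'you'
# (names, pet, town, birth year, car) - illustration only, not real data.
PERSONAL_DATA = ["Dave", "Clarke", "rex", "Leeds", "1988", "Fiesta"]

# Constructed stand-in for a leaked-password list; a real one has millions.
LEAKED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}

# Digit/symbol-for-letter swaps that cracking software routinely tries,
# so a checker must undo them before comparing against word lists.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def normalise(password):
    """Reduce a password to the 'word' an attacker would target:
    drop a trailing run of digits/specials, lower-case, undo leet swaps."""
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET_MAP)

def character_classes(password):
    """Return the set of character classes present (the page's four types)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "special": len(string.punctuation) + 1}  # +1 for space

def brute_force_bits(password):
    """Bits of search space an attacker must cover, assuming they know
    only the length and which character classes are present."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)

def personal_data_hits(password, data=PERSONAL_DATA):
    """Personal-data tokens (3+ chars) embedded in the password, found
    either as typed or after undoing leet substitutions."""
    raw, norm = password.lower(), normalise(password)
    return [t for t in data
            if len(t) >= 3 and (t.lower() in raw or t.lower() in norm)]

def assess(password):
    """Report the password against the three weaknesses the page describes."""
    return {
        "length": len(password),
        "classes": len(character_classes(password)),
        "bits": round(brute_force_bits(password), 1),
        "personal_hits": personal_data_hits(password),
        # all-digit passwords normalise to "", so also test the raw form
        "leaked": (normalise(password) in LEAKED_PASSWORDS
                   or password.lower() in LEAKED_PASSWORDS),
    }

def meets_strong_criteria(password):
    """The page's bar for a 'strong' (level 3-5) password: at least 8
    characters of 4 classes, and no dictionary or harvested-data content."""
    r = assess(password)
    return (r["length"] >= 8 and r["classes"] >= 4
            and not r["personal_hits"] and not r["leaked"])

if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Leeds1988", "R3x2012!", "l1ch88DC", "Tq7#vEp!q2"):
        verdict = "strong" if meets_strong_criteria(pw) else "weak"
        print(pw, assess(pw), verdict)
```

Note that 'P@ssw0rd' ticks all four character-type boxes and is eight characters long, yet fails because it normalises straight to a leaked password; that is exactly the gap between the brute-force arithmetic and the dictionary and data-harvesting attacks the page warns about.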
An example of BAD ADVICE or judgement is
- but at least it IS labelled as the Internet for beginners!
The column headed 'OK' contains many lines with words / names that are
NOT OK, the column marked 'Better' is only slightly better for those lines
and the column headed 'Excellent' certainly isn't on several lines.
There is guidance on the creation of good passwords at our
companion page: Passwords - best practices, but of course nothing
prescriptive can be written without compromising the passwords created -
hence it is expressed as ideas rather than rules and instructions.
Using - what causes a password to be compromised?
- Passwords you share between sites -
many (but hopefully not most)
web sites that require you to have an account store both your e-mail
address and associated password in plain text format and have very little
security to stop those details being regularly harvested by hackers.
Sadly you only need to have just 1 account at one of the 10-30% of web
sites that have so little security to open the door to all of your other
web site logins sharing that e-mail address and password!
Even if you DO use different passwords at different sites it would be
worthwhile to read the final item in this list, as you
need to ensure that there is ZERO chance of anyone compromising
a high risk site as a result of knowing your passwords at lower levels!
- Simply visiting web pages -
although many people assume that they are safe from malware as long as
they don't click upon (or worse - download and run!) links that
'appear' to be 'bad', that is WRONG - malware can steal information
from other web pages and logins on other web pages! This is
particularly dangerous in two circumstances, the first is obvious:
- When you have a window open (anywhere else in that browser!) to a
web site that is high value and/or high risk to your life, finances etc.
- When you are using web-mail such as BT/Yahoo, Googlemail, MSN,
Windows Live, AOL and most Broadband providers (ISPs) such as Talktalk,
Sky, Virgin, Tiscali etc.
The latter is almost as bad as the first - once a hacker has access
to your e-mail they have access to your whole on-line "world" because
of the prevalent use of e-mail for resetting passwords etc.
- Key logging or other Trojan malware -
malicious software used to be "in your face" but now that serious,
organised criminal teams are using malware for commercial gain the
obvious switch has been made to covert / hidden operation, so that
their foothold on your device (PC, mobile etc.) can be used for
long enough to inflict serious damage on their victims and
their friends and families, as an infected user is an ideal conduit
to their next victim.
Note that a subset of this attack is the use of keyloggers in Internet
Cafés where, although the attack is limited, it can still yield
disastrous consequences depending upon the passwords used/stolen.
- Capture of passwords when using public Wifi (Hotspots) -
this is now prolific - especially for social networking sites when
used from mobile devices - increasingly smart phones, but laptops are
very often totally insecure too.
There is even a Firefox plugin to enable a laptop user to identify
available victims and subsequently hi-jack their session!
The capture of login passwords is not available at all of the (30)
web sites that it supports.
- Trusting the Server when it (or the connection to it!) can be compromised -
although the actual fault is with the integrity and/or competence of
the site owners, their management and suppliers, it remains YOUR
choice as to who to trust with what password(s) - and with which levels
of password - see below!
This is difficult to convey to anyone who is unfamiliar with computing
infrastructure, and in particular its security aspects, and a web site is
perhaps one of the worst places to attempt it for a wide variety of reasons,
but it IS important because web sites with very, very large
numbers of users are being reported as hacked every week and month and
no-one knows how many cover-ups are happening that keep some of the very
largest institutions on the planet out of the press on this topic.
Protection against this type of attack is not directly within your
control but your best defences are to:
- 'buy time' - at least enough to change all other passwords that could
in any way be compromised - keeping your passwords distinct on each site
will probably take you out of the 'low hanging fruit' category.
Also see the next item regarding password 'levels'.
- Make it more difficult for hackers to exploit - a simple but
significant action would be to have more than one e-mail address - see below.
- Allowing hackers to escalate to high risk level sites from lower ones -
as stated in the first point above,
if you use the same password at multiple sites you are inviting hackers
to strip you of the assets they protect.
IF you have planned your use of password risk levels and what resources each
(level) is going to contain - see above - then you are more resilient,
BUT you need to keep those levels extremely well separated - see below.
This notion of levels of risk is best explained by example.
Assume that 1 is the lowest level (very little or NO risk) that
you need and 7 is the highest, where 3 and/or 5 would be intermediate.
3 would be used for the majority of sites at which there is any
significant risk - even as simple as someone impersonating you in an
on-line forum - but where you can't be certain of the integrity and
competence of the site, owners and/or management.
You might use 5 when the latter is known to be good - examples of sites
here would be any site that held any of your credit or debit card details.
Level 7 would be for financial and other important sites
where THEY (as well as you) would potentially lose a
lot of money and/or customers if they failed to keep your passwords,
data and assets safe!
I suggest this numbering so that 9 could be reserved for technologies
sometimes called (password) 'safes', which are available in on-line
(e.g. LastPass, RoboForm etc.)
and device-specific versions
(e.g. KeePass - multi-platform)
- obviously IF you used such a tool then
the compromise of that would probably be disastrous, although one
possible usage would be as a facility to store the dozens of
level 1 (or 0!) passwords that a typical on-line user 'accumulates'
over the years, and that would then NOT be such a high risk.
Q. How can hackers escalate their attacks to the higher level
risk sites you have defined?
This is the closest that this page will get to giving an example of
an algorithm you might use to create passwords - NOTE that it is
deliberately NOT a good example, as it has obvious flaws.
Note also that this is defining a 'Level 1' algorithm so that it can
then be used as a reference for what would make it easier for a hacker
who 'cracked' this algorithm to escalate to sites at your higher
levels of risk.
A sample algorithm for a Level 1 password for a fictitious site -
www.chatbored.ltd.uk (don't check the .com!):
- First 2 characters (of all 'my' level 1 passwords) are always 'l1' -
that is a lower case 'L' followed by the digit '1'
- Next 2 characters are taken from the web site name after the www.
or secure. or similar prefix - in this case 'ch'
- Next 2 characters are 'my' year of birth, say '88'
- Last 2 characters are 'my' initials in upper case, say 'DC'
For a password which is guarding resources / assets that are regarded
as little or no risk ('Level 1') - the password above is NOT
THAT BAD when compared to
this 5 page report on Bad Passwords
where 300,000 (1%!) used the password '123456' and 60,000 used 'Password'.
But the issue is how easy it now is for
anyone (they were published to the web!) to use those
32 million passwords to login at any sites
that are of more importance / value!
Returning to the weakness of the example above -
given the amount of personal information that is available on
the web, it would not be difficult for a hacker who had stolen the above
password (l1ch88DC) from an unprotected site to then explore other sites
at which you might have a login and get a good idea of what
your 'Level 1' algorithm was.
However - even a small hurdle that needs human intervention will
probably be enough to delay an attack on your other credentials.
The escalation risks (i.e. if your next or even higher level passwords
were constructed similarly)
are at least the following; I have deliberately
left out some and included some unlikely ones so that this page is of
little or no use to hackers. They are numbered only for ease of reference:
1. Using multiple sets of two characters
2. Using 'l' followed by a digit at the start
3. Using the start of the web site name
4. Making the next 2 characters digits
5. Using a year or even worse the same year (e.g. Date of Birth)
6. Using initials or even worse the same initials at the end
7. Making the last 2 characters upper case
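The sample 'Level 1' algorithm above and the escalation list that follows it can be turned into a small self-audit, which is added here as an example and is not code from this page: it reproduces the page's deliberately weak scheme only so that there is something concrete to examine, then reports which of the listed traits a higher-level password shares with a lower-level one that you assume has been stolen. The site name www.bank-example.test, the same-scheme 'Level 3' password it builds and the unrelated password 'Tq7#vEp!q2' are all constructed for the demonstration; the only value taken from the page is 'l1ch88DC'.

```python
import re

def site_stem(site):
    """Host name with the 'www.' / 'secure.' style prefix removed, as the
    page's scheme uses it."""
    host = site.lower()
    for prefix in ("www.", "secure."):
        if host.startswith(prefix):
            return host[len(prefix):]
    return host

def level1_password(site, birth_year="88", initials="DC"):
    """The page's deliberately weak 'Level 1' scheme, reproduced only so the
    audit below has something concrete to examine."""
    return "l1" + site_stem(site)[:2] + birth_year + initials.upper()

def class_layout(password):
    """One letter per character: l(ower), u(pper), d(igit), s(pecial)."""
    return "".join("l" if c.islower() else "u" if c.isupper()
                   else "d" if c.isdigit() else "s" for c in password)

def shared_traits(low_pw, high_pw, high_site):
    """Return the escalation traits from the page's list that a higher-level
    password shares with a (presumed stolen) lower-level one. Heuristic: an
    empty list means none of these particular checks fired, not 'safe'."""
    traits = []
    if re.match(r"l\d", low_pw) and re.match(r"l\d", high_pw):
        traits.append("'l' + digit at the start")
    # A two-letter match can be coincidental, so treat this as a prompt to look.
    if site_stem(high_site)[:2] in high_pw.lower():
        traits.append("start of the web site name")
    if set(re.findall(r"\d{2}", low_pw)) & set(re.findall(r"\d{2}", high_pw)):
        traits.append("same two-digit number (e.g. year of birth)")
    if low_pw[-2:].isalpha() and low_pw[-2:] == high_pw[-2:]:
        traits.append("same initials at the end")
    if high_pw[-2:].isalpha() and high_pw[-2:].isupper():
        traits.append("upper-case pair at the end")
    # Same length with the same run of lower/upper/digit groups is the
    # 'multiple sets of two characters' pattern carried to the next level.
    if class_layout(low_pw) == class_layout(high_pw):
        traits.append("same character-class layout")
    return traits

if __name__ == "__main__":
    low = level1_password("www.chatbored.ltd.uk")  # the page's 'l1ch88DC'
    # Constructed 'Level 3' password built with the same scheme, only the
    # level digit changed - the situation the page warns about.
    same_scheme = "l3" + site_stem("www.bank-example.test")[:2] + "88DC"
    unrelated = "Tq7#vEp!q2"  # constructed, no structure in common
    for candidate in (same_scheme, unrelated):
        print(candidate, shared_traits(low, candidate, "www.bank-example.test"))
```

Run against the two candidates, the same-scheme password lights up every check while the unrelated one reports nothing, which is the separation between levels that the page asks for.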
Additional methods of keeping levels of risk separated
Having a different approach (algorithm) to the creation of passwords
for different levels of password is just one technique to make it more
difficult for a hacker to exploit any loopholes or weaknesses.
The list below hasn't been thought through as at 11th June 2012
but I am sure that I and others will add to it in coming months and
years. Again, numbered only for easy reference:
1. Having more than one e-mail address is a very, very useful
technique that obstructs hackers. The reason this creates at least a
short term barrier is that more and more web sites use an e-mail
address as a (login) user name, and the combination of
that with the password is needed to login.
2. Having many e-mail addresses is perhaps(?) even more useful
and can simply be enabled with the purchase of a personal domain.
The reason this could be even more secure is that the e-mail address
used for a particular web site can be completely unique and
dedicated to that particular use, and may be very, very difficult
for the hacker to know.
Anyone wishing to contribute to the list above is welcome to do so,
as I am quite certain that more contributors will improve this page
for all readers.
This page © Business before Technology 2011-2020 - see the respective sites of the owners for their copyright as well as terms and conditions
Links and other information last validated on 22nd May 2012.
Please use the Contact us page to suggest any additions or revisions.