
For years I have been espousing the importance of strong passwords. Passwords are the key to your information including pictures, documents, on-line banking and… everything.
Your identity can be stolen and your reputation can be shattered in an instant … all because of compromised passwords.
Now that you understand that, you made your password super-complex… 19P@$$w0rd63 and you figure you are safe. After all, twelve characters, alpha-numeric with uppercase, lowercase, and special characters, what could be stronger, right? Not quite. That password is the dictionary word 'password' with the substitutions everyone uses (a becomes @, s becomes $, o becomes 0) and two digits stuck on each end, which is exactly the pattern that password-cracking tools generate first; it looks complex to a person and is cheap for a machine. And even a genuinely strong password is not the beginning and end of account security.
Things to remember
There is a simple relationship to keep in mind: a password starts out only as secure as its length and randomness make it, and from the moment you set it that security degrades, because anyone guessing at it gains ground with every attempt. The stronger the password, the slower the decline; a short or predictable one is effectively gone almost immediately.
Wow… all of this sounds really confusing, doesn’t it?
I hope this will simplify things:
1) Assume that the moment you set or change your password someone is going to start trying to guess it. Guessing cost grows exponentially with length and character variety, and the gap is larger than people expect: a four-character password, however 'complex', falls in seconds to an offline attack on a leaked hash, while eight truly random mixed-case alphanumeric characters hold up for hours to days against a fast hash and far longer against a slow one. That gap is why network administrators set policies to force you to change your password every so often. Be aware, though, that current guidance such as NIST SP 800-63B no longer recommends forced periodic changes, because people respond with predictable variations (Password1 becomes Password2); change a password immediately when you have any reason to think it was exposed, and otherwise spend your effort on length and uniqueness.
2) The minute you tell someone your password, it is compromised. It doesn’t matter if you tell your mother or your priest, it is compromised.
Risky habits
So now that you are following the rule that you will change your passwords periodically – I recommend setting a specific time frame and sending yourself calendar reminders (or putting them into your agenda) – we should be safe, right?
Unfortunately not. There is another factor that can significantly increase the rate of decline of your password security, and that is where you use it.
Consider this:
- I know it is too scary to think about, but public networks are not safe, and most open wireless networks certainly are not. If you sit in airport lounges, cafes (or restaurants), libraries, schools, or anywhere else with public Wi-Fi and check your e-mail on your laptop, anyone within radio range can capture your traffic, and it takes no special skill. Anything sent without TLS (an https:// address with a valid certificate) is readable in the clear, passwords and session cookies included, so never enter a password on a page that is not https, treat a certificate warning on a public network as an attack rather than a glitch, and use a VPN if you can. That exposure is also why I change my passwords as often as I do.
- If you use the same password on two sites then you are reducing the security of the password, and the more sites share it the weaker it gets. Well-run sites never keep your password at all; they store a salted, one-way hash computed with a deliberately slow algorithm (bcrypt, scrypt, Argon2 or PBKDF2) and, when you log in, hash what you typed and compare. Hashing is not encryption: there is no key that turns the hash back into the password. If such a site leaks its database the attacker still has to crack each hash, which buys you time in proportion to how slow the algorithm is and how strong your password was. Any site that keeps passwords in plaintext (or reversibly encrypted) offers no such protection; the giveaway is clicking 'Password Reminder' and receiving an e-mail that says 'Your password is 19P@$$w0rd63'. When I discover this about a site I immediately 'burn' that password everywhere else. Attackers know that most of us reuse one (or two) passwords for everything, so if they obtain your match.com password the first thing they will do is try it against your e-mail… and banking, and anything else. This is called credential stuffing, and it is fully automated.
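To show what "one-way hash" means in practice, here is an added example, not code from the original post or from any site it mentions, of how a site should store and check passwords using the Python standard library's PBKDF2-HMAC-SHA256 (bcrypt or Argon2 would be preferable where available; PBKDF2 is used here so it runs with no third-party dependencies). The record format, the function names and the sample password are this example's own choices.

```python
import hashlib
import hmac
import os

# Work factor: OWASP's current recommendation for PBKDF2-HMAC-SHA256 is 600,000 iterations.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".

    A fresh random salt per record means two users (or two sites) with the same
    password get unrelated records, so a leaked table cannot be cross-referenced
    against another simply by comparing hashes. The password itself is never stored,
    which is why such a site cannot e-mail it back to you.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and work factor and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True if the record was made with a weaker work factor than now required.

    Check this right after a successful login, while the plaintext is still in
    memory, and re-hash so old records are upgraded over time.
    """
    _, stored_iterations, _, _ = record.split("$")
    return int(stored_iterations) < iterations


if __name__ == "__main__":
    # Constructed example: the same password registered at two different sites.
    record_site_a = hash_password("19P@$$w0rd63")
    record_site_b = hash_password("19P@$$w0rd63")
    print(record_site_a != record_site_b)                     # different salts, unrelated records
    print(verify_password("19P@$$w0rd63", record_site_a))     # True
    print(verify_password("19P@$$w0rd64", record_site_a))     # False
```

Note what the record does not buy you: if your password is weak, an attacker who steals the table can still run the cracking loop from the earlier example against it, just 600,000 times more slowly per guess. The hash protects a strong password; it only delays the fall of a weak one.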
Password managers address the uniqueness problem by generating and remembering a different password for each site. However, online ones are the cloud-based equivalent of writing all of your passwords on a piece of paper (or saving them in a file): if someone gets hold of the vault (or you lose access to it) then you have a problem. A reputable manager encrypts the vault on your device with a key derived from your master password, so in practice the weak points are a guessable master password and malware on the machine you unlock it on; make the master password long and unique, and turn on two-factor authentication for the account.
Likewise for the smartphone-based applications, which are fine until you lose your phone. Make sure the vault is protected by a strong master password rather than only the phone's unlock code, and that you have a backup or a second device from which you can recover it.
Practical advice
Of course, for complete password security it sounds like I am suggesting that you change every password (and make them unique) for every site that you use every week.
Let’s assume most of us have ten sites we use; that would mean you would have to change all ten of them fifty-two times per year. That is not realistic for the best of us. However, remember that not every site that you use requires the same level of security; most people would want to change their banking and e-mail passwords more often than the passwords to their favourite social networking site, and e-mail deserves the most care of all, because it is the reset channel for everything else.
The bottom line is that password awareness is hugely important. Keeping your passwords secret, making them unique, and changing them promptly when they may have been exposed are just as important as making them strong.
This is true for on-line passwords as well as local ones to ensure that everything that has your name on it is really yours.
Got a question for Mitch? Please post it in the Comments section below.
Tags: passwords
This is an excellent article.
I would love to get your take and recommendation on the various password managers, in particular, the Kaspersky Password Manager. There are three perspectives that I would like to hear about.
1. Ease of use
2. Security
3. Can any Password Manager provide automatic assistance with the weekly or monthly change of your passwords.
Great work Mitch.
Thank you Linda! I do not plan to do specific product reviews for several reasons. Because of my corporate affiliation it can get tricky – if I review it well then the company benefits and gives me no recognition for it, and if I review it poorly then the company blames me and traditionally that has not gone well for anyone except my attorneys.
Thanks for reading!
Your advice is outdated.
Security experts in general agree that choosing a good password is far more important than changing it regularly. (See Bruce Schneier – http://www.schneier.com/blog/archives/2010/11/changing_passwo.html) You gloss over this part, and in fact give atrocious advice (your ‘super-complex’ password is a dictionary word with common substitutions that would be near the top of any cracking program’s list). Furthermore, as humorously illustrated by xkcd (http://xkcd.com/936/), you’re better off choosing a much longer password consisting of random words, mathematically speaking – easier to remember and harder for computers to guess.
Years of policies forcing people to change passwords regularly just make people choose less secure passwords with — for most applications — no increase in security. (A hacker with your banking password is not going to sit on it for a month – once he gets it, it’s already too late).
Furthermore, it seems that most password compromises are a result of phishing attacks or malware infections, in which case it doesn’t matter how complex your password is or how often you change it, since you’re just handing over a current password to the attacker yourself.
See here for more info: http://www.baekdal.com/insights/password-security-usability
Some good tips in this article, but my burning question is how the heck to remember all these strong passwords!! Bring on biometrics. Scan my retina please and junk all these crazy passwords.
Catherine, that is a great point, and although there are plenty of biometric and two-factor authentication solutions for the corporate world, there are layers of complexity that are not conducive to adapting the current technologies to the consumer space. While there are many laptops (and desktops) that have fingerprint scanners, these are terribly insecure. As for retina scans… I like your thinking! I don’t know when it is going to come to the consumer space, but I’ll keep my EYE open for it.
Thanks for reading!
What has been missing from all these discussions is that the best way to store a password has been (and always will be) offline. If it is not in a computer – it can’t be hacked.
The objection that people have to keeping a password written down is that somehow by writing it down they are opening themselves up to losing it or having it stolen. (Never mind that online hacking is 10,000 times more common than actual theft.)
But this author has found a solution to both issues. An offline password organizer that is just as encrypted as it would be online. The 5th Dimension Password Keeper (Amazon $9.95) keeps internet passwords safe from offline thieves as well. Yet, it is still really easy to use.
Look for it online.