by Paul Arnote (parnote)
By now, each one of us has heard it a million times and then some. Every time we turn around, someone else is talking about password security. The hacking of the Ubuntu Forums in July drove the issue back to the foreground of computer security conversations.
On July 21, 2013, a hacker calling himself Sputn1k_ gained privileged access to the Ubuntu forum servers. Not only did he deface the site, he also made off with an estimated 1.82 million email addresses and password hashes belonging to Ubuntu forum members. The passwords were not stored in the clear, but the protection turned out to be weak. The forums ran on the vBulletin software, which the attacker got in through, and which stores passwords as a salted MD5 hash. The salt stops an attacker from using precomputed tables, but MD5 is so cheap to compute that a modern graphics card can test billions of candidate passwords per second against each hash, so anything built from a dictionary word with a few substitutions falls quickly. You can read the Ubuntu forum hack postmortem article for details about how the forum was compromised. The Ubuntu forum was closed for a week or more as a result.
Add into the mix the recent uproar about the U.S. National Security Agency (NSA) spying on the computer and telephone communications of average, non-threatening citizens all around the world. No one is exempt from the NSA's intrusions into everyday life. Discussion about the security of your data, personal information and accounts has reached a fever pitch, thanks to these two very high profile situations.
As such, it's timely to reexamine what makes a good password and which password habits to avoid. First, the habits to avoid.
What NOT To Do
- Don't use numbers easily associated with YOU. Avoid your zip code, telephone number, street address, birthday or (heaven forbid) Social Security number. Anyone attempting to break into your accounts will try these first.
- Don't use proper nouns. The name of your girlfriend, wife, pets or employer is just as weak as a number associated with you. An attacker who knows anything about you, or who can read your public profiles, will try these well-known facts in an effort to crack your passwords.
- Don't base your password on your username. When signing up for an account, you might be tempted to derive the password from the username. DON'T DO IT! It's too easy to guess, and cracking tools try the username and simple variations of it before anything else.
- Don't use real words or phrases you can find in a dictionary. Everything popular is on a wordlist, and wordlists are in the hands of the attackers. You can bet your last cent they will try every word on that list, along with the usual variations. You might be tempted by something you are really interested in and find easy to remember, but resist the temptation. A password built that way won't stand up to a dictionary attack.
- Avoid ANYTHING on this list. Here's a list of the 25 most common passwords from 2012. Trust me ... some of these may have you rolling on the floor with laughter.
- Don't reuse passwords between sites. We've all done it. We latch onto a "favorite" password that we somehow develop an emotional bond with, or one that's incredibly easy to remember. If that password is stolen from one site (like the Ubuntu Forum site), every other account you "protect" with it is at risk too, because attackers routinely try leaked email and password pairs against other sites.
What TO Do
- Use a phrase to "seed" your password, using a method that only YOU know. This isn't hard. Memorize the first sentence of your favorite novel, or your favorite line from your favorite movie, then make your password from the first letter of each word in that phrase. To make it harder still, use the second letter of each word instead.
- Use a mixture of lowercase letters, uppercase letters, numbers, symbols and punctuation marks. The more you mix it up, the better, but avoid "predictable" patterns such as a period after every letter. Some systems allow nothing but letters and numbers in a password. That limits you somewhat, but length makes up for it: every extra character multiplies the number of combinations an attacker has to try by the size of the alphabet, so a long letters-and-numbers password still beats a short one full of symbols. On systems that do allow symbols and punctuation, add them to the mix as well. Also be aware that some systems now allow spaces in passwords.
- Periodically change your passwords. How often is debated, but if you're the least bit interested in protecting your data and accounts, change them at least once a year. If you're determined to protect your identity, data and accounts, change them every 60, 90 or 120 days. Whatever schedule you pick, change a password immediately when the site it belongs to announces a breach, as the Ubuntu Forums did.
- Use a unique password for each separate account. We've all been guilty of reusing passwords. But when ... not if ... one of your favorite sites (like the Ubuntu Forum site) gets hacked, every other account that used the same password and user information is at risk. Take a look at one suggestion in the "How To Make A Secure Password" section of this article, a little farther on.
- Size DOES matter. Bigger is better. Take the eight character password Som3TiM3 as an example. According to the strength estimator used in the next tip, an attacker with an average desktop PC would need about 15 hours to try every combination of that length. It mixes uppercase letters, lowercase letters and numbers, yet it is nowhere near as strong as Som3TiM3syOuSnffeR. The latter, at 18 characters long, would take that same attacker about one quadrillion years. Yes, that's 1,000,000,000,000,000 years. That seems like a pretty good level of security to me! Notice how I used a "3" for the first two occurrences of the letter "e" and an "n" for the letter "u" (after all, a "u" turned over is an "n"), all without a single symbol or punctuation mark. One caveat: those figures assume the attacker tries every possible combination blindly. Som3TiM3 is the word "sometime" with a very common substitution, and cracking tools apply exactly those substitutions to every word in their lists automatically, so against a leaked hash the real time is far shorter than 15 hours. Length, and letters that don't spell out a dictionary word, are what the extra ten characters buy you.
- Test your password. So how did I find out how secure the passwords in the previous tip were, and how do you find out how secure YOUR passwords are? While you could leave it to chance and delude yourself into thinking your passwords are secure, there are websites where you can test them. I was surprised to find out that some of my passwords that I thought were secure could be hacked in only hours. Just perform an internet search for "check password strength."
One such site is called How Secure Is My Password. Another is Gibson Research Corporation's "How Big Is Your Haystack?" page. Enter a password and you get immediate feedback. Never type a password you actually use into a site like this; make up a different password using the same schema, test that, and then apply the schema to your real password. Keep in mind what these sites measure: the size of the search space for a blind brute-force attack (the Haystack page says so itself). They cannot tell whether your password is a dictionary word with a few substitutions, which is what an attacker tries first, so treat their figures as an upper bound.
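To make the "years to crack" figures in the two tips above concrete, here is an added example that is not code from the article or from either website: it recomputes the brute-force estimate the way those sites do, and then shows the much cheaper dictionary-plus-rules attack the estimate ignores. The alphabet sizes and the guess rate are assumptions, chosen because they reproduce the figures quoted in this article (15 hours, about one quadrillion years, and the 37-year and 412-trillion-year numbers further on); the wordlist is constructed for the demo.

```python
# Added example, not from the article or the websites it names: a brute-force
# "time to crack" estimate in the style of those sites, next to the cheaper
# dictionary-plus-rules attack that such estimators ignore.
from typing import Optional

# ASSUMPTION: these alphabet sizes and guess rate are not published parameters
# of any site; they are the values that reproduce the figures quoted in the
# article (15 hours, 37 years, 98 million years, 412 trillion years).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 34}
GUESSES_PER_SECOND = 4e9  # the article's "average desktop PC"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet an exhaustive attacker must cover: the sum of the character
    classes the password uses (the estimators assume the classes present
    are exactly the classes searched)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to try every string of this length over this alphabet."""
    return charset_size(password) ** len(password) / rate


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return brute_force_seconds(password, rate) / SECONDS_PER_YEAR


# Substitutions that cracking-tool rule sets undo (or apply) automatically.
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def dictionary_core(password: str, wordlist) -> Optional[str]:
    """Return the wordlist entry the password is built on, or None.

    First try the password with non-letters removed (29@Computer!61<> ->
    computer), then with leet substitutions undone first (Som3TiM3 ->
    sometime). This is a small slice of what a rules engine does."""
    letters_only = "".join(ch for ch in password if ch.isalpha()).lower()
    deleeted = "".join(ch for ch in password.translate(LEET) if ch.isalpha()).lower()
    for candidate in (letters_only, deleeted):
        if candidate in wordlist:
            return candidate
    return None


def rules_attack_seconds(wordlist_size: int, rule_count: int,
                         rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for a wordlist x rules attack: every rule on every word."""
    return wordlist_size * rule_count / rate


# Constructed wordlist for the demo; real lists have millions of entries.
WORDLIST = {"password", "computer", "sometime", "linux", "ubuntu", "thingy"}


def report(password: str) -> str:
    years = brute_force_years(password)
    base = dictionary_core(password, WORDLIST)
    if base is None:
        return f"{password}: {years:.3g} years by brute force; no dictionary base found"
    # ASSUMED attacker: a one-million-word list with ten thousand rules.
    secs = rules_attack_seconds(1_000_000, 10_000)
    return (f"{password}: {years:.3g} years by brute force, but it is '{base}' "
            f"with substitutions; a wordlist+rules attack needs at most {secs:.1f} s")


if __name__ == "__main__":
    for pw in ("Som3TiM3", "Som3TiM3syOuSnffeR", "29computer61",
               "29@Computer!61<>", "54thiNgy28PCLX", "54@thiNgy28PC?LX"):
        print(report(pw))
```

Running it prints the article's 15 hours (about 0.0017 years) for Som3TiM3 and roughly 1.45 quadrillion years for the 18-character version, but flags Som3TiM3 and the "computer" passwords as dictionary words dressed up: with a million-word list and ten thousand rules the attacker is done in seconds at the same guess rate, and a fast hash such as vBulletin's salted MD5 lets a single graphics card test candidates far faster than the 4 billion per second assumed here.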
How To Make A Secure Password
Secure passwords aren't all that difficult to come up with. We've already discussed a few methods: use a passphrase to "seed" your password, mix in numbers, letters of varying case, symbols and punctuation marks, and avoid any word you can find in a dictionary. We even talked about using openssl to generate random passwords in the September 2009 issue of The PCLinuxOS Magazine.
Find a method that works for you. For example, you can start with a base phrase and add elements to it. Let's use "computer" as our base phrase and add some numbers, so "29computer61" becomes our password. But let's not stop there. Add some punctuation and symbols, and "29@Computer!61<>" becomes our password.
Let's use the first website to test these. The base phrase alone would be cracked almost instantly. With the numbers added, the estimate jumps to 37 years for an attacker with an average desktop PC. With the punctuation, symbols and one uppercase letter added, the third version, only 16 characters long, is estimated at 412 trillion ... 412,000,000,000,000 ... years. Bear in mind that all three are built on the dictionary word "computer". The estimator only counts blind combinations; an attacker who starts from a wordlist and tries digits and symbols around each word gets there far sooner than the estimate suggests.
Another method is to incorporate the name of the site into your password, which helps make it unique to that site. As an example, let's set up a password for the PCLinuxOS forum. First, start with your passphrase seed (thiNgy). Second, add some numbers (54thiNgy28). Third, add some part of the site name (54thiNgy28PCLX); here we used four of the consonants from "PCLinuxOS". For Google we would add GGL, Yahoo would become YH, and Ubuntu could be BNT, or UBU if you prefer the vowels. You get the idea. Fourth, add some symbols and punctuation (54@thiNgy28PC?LX). With this method you can create a unique password for every site you visit. The caveat is that the uniqueness is shallow: if one of these passwords leaks in plaintext, or is cracked from a weakly hashed database, whoever has it can see the fixed part and guess the site-name rule, and then has a very short list of candidates for your other accounts. Treat a recipe like this as better than reuse, not as a set of independent passwords.
So ... how secure is that? The How Secure Is My Password estimates for the last two passwords above, for an attacker using an average desktop PC:
- 54thiNgy28PCLX: 98 million years
- 54@thiNgy28PC?LX: 412 trillion years
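The seed-from-a-phrase tip in the "What TO Do" list and the four recipe steps just above, written out as code. This is an added example and not the article's own code: the function names, the fixed consonant rule (which yields PCLN for PCLinuxOS where the article hand-picked PCLX) and the symbol positions are this example's choices. The last function shows the attacker's side of the recipe.

```python
# Added example, not from the article: the article's "recipe" steps written as
# code, plus the pivot an attacker can make from one leaked recipe password.
# Function names, the consonant rule and the symbol positions are this
# example's own choices, not anything the article specifies.
import re
from typing import Optional

VOWELS = set("aeiouAEIOU")


def seed_from_phrase(phrase: str, position: int = 0) -> str:
    """Seed a password from a phrase: take the letter at `position` from each
    word (0 = first letter, 1 = second). Words too short are skipped."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return "".join(w[position] for w in words if len(w) > position)


def site_tag(site: str, max_len: int = 4) -> str:
    """Uppercase consonants of the site name, at most max_len of them.
    ASSUMPTION: a fixed rule. It gives GGL, YH and BNT as in the article, but
    PCLN for PCLinuxOS where the article hand-picked PCLX."""
    consonants = [c for c in site if c.isalpha() and c not in VOWELS]
    return "".join(consonants[:max_len]).upper()


def recipe_password(seed: str, numbers, site: str) -> str:
    """Article steps: seed, wrap in two numbers, append site tag, add symbols.
    Symbol placement chosen here: '@' after the first number, '?' after the
    second consonant of the tag."""
    first, second = numbers
    tag = site_tag(site)
    return f"{first}@{seed}{second}{tag[:2]}?{tag[2:]}"


def pivot_from_leak(leaked_password: str, leaked_site: str,
                    target_site: str) -> Optional[str]:
    """The attacker's side: given one recipe password and the site it came
    from, swap the site-derived tail for the target site's tag. Returns None
    if the password does not end with the tag this rule predicts."""
    old = site_tag(leaked_site)
    old_tail = f"{old[:2]}?{old[2:]}"
    if not leaked_password.endswith(old_tail):
        return None
    new = site_tag(target_site)
    return leaked_password[: -len(old_tail)] + f"{new[:2]}?{new[2:]}"


if __name__ == "__main__":
    seed = seed_from_phrase("It was the best of times, it was the worst of times")
    for site in ("PCLinuxOS", "Google", "Yahoo", "Ubuntu"):
        print(site, recipe_password(seed, ("54", "28"), site))
    # One leaked password is enough to reach every other account.
    leaked = recipe_password(seed, ("54", "28"), "PCLinuxOS")
    print("guess for Google from the PCLinuxOS leak:",
          pivot_from_leak(leaked, "PCLinuxOS", "Google"))
```

The pivot is the point: everything a recipe adds per site is derived from a public name by a rule, so one plaintext leak, or one cracked hash from a site using a fast hash like salted MD5, hands the attacker the fixed part and leaves only the rule to guess. That is still better than reusing one password everywhere, which is what the article is arguing against, but it is not the same as having independent passwords.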
If you want to explore some other ways to create unique passwords, I highly recommend Luigi Montanez's Protect Yourself With Password Recipes article. That's what I've proposed above ... a secret recipe for creating your passwords that ONLY you know.
Almost everything we do in these times has some kind of online influence. You can order a pizza online for home delivery. You can shop for clothing without ever getting up off of your sofa. You can pay your bills and manage your bank accounts online.
If you think this is password security overkill, you won't think so for long if your personal information, accounts and private data are hacked. Who knows what the hacker(s) will do with that information. They could do nothing with it, if all they were after was to see whether they could break into a system. Or they could literally destroy your life, your financial security and your reputation. Fortunately, Sputn1k_ has since said he will not try to crack the Ubuntu forum password hashes, despite the weak hashing. Not all hackers would pass on such an opportunity.
The username and password method of protecting your accounts is a bit long in the tooth. It doesn't scale well to the internet, where we have a plethora of accounts, each with a different content provider. In a way, it fuels people's desire to be lazy and find shortcuts ... like using the same password over and over for many sites. Security experts broadly agree that something better needs to be developed. You can read this article for a general discussion about what needs to be done and what's being done.
In today's age, information is king. We live in a much different time than even when I was born in 1960. We face information overload every single day. We are interconnected in ways no one could imagine even 20 years ago. Creating a secure password is your front line defense. Make your passwords long and complex, following the tips provided here, and you just may make the hackers' job too difficult to be worth mounting an assault on your data. Instead, they'll move on to "lower hanging fruit," cracking the passwords of users who haven't bothered to create a secure one. Creating secure passwords to protect YOUR information, data and reputation ... at least until something better comes along ... is more vital now than it has ever been.