Things we all know:
- Passwords are important
- We should not share our passwords
- Passwords are annoying
- We have too many passwords
Things the IT world knows about people and passwords:
- Passwords will be reused
- People will add a 1 to the end
- People will base them off their lives
- People hate passwords
So, honest truth: none of us are great with our passwords. Unless forced, we rarely change them; we have a default we use for "unimportant" accounts; and we often use bad passwords.
The problem is that there is no longer an unimportant account. Social networking accounts can be used to reset email passwords, email accounts can be used to reset almost any password, and eventually every one of those can lead back to your bank.
So what makes a bad password?
We have all seen the XKCD comic on password strength. OK, that defines (in one way) a good password, but what is a bad password?
- Too short: short passwords are easy to crack or fake.
- Easily guessed: there are any number of "common password" lists out there. If your password is anywhere on such a list, you have a bad password. Just as bad is using a password that is uniquely yours, i.e. your favorite author/book/sport/sports team/etc. Those are also easily guessed.
- Re-used: a password used in two places is bad. If one place gets hacked, your password will likely be tried by an automated system in a bunch of standard locations. It will also be added to one or more of the known password lists and then more easily tried elsewhere during the next hack.
- Unusable: this is a tough one to deal with without help. If your password is a 42-character result of encrypting your cat's DNA and then multiplying it by your dog's DNA... it's not going to be usable. However, you can fix this one easily with a password safe.
How to make a good password:
DON'T
Don't bother manually making a good password. Within the last 5 years more than a BILLION active passwords have been exposed. That means you can assume that whatever cool and innovative trick you're using to make your passwords has been used by someone else, and their password was exposed somewhere along the line.
So don't make passwords by hand. Use a password generator.
Between the password safe and the password generator you should no longer be looking at your passwords, ever.
I personally like 1Password and KeePass as my favorites. LastPass and SplashID are also OK, but not my favorites.
Whichever one you use, create a long password to secure it with, and then never create a password again. Let the safe generate, store and enter your passwords. Use the functionality built into most of them that tells you when it's time to change old passwords.
Yes, the safe is a single point of failure in your personal security, but it's a reasonable trade-off. You, as an individual, are unlikely to get targeted. That means no one is trying to steal and crack your password safe. It does not mean that you are safe from an attack of opportunity.
Those strong passwords, and thus your password safe, make you a much less likely target for easy, automated attacks.
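To make the above concrete, here is an added example (not from the original post or any of the products named in it) that checks a candidate password against the post's "bad password" criteria, including the "add a 1 to the end" habit, and generates a replacement the way a password safe would. The minimum length, the tiny common-password list and the personal-terms list are constructed sample values; a real check would use a large breached-password list.

```python
import secrets
import string

# Constructed sample of a "common password" list. A real deployment would load a
# large breached-password list (the post notes over a billion passwords exposed).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "monkey", "dragon",
}

MIN_LENGTH = 12  # assumed policy minimum; the post only says "too short"


def _strip_trailing_digits(pw: str) -> str:
    """Remove a trailing digit suffix so 'password1' still matches 'password'."""
    return pw.rstrip(string.digits)


def password_problems(pw: str, personal_terms=()) -> list[str]:
    """Return the reasons a password is bad under the post's criteria.

    personal_terms is an optional list of words from the user's own life
    (pet names, favourite team) that someone who knows them could guess.
    An empty result means none of the checks fired.
    """
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    base = _strip_trailing_digits(lowered)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("on common-password list (or a digit-suffixed variant)")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password using the secrets module (CSPRNG), not random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # "Fluffy2019!" is a constructed example of a password based on someone's life.
    for candidate in ["password1", "Fluffy2019!", generate_password()]:
        found = password_problems(candidate, ["fluffy"])
        print(candidate, "->", found or "no problems found")
```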
and that is today's ramble.