Securing your Passwords

March 23, 2008

Password Security Explored
In this article we will discuss the security issues surrounding passwords. We will show how passwords can be compromised, how to ensure you maintain a good password set, and we will provide links to tools that can be used to audit your passwords’ effectiveness.

A password is usually the first and sometimes the only security defense guarding sensitive data. With all of the modern tools and technology that your business or home network may employ, the password can act as a “window” in a largely impenetrable fortification. As a systems administrator, I feel that a compromised password may not be a top priority for your IT staff. Large and mid-size companies have other measures in place to protect the sensitive corporate data. A compromised password may affect you more personally, though. Because your password is the primary security measure in place, if someone can gain access to your password(s) they have access to all of the information that password protects. In most cases a person’s password is the same from business to home, which can translate to total access to your personal information. The intruder could then gain access to your business and personal contacts, run malicious programs that “sniff” out other passwords (i.e. email, financial), and do all of this undetected, because you have no way of knowing your password has been stolen.

Password security, like network security, is more of a philosophy. For your password to help protect you, you must help protect your password.

First let’s discuss choosing a password. Since a password is so important to your overall security, it should not be chosen in haste. I would highly recommend using a password generator. Password generators create a random password that consists of letters, numbers and symbols in no distinguishable order. These generators can be downloaded to your computer or USB drive; there are also some on-line password generators. At the bottom of this article I will provide links to some well known password generators.

If you choose to create your own password you should keep the following in mind:

Choose a seemingly random set of letters, numbers and symbols while varying the case. (e.g. TXUu39!Q$66)

Choose a lengthy password, roughly between 8 and 12 characters.

If you have many password protected accounts, choose a password that can be decremented. (e.g. TXUu39!Q$66 -yahooID, TXUu39!Q$65 -googleID, TXUu39!Q$64 -workID)

Which brings me to my next point … pay attention, this is important … Do NOT use a universal password! If the password to your workID account is compromised then all of your accounts have been compromised. You don’t use the same key for your house, car, and lockbox, do you?

Finally, memorize! Don’t write your password(s) down and don’t write down an obvious hint. Simply say your password in your head for a while and memorize it.
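As an added example (not code from the original article), here is a small Python generator and checker that apply the rules above: random letters, numbers and symbols with varied case, a length of 8 to 12 characters, and no obvious dates. The symbol set and the date pattern are my own assumptions; the randomness comes from the `secrets` module, which is the right source for passwords.

```python
# Added example, not from the original article: generate and check passwords
# against the article's own rules. `secrets` is a CSPRNG; never use `random`
# for passwords.
import re
import secrets
import string

SYMBOLS = "!$%&*+-=?@#^_"          # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Assumed "obvious date" pattern: a 4-digit year or something like 12/25 or 3-14.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/-]\d{1,2}")


def check_password(pw: str) -> list:
    """Return the list of article rules that `pw` breaks (empty list = passes)."""
    problems = []
    if not 8 <= len(pw) <= 12:
        problems.append("length not between 8 and 12")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("case not varied")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    if DATE_RE.search(pw):
        problems.append("contains a date-like number")
    return problems


def generate_password(length: int = 12) -> str:
    """Return a random password of `length` characters that passes check_password."""
    if not 8 <= length <= 12:
        raise ValueError("the article recommends 8 to 12 characters")
    # Rejection sampling: draw uniformly from the alphabet and retry until every
    # rule holds, so the result stays uniformly random among passing strings.
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    print(generate_password(12))
    print(check_password("flower81"))     # the weak example from later in the article
```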

Next, let’s take a look at what the Bad Guys are doing to compromise your passwords.

Most people today that have a computer also have some sort of Anti-Virus software installed. This software protects you from a variety of viruses and malware programs, including one of the favorite tools used by attackers … keyloggers. These nifty little programs have a very small footprint on your system resources and can run in the background collecting all of your keystrokes, web pages visited, and sometimes programs launched. Keyloggers are definitely one of the best ways to spy on a user or set of users on a computer. Keyloggers do not have to be programs run on your machine either; attackers can actually attach a hardware keylogger to the back of your computer (plugged directly into your keyboard port). Needless to say, not many people (at least marginally sane people) check the back of their computer every day for keyloggers! Other methods of obtaining your passwords can be a little more sophisticated, like: wireless traffic sniffing, dictionary attacks, man-in-the-middle attacks, memory image forensics, and much more!

By this point you are probably getting a little paranoid; if you’re not, then you should be. The methods I just mentioned and the tools that employ them are being distributed over the internet freely and for the use of many different skill sets. Some of these hacking tools have become as easy as clicking a button. So you might be asking yourself, “How do I protect myself from these types of attacks?” The short and disturbing answer is “you can’t”, but that applies only to the most determined attackers. For the casual kid-in-the-basement attack there are some things you can do to protect your passwords.

Here are a few:

Create a good password (as mentioned above)

Don’t share your password with ANYONE

Change your passwords regularly

For those of you afraid of keyloggers, try filler characters. If you are entering your password “flower81”, start by typing “fl” in the box, then click away and type rubbish “asdkf;lkj”, then click back into the box and finish with “ower81”. If a keylogger is present, your password will look like “flasdkf;lkjower81”.

Do not go to sensitive areas (like bank websites) when you are on unknown or “coffee shop” networks.

Always look for the “https” or secure lock icon in your browser when entering sensitive areas. (HTTPS means your communication is encrypted.)

Always lock your computer or laptop before leaving it.

Don’t use important dates or names for passwords.

I’m going to push this one again … Memorize your passwords!

Following these rules can help deter attackers and help protect you from potential headache or worse, Identity Theft!

As I promised, here are a few links to some great password applications.

Online password strength tester: Microsoft Password Checker

Online password generator: www.techzoom.net/security-password.

Password generator and safe: Keepass (Highly recommended!!)

Secure your communication: PGP

Secure your data: True Crypt

Enjoy!
