You’ve probably been hearing about the computer bug Heartbleed recently. It’s bad and it affects you, but don’t despair. This is a great opportunity to make your online life more secure and easier to manage. I’ll tell you how!
First off let’s talk about Heartbleed. Basically someone goofed and released a bug in some software that helps websites secure connections between you and their servers. It’s what makes the “s” in https stand for secure. You can read up on the details yourself [edit: XKCD has a great explanation] but long story short it compromised a lot of servers across the Internet, servers where you might have an account. Which you now need to update with a new password.
The good news is that you probably needed to update your passwords anyways! I’m going to explain why passwords are important and how to keep your passwords secure and manage them with ease, after the jump.
If you’re like most normal people you know that passwords are important and you’ve probably got a few variations on a theme that you use: the normal one, the one with a number in it, and the “strong” one for e-mail and banking. It’s already a pain to keep track of which one goes to what website and generally it’s something you’d rather not deal with.
First I’m going to tell you why passwords are important then I’m going to give you some ways to make the whole process much less painful while keeping yourself secure. Click here if you want to just skip to the how.
Why should I care about passwords?
In a nut shell: hackers.
Now I’m not talking about people, per se, I’m talking about robots that hackers employ to “hack” many millions of people at once. If you’re in a situation where a real live hacker is trying to gain access to your Facebook account you’ve got bigger problems than general password safety and your use case is outside the scope of this post. Good password management will keep malicious robots and prying ex-lovers out of your accounts but you’ll need a much higher level to keep a skilled adversary out of your Instagram.
Your typical hacker isn’t personally going to crack your password. They are going to write scripts that exploit known vulnerabilities in systems across the web. This is why it’s a good idea to keep your software up-to-date. Most of the time “ethical hackers” (called white hat hackers) find security flaws in programs like Internet Explorer, Flash Media Player (an update literally just popped up while I wrote this), and OpenSSL (e.g. Heartbleed) before the bad guys do. They will then report the issue and a “patch” will be made for the software. This is why you are constantly seeing your system ask you to update Flash or Java. These updates are constantly fixing security holes.
Pro tip #1: keep your system up-to-date
This same methodology is used to break into your account. A script will take a bunch of user names, which are often publicly available, and just try common passwords like “123456”, which recently became, according to splashdata.com, the #1 most used password (it unseated “password”).
How do we know these are common passwords? From data breaches like the one that hit Adobe last year. This means that hackers have a fairly good list of common passwords. Chances are that if you haven’t put much thought into your password, thousands of other people have put just as little thought into theirs, and you’re all using the same one!
Here’s the thing, when you use crappy passwords you’re putting yourself and your friends at risk. It’s easy to understand how keeping your bank account secure is important, but consider your social network. If you’re on Facebook and you message a friend, it’s as if you are talking to them. If someone else has control of your account they can speak on your behalf, using the trust you’ve built with people you love to exploit them! A few years back I nearly sent $800 to England because I thought a friend was stranded there. Less extreme issues can come when a hacker sends malicious links to friends. Your weak password could have just allowed a hacker to trick your friends and family into downloading a debilitating virus!
Worse yet, that malicious software your grandma just downloaded from an e-mail “you” sent her might have just made her computer part of a botnet – a zombie-like network of computers that can be controlled by a third party. This botnet might be used by Chinese hackers to attack European targets, setting off World War 3.
See what horrors your weak passwords cause? Not to worry, today is the day you change all of that!
Go ahead and test your password over at howsecureismypassword.net and let me know how you scored in the comments.
How can I change my wicked ways and be a password god?
I want you to stop reading this right now and open your calendar. Now block out 2 hours that you will dedicate to updating your passwords.
I’ll wait…
Okay, great. Let’s look at the factors for great passwords and how to manage those passwords.
Here are some key points which I’ll go into more detail below:
- Don’t ever use the same password twice. Keep it unique.
- Use a mix of numbers, capital letters, spaces, and symbols. Mix it up!
- Make the password long. In this case length does matter!
- Try not to use words you’d find in the dictionary. Think like Hulu and Xerox!
- Keep it impersonal.
- Use a password pattern or a password management system.
Don’t repeat passwords!
Never use the same password for different services. If you disobey this rule, at least have unique passwords for sensitive services like e-mail and banking.
Here’s a relevant XKCD that explains why:
Here’s the scam black hat guy is talking about. Let’s say you sign up for dailycatphotos.com, and they ask you for a username, e-mail, and password.
[email protected]
your_user_name
yourp4ssw0rd
This is now in the dailycatphotos.com database. Let’s say that you’re very bad and use the same password and e-mail for your Facebook login. This means that anyone with access to the dailycatphotos.com database can look you up, try your e-mail and password on Facebook and gain access to your account.
Pro tip #2: Don’t re-use passwords!
Mix it up, make it long, and don’t pull from the dictionary
When designing a password, length is most important. The amount of computer resources it would take to “brute force” a password – try every possible combination of characters to guess the password – goes up exponentially with each character added.
So a 9 character long password would take a matter of minutes while a 10 character password takes hours to “crack”.
Adding more kinds of characters also increases your password’s strength. If you use only lower case letters your adversary will know that there are only 26 possible characters for each slot. If you use capital letters that doubles the possible characters; throw in symbols (!@#$%^&*) and even spaces and you’ve made your password much more complex.
Pro tip #3: M1X 1t-upppp!
You’ll also want to avoid common words. Passwords with common words that you’d find in a dictionary are easier for a computer to “crack”.
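To put numbers on the three points above (length, character mix, dictionary words), here is a small Python calculator. It is an added example, not part of the original post; the attacker guess rate of ten billion guesses per second and the 10,000-word dictionary are assumed figures chosen for illustration.

```python
import string

# Assumed attacker guess rate for illustration only; not a figure from the post.
ASSUMED_GUESSES_PER_SECOND = 1e10


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must search, assuming they know
    which character classes (lowercase, uppercase, digits, symbols, space)
    the password draws from."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
        (" ", 1),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def combinations(alphabet: int, length: int) -> int:
    """Every possible password of this length over this alphabet."""
    return alphabet ** length


def seconds_to_exhaust(password: str) -> float:
    """Worst-case time to try every candidate of the same length and mix."""
    return combinations(alphabet_size(password), len(password)) / ASSUMED_GUESSES_PER_SECOND


def word_combinations(words: int, dictionary_size: int) -> int:
    """Search space when the attacker guesses whole dictionary words instead
    of characters: dictionary_size choices per word position."""
    return dictionary_size ** words


if __name__ == "__main__":
    for pw in ["abcdefghi", "abcdefghij", "Dancing 1n th3 MIST what @ w0nder!"]:
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"{seconds_to_exhaust(pw) / 3600:.1f} hours to exhaust")
    # A 33-character all-lowercase phrase looks enormous as characters...
    chars = combinations(27, 33)
    # ...but as 7 words from an assumed 10,000-word dictionary it is far smaller.
    words = word_combinations(7, 10_000)
    print(f"character search space / word search space = {chars / words:.1e}")
```

At the assumed rate an all-lowercase 9-character password is exhausted in about 9 minutes and a 10-character one in about 4 hours, which is the minutes-versus-hours gap described above. The final comparison shows why a phrase of plain dictionary words is weaker than its character count suggests: the word-based search space is about 19 orders of magnitude smaller.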
Don’t make it personal!
Never use any personal information in your passwords. Don’t use birth dates, addresses, names or anything else that is connected to you. If I were trying to crack your password the first thing I would try is combinations of your birthday and other personal information.
Let’s build a strong password system
You have two main options for managing passwords. Either you come up with a “Password Template” (as I call it) or you need to use a password manager.
The Password Template
The objective of a password template is to create a password that is both memorable and unique. Let’s use the lessons we learned above to construct our password.
The first step is to make something long and memorable. This can be a turn of phrase or some kind of quote you enjoy. For this example we’ll use a random phrase:
dancing in the mist what a wonder
Weird but it’s a good length, let’s add some symbols and capital letters.
Dancing 1n th3 MIST what @ w0nder!
This is getting much better. Any service will congratulate you on having such a strong password! So how do we make it unique? Easy, just add the service name inside the password, like so:
Dancing 1n th3 Facebook MIST what @ w0nder!
Dancing 1n th3 Gmail MIST what @ w0nder!
Dancing 1n th3 Bankname MIST what @ w0nder!
See the pattern? Each password is now both strong and unique. This method allows you to keep many strong passwords in your head. Now go make your own!
The downside, of course, is that if someone finds out one of your passwords they have all of your passwords. Though you could find a clever way around this issue I’m sure. [update 4/12/14]
Password management
Another great method for managing passwords is using a software tool to store all of your passwords in a vault. The basic concept is that you have all your passwords stored behind a single login, so you only need a single password to unlock all your other passwords.
There are a few options:
- KeePass – This is the software that I use, it’s a bit more technical but leaves me in complete control. I can open my password database on my Android phone and keep a copy on a thumb drive.
- LastPass – This is an online service which seems to be very good, though I’ve never used it.
- Roboform – This is the service my mom uses. It seems well integrated with browsers and serves her well.
Let me walk you through my common password process.
I go to the new service I want to create an account for.
Go through the normal process and simply copy and paste the information into the program. KeePass even has a password generator:
All the passwords I create are big and random. The downside is that if I can’t access my password database I can’t log into anything!
KeePass has a method for creating an auto-type sequence so I can press a single button and have it automatically fill in my user name and password.
The downside is that all your passwords are now random; not even you can remember them. So forget logging into your Friendster account from your buddy’s computer, unless you bring KeePass along with you on a thumb drive or use another service that provides a way to access your passwords remotely.
Conclusion
So that’s that. Now you know why it’s important to have strong and unique passwords and you have two methods to go forth and update your accounts.
Many services now offer the ability to use two factor authentication. Whenever possible please use it; it will keep you even more secure.
Do you have a password management strategy? What do you like? What do you have challenges with?
Resources
- Here’s a great post from Guillaume M. about what to do if your e-mail (or any service) gets hacked.
- Mashable’s list of The Passwords You Need to Change Right Now.
- General information about the bug at heartbleed.com