Weak Password Control – A Self Inflicted Injury

Over the weekend, Gawker.com was attacked, leading to a compromise of some 1.5 million user login credentials on Gawker-owned sites, including Gizmodo and Lifehacker.

According to Gawker Media:

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

In an ironic twist to this tale of woe, it turns out that Nick Denton, the site’s founder, had not followed his own advice and in fact, used the same password for his Google Apps account, his Twitter account, and others.

So what gives? Why would someone with the supposed technical competence of Denton be so boneheaded? I suspect it’s because the reality is – he’s no different than any typical user when it comes to establishing and enforcing proper password control. A lackadaisical effort is the norm.

I understand the dilemma. Complicated (in other words, safe) passwords are hard to remember, whereas easy (in other words, unsafe) passwords are easy to remember. And a single password is surely easier to remember than a series of passwords, simple or not. No surprise, then, that most computer users employ a single, easy to remember, and consequently unsafe, password.

So what’s a user to do to avoid this critical security lapse? Well, you could follow the most common advice you’re likely to find when it comes to password control, and install a “password safe” – an application designed to store and retrieve passwords.

The Internet is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true. In my view, the password safe advice falls into this category.

Let me pose this question – you wouldn’t hang your keys outside your front door, would you? Of course you wouldn’t. Then why would you save passwords on the Internet, or on your computer? If there is one computer truism that is beyond dispute, it’s this – any computer application can be hacked, including password safes.

I have never saved passwords online, or on a local machine. Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure. There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue.

I know that on the face of it, writing down your password seems counterintuitive, and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?
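The guidelines above can be written as a simple check. This is an added example, not part of the original article; the function name, the tiny word list and the site names used with it are constructed for illustration.

```python
import string

# Constructed sample word list; a real check would load a full dictionary
# or a list of commonly used passwords.
SAMPLE_DICTIONARY = {"password", "monkey", "dragon", "letmein", "sunshine"}


def check_password(candidate, site, written_list=None, dictionary=SAMPLE_DICTIONARY):
    """Return the guidelines that `candidate` breaks (empty list = none)."""
    written_list = written_list or {}   # site -> password already in use there
    problems = []

    # Guideline: a minimum of 8 characters.
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")

    # Guideline: upper and lower case, punctuation marks and numbers.
    required = [
        ("upper case", str.isupper),
        ("lower case", str.islower),
        ("number", str.isdigit),
        ("punctuation", lambda c: c in string.punctuation),
    ]
    for name, matches in required:
        if not any(matches(c) for c in candidate):
            problems.append("no " + name)

    # Guideline: not a single dictionary word. Digits or punctuation tacked
    # onto either end do not stop a dictionary attack, so strip them first.
    core = candidate.strip(string.digits + string.punctuation).lower()
    if core in dictionary:
        problems.append("single dictionary word")

    # Guideline: a different password for each sign-in site.
    reused = sorted(s for s, p in written_list.items() if p == candidate and s != site)
    if reused:
        problems.append("already used on " + ", ".join(reused))

    return problems
```

A password such as "Sunshine1!" meets the length and character rules but is still reported as a single dictionary word, which is the case the dictionary-attack guideline is about.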

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Interestingly, Bruce Schneier, perhaps the best known security guru and a prime mover, some years back, behind the development of Password Safe, is now an advocate of – you guessed it – writing down your passwords.

If you have difficulty devising a strong password, take a look at Random.org’s Random Password Generator – a very cool free password tool.

15 responses to “Weak Password Control – A Self Inflicted Injury”

  2. Hi Bill,
    There’s no excuse anymore for weak password management. I use Last Pass, which does a great job and is compatible with Windows, Mac OSX, and Linux as well as most mobile platforms (for paid users). Last Pass, like most password managers, will generate secure passwords and then remember them for you; you really only need to remember one strong password and a password manager does the rest. I’ve also tried Key Pass, Roboform, and One Password, all of which work great but not always with multiple platforms.
    Hope you have a great holiday season, stay warm!
    Mark

    • Hey Mark,

      Staying warm is a bit of a problem at the moment. It’s colder than a well diggers…, well, you know the rest. But, that’s what Winter’s all about.

      Happy Holidays to you and your family, and thanks for the excellent advice.

      Best,

      Bill

  3. John Bent

    Hi Bill
    As you know I swear by RoboForm2Go. All passwords and personal data kept on a USB drive under a single master password. Random passwords generated, I use 12 characters as default. Passwords and other personal data, including credit card details, can be entered into forms without keystrokes to defeat the keyloggers. No worries about losing the USB drive as info can be backed up and synched online. Drive can be encrypted to give a second layer of defence using Truecrypt if required. No trace left on computer once USB is removed.
    And it’s free for non-profit use!

    Kind regards
    John

    • Hi John,

      Very interesting. I’ve just downloaded, and I’m taking it for a test drive right now.

      Thanks for this.

      Best,

      Bill

    • Hi John,
      I read that you’re using RoboForm2Go. I downloaded it and found that it won’t run in a SandboxIE session. Well…it runs, but doesn’t automatically login any sites. Just goes to the site and fails to enter the credentials and submit. It runs properly outside a sandbox. I’m running IE, and know you may run something else, but thought I’d let you know what I’ve found. If you know anything about this situation I’d appreciate a note. Thanks.
      Best,
      Paul

      • John Bent

        Hi Paul,
        I use Firefox 3.6.13 and RoboForm2Go runs fine. Only slight inconvenience is that I have to open it manually the first session, whereas with older versions of IE it opened automatically. I find this a small price to pay for the huge convenience.
        I don’t use a sandbox as the ZoneAlarm firewall makes my computer “invisible” plus the Firefox addons give me added security. Sorry I’m unable to comment on this. RoboForm support may be able to throw some light on it.

        Regards
        John

  4. Hey Bill!
    “A lackadaisical effort is the norm.” You hit the nail on the head there. I just don’t understand why, in this unsafe environment, that folks don’t care about security. My recent poll, while not scientific, said that 35% of people said they didn’t know how to be secure on the Internet (not the case with Denton, obviously). BTW, I’m going to download Roboform2go also.
    Best,
    Paul

    • Hi Paul,

      Scientific or not, I think your poll is reasonably accurate. It’s frustrating to see developers continue to market security applications that are complex – leaving average users confused.

      ALL security applications need to be a one click solution – forget all the mumbo jumbo that average users don’t have any interest in.

      Little wonder that security compliance is so low.

      Best,

      Bill

  6. John,
    Thanks for getting back to me. I expected you had a different configuration than me, but thanks just the same. Roboform support is my next stop. I like the functionality of the package and want to get it working. Nice to “meet” you.
    Best,
    Paul

  7. PasjonatLeonaWachholza

    I got an email from them with a warning that I should change my password. I don’t really even remember that I had anything to do with this company, but I kept this e-mail, even suspecting that it was extortion or fraud.
    But Bill also write about this, so I will say that I think of passwords yourself and it is very difficult-not recorded in the memory of their browsers, but only using AI Roboform Pro and playing music.
    I wish consideration.
