December 16, 2014

False Perceptions of IT Security: Passwords


Welcome to the second post in a series about the false perceptions of IT security. In this post we will describe some of the issues associated with password management. As you know, it is quite important to have a strong password. So, what exactly is a strong password?


When asking random people about passwords, they tend to agree that having a strong one is very important, but it is also very difficult to remember all of these passwords. I believe that instead of trying to come up with a good solution, we simply give up and use this as an excuse for having a poor password policy.

One problem is that we are not even sure what a strong password is. Many people think that a strong password is a complex string of random letters, numbers and special characters. However, when looking at it from a security perspective, rather than a cryptographic perspective, a strong password does not have to be completely random and, therefore, incredibly difficult to remember.

I am expecting a lot of password maniacs to yell at me now, but please keep in mind that the purpose of this blog post is not to describe the most complex and secure password algorithm out there. Rather, it is intended to simply share some good tips and tricks for how individuals can stop using crappy passwords or using the same password on every single site where authentication is necessary.

You can, of course, use a password management tool such as Kaspersky Password Manager, but this post will hopefully teach you simple password management without the need for any tools.

So, let’s take a look at how we can generate a strong password. First of all, I think that the most important detail to consider when creating a strong password is to make it personal. I agree that trying to remember a computer-generated password with random letters, numbers and special characters is difficult. But, if it’s a phrase that is personal to you, it will probably be much easier to recall.

There are tons of different methods for generating passwords, but I would like to share one way with you. Though it has probably been described by others before, I will call it the “Story Algorithm”. There are many variants in this process, so feel free to come up with your own version that you believe will most help you.

  1. Think of a phrase, song lyrics, a quote from a movie or simply a lullaby from when you were a child.
  2. Take the first letter of each of the first five words.
  3. Between every two letters, add a special character.

At this stage you will have created a static string, and from now on you will base all of your unique passwords on this string. Since it’s a static string, it won’t be unique for every site that you need a password for. What you need to do now is use the power of association.

When you think of Facebook, Twitter, eBay, dating sites, online gaming sites or any other site, write down the first word you associate with the site you need a password for. For example, if you are creating a password for Facebook, you might associate Facebook with the blue color in the logo; you can then simply append the word “blue,” maybe in all caps, to the end of your static string.


For example, let’s play with the idea that the phrase I think of is “Twinkle Twinkle Little Star How I Wonder What You Are,” and the special character that I want to use is the pound character, ‘#’. Then my password for Facebook would be something like: T#T#L#S#Hblue. It makes no real sense when you look at it, or if someone gave it to you. But, since it’s personal, you understand the system used to generate your passwords and you associate the word with the site, it’s easy for you to remember. Not to mention, it is quite strong — you can test it with our Password Check.
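The Story Algorithm as an added illustration (editor's code, not from the original post): it reproduces the Facebook example above and adds a rough exhaustive-search estimate so the effect of length can be compared. The function names are the editor's, and the estimate assumes an attacker who knows nothing about the structure; one who guesses the “initials plus # plus dictionary word” pattern searches a far smaller space.

```python
import math
import string


def story_password(phrase: str, special: str, association: str, words: int = 5) -> str:
    """Build a password the way the post describes: the first letter of each of
    the first `words` words, a special character between every two letters,
    then the word you associate with the site appended at the end."""
    initials = [w[0] for w in phrase.split()[:words]]
    if len(initials) < words:
        raise ValueError(f"phrase needs at least {words} words")
    return special.join(initials) + association


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, based on the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the exhaustive search space for this length and alphabet.
    Upper bound only: it ignores that the '#' separators and the trailing
    dictionary word give a pattern-aware cracker much less to try."""
    return len(password) * math.log2(charset_size(password))


if __name__ == "__main__":
    # Constructed from the post's own example values.
    pw = story_password("Twinkle Twinkle Little Star How I Wonder What You Are", "#", "blue")
    print(pw, round(brute_force_bits(pw), 1))
```

Because the bits scale with length, a longer phrase (say eight words instead of five) raises the bound faster than swapping letters for digits does, which is the post's point that length matters more than randomness.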

There is one password that you should be extra careful about; it may even be good to use a completely different phrase when generating this password. This is the password to your email account. If someone can access your email, they can use the “forgot login” function to not only get access to your email, but also change the passwords for every site you have access to that’s connected to that email address.

Please remember to use strong passwords. It’s a false perception that password management is difficult and it is a bad excuse not to do it. Just remember these golden rules:

  • The length is very important when creating secure passwords!
  • Uniqueness is very important! One password per site!
  • Complexity is not about how random the password is, but how difficult it is to crack!
  • Make the password personal, it’s MUCH easier to remember it that way!