By Paul Poturalski

Password Security in an Uncertain World

With our reliance on cloud computing, all that it takes is a password and an Internet connection to access our online profile.

With our swelling reliance on cloud computing, all that it takes is a password and an Internet connection to deftly access our entire online profile. Everything from work documents to our bank accounts is instantly available if we enter a few secret letters, characters and numbers. It’s fabulous and terrifying.

Our Internet passwords can grant access to endless possibilities online. However, creating secure passwords and recalling them can be vexing.

If you’re suffering from password fatigue, you’re not alone. A 2012 Online Registration and Password study conducted by Janrain with Harris Interactive reveals that 58 percent of online adults possess five or more passwords, and 30 percent have to remember more than 10 passwords.

It may sound a bit extreme, but the Janrain with Harris Interactive study mentioned above found, “38% of adults sometimes think it would be easier to solve world peace than attempt to remember all their passwords.” Either these are some pretty optimistic folks or they are having serious trouble recalling their passwords. With password management such a troubling issue for many, it’s tempting to skimp on security and select easy-to-remember passwords or to repeatedly use the same few memorable choices.

“It’s worth focusing on safety”

Paul Poturalski, Project Manager at INCORE

You will likely recall when LinkedIn was hacked. In June 2012, 6.46 million passwords were stolen and immediately posted on a Russian hacker forum. It was a bad day for Internet security, as the same hacker acquired another 1.5 million user passwords from eHarmony. It happens. In 2012, some of the biggest password breaches involved trusted companies ranging from those in financial services to cloud storage. In February 2013, Twitter alerted users that a quarter of a million passwords and email addresses were stolen by hackers.

If one of your passwords is going to be compromised as part of a big batch in a large-scale security breach like these, there isn’t much you can do about it. However, you can refuse to grant hackers access to all of your information by generating a unique password for each site you frequent. If one password is successfully cracked, you can imagine that it’s the first password the hacker will try on the next site. Don’t sign on to iTunes with the same password that you use for your investment account and your Amazon account. In addition to varying your passwords, it is wise to change your passwords frequently.

Suspecting that most people are a bit like us and tend to repeat the same few passwords over and over, we ran our own Google Consumer Survey and posed the question, "Do you use the same password more than once on different websites?" 70% of the respondents claim they always create unique passwords. (Bravo!) 30% admit to repurposing existing passwords. We aren’t convinced that the self-reporting is entirely accurate, as nearly everyone we know personally admitted to not adequately varying passwords or creating unique passwords often enough. Maybe it’s only the kind of thing you divulge to friends.

So, how do we create unique and hacker-resistant passwords that are easy to remember?

We can learn a lot by analyzing previously stolen passwords: knowing the types of passwords that people tend to choose lets us make different choices. For example, one of the most common of the LinkedIn passwords was “link.” Passwords that include the name of the site are surprisingly common.

Adam Caudill, a software developer, analyzed the 442,786 passwords that were exposed when Yahoo was compromised. He was able to find some striking trends in the passwords. The favorites were:

- 123456
- password
- welcome
- ninja
- abc123
- 123456789
- 12345678
- sunshine
- princess

He also learned that eight characters is the most common password length. Very short passwords (1 or 2 characters) are rare, as are those having greater than 17 characters. Adding a few numbers or an exclamation point to the end of a dictionary word doesn’t cut it. Programs can run through tens of thousands of words a second.

Avoid words that can be found in a dictionary in any language. Just because you learned it in French class doesn’t make it safe. Spelling a word backwards or using abbreviations isn’t stealthy enough either. Nor is using personal information, including your dog’s name, your birthday, your mother’s maiden name, your passport number, the name of the street you grew up on or anything that someone else can guess. Use passwords that are greater than 8 characters in length. When developing passwords, don’t hesitate to include symbols, numbers and punctuation as well as lower and upper case letters. Use the whole keyboard. The more variety, the better.

LinkedIn has the following suggestion for creating a unique password that is both easy to recall and hard to hack, "I always tell people to use a sentence. I drive a 1978 Volkswagen! = IDA78VW! or Living At Home Since 1972 Sux = L@HS72SX"

Or, you can invent a system to generate and recall strong passwords. For example, if you choose p56kq as a base set and add it to the name of the site you are accessing: to log into Facebook, you might use only the consonants, Fcbk and add your base set Fcbkp56kq. This makes it easy to update your passwords as well. If you simply change your base to say, 39yg8 your new Facebook password becomes Fcbk39yg8.

It can also be useful to test your passwords with a password checker in order to evaluate strength and to avoid choosing commonly selected passwords. Some people solve their password problems by trusting programs that will generate, store and manage passwords, such as 1Password and LastPass, which leave you with only a single password to recall. And many of us devise elaborate word games to try to outsmart hackers without losing track of our own sign-in information.
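The rules above (more than 8 characters, nothing from the lists of most common passwords, no site name, no dictionary word with digits or punctuation tacked on, a mix of character types) can be checked locally. The following Python checker is an added example, not code from the original article; the `WORDS` set is a constructed stand-in for a real word list, and the function name `check_password` and the three-of-four character-type threshold are assumptions.

```python
import re

# Most common passwords quoted in the article (Yahoo and LinkedIn leaks).
COMMON = {"123456", "password", "welcome", "ninja", "abc123",
          "123456789", "12345678", "sunshine", "princess", "link"}

# Constructed stand-in for a real dictionary word list (assumption).
WORDS = {"password", "welcome", "sunshine", "princess",
         "monkey", "dragon", "bonjour"}

# Character types the article asks for: lower, upper, numbers, symbols.
CLASSES = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]


def check_password(password, site=""):
    """Return the list of rules the password breaks (empty list = none)."""
    problems = []
    lower = password.lower()

    if len(password) <= 8:
        problems.append("length must be greater than 8")
    if lower in COMMON:
        problems.append("on the list of most common passwords")
    if site and site.lower() in lower:
        problems.append("contains the site name")

    # Drop digits/punctuation tacked onto the end, then look the remaining
    # word up forwards and backwards ("spelling a word backwards").
    core = re.sub(r"[\d\W_]+$", "", lower)
    if core and (core in WORDS or core[::-1] in WORDS):
        problems.append("dictionary word with a simple suffix")

    # Assumed threshold: at least 3 of the 4 character types.
    if sum(bool(re.search(c, password)) for c in CLASSES) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, site in [("Sunshine123!", ""), ("LinkedIn2012", "linkedin"),
                     ("ruojnob99", ""), ("123456", "")]:
        print(f"{pw!r}: {check_password(pw, site) or 'no rule broken'}")
```

Because it runs entirely on your own machine, candidate passwords are never sent to a third-party site.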

As a precaution, especially if you change your passwords often, you might want to make yourself a key somewhere. Writing your passwords (or hints that will help you recollect them) on a piece of paper and locking it in a deposit box or secured drawer tends to be safer than keeping a spreadsheet on your computer, entering passwords into your address book or contacts list or writing them on sticky notes, or entering them into your smartphone.

We live in a nearly paperless world. Most of our personal information is stored as data. It is essential to protect yourself and your information by selecting and maintaining strong passwords. I don’t know about you, but I am going to change mine now.

Project Manager

Ensuring that projects are accomplished effectively, efficiently and on time is Paul’s domain. He balances a 10,000-foot view with a detail-oriented approach to tie offered solutions and project results to business goals. As he says, “Excitement of leading a team of creative individuals to achieve business objectives is, in its own unique way, addicting!”