Worst Practices
The twenty-five most common passwords, culled from leaked password lists and hacked sites, are exactly that: incredibly common, and because of that, insecure. From splashdata.com:
- password
- 123456
- 12345678
- qwerty
- abc123
- monkey
- 1234567
- letmein
- trustno1
- dragon
- baseball
- 111111
- iloveyou
- master
- sunshine
- ashley
- bailey
- passw0rd
- shadow
- 123123
- 654321
- superman
- qazwsx
- michael
- football
An illustrative XKCD comic, number 792, dealing with password hacking
In 2011 Bashar Assad’s email was “hacked”. By hacked, it means that someone guessed that his password was “12345”. He is a horrible person, a brutal dictator and uses poor passwords. Don’t be like him.
how hackers work – It’s good to know how hackers approach obtaining a password. In “How I’d hack Your Weak Passwords” (http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/), John Pozadzides details some common ways that hackers gain access to accounts.
other vulnerabilities – Even good passwords can be obtained with other methods.
shoulder surfing – people watching your hands on the keyboard as you type passwords. Be careful in crowded places like coffee shops, cafeterias, etc.
key loggers – Keylogging is the practice of capturing a user’s individual keystrokes as they work on a computer. This can be done by malicious software (sometimes called spyware). Virus-infested and other low-life sites on the web can install spyware on your machine if it is not adequately protected.
Be aware of public computing facilities like labs, internet cafes or gaming stores.
http / https – both of these protocols deliver web pages, but one (https) is encrypted and the other (http) is not. If you are entering text over an insecure connection it is much easier for someone to obtain your password.
phishing – the practice of faking an email from a legitimate source with a con-like draw to get you to click on a link. The link in the email can take you to a marauding website that looks exactly like a page you are familiar with and trust. You then willingly give your password to criminals. Remember, no tech support or IT people will ever ask you what your password is; they can always reset it for you and have you change it later.
typing your password in a presentation – when you are teaching a class you are concentrating on content and student learning. It is easy to type your password in the wrong spot, or, if you are using something like an iPhone or iPad to do presentations, the wonderful iOS lets anyone see what you type. (Solution: unplug your device from the presentation while entering passwords.)
The iPad and iPhone do not blank out the last letter of your pass phrase during entry in forms.
Best Practices
So what does one do in the face of so many web services asking for usernames and passwords? What does one do knowing that as computers get faster and faster, hackers can obtain pass codes with “brute force” methods like guessing every word in a dictionary or using different combinations of letters and numbers?
long and memorable, not short and forgetful – Use long password strings that are difficult to guess but easy for you to remember. Try using quotes or phrases as passwords, rather than single words.
Example: q:h4]0#M is 8 characters long and occupies a number space of 94^8 = 6.09568939 × 10^15, but it is hard to remember. Whereas “Four score and seven years ago our fathers brought forth on this continent a new nation” occupies a number space of 52^87 = 1.96015717 × 10^149 and is easy to remember. (This huge number is greater than the number of protons in the known universe.)
You may use phrase generators like song lyrics, poetry, or movie quotes. Try putting two quotes together: “Frankly my dear I don’t give a damn” and “Luke, I am your father”. Except don’t use popular quotes, use quotes that are memorable to you.
One website, http://www.hammerofgod.com/PasswordChecker.php, lets you play with the mathematical theory behind these number-space calculations.
concatenation extended to multiple sites – Instead of using the same password for every site you visit, try using a hybrid password. Use a formula like (but please, not exactly the same as) [your catch phrase][name of web service]. For example:
- FranklyMyDearIAmYourFather_twit for twitter account
- FranklyMyDearIAmYourFather_theFlickr for Flickr account
Notice how _twit was used for Twitter and _theFlickr was used for Flickr? Slightly different patterns? Use a different pattern for each website, so that one leaked password does not hand over the formula for all the others.
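The number-space arithmetic above and the list of common passwords at the top of the page, worked through as an added Python example that is not part of the original post. The character-class sizes follow the page’s own counting (52 letters, 94 printable characters, spaces not counted), and the guess rate of 10^10 per second is an assumed, hypothetical figure.

```python
import math
import string

# The 25 passwords listed above (the splashdata.com list), used as a blocklist.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Characters an attacker must cover once a class appears in the password.
# string.punctuation is the 32 printable ASCII symbols. Space belongs to no
# class, which reproduces the page's arithmetic (52 for the letters-only phrase).
CLASS_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)

def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in password."""
    return sum(size for chars, size in CLASS_SIZES if any(c in chars for c in password))

def search_space(password: str) -> int:
    """Candidates a full brute-force search must cover: charset ** length.
    Length counts every character, as on the page, so the 87-character
    Gettysburg phrase evaluates to 52 ** 87."""
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the search space; each extra bit doubles the attacker's work."""
    return math.log2(search_space(password))

def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space at an assumed (hypothetical) rate."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)

def assess(password: str) -> dict:
    """Defender-side check: a block-listed password is weak whatever its size."""
    common = password.lower() in COMMON_PASSWORDS  # "Passw0rd" is as bad as "passw0rd"
    return {
        "common": common,
        "bits": 0.0 if common else round(entropy_bits(password), 1),
        "years_at_1e10_per_s": 0.0 if common else years_to_exhaust(password),
    }
```

Note that the brute-force figure is a worst case: a phrase built from famous quotes falls to a dictionary of quotations long before the full space is searched, which is why the text says to pick quotes memorable only to you.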
Other Methods
Two-Factor Authentication – the practice of requiring more than one form of authentication. http://en.wikipedia.org/wiki/Two-factor_authentication