Sunday, April 24, 2011

Password Security

   Some of you might know that this blog is not my only means of communicating technical information.  I have also led classes, mentored colleagues, given briefings, and so on, at work.  What some of you might not know is that I also give speeches at my Toastmasters club.  Occasionally the topics are technical, such as this one I gave last Thursday.  (Okay, it's nothing new for me, but it may be for you....)

===8<---cut here---

What's the Good Word?

   Raise your hand if you've got anything important protected by a password... and keep it up if you know how to pick a good password.

   Mr. Toastmaster, fellow Toastmasters and honored guests, if you put your hand up, but didn't keep it up, you need to listen up.  First we'll look at what makes a *bad* password, so you can avoid them, and then, some ideas on how to make a good one.

   A bad password is one that is easily guessed.  In the movies, the clever hero racks his brain for the one word that the villain uses to protect his evil schemes.  Reality, though, isn't usually like that.  Most attackers aren't after *your* account, but *any* they can crack.  They won't research you, let alone type guesses one by one!  Pros use tools that try hundreds of guesses per second, from lists.  So it boils down to what's on the lists.

   There are generally three levels of lists.

   First are common passwords.  Some might be otherwise decent passwords, but so many people use them, that now they're worthless.  Password.  Short phrases like LetMeIn.  ILoveYou.  Finger-drumming patterns like 123456, Qwerty, and Asdfgh.  And the name of the site.  If a lot of other people are probably using your password... change it as soon as you get home!

   Next come words of types commonly used for passwords.  Names for people (first, last, or nick names), pets, places, schools, sports and their teams, from all over the world.  So if your password is the name of your significant other... or your chihuahua (like Paris Hilton did)... or any of these others... change it as soon as you get home!

   Last comes the entire dictionary, or rather all the dictionaries they can find, including jargon and foreign languages.  So if your password is in any dictionary, what should you do?  Yes, change it as soon as you get home!

   It's not enough to spell a word *backwards*, or substitute digits for letters they resemble, like zero for o and one for i.  These tricks are so well known that attackers also use lists like that.

   I've scared you enough for one night, so let's look on the bright side: what's left for good passwords?

   The best passwords are long and random, with upper and lowercase letters, digits, and punctuation.  The bad news is, that makes them hard to remember!  The good news is, you don't have to!

   First, you can use multiple words.  For an account at SunTrust Bank, the name might remind you of sunburn, and the "trust fall" team-building exercises.  Put them together, in either order, with some numbers or punctuation in the middle or on the ends.  Maybe you got sunburn on a team-building retreat in 1987, so use "1987FallBurn".

   Next, try a virtual password, based on a longer set of words.  Pick a line from a story, a song, or a poem.  Take the first letter from each word, or the second or last or whatever.  Using the first letters of the first line of "The Star Spangled Banner" yields "Oscys,btdel".

   Lastly, use multiple ways of altering words.  Digitize every *other* eligible letter.  Add something to each digit.  Press Shift on every other character.  Doing all that to the worst password of all, "password", gives "p&s*wOrD".  Much better!  Doing it to the virtual password we made earlier, gives "O8CyS,0tD6L".  I'm sure that's not in any dictionary!

   Just pick a memorable starting word, or set of words, and a few ways to combine and change them, and remember those.  Then you can *recreate* your password any time you want!

   To recap:

   DON'T use common passwords, or common words, including names, places, sports, and teams, even with digits put in for letters, and backwards.

   DO use multiple words, virtual passwords derived from several words, or at least long words, and alter them, to get a mix of upper and lowercase letters, digits, and punctuation.

   With these few simple secrets, you can keep your secrets secret.

===8<---cut here---

   Of course, there's a lot more I could have said, like not just using letters because of brute-force attacks, quote some gurus, how to keep them safe, and mention specific password leaks like the big ones from Hotmail and Gawker... but this was for Project #5 out of the "Speaking to Inform" advanced manual (now finished, yay!), so I had a dictated timeframe of six to eight minutes. The above just barely fit within the grace period, coming in at about 8:20.