May 3rd, 2011

Protect Your Passwords from Theft

Passwords are the keys to a person’s identity.  However, more and more often we hear of passwords and their corresponding usernames falling into malicious hands, causing financial loss, lost time, emotional distress, and worse.

In this day and age, you pretty much have to use the Internet and deal with passwords and security issues.  You can take many steps to protect yourself from password theft and to minimize the damage caused if a password were to fall into the wrong hands.

Common Ways Passwords are Compromised

In order to protect your passwords, we need a good idea of what we are protecting them against.  The most common ways that people’s passwords are discovered by others include:

  • Using “insecure connections” to web sites and Internet services. Anyone on the same wifi hotspot or network as you can eavesdrop on unencrypted traffic and read your username, password, and anything else sent to or from your computer.
  • Companies that are hacked, as happened recently with Sony’s PlayStation Network (70 million accounts stolen, including usernames, passwords, and perhaps other personal and financial information).
  • Passwords being guessed, manually or automatically: either a person trying passwords they think you may use, or a program trying thousands or millions of common passwords until one matches.
  • Company employee access to passwords. At companies that keep passwords in readable form, employees with access to the database can see them, and a malicious employee can save and use them.
  • Scraps of paper. You wrote your password(s) down on a post-it note and someone saw it.

How to Protect Your Passwords

1. Do not use “Insecure Connections”.

You should always use connections encrypted with SSL or TLS so that no one can eavesdrop on you.  This is especially true in public places, like wifi hot spots.

If you are connecting to a web site, be sure that the address in your browser’s address bar starts with “https://” and not “http://”.  The “s” in “https” means that the connection is secured with SSL/TLS: everything between you and that site is encrypted, and the site’s certificate lets your browser check that you actually reached the site you asked for rather than an impostor.  If your browser warns that the site is “not trusted” or that there is a problem with the site’s “certificate”, do NOT proceed and log in; someone may be trying to intercept your connection to capture your credentials!

Connections to other services, like email, chat, Facebook or Twitter, should also be made over SSL or TLS.  If you want to use a service that does not support secure connections, either do not use it, or use a username and password that you use only there (so if they are discovered, nothing else you do is affected).

2. Do not write your passwords on post it notes.

Leaving your passwords written down and lying around is a great way to get yourself in trouble.  Instead of the “post-it note” method of remembering passwords, it is best (if you can’t remember them all in your head, and really, who can?) to store them in a secure database: keep all the usernames, passwords, and other pertinent information (like secret questions and answers) in a file, database, or location that is itself encrypted, protected by one password, the only password you really have to remember (or perhaps unlocked with a fingerprint reader as well, which is even more convenient).  With an encrypted password database, you can access all of your password data anytime, and no one else can get to it, even if they have access to your computer and all of your files.

LuxSci provides one such solution in its WebAides suite — online Encrypted Password storage.  Access your passwords securely from anywhere you have an online computer, and rest assured that the passwords are actually backed up and safe from disaster, misfortune, or compromise.

3. Choose vendors that do not actually save your passwords in “plain text” anywhere.

The big problem with companies being hacked or having malicious employees is that databases of customer information get stolen.  It is often the case that companies store your password in “plain text” next to your username in their databases: if your password is “apple123”, anyone who looks in the database sees exactly that, which is bad.

Another way is for companies to store only “hashes” of passwords.  A “hash” is a one-way mathematical function that turns “plain text” like “apple123” into a fixed-length string of gibberish like “$1$rjogGOYN$0p0j.DxKEBw0qKh4w1svU1” (in that example, “rjogGOYN” is a random “salt” mixed in so that two users with the same password get different hashes).  The company stores only the gibberish.  It can still check whether the password you typed is correct by running it through the same function and comparing the result with the stored hash, but no one can “go backwards” from the hash to the original password.  If the database of a company that stores only password hashes is stolen, the passwords themselves are safe (well, mostly; see below).

If you can, you should choose to work with companies, like LuxSci, that never store plain text passwords anywhere.
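To make the plain-text versus hash distinction concrete, here is an added example (not LuxSci’s code, and not the crypt-style format shown above) of how a vendor stores and checks a password without ever keeping the password itself.  It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the record format and the two sample accounts are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Assumptions for this demo: PBKDF2-HMAC-SHA256 with 100,000 iterations and a
# 16-byte random salt per password. A real deployment tunes the count so one
# check costs tens of milliseconds, and raises it as hardware gets faster.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str) -> str:
    """Build the value the company stores instead of the password.

    Record format (our own, for this demo):
        "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
    The salt is fresh random bytes per password, so two users with the same
    password get different records and a cracker cannot reuse work across users.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(record: str, candidate: str) -> bool:
    """Run the candidate "forwards" through the same function and compare.

    The iteration count and salt are read from the record, so old records
    still verify after the default count is raised. The comparison is
    constant-time so a wrong guess cannot be told apart by reply timing.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample accounts. The plain-text table is the failure mode the
# text describes; the hashed table is what a careful vendor keeps instead.
PLAINTEXT_TABLE = {"alice": "apple123", "bob": "apple123"}
HASHED_TABLE = {user: make_record(pw) for user, pw in PLAINTEXT_TABLE.items()}

# Record for a password nobody has, so that a login attempt for an unknown
# user costs the same time as one for a real user.
_DUMMY_RECORD = make_record(os.urandom(16).hex())


def login(user: str, password: str) -> bool:
    """Login check against the hashed table only; plain text is never consulted."""
    record = HASHED_TABLE.get(user, _DUMMY_RECORD)
    return check_password(record, password) and user in HASHED_TABLE


if __name__ == "__main__":
    print("a stolen plain-text table reveals:", PLAINTEXT_TABLE)
    print("a stolen hashed table reveals:", HASHED_TABLE)
    print("alice/apple123 ->", login("alice", "apple123"))
    print("alice/apple124 ->", login("alice", "apple124"))
    print("carol/apple123 ->", login("carol", "apple123"))
```

Note that alice and bob have the same password but end up with different records; that is the salt at work.  The slow, iterated hash is what keeps the “mostly” in the previous paragraph honest: a thief who steals the table still has to guess, and each guess costs them the full iteration count.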

4. Choose good passwords!

This almost goes without saying, but if you don’t keep saying it, people won’t do it.

If you choose a simple (poor) password like “apple”, it is easily guessed by computer programs that try millions of common words, phrases, and commonly used passwords.  How?

  • Some systems (unlike LuxSci’s) allow unlimited login attempts in a short period, even when they are all failing and all coming from the same place.  This lets a program rapidly try password after password until one works (the so-called “brute force” approach).  A system that slows down or locks out a source after a handful of failures makes this impractical.
  • Also, if the hash of a password is known (say, from a stolen database), you still can’t “go backwards”, but you can hash guess after guess and see whether any of them “go forwards” to the same hash.  One that does is the password.  This happens on the attacker’s own computers, so no login limits apply; only the slowness of the hash function and the strength of the password stand in the way.

If your password is simple, it can be quickly guessed by a computer in either of the above situations.  If it is long and not something found in a word list, you are in far better shape.
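The two situations above, as an added example (not LuxSci’s code): a login service run with and without throttling, and an offline attack against a stolen salt and hash, both using the same small constructed word list.  The lockout policy, the iteration count (kept deliberately low so the demo runs in seconds) and the two victim accounts are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 with a low count so the demo runs quickly.
# Every extra iteration costs the attacker exactly what it costs a real login.
ITERATIONS = 1_000


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def common_guesses():
    """Constructed stand-in for a cracker's word list: a few very common
    passwords, their capitalised form, and each with two trailing digits."""
    words = ["password", "apple", "letmein", "qwerty", "monkey",
             "dragon", "123456", "baseball", "football", "welcome"]
    for w in words:
        yield w
        yield w.capitalize()
        for n in range(100):
            yield f"{w}{n}"


# --- Online: guessing through the login form ---------------------------------

class LoginService:
    MAX_FAILURES = 5         # assumption: lock after 5 misses from one source
    LOCKOUT_SECONDS = 900    # assumption: for 15 minutes

    def __init__(self, verifiers, throttle=True):
        self._verifiers = verifiers    # username -> (salt, hash)
        self._throttle = throttle
        self._state = {}               # (username, source) -> (failures, locked_until)
        self._dummy = (os.urandom(16), b"\x00" * 32)  # equal-cost path for unknown users

    def login(self, username, password, source):
        key = (username, source)
        failures, locked_until = self._state.get(key, (0, 0.0))
        now = time.monotonic()
        if self._throttle and now < locked_until:
            return "locked"
        salt, stored = self._verifiers.get(username, self._dummy)
        if hmac.compare_digest(slow_hash(password, salt), stored) and username in self._verifiers:
            self._state.pop(key, None)
            return "ok"
        failures += 1
        if self._throttle and failures >= self.MAX_FAILURES:
            self._state[key] = (0, now + self.LOCKOUT_SECONDS)
        else:
            self._state[key] = (failures, locked_until)
        return "denied"


def online_guess(service, username, source="203.0.113.7"):
    """Attacker without the hash: work the list through the form, stop at lockout."""
    attempts = 0
    for attempts, guess in enumerate(common_guesses(), start=1):
        result = service.login(username, guess, source)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


# --- Offline: the salt and hash were stolen ---------------------------------

def offline_guess(salt, stored):
    """Attacker with the hash: no form, no lockout, just hashing until a match."""
    attempts = 0
    for attempts, guess in enumerate(common_guesses(), start=1):
        if slow_hash(guess, salt) == stored:
            return guess, attempts
    return None, attempts


# Constructed victims: the text's weak "apple" and its strong passphrase.
WEAK_SALT, STRONG_SALT = os.urandom(16), os.urandom(16)
VERIFIERS = {
    "weak": (WEAK_SALT, slow_hash("apple", WEAK_SALT)),
    "strong": (STRONG_SALT, slow_hash("Let the 2011 Game$ begin!", STRONG_SALT)),
}


if __name__ == "__main__":
    print("offline, weak  :", offline_guess(*VERIFIERS["weak"]))
    print("offline, strong:", offline_guess(*VERIFIERS["strong"]))
    print("online, no limit:", online_guess(LoginService(VERIFIERS, throttle=False), "weak"))
    print("online, lockout :", online_guess(LoginService(VERIFIERS), "weak"))
```

With throttling on, the attacker gets five misses and is then told “locked”; the passphrase survives even the offline attack because it is simply not on the list.  Two practitioner caveats: the lockout here is keyed on (username, source), so a real service also counts failures per username to blunt attackers who rotate addresses, and the word list is tiny, whereas a real cracker’s list runs to millions of entries with many more mangling rules.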

What makes a good password? A combination of:

  • Using a phrase instead of a word, e.g. “let the games begin”
  • Using symbols, numbers, and mixed case, e.g. “Let the 2011 Game$ begin!”
  • Keeping it complex, but easy to remember.

5. Use different passwords for different sites / accounts

A big “no no” is to use the same password everywhere.  Why?  If it is compromised in one place, all of your accounts are exposed.  The more places you use a password, the more likely it is to leak.

Of course, the best thing to do is to use a different good password for each account you have.  However, remembering all of these passwords quickly becomes cumbersome, even with a good password database.  Ideally you want a different password for each account, created in a way that makes them (a) strong, (b) easy to remember, and (c) hard to derive from one another, so that knowing one does not reveal the others.

For a good way to do this, see: Security Simplified, the Base+Suffix Method for Memorable Strong Passwords.

6. Use Two-Factor Authentication when available and choose companies that support it!

Two-factor authentication requires some kind of verification beyond your username and password in order to gain access to an account.  For example, if you have two-factor authentication enabled at LuxSci, when you log in a “token” (a short number) is sent either to an alternate email address of your choice or to your mobile phone as a text message.  You have to retrieve this token and enter it into the login page to complete the login.

Two-factor authentication protects your account when your password is stolen: without access to the “second factor” (e.g. your phone), the thief still cannot log in.  Note that a token sent by email is only as safe as that email account, so give that account its own strong, unique password.
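The token step described above, as an added example (not LuxSci’s code): a short numeric code issued after the password check, delivered out of band, and accepted only once, only before it expires, and only within a few tries.  The delivery channel is a constructed in-memory outbox, and the code length, lifetime and attempt limit are assumptions for the demo.

```python
import hmac
import secrets
import time

TOKEN_DIGITS = 6        # assumption: a six-digit code
TOKEN_LIFETIME = 300    # assumption: valid for five minutes
MAX_ATTEMPTS = 3        # assumption: three wrong entries void the code


class ManualClock:
    """A clock we can move by hand, so expiry is testable without waiting."""
    def __init__(self, now=0.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


OUTBOX = []   # constructed stand-in for the SMS gateway or mail server


def record_send(destination, message):
    OUTBOX.append((destination, message))


def last_token():
    """What the user reads off their phone: the code in the last message."""
    return OUTBOX[-1][1].split()[-1]


class SecondFactor:
    def __init__(self, send, clock=time.time):
        self._send = send          # callable(destination, message)
        self._clock = clock
        self._pending = {}         # username -> {"token", "expires", "attempts"}

    def issue(self, username, destination):
        """Called only after the username/password check has passed.
        secrets.randbelow is the CSPRNG; the random module would be guessable."""
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self._pending[username] = {"token": token,
                                   "expires": self._clock() + TOKEN_LIFETIME,
                                   "attempts": 0}
        self._send(destination, f"Your login code is {token}")

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]        # stale: must be reissued
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["token"].encode(), submitted.encode()):
            del self._pending[username]        # single use
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]        # too many misses: start over
        return False


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    mfa = SecondFactor(record_send, clock)
    mfa.issue("alice", "+1-555-0100")      # password step already passed
    print("delivered:", OUTBOX[-1])
    print("correct code accepted:", mfa.verify("alice", last_token()))
    print("same code again:", mfa.verify("alice", last_token()))
```

The attempt limit matters as much as the randomness: a six-digit code has only a million possibilities, so a service that let the thief keep guessing would give the second factor away in minutes.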

You can also log in through a good OpenID provider that itself offers multi-factor authentication, if your account supports OpenID.
