10 Strategies for choosing a Secure Password You Can Remember
March 22, 2009, 8:27 pm
Filed under: lifehacking | Tags: effectiveness, excellence, lifehacking, memory, passwords, planning, prevention, security, strategy, tips
Having seen my fair share of “bad passwords” and understanding that for many IT departments password resets can account for 20-30% of all calls, it seems there is the need for a post on this topic that might help people choose good passwords they can remember.
(flickr credit: ferran.pons)
There are two very different perspectives
From the IT side of things, generally the focus seems to be on security, so this results in policies that:
- make users change their password every 30-60 days
- require more complex combinations of UPPERCASE letters, lowercase letters, numbers and symbols
- lock out your account if you get your password wrong a few times in a row (ever left caps lock on?)
On the user side of things, generally the focus is on the utility of being able to log in so that you can get your work done. This focus leads towards:
- Folks who have forgotten their passwords using others’ accounts so they can get their work done.
- Passwords on post-it notes by their monitors
- Users re-using passwords between systems to reduce the number of passwords they need to remember
- People picking “easy” passwords to help remember them.
So it is easy to see how either side could view the other with disbelief: the IT group shaking their heads at people choosing poor passwords and showing disregard for security, the users shaking their heads at an IT group that appears to care more about complicating passwords than helping them perform their daily tasks. It doesn’t have to be contentious; there is hope. More and more, users are becoming educated about the importance of good security practices, and security professionals are realizing that the best security is the kind that works for users rather than against them.
What makes a password good?
Put simply, anything you can do to make your password difficult to figure out is good. So if your password is really long, and composed of many types of characters, it becomes very difficult to “guess”. If your password is short, a real word found in the dictionary, or something an attacker would know about you, then you make it easier for someone to guess your password. But having a “good” password is only part of the challenge. The best password in the world does you little good if you can’t remember it. Locking out all the would-be hackers is only part of the equation, making sure the account is accessible by the right person is the other.
(flickr credit: guspim)
10 Strategies for choosing a secure password you can remember
So here are some strategies for picking a strong memorable password. Read through them all, and pick 1 or 2 that will work for you.
1. Plan ahead
Have a strategy for picking passwords that you can use across many systems. That way when you go to a new system that asks you to pick a password, you can apply your strategy rather than having to rack your brain for a new password.
2. Take your time
Taking 60 seconds to think about a great password you will remember, rather than typing the first thing that pops into your brain, will pay dividends. Apply your strategy and pick something you will be happy with.
The next three strategies get you to stop thinking in terms of a pass-word.
3. Think in terms of a pass-phrase.
It could be a line from a song, a poem, a story, anything, but of course you will modify it by adding punctuation, truncating the sentence or swapping in a word you like better, such as:
- “The dish ran away with the poon”
- “I’m dreaming of a white Xmas”
- “AllIwantforChristmasismy2frontteeth!”
- “Thyme4Golf!”
- “4getaboutit!”
- “NowwhatwasmypasswordCharlie?”
4. Think in terms of a pattern.
A very popular pattern is to apply a prefix, a root, and a suffix to your passwords. Here is my version of “the pattern”:
- The prefix modifies the root, so you might want to relate it to what you are logging into. If you logged into a system for email, you might use “email” or “Email” or “e-mail” or “E-mail” as a prefix.
- A good choice for the root is a non-dictionary / non-name word like “selebrait” (yes, exactly: it isn’t in a dictionary).
- The suffix is something you add to your pattern to add the required “non-letter” characters so that your password is “complex” enough. Let’s choose “$4”.
- For email your password might be “emailselebrait$4”; for AOL it might be “aolselebrait$4”, for gmail it might be “gmailselebrait$4” etc…
5. Think in terms of a simple puzzle.
Where am I, who am I, what kind of login is this: these three questions could yield unique results for every login while requiring only a little bit of mental gymnastics. For a gmail login it might be “gmailGregWebmail”.
6. Anticipate being asked to change your password.
So if you have picked out a fabulously strong password that you can remember well, don’t let the “prompt to change your password” cause you stress: build a “counter” into your password which you can simply increment. It might look like:
- “Sallysellsseashells!1”, “Sallysellsseashells!2”, “Sallysellsseashells!3”
which is a reasonably complex password you could remember, and which would allow you to “survive” the password change without having to think of a new password. Note that lots of password systems won’t let you simply tack on a number (too easy). So I recommend you resort to one of two ninja password moves I’ve come to appreciate. The first is to use a numeric increment, but not on the end:
- “Sallysells1seashells!”, “Sallysells2seashells!”, “Sallysells3seashells!”
Or you could use something other than a number to increment. If you held down “SHIFT” while pressing the numbers 1-9 you would see “!@#$%^&*(”, so using our Sally example again it might look like this:
- “Sallysellsseashells!!”, “Sallysellsseashells!@”, “Sallysellsseashells!#”
Or you could substitute letters for numbers along the lines of A=1 B=2 or Q=1 W=2 E=3 (look at your keyboard to understand why I’m choosing those letters).
7. Use your muscle memory.
What do the following 4 passwords have in common?
- ajskdlf;
- quwieorp
- zmx,c.v/
- 17283940
OK, that last one should have given it away. The fingers type the same sequence in a different row of the keyboard. By mixing up the rows and columns on your keyboard you could easily come up with dozens of “muscle memory passwords” that feel the same to your fingers but would leave a potential hacker scratching his head. NOTE: Left-to-right rows of keys like “qwerty” and “asdfg” are REALLY bad passwords.
8. Test your password strength.
Not sure if you picked something strong enough? You could always try typing it into the Microsoft password checker: http://www.microsoft.com/protect/yourself/password/checker.mspx Don’t worry; if you are a bit paranoid like me you won’t like the idea of typing your password into a webpage, but Microsoft assures you: “The password is checked and validated on your computer, but is not sent over the Internet.”
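If you would rather not type a password into anyone’s webpage at all, a small checker can run entirely on your own machine. The following is an added example, not part of the original post and not Microsoft’s checker: it flags the three things the strategies above warn about (dictionary words, left-to-right keyboard rows like “qwerty” and “asdfg” from strategy 7, and a bare counter tacked on the end from strategy 6) and gives a naive brute-force bit estimate. The word list is a tiny constructed stand-in for a real dictionary, a US keyboard layout is assumed, and the thresholds (40 and 60 bits) are my own choices.

```python
import math
import re

# Constructed stand-in for a real dictionary file (a real checker would load
# a large word list); these are just words that appear in the post above.
COMMON_WORDS = {"password", "letmein", "welcome", "golf", "sally", "charlie",
                "seashells", "email", "gmail", "qwerty", "keyboard"}

# Keyboard rows as typed left to right on a US layout (the rows strategy 7
# moves between; typing along one row is what it warns against).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def is_keyboard_walk(pw, min_run=4):
    """True if min_run consecutive characters of pw sit next to each other
    on one keyboard row (forwards or backwards), e.g. 'qwerty', 'asdfg'."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(s) - min_run + 1):
            chunk = s[i:i + min_run]
            if chunk in row or chunk[::-1] in row:
                return True
    return False


def trailing_counter(pw):
    """Return the one- or two-digit counter a password ends with ('...!1'),
    the pattern strategy 6 says many systems reject, or None."""
    m = re.search(r"(\d{1,2})$", pw)
    return m.group(1) if m else None


def charset_size(pw):
    """Size of the alphabet an attacker would have to brute-force."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def estimate_bits(pw):
    """Naive entropy: log2(charset ** length). Upper bound only; patterns
    found below make the real search space much smaller."""
    cs = charset_size(pw)
    return len(pw) * math.log2(cs) if cs else 0.0


def check_password(pw):
    """Return a dict with the bit estimate, the findings and a verdict.
    Any finding forces 'weak' regardless of length."""
    findings = []
    if len(pw) < 8:
        findings.append("too short")
    if pw.lower() in COMMON_WORDS:
        findings.append("dictionary word")
    if is_keyboard_walk(pw):
        findings.append("keyboard row pattern")
    if trailing_counter(pw) is not None:
        findings.append("ends in a simple counter")
    bits = estimate_bits(pw)
    if findings or bits < 40:
        verdict = "weak"
    elif bits < 60:
        verdict = "ok"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ["qwerty", "ajskdlf;", "Thyme4Golf!", "Sallysellsseashells!1"]:
        print(candidate, check_password(candidate))
```

Running it on the post’s own examples shows the point of strategy 7: “ajskdlf;” passes the row check because it jumps between rows, while “qwerty” fails it, and “Sallysellsseashells!1” is long but gets flagged for the bare counter on the end.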
9. (Guys only) Write all your passwords down on paper in your wallet.
We are talking about the wallet that never leaves your front pocket. If you lose your wallet, treat your passwords like your credit cards and get them all changed. (Ladies, nothing personal here but the purse left slung over a chair in your office is nowhere near as safe as the wallet located in a guys pocket.) Guys, if you don’t trust the people living in your house this might be a poor choice.
10. Use password safe software
Password safe software can hold all of your passwords. These tools use a master password to encrypt all of your passwords. If it fell into the wrong hands it is useless to the bad guys, but in your hands, it can help you not only remember passwords, but also usernames, URLs for logging in and other details you record with the entry in a searchable “password database”. I recommend KeePass which I’ve discussed previously.
Hopefully these 10 strategies for choosing a secure password you can remember will lower your password stress, raise the strength of your passwords, and save you some time chatting with the nice guys at your company’s IT support desk.
Cheers,
Greg.
Choosing and using passwords badly
If you want to pick a bad password you have come to the right place. A password is only useful if it is something you can remember and nobody else can figure out. Today we are going to discuss several common password mistakes so that your passwords can be:
- Easy for hackers and others to guess
- Easy to disclose
Password (flickr credit: Bruno Santos)
For picking a bad password try…
- Making your password the same as your username
- Use a meaningful name, like your name, your middle name, your mother’s maiden name, or the name of your children, the name of your pets. Basically choose anything someone could read off of your facebook page. Remember if you are really tricky you can REVERSE the name. I’m sure nobody would think of that.
- Use significant numbers like a date: your postal code, your birthday, your anniversary, your kid’s birthday.
- Use 0bscenities. No decent hacker would dare type THAT. (Most password cracking software will try them early on because they are very common.)
- Science fiction terms, Greek letters and mythology, like “Data”, “Spock”, “Borg”, “HAL”, “Epsilon”, “Venus”, “Aphrodite”.
- Computer terms: stay away from “keyboard”; “mousepad”; “megabyte”; etc.
- Line-of-sight terms: e.g., “Gateway” because that’s the brand of your computer, or “telephone” because there is one on your desk. Though this can help you remember your password, it is a trick that password crackers are on to. To play it safe, avoid any reference to common objects found in households and offices.
- Common phrases: in particular, those pertaining to greeting or getting down to work, such as “Good morning,” “Wake up”, “Hey you” or “Get going.”
- Anything related to your login ID: It’s relatively easy for other people to get your login – don’t let it provide a clue to your password! For instance, if your login is “basset” don’t make your password “doglover.”
- When choosing an ATM PIN, make sure that the (4) numbers you pick spell a word like “Love” (hardly anyone would think of that one… Sorry if I’m giving all your secrets away.)
For bad password management try…
- Put your password on a note and tape it to your monitor. This way an unethical coworker could read and use your account pretending to be you.
- Use the same password everywhere. This way if someone gets into one of your accounts, like an online email account, they could figure out what other services you use and use the same password to access those other services.
- Base your password on something that will change over time, like the date. “MyBrandNewPasswordFor2001” made sense in 2001, but 8 years later you may find yourself trying out all the intervening years.
- Share your password with people who need to “borrow” your account, then don’t change the password even after it may have been discovered.
- Use an unmemorizable password like awnf65ayr8f9as6df584, as nobody will argue that it is not secure. This way you will have to write it down. Maybe in the front cover of your daytimer, or in a file on the desktop called password.txt.
- When you forget your password, you can rely on the “security questions” like what is your favourite colour to recover your password. Choose easy or predictable security questions. In response to “what is your favourite colour?” choose “Blue” rather than Oceanic815.
- Type passwords slowly in full view of those around you.
- Never look around at ATMs for hidden cameras which may be watching the keypad.
- Do not shield the keypad when using your bank card
- Don’t change passwords on electronic door locks with push buttons so the worn buttons can remind you of the numbers in your combination.
- Leave laptop locks and safe combinations “set” so that you can open these items more easily.
There, those should be enough tips to get you started on choosing poor passwords and using them badly. I hope you found this informative despite the tongue in cheek delivery. Watch for an upcoming article on “Choosing and remembering really good passwords”.
Cheers, and safe computing!
Greg.
The Cause of the Credit Crisis Explained in Pictures
February 27, 2009, 6:41 pm
Filed under: Sustainable Living & Social Issues | Tags: banks, corporation, cost benefit, Credit, crisis, government, money, moral, security, social responsibility
There is a really informative video by Jonathan Jarvis at Vimeo which provides an overview of the credit crisis.
If you have found yourself struggling to understand how everything could get so messed up, you might find this video to be quite enlightening.
The Credit Crisis Explained
Check it out: The Crisis of Credit Visualized
Thanks Jonathan for the excellent explanation which was quite easy to listen to!
Useful Portable Apps for Your USB Drive.
February 22, 2009, 1:50 pm
Filed under: lifehacking | Tags: 7-zip, drive, firefox, flash, free, keepass, lifehacking, notepad++, open office, portable apps, rocketdock, security, texter, tool, usb, useful, vlc, xampp
Not only are USB drives now commonplace, but with increasing frequency, applications no longer require installation and can run from those USB drives.
USB drive / USB Key
I got the idea for this post from Cam who observed that KeePass (mentioned previously) was portable. I thought I’d share some portable apps with you that have been really useful.
If you are new to the subject of portable apps, a good place to start learning about them is “portableapps.com”; Wikipedia also has some lists of portable applications to get you started. There are a number of reasons you might want to use portable apps, including:
- You are borrowing someone else’s computer and don’t want to install software
- You are not allowed to install software at work
- You don’t want software to clog up Windows’ registry and slow down your computer
- There is a set of familiar tools you want to use when moving from computer to computer.
- Portable applications that run from your USB drive don’t make changes to your computer’s registry, startup files or hard disk (unless you ask them to).
- Portable apps won’t set themselves up to load when you turn your computer on.
- Sharing your most useful applications is as easy as copying some files
I’ve placed these in order of utility.
Texter – A powerful text replacement utility; we’ve looked at Texter previously
KeePass – Useful for securely storing your passwords We’ve also looked at KeePass previously
Firefox Portable – Run the popular open source browser from your USB key
Notepad++ – Thanks to Darryl for recommending this powerful editor which supports regular expressions and syntax highlighting.
7-zip – A lightweight archiving and compression utility
Open Office – An open source office suite similar to MS Office, which maintains a high level of compatibility with popular office products.
VLC Media player – Is described as a highly portable multimedia player for various audio and video formats; it can play almost anything.
RocketDock – This one is just for fun, but it’s portable, and makes your applications easily accessible.
Xampp – More for dyed-in-the-wool geeks, it is a portable collection of the Apache web server, the PHP scripting language and the MySQL database. All open source and freely available, this is the easiest way to run a web server with web applications and data from your USB key. (Ever think of your USB key as a web server?) Now you can run any PHP/MySQL web app from a computer without installing a thing. (Some assembly required.)
Note: Many of these applications come in non-portable versions, so pay attention to which version you get. (I recommend starting with Portable Applications).
Protecting your privacy on Facebook
Over at AllFaceBook.com there is a great article showing 10 privacy settings every Facebook user should know about.
So if you are like me, and you want to use facebook to stay in touch without having your information used in ways you didn’t expect, this is a good read. For me, the most useful tip was the first, to create “friend lists”. These lists allow you a finer degree of control over who (which friends) sees your information. If you have “work contacts” and “personal friends”, like I do, you can appreciate how you might want to have a bit more control over who can post things on your wall for others to see, etc. It’s all in the article. Enjoy.
Now I’ll just make this comment that these settings protect your information so long as FaceBook is not doing evil private information sharing (selling the information, being careless with their backup tapes etc.) AND it assumes that whoever buys facebook in the future also is not doing evil things, AND it assumes that their servers won’t get hacked and have all the private information stolen and sold on the Internet.
So if you trust FaceBook, and are banking on them not getting badly hacked, these tips should help keep you safe.
Enjoy!
Greg.
Protect your Passwords with KeePass
Remember all your passwords easily by storing them securely in a password safe.
When it comes to password security, we continue to hear about the importance of choosing passwords:
- that are too complex to be guessed
- that are unique from every other password we use
- that aren’t real words or dates or names
And it works great to keep our accounts safe… until WE forget our own password. Then we wish we’d re-used a password, or picked something we could guess. God help us if the account locks itself after 3 wrong tries. I am at the point in my Internet experience where I can’t keep track of all the places I have accounts (never mind my passwords). So I needed a tool to help me, because apparently large amounts of fair-trade coffee aren’t enough to jog my memory.
I needed a place I could keep all my passwords. I needed a password safe. It had to hold passwords, URLs, usernames and comments, give me the ability to organize those passwords in a hierarchy that would make sense, and it needed to be secure lest it fell into the wrong hands. For several years I have used PasswordSafe, which promises Simple & Secure Password Management. It worked great, but I had one problem using it. I could rarely remember which subfolder in the hierarchy contained my entry… I needed search. Enter Keepass. Keepass offers all the above features including “search”: type in some text and it will show every entry in the encrypted Keepass database that matches it.
way better than a post-it note!
I have been absolutely loving Keepass, and as long as I’m disciplined enough to put my passwords in there, they are available to me when I need them. The Keepass website makes this introduction: “KeePass, the free, open source, light-weight and easy-to-use password manager.”
So there was one more problem I needed to address and it was the question of how do I synchronize keepass databases across the multiple computers that I use in a week. I don’t have a magical 5 minutes every time I’m done using a computer to make sure my database is copied correctly. So the fear would be that an old copy overwrites a new copy, or that a password is in one location and not the other location where I need it. (What computer was I sitting at when I signed up for that account?).
To synchronize files, I turned to Dropbox. The promise of Dropbox is that you can “synchronize files online across computers”. On the downside, Dropbox requires you to install some software on your computer which runs at startup (or else there is little point in automatic synchronization). It probably uses more memory than it needs, but hopefully someone on the Dropbox team will be working at reducing that memory footprint further. Essentially you share a folder with yourself via the Dropbox website. Your application checks every so often to see if the file has been updated, and if so, you get the most recent copy. For myself there is no synchronizing via this method at work, in order to respect policies around automated Internet traffic and not installing unsanctioned software. So I have ALMOST solved my problem, right? The rest of the solution is provided by Keepass itself, which has a handy importing feature. You can import from another keepass database into a specified folder, and the passwords themselves have a unique identifier to help make sure that you are truly synching the same password.
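To show why that unique identifier matters when two copies of a database drift apart, here is an added example (mine, not KeePass’s code, and it does not read or write KeePass files): entries from a home copy and a work copy are held as plain in-memory records with a constructed uuid and last-modified time, and a merge keyed by uuid keeps the newer edit of the same entry while adding entries the other copy never saw. A second, naive merge keyed by title is included only to show the collision that uuids avoid.

```python
from dataclasses import dataclass
from datetime import datetime


# Constructed stand-in for entries read out of two copies of a password
# database. Real KeePass entries carry a UUID; the file format itself is
# not handled here (assumption: entries are already in this shape).
@dataclass(frozen=True)
class Entry:
    uuid: str           # stable identifier; survives renames and edits
    title: str
    username: str
    password: str
    url: str
    modified: datetime  # last-edit time, used to decide which copy wins


HOME_COPY = [
    Entry("u1", "Gmail", "greg", "old-gmail-pw", "https://mail.google.com",
          datetime(2009, 2, 1)),
    Entry("u2", "Bank", "greg", "bank-pw", "https://bank.example",
          datetime(2009, 1, 15)),
]
WORK_COPY = [
    # the same entry as u1, with the password changed later at work
    Entry("u1", "Gmail", "greg", "new-gmail-pw", "https://mail.google.com",
          datetime(2009, 3, 1)),
    # a different account that happens to share the title "Gmail"
    Entry("u3", "Gmail", "greg.work", "work-gmail-pw", "https://mail.google.com",
          datetime(2009, 2, 20)),
]


def merge_by_uuid(local, imported):
    """Merge `imported` into `local`, matching entries by uuid.
    The newer `modified` wins; unknown uuids are added; nothing is lost.
    Returns (merged dict keyed by uuid, report of what happened)."""
    merged = {e.uuid: e for e in local}
    report = {"added": [], "updated": [], "kept": []}
    for e in imported:
        current = merged.get(e.uuid)
        if current is None:
            merged[e.uuid] = e
            report["added"].append(e.uuid)
        elif e.modified > current.modified:
            merged[e.uuid] = e
            report["updated"].append(e.uuid)
        else:
            report["kept"].append(e.uuid)
    return merged, report


def merge_by_title(local, imported):
    """The naive alternative, matching on title. Shown only to illustrate
    the problem: two distinct accounts both titled "Gmail" collapse into
    one, and whichever was edited later silently wins."""
    merged = {e.title: e for e in local}
    for e in imported:
        if e.title not in merged or e.modified > merged[e.title].modified:
            merged[e.title] = e
    return merged


if __name__ == "__main__":
    merged, report = merge_by_uuid(HOME_COPY, WORK_COPY)
    for uid, e in sorted(merged.items()):
        print(uid, e.title, e.username, e.modified.date())
    print("report:", report)
    print("title-based merge keeps only",
          len(merge_by_title(HOME_COPY, WORK_COPY)), "entries")
```

The uuid merge ends with three entries (the updated Gmail password, the untouched Bank entry, and the work Gmail account), whereas the title merge quietly drops one of the two “Gmail” accounts, which is exactly the “password is in one location and not the other” failure described above.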
I hope this is helpful, let me know how you make out.
What password strategies work for you?
Greg.
Avoid identity theft
Simple tips for avoiding identity theft as collected over time.
1. PIN- or password-protect your credit cards and bank accounts whenever possible. Don’t use your address, phone number or birthdate as passwords, as these are easy to guess. Never store your PIN (Personal Identification Number) with your card.
2. Do not carry your SIN (social security) card in your wallet or purse. Keep it in a safe place in your home or safety deposit box.
3. Review your bank and credit card statements each month for accuracy, and report any discrepancies quickly.
4. Secure your computer with a firewall. Use up to date virus protection software and malware protection software.
5. Never disclose credit card information or financial details over the phone or Internet to a caller (they initiate the call). Ask for their phone number, and name and then look up the phone number from a reputable resource (the phone book) and ask to speak to the person who called. This assures you they aren’t lying about where they are calling from.
6. Never enter personal or credit card information including passwords and usernames for financial matters on an unsecured website. The URL should start with HTTPS:// and a locked padlock icon should appear if you are on a secured site.
7. Never enter credit card or financial information on a website without assessing who it is (even if the webpage is secured). Look at the URL carefully. Is the company you are dealing with well known? Is there an option for paying without disclosing your information (PayPal for example holds your financial information, but allows you to make payments to third parties).
8. Be aware of the scam named Phishing. This is where you receive an email claiming to be from a bank or other financial company; there will be a link to a fake website that looks like the bank’s, and they will request that you enter a user name and password (which they record and use later to access your “real bank account”). Report phishing immediately to the bank being impersonated.
9. In Canada, report scam letters and phishing attempts to http://www.phonebusters.org
10. Occasionally request your credit report from the credit bureaus Equifax or Transunion to determine if fraudulent accounts have been opened in your name.
11. If you suspect your information has been stolen, act quickly to prevent identity theft by contacting your banks and credit card companies. Keep a record of any conversations and correspondence with creditors and contact the credit bureaus mentioned above to advise them of your situation.
How to avoid and reduce the effects of SPAM
April 15, 2008, 8:47 pm
Filed under: lifehacking | Tags: e-mail, email, filtering, lifehacking, prevention, security, spam, uce, unsolicited commercial email, unwanted
I originally wrote this compilation of tips for my customers at GreenTree. I hope you find some of them helpful.
Unsolicited messages, commonly called “spam,” comprise approximately 50 percent of all e-mail carried on the Internet, according to industry estimates. Respectable businesses will remove your e-mail address from their mailing list if you ask. However, many spammers want to push their offers into as many e-mail boxes as possible and will take any response (even if it’s “REMOVE ME FROM YOUR LIST!”) as encouragement to keep sending out new messages.
Currently, there is no way to ensure a 100 percent spam-free e-mail box. You can make it more difficult for spammers to get your e-mail address, however. There are also steps you can take when unwanted e-mail does arrive in your mailbox. Plus you can ask your Internet Service Provider (ISP) and other organizations to help you identify a spam mail’s origins. You can use that information to try to block future mailings from known spammers.
Here are some tips to help prevent spam from filling your e-mail box:
- Avoid posting your e-mail address in public. Many spammers buy e-mail address lists from brokers who compile their lists by harvesting addresses from Internet newsgroup postings, Web sites, chat rooms, membership directories for online services, and other sources.
- Alter your e-mail address before posting it publicly. List brokers do their harvesting with computer programs that scan Web pages and newsgroups in search of e-mail addresses. You might be able to foil these harvesting programs by altering your posted e-mail address in an obvious way, such as changing joesmith@mail.com to joeH8SJUNKMAILsmith@mail.com. Most humans will know to remove H8SJUNKMAIL from the address before they use it, but computer programs will not.
- Never respond to a spam e-mail, even to unsubscribe. The e-mail message may include instructions on how to remove your address from the organization’s list, such as telling you to reply with REMOVE in the subject line or to call a phone number. However, many spammers do this only to try to confirm that they have reached a real person’s e-mail account. Unless you are unsubscribing from a distribution list that you signed up for or you know the sender of the message, it is safer to discard the message without responding.
- Create an alternate e-mail address to use on the Internet. Your primary e-mail address should only be given to friends, family, business contacts, and other people whom you know. Consider setting up a second e-mail address to use when filling out information requests, applications for special offers, and other forms on the Web.
- Apply for a free Yahoo or Hotmail account to use as a “spam sink”. Gmail (www.gmail.com) does a very good job of filtering spam, with perhaps 1 in 100 spams showing up in your inbox.
- Set up filters to block known spammers’ messages. Many e-mail programs offer a “filter” option that you can use to automatically send junk and adult-content mail to a specified folder (or the trash). Many programs will allow you to filter on e-mail names as well. To ensure you do not accidentally throw away mail from friends and family, consider creating a “junk mail” folder for your filtered messages. Be sure to check the folder before you empty it.
- Use the junk e-mail filters in your email program.
- Consider reporting spammers to ISPs, e-mail providers, and the Federal Trade Commission (FTC). Most Internet Service Providers (ISPs) and account providers have a complaint address for e-mail issues. If you get unwanted mail, look at the return address. The ISP name should be in the middle (between the “@” sign and the designator, e.g., “.com”). Forward a copy of the spam mail to the ISP’s complaint address. Most providers will take steps to eliminate spammers from their system. In addition, send a copy of any deceptive or unwanted mail to the FTC at uce@ftc.gov. The FTC uses its database of unsolicited messages to pursue law-enforcement actions against senders of spam. (The FTC can only take action against spammers based in the U.S.)
- Review all user agreements. When signing up for Web-based services such as online banking, shopping, or online newsletters, you should carefully review the corresponding user agreements to assure yourself that your e-mail address will not be shared with other organizations.
- Don’t participate in email chain letters or pyramid schemes. Bill Gates is not going to pay you for sending junk email to your friends and family, and neither is the Gap going to give you free clothes. Internet “snowball fights” and other forms of chain emails are unwelcome on the net, and irritate most people who receive them. The same can be said for the “guilt letter” where you are required to pass on an email or you are a terrible person for caring so little about the mentioned issue.
- Use the BCC (Blind Carbon Copy) field in your email program if you have to send an email to several people. This prevents everyone’s email address from being listed in the “To” field where all the recipients can see it. This becomes critical when the email is likely to be “forwarded on”, as in the case of a joke or other ‘interesting’ email. While you know the people you are emailing, they don’t all know each other, or necessarily want the others to see their email address.
- Don’t forward emails to others without first “cleaning” the email up by removing the previous senders’ and recipients’ email addresses. This prevents their addresses from being distributed beyond the people they know.
- Consider the use of spam filtering software like “SpamBayes” or “MailWasher” to handle spam before it gets to your inbox.
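Three of the tips above are mechanical enough to script: pulling the provider’s domain out of a spam message’s return address so you know where to send the complaint, putting many recipients in BCC, and scrubbing earlier senders’ and recipients’ addresses out of a message before forwarding it. The following is an added example of mine, not part of the original tips: it uses Python’s standard email library on a constructed sample message with made-up domains, and it assumes the provider accepts complaints at abuse@ followed by its domain (the conventional mailbox name; check the provider’s site for its actual complaint address). The uce@ftc.gov address is the one given in the tips.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample spam; the sender domain is a placeholder, not a real provider.
SAMPLE_SPAM = (
    "From: \"Great Offers\" <deals@spam-sender.example>\n"
    "To: greg@example.org\n"
    "Subject: Act now!\n"
    "\n"
    "Reply with REMOVE to unsubscribe.\n"
)

FTC_ADDRESS = "uce@ftc.gov"  # reporting address from the tips above


def sender_domain(raw_message):
    """Return the part after the '@' in the From header (the provider the
    tips say to complain to), or None if there is no usable address."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def complaint_address(domain):
    """Assumption: abuse@<domain> is the provider's complaint mailbox."""
    return f"abuse@{domain}"


def build_report(raw_spam, reporter):
    """Compose the forward to the provider's complaint address and the FTC,
    keeping the original message (headers included) intact in the body,
    since the report needs those addresses."""
    domain = sender_domain(raw_spam)
    recipients = [FTC_ADDRESS]
    if domain:
        recipients.insert(0, complaint_address(domain))
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = ", ".join(recipients)
    report["Subject"] = "Unsolicited e-mail report"
    report.set_content("Forwarded unsolicited message follows:\n\n" + raw_spam)
    return report


# Matches ordinary user@host.tld addresses in free text.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_addresses(text, placeholder="[address removed]"):
    """Remove e-mail addresses from quoted text before forwarding it on."""
    return ADDRESS_RE.sub(placeholder, text)


def forward_to_friends(body, sender, friends):
    """Forward something to several people without exposing their addresses
    to each other: recipients go in Bcc, and the body is scrubbed first."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the visible To is just yourself
    msg["Bcc"] = ", ".join(friends)
    msg["Subject"] = "Fwd: something interesting"
    msg.set_content(scrub_addresses(body))
    return msg


if __name__ == "__main__":
    print(build_report(SAMPLE_SPAM, "greg@example.org"))
    joke = "From earlier: alice@example.net wrote to bob@example.com: ha!"
    print(forward_to_friends(joke, "greg@example.org",
                             ["a@example.net", "b@example.com"]))
```

Note the two functions deliberately treat addresses differently: the complaint forward keeps the spammer’s headers because the provider needs them, while the friend forward strips every address it finds because none of them is needed by the next reader.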
Spam appears to be here to stay, at least for now. Taking these steps can help you reduce your exposure to this online nuisance, however. If you have more spam-fighting strategies, I’d love to hear your ideas! Send me a message with your idea.
Know somebody who would benefit from some of the email “best practices” on this page? Send them the address and ask them to check it out.