As we go through our day to day lives we subscribe to more and more online services, services that provide us with rich content and material that enhance our lives.
We no longer need to visit our bank branch, or even the nearest ATM, to find out our latest bank balance; we can just sign in to our online banking service and, voila, all of our account details are at our fingertips.
We sign up to a gaming site, a motor club, or a basket-weaving site, and the chances are we will reuse a username and password that we have already used for other sites. This is human nature: you don't want to go to the trouble of thinking of, and then remembering, a new password. Beware! Here be dragons!
Once you have created a username and password for a site, depending on how those credentials are stored (plain text, or a weak hash that is quick to reverse), anyone who gains access to the credential store, including uninvited access by a hacker, potentially holds the keys to every site where you use those same credentials. All they have to do is try the keys in the lock.
If a thief steals your front door keys but does not know your house number, they may walk along your street trying the key in each door. Very quickly suspicion would be aroused, and the likelihood is that they would be talking to local law enforcement within a short time.
A computer credential thief has no such problem. The thief may be sitting in their comfortable lounge with a laptop, feeding your credentials into websites in the hope that the keys fit the lock, or drinking coffee while a program does it for them, either on their own computer or on many malware-infected computers that they control over the internet (a botnet). There is no physical activity to arouse suspicion, and their activity may go unnoticed. This automated replay of leaked credentials against other sites is known as credential stuffing.
Once one account that belongs to you is compromised it is very possible that others will follow, and once enough accounts are in the thief's hands identity theft becomes a possibility.
So how can we counter this threat?
There are a number of practices we should use to mitigate these risks; most involve common sense.
First and most importantly, do not disclose your password to anyone, personal or corporate. A well-run IT department should not need it, but if you absolutely have to disclose your password, make sure you change it once they have completed their task.
Keep track of the accounts you create, in a spreadsheet, a notebook, or any other way you like. An account that is created and then forgotten about is an ideal target for a thief, because nobody is watching its activity. If you no longer use an account, consider deleting or disabling it.
Change your passwords from time to time, and always straight away if you hear that a site you use has been breached. Regular rotation is considered inconvenient, and current guidance (NIST SP 800-63B) no longer requires it on a fixed schedule, but the underlying point stands: if your account is compromised, the sooner the password changes the less time the thief has access, limiting the damage they can do. When you do change a password, pick a genuinely new one rather than adding a digit to the old one.
Do not write your password down where others can see it. In corporate environments it is often very easy to walk around an office and gain access to systems just by looking for post-it notes stuck to screens or desks. If you do this you are inviting someone to walk away with your keys; how long does it take to photograph your credentials with a mobile phone?
So what constitutes a good password?
The most secure passwords are random complex passwords, for example ^*(64/5#34g@wbt, which was generated by pressing random keys on the keyboard. By their very nature random complex passwords can be extremely difficult to remember, but they are very secure because it would take a very long time to guess such a password, even using automation. (A password generator that uses a proper random number source is better still, since fingers on a keyboard are less random than they feel.)
So how can we create passwords that are both secure, and are easy to remember?
Well, here are a few ideas for generating good passwords. First think of a few words that mean something to you; for example, your mother's maiden name is Smith, your daughter's name is Grace, you live at number 29 and your favourite food is apple.
You should not use a single dictionary word or name on its own as a password. For example, market is not a good password; combining two words such as appleSmith is better.
Using numbers in your passwords makes them harder to guess, so appleSmith becomes apple29Smith, which adds more complexity.
Introducing substitutions adds to the complexity, so say swap 4 for a and 3 for e: apple29Smith becomes 4ppl329Smith.
Reversing the spelling of one of the words adds yet more complexity, so 4ppl329Smith becomes 4ppl329htimS. This is now a complex password that still means something to us. Bear in mind, though, that letter-for-digit substitutions and reversals are standard rules in password-cracking tools, and a maiden name, a child's name or a house number can often be found out, so the real strength comes from the length and from choosing words an attacker would not associate with you.
One other thing to consider is that, in general, the longer a password is the more secure it is; adding length does more for you than adding substitutions.
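To put numbers on the recipe above, here is an added example (not code from the original article) that enumerates every password the word + number + substitution + reversal recipe can produce from the article's own words, and compares the size of that search space with a keyboard-mashed random password. The substitution table beyond a and e, the 10,000-word attacker word list and the guess rate of 1e10 per second are illustrative assumptions, not figures from the article.

```python
"""Added example (not from the original article): how much searching the
word + number + substitution + reversal recipe really forces on an attacker,
compared with a random password of printable characters.

Assumptions (not from the article): the attacker knows the recipe and has a
word list of names and common words; the extra substitutions, the
10,000-word list size and the 1e10 guesses/second rate are illustrative.
"""
import math
import secrets
import string

# 94 printable ASCII characters: what "random keys on the keyboard" can produce.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Substitution table; the article uses a->4 and e->3, the rest are common extras.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def random_password(length: int = 15) -> str:
    """A password like the article's ^*(64/5#34g@wbt, but from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits an attacker must search for a uniformly random password."""
    return length * math.log2(alphabet_size)


def substitutions(word: str, table: dict = LEET) -> set:
    """Every variant of word where each letter in the table is either
    swapped everywhere (both cases) or left alone."""
    letters = [c for c in table if c in word.lower()]
    variants = set()
    for mask in range(1 << len(letters)):
        w = word
        for i, c in enumerate(letters):
            if mask >> i & 1:
                w = w.replace(c, table[c]).replace(c.upper(), table[c])
        variants.add(w)
    return variants


def recipe_candidates(words, numbers, table: dict = LEET) -> set:
    """Enumerate every password the recipe can build from the given words:
    word1 + number + word2, any subset of substitutions, either word
    optionally reversed. A cracker's rule set does exactly this at scale."""
    found = set()
    for w1 in words:
        for w2 in words:
            if w1 == w2:  # the recipe combines two different words
                continue
            for v1 in substitutions(w1, table):
                for v2 in substitutions(w2, table):
                    for r1 in (v1, v1[::-1]):
                        for r2 in (v2, v2[::-1]):
                            for n in numbers:
                                found.add(f"{r1}{n}{r2}")
    return found


def recipe_space_bits(n_words: int, n_numbers: int, n_subs: int = len(LEET)) -> float:
    """Upper bound on the recipe's search space, in bits: ordered pair of
    distinct words x number x subset of substitutions x reversal choices."""
    return math.log2(n_words * (n_words - 1) * n_numbers * 2 ** n_subs * 4)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole space at an assumed (illustrative) guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # Words taken from the article's example; the list itself is constructed here.
    article_words = ["apple", "Smith", "Grace"]
    cands = recipe_candidates(article_words, range(100))
    print("4ppl329htimS reachable from the recipe:", "4ppl329htimS" in cands)
    print(f"candidates from 3 words: {len(cands)}")
    bits = recipe_space_bits(10_000, 100)
    print(f"recipe with a 10,000-word list: {bits:.1f} bits, "
          f"{seconds_to_exhaust(bits):.0f} s to exhaust")
    rbits = random_entropy_bits(15)
    print(f"15 random printable chars: {rbits:.1f} bits, "
          f"{seconds_to_exhaust(rbits) / 3.15e7:.2e} years to exhaust")
    print("example random password:", random_password())
```

With the article's three words and house numbers 0 to 99 the whole recipe space, 4ppl329htimS included, is a few tens of thousands of guesses. Even granting the attacker a 10,000-word list the recipe tops out at roughly 40 bits, a couple of minutes at the assumed rate, while 15 random printable characters come to about 98 bits. The substitution and reversal rules are what give the recipe its small, enumerable structure; length and unguessable words are what push it out of reach.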
But we have lots of different accounts, so how do we protect ourselves and still easily remember our complex passwords?
A good method of password protection is account password grading. Grading is a method of splitting accounts into groups and assigning passwords to those groups.
Grade one accounts are bank accounts, your main email account (it can be used to reset the passwords of most of your other accounts), or any account that could be used to legitimately identify you. For example, an account with a power supplier could be used to generate a letter or bill that could be used as proof of identity when applying for a credit card. For these types of account use a very complex, unique password: one password for each account that you do not use anywhere else.
Grade two accounts are accounts whose security you would place value on, for instance any site which stores credit/debit card payment information; your online home delivery supermarket is a good example. If this type of account were breached you could be at risk of immediate financial loss. For grade two accounts use a single complex password, or, if you want to be more secure, split your grade two accounts into groups and assign each group its own password.
Grade three accounts are those that could damage your reputation if compromised, such as internet forums, Facebook, Twitter, MySpace and so on. For grade three accounts use a single complex password which is different from the grade two password(s).
Grade four accounts are any other accounts that carry no significant information. Grade four accounts should be protected with a single complex password that is different from your grade two and three passwords.
So we now have all of our accounts protected using a handful of shared complex passwords (around six) plus a unique password for each grade one account.
If you really can't remember your passwords, store your graded passwords in one location (a password-protected spreadsheet, maybe?) and your account usernames, along with their grading, in a separate location (another password-protected spreadsheet, or a notebook?). A dedicated password manager does this job more safely than a spreadsheet and can generate random passwords for you as well.
If you’d like help with your password security please contact Crimson IT