Most people use the same one or two passwords for everything, and rarely change them. This means that if someone gets your password once, you could lose it all. Just earlier this year one of my friends had multiple accounts hacked by a nameless enemy.
Think you're careful enough that no one else will get your password? Think again! I don't know how many times I've seen people fail to log out of their accounts on shared computers in my department.
10 ways that someone could get your password:
- Guessing!
- You told them, or someone they know.
- They got into your email (you didn't log out, or they had that one password) and found the rest of your passwords sitting in messages emailed to you. Unfortunately, many websites email your password to you in plain text after you register.
- They found it stored on your computer (or written down) either just by being nosey, or doing a search on the contents of your files.
- There was a keystroke logger on the computer you used to sign in. A keystroke logger records every key you type. This is a danger when you are traveling, using a shared computer at school, the library, at work, at a friend's house, or even in your own home (wife suspicious?). Keystroke loggers hide in the background and you will probably not notice they are there. Some keystroke loggers are not software at all: a hardware logger plugs in between the keyboard and the computer.
- They have a program that reveals what's behind the ******'s saved in your browser.
- They intercepted your internet traffic, over which you send your password in plain text whenever you log into a site that isn't using HTTPS (don't see the lock icon in the browser? then it's not being encrypted). This is a particular risk when you access the internet over an open or unsecured wireless connection.
- They are a site administrator with ill intentions. Most sites you register at will store a hash of your password (commonly MD5) instead of the password itself, but as a developer I know that sites can easily be set up to store passwords as plain text. Also, an unsalted MD5 hash is not secure: MD5 is fast, and the hash of any common password can be looked up in a precomputed table.
- They used a password cracker. Websites that tell you to make your passwords long and include unusual characters are trying to prevent this.
- Maybe more...? Okay, so that was only 9.
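To show why "most sites use MD5" is weaker than it sounds, here is an added example (not code from the original post) that builds a small lookup table against unsalted MD5 hashes and then stores the same password with a random salt and a slow key-derivation function (PBKDF2, which ships in Python's standard library). The wordlist and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for an attacker's dictionary of common passwords (sample data).
COMMON_WORDS = ["letmein", "password", "qwerty", "123456", "ChzB3rgr!"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password: the scheme the post says most sites used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_md5(stored_hash: str, wordlist) -> Optional[str]:
    """Hash every guess once and match it against the stored hash.

    Because there is no salt, two users with the same password share one hash,
    and one precomputed table cracks the database of every site using plain MD5.
    """
    table = {md5_hex(word): word for word in wordlist}
    return table.get(stored_hash)


def store_salted(password: str, iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest).

    The random per-user salt defeats precomputed tables; the iteration count
    makes each guess expensive, so a password cracker needs far more time.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    leaked = md5_hex("password")
    print("unsalted MD5 of 'password':", leaked)
    print("table lookup finds:", crack_unsalted_md5(leaked, COMMON_WORDS))
    salt, digest = store_salted("password")
    print("salted digest verifies:", verify_salted("password", salt, digest))
```

Salting only stops the table lookup; it does not rescue a weak password from a targeted guessing attack, which is why the advice below about choosing long, varied passwords still applies on top of whatever the site does.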
What should you do?
- Change your passwords regularly (I do mine once a year)
- Always log out of your accounts when you use a shared computer. Even if it is an unimportant site, someone could change the email address on the account and then request a forgotten password.
- At the very least, use a different password for important sites (bank accounts) than for sites you care less about. I use a different password for almost every website. Sound way too complicated and annoying? Read my note below on password algorithms.
- Search your email for your password(s) and see what comes up. You may be surprised! Delete these emails, or if you want to save them then forward them to yourself with the password removed.
- Search your computer for your password(s) and see what comes up. Make sure the search looks inside the contents of files, not just at file names. A search like this may also turn up the log file of a keystroke logger, but don't count on it: many loggers hide or encrypt their logs.
- Choose good passwords. Longer passwords, and passwords that are unpredictable and use a variety of characters (uppercase, lowercase, numbers, punctuation), take exponentially longer to crack: every extra character multiplies the number of guesses an attacker has to try by the size of the character set.
- Check for back doors. A site I was recently working on got hacked twice because the first time the hackers created back doors. This could be as simple as setting up email forwarding to another account (or POP3 access), so that when they request a forgotten password they get the email too! If you have been hacked, also make sure the email addresses on your accounts haven't been changed. If your bank offers alerts for certain types of activity, take advantage of them!
- Don't use your normal password for shared accounts (like if you share Netflix). Make up something completely different.
Some sites have a feature that lets you see the last activity on your account, like online banking accounts, and now Gmail! In Gmail, you can even see the IP addresses from which your account was accessed. If you are concerned, check this periodically for any suspicious activity.
Password algorithms
Want to be uber paranoid and have a different password for every site? Heh. It sounds like such a pain, but it doesn't have to be! I actually think this is easier than memorizing a handful of passwords.
- Choose a good "root" password.* Like ChzB3rgr!
*Many sites don't allow punctuation, and some sites don't allow passwords with more than 8 characters. Keep this in mind when you choose a root password.
- Choose an algorithm or "codes" based on the website, or on other things like the year, to add to the beginning or the end of the password. Make them easy to remember and difficult to figure out.
Be creative!
For example, add SC to the beginning of your bank account (secure) passwords. Or YUM! or whatever. Add 9 to the end of your passwords for the year 2009. Or 18 for 9x2. To make it different for every site, maybe choose the first two letters (or the last two, the first and last, or the letter in the alphabet after the second letter) of the website's name. Be careful with this, because sites often have logins through third parties or subdomains, and you want to remember which name you took the letters from.
So for Gmail, your password could be 18ChzB3rgr!I
ChzB3rgr! as a root password
9x2 = 18 as a prefix to represent passwords for this year, 2009
I, two letters in the alphabet after the letter G (first letter of Gmail) as a suffix
Or even 18YummyI - now that wasn't too hard was it?
Use the same algorithm for all of your passwords. I know this example sounds complicated, but you can make it as simple or as complicated as you want. Even YummyG9 works (root=Yummy, then G for Gmail and 9 for 2009 added as suffixes), although it is easier to figure out. The catch with any scheme like this is that the root is shared: if one site stores your password in plain text and leaks it, anyone who guesses the pattern can work out your password for every other site, so keep the codes non-obvious and still give your most important accounts a password that follows no pattern at all. Even so, this is much easier and more secure than remembering 20 different passwords!
If you have as many different accounts as I do, you would spend forever changing all of your passwords at once. If you do this every year, you can do it over time, because you know the password will be either the old algorithm's or the new one's. Try them both, and if it's the old one, change it once you're logged in.
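The derivation described above, written out as an added example (my code, not the post author's): the 9x2 year prefix, the root, and a suffix two letters past the site's initial, plus the two-candidate lookup for the annual rollover. It also includes a recover_root function to make the trade-off concrete: once a single password and the pattern are known, every other site's password follows. The scheme details (last digit of the year times two, shift of two letters, wrapping at Z) are my reading of the post's Gmail example.

```python
from typing import List, Optional


def letter_shift(ch: str, n: int) -> str:
    """Move a letter n places forward in the alphabet, wrapping Z back to A."""
    base = ord("A")
    return chr(base + (ord(ch.upper()) - base + n) % 26)


def year_code(year: int) -> str:
    """The post's year code: last digit of the year times two (2009 -> 9 -> 18)."""
    return str((year % 10) * 2)


def site_password(root: str, site: str, year: int, shift: int = 2) -> str:
    """prefix (year code) + root + suffix (site initial shifted forward)."""
    return year_code(year) + root + letter_shift(site[0], shift)


def candidates(root: str, site: str, year: int, shift: int = 2) -> List[str]:
    """During the yearly rollover a site may still hold last year's password: try both."""
    return [site_password(root, site, year, shift), site_password(root, site, year - 1, shift)]


def recover_root(leaked: str, site: str, year: int, shift: int = 2) -> Optional[str]:
    """What an attacker does with one leaked password and a guess at the pattern.

    Strips the year prefix and the site suffix; returns None if the guess
    does not fit, otherwise the shared root that unlocks every other site.
    """
    prefix, suffix = year_code(year), letter_shift(site[0], shift)
    if not (leaked.startswith(prefix) and leaked.endswith(suffix)):
        return None
    root = leaked[len(prefix):len(leaked) - len(suffix)]
    return root or None


if __name__ == "__main__":
    print("Gmail 2009:", site_password("ChzB3rgr!", "Gmail", 2009))
    print("rollover candidates:", candidates("ChzB3rgr!", "Gmail", 2009))
    root = recover_root("18ChzB3rgr!I", "Gmail", 2009)
    print("recovered root:", root)
    if root:
        print("attacker's guess for Facebook:", site_password(root, "Facebook", 2009))
```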