During the past week, a couple of my professional colleagues have had their passwords compromised -- and now have a real mess to clean up.
A few years ago, I came across an excellent blog post on how passwords get cracked, and on how clever password creation and management make that harder, by John P. of One Man's Blog: "How I'd hack your weak passwords."
In that post, John gives excellent advice on creating passwords that are difficult for attackers to crack or exploit. One of his best pieces of advice is:
Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8-character password from 2.4 days to 2.1 centuries.
And here is his chart to prove it. Look at the degree of difficulty you can achieve simply by choosing passwords well -- that is, by making every password in your password database meet a certain length and use a mix of character types.
Simply by creating passwords of more than 10 characters and mixing upper and lowercase letters, you can make attackers work for almost two millennia to break the passwords in your password database! If your passwords don't meet this requirement, go read John's original post and get the fear of God and the importance of password creation and password management into your system. If you heed his words, you will save yourself a lot of misery. Trust me.
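To make the length-versus-alphabet trade-off concrete, here is a small Python estimator. It is an added example, not code from John's post or from this blog: it classifies the characters a password actually uses, sizes the alphabet an attacker would have to cover, and converts the keyspace into a worst-case exhaustive-search time at an assumed guess rate (1,000,000 guesses per second, chosen for this example; real attackers with GPUs or a leaked hash file can be far faster). The character-class sizes are this example's assumptions for printable ASCII, not the exact sets behind John's chart.

```python
import math
import string

# Character-class sizes for printable ASCII. These are this example's
# assumptions, not the exact character sets behind John's chart.
CLASS_SIZES = {
    "lower": 26,    # a-z
    "upper": 26,    # A-Z
    "digit": 10,    # 0-9
    "special": 32,  # printable ASCII punctuation (string.punctuation)
}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def character_classes(password: str) -> set:
    """Return the set of character classes a password actually uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
        else:
            # This example only models printable ASCII passwords.
            raise ValueError(f"unsupported character: {ch!r}")
    return classes


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover: the sum of the classes the password uses."""
    return sum(CLASS_SIZES[c] for c in character_classes(password))


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of the given length over the alphabet."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet)


def exhaustive_search_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate at the assumed guess rate (worst case for the attacker)."""
    return keyspace(alphabet, length) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    if seconds < 100 * SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    return f"{seconds / (100 * SECONDS_PER_YEAR):.1f} centuries"


def estimate(password: str, guesses_per_second: float = 1_000_000) -> dict:
    """Worst-case brute-force estimate for one password at an assumed guess rate.

    This is an upper bound: a password built from a name or dictionary word
    falls to a dictionary attack long before the keyspace is exhausted.
    """
    size = alphabet_size(password)
    secs = exhaustive_search_seconds(size, len(password), guesses_per_second)
    return {
        "length": len(password),
        "alphabet_size": size,
        "entropy_bits": round(entropy_bits(size, len(password)), 1),
        "exhaustive_search": describe(secs),
    }


if __name__ == "__main__":
    # Constructed sample passwords, including the post's own "model T Ford" variants.
    for pw in ["modeltford", "m0d3ltfOrd", "Mod3lTF0rd!", "modeltfordmodeltford"]:
        print(f"{pw:22} {estimate(pw)}")
```

Running the script shows the two levers separately: widening the alphabet from 26 to 62 or 94 characters multiplies the search time by a constant per position, while adding characters multiplies it by the whole alphabet size per extra character, which is why the long all-lowercase phrase comes out ahead of the short substituted one. The estimate is deliberately the attacker's worst case; as the advice below about names and dictionary words says, a guessable base word is found far sooner than an exhaustive search would suggest.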
Some of his other excellent hints about creating and managing passwords include:
- When creating passwords, randomly substitute numbers for letters that look similar: the letter 'o' becomes the number '0' or, even better, an '@' or '*' or 'O'. (e.g. – m0d3ltfOrd… like modelTford)
- Randomly throw in capital letters when creating passwords (e.g. – Mod3lTF0rd)
- Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in a dictionary will fail under a simple dictionary attack or brute force attack.
- Maybe create a password using the name of a place you loved, a specific car, an attraction from a vacation, or a favorite restaurant -- or a combination of names (with numbers and characters).
- You really need to have a different username / password combination for everything in your password database. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere. Vigilant password management is important!
- Since it can be difficult to remember a ton of passwords, John recommends using Roboform for Windows users. It will store all of your passwords in an encrypted format in your password database and allow you to use just one master password to access all of them. It will also automatically fill in forms on websites, and you can even get versions that allow you to take your password list with you on your PDA, phone, smartphone or a USB key. If you’d like to download it without having to navigate their website here is the direct download link. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
- Make your master password that you use on your computer different and unique from any others.
- Use password extensions for the major browsers (Google Chrome, Apple's Safari, Mozilla Firefox, Opera, etc.) to help remember and secure passwords. They make password management easier by maintaining your password database and providing password storage.
- Be sure to activate the login / logout feature on your computer and the lock / unlock screen feature on your smartphone as an additional line of defense.
- If you're a Mac OS user, become familiar with the keychain feature and iCloud to help synchronize your password database on all your devices: desktop computers, laptop computers, iPhones, iPods and iPads -- and whatever new devices Apple is planning.
When it comes to password applications and password software, John recommends the 1Password software program. There are 1Password extensions available for Google Chrome, Safari, Mozilla Firefox and other browsers. It is available for Windows, Mac OS and smartphones such as the iPhone, Android, etc.
I can also recommend the SplashID password software program -- which works on Windows, Mac OS and a variety of smartphone (including iPhone and Android) and PDA platforms -- and have been very pleased with it.
There are also ways to set up either 1Password or SplashID to work with Dropbox or other cloud storage and file sharing apps, so that the app syncs across all your devices -- desktop computers, laptop computers, smartphones (iPhone and Android) and tablets like iPads.
Last, but not least, DO NOT share your passwords with anyone -- not even your nearest and dearest. But DO leave a list of passwords with your important documents such as a will so that your accounts can be deactivated by your executor (or his/her representative) in the event of your demise.
Some day you'll thank me for sharing this.