Your password stinks

Okay, your password might not stink. But it probably stinks, since most people have rotten, foul, shouldn’t-ever-be-used passwords.

Passwords aren’t fun, but until SQRL is ready you’ll need to use them. There are some super-basic rules about creating passwords that you really shouldn’t break.

Make your password unique

This is the hardest one to do, although it’s easy to understand. Don’t use the same password for more than one service.

Why not?

Suppose you have a Facebook account and an account with another service, SociallyInsecure.ca (I just made that up, and the domain isn’t registered, so feel free to grab it). SociallyInsecure.ca has a security breach (imagine) and your email address and password are now in the hands of nefarious cybernasties.

What do the cybervillains do? They head immediately over to Facebook.com to see if your email address and password from SociallyInsecure.ca will log them into your Facebook account.

Now the bad guys can read your stuff and impersonate you.

And since you used the same password for your email, they get access to all your other services too, by using the “forgot my password” links.

You could have prevented this by using a different password for each service.

Change any password someone else gave you

Often your initial password is given to you by a person or server. Change it. Otherwise, it’s possible someone knows it, or it’s printed out on a master password list somewhere. Don’t tempt anyone to use it.

Don’t use a word for a password

Those are easy to guess, and the cybercrooks try them first. Capitalizing the first letter isn’t much of a barrier either. Don’t use a word, especially monkey.

Don’t use something people will guess

Don’t use “amazon” for your Amazon.com password. Don’t use the names of your spouse or kids or dog or workplace or anything about you or the site you’re visiting.

Use a long password

Like, really long. Try more than the 8-character minimum that most services require. Try 10 characters, or 12. It takes a second longer to type it in, but it takes centuries longer for the cyberjerks to figure out.

Use multiple character types

Easy passwords use all lowercase letters, or maybe they start with an uppercase letter. Some services require a capital letter and a number, so people use things like Monkey1. Mix it up a little more than that, and include “special characters” like punctuation.

What’s a good password?

I can’t tell you a specific good password, because then it won’t be good. But here’s the sort of thing you’re looking for:

u1is4$kK5H

Urgh…

That’s a good type of password, because

  • it’s not a word
  • it’s not guessable based on what you know about me or where I’m going
  • it has lowercase and uppercase letters, digits, and symbols
  • it’s long (10 characters)

I can’t remember one of those for every service I use

You might not be able to remember dozens of those passwords (and so you’re tempted to write them down – don’t do it!), but you can remember one. So memorize it, then set up a password system for yourself using the password you memorized as a base password.

For example, maybe you modify that password based on the site you’re going to. Suppose you want a password for Amazon.com. Mix something from Amazon with something from your base password:

Amazon

u1mais4$kK5H

I took the second and third letters of Amazon (m and a) and inserted them after the first two characters of the base password.

How about for Facebook?

Facebook

u1acis4$kK5H

If you can remember the base password, you get a (nearly) unique password for each site without having to write it down.

Don’t use this exact algorithm. Come up with your own that you can remember and that you’re comfortable with.
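As an added example (not part of the original post), here is a small Python script that applies the post's scheme to the base password quoted above and checks the resulting passwords against the rules listed earlier: length, character types, common words like "monkey", and nothing taken from the site name. The common-password list is a constructed stand-in for a real wordlist, and the extra site names (Twitter, Twitch) are assumptions chosen to show why the post says the result is only "(nearly)" unique: two sites that share their second and third letters get the same derived password.

```python
import string

# Base password quoted in the post; the scheme below is the post's own worked example.
BASE_PASSWORD = "u1is4$kK5H"

# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "monkey", "123456", "qwerty", "letmein"}


def derive_site_password(base, site):
    """The post's scheme: insert the 2nd and 3rd letters of the site name
    (lowercased) after the first two characters of the base password."""
    if len(site) < 3:
        raise ValueError("site name needs at least three letters")
    infix = site[1:3].lower()
    return base[:2] + infix + base[2:]


def find_collisions(base, sites):
    """Return {derived_password: [sites]} for every derived password that more
    than one site shares; this is the '(nearly) unique' caveat made concrete."""
    seen = {}
    for site in sites:
        seen.setdefault(derive_site_password(base, site), []).append(site)
    return {pw: names for pw, names in seen.items() if len(names) > 1}


def check_password(pw, site=None, min_len=10):
    """Return the list of the post's rules that `pw` breaks (empty list = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [
        ("lowercase letter", string.ascii_lowercase),
        ("uppercase letter", string.ascii_uppercase),
        ("digit", string.digits),
        ("symbol", string.punctuation),
    ]
    for name, alphabet in classes:
        if not any(c in alphabet for c in pw):
            problems.append(f"no {name}")
    # "Monkey1" is still "monkey": ignore capitalisation and trailing digits
    # before comparing against the common list.
    stripped = pw.lower().rstrip(string.digits)
    if pw.lower() in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("a common word or number sequence")
    if site and site.lower() in pw.lower():
        problems.append("contains the site name")
    return problems


if __name__ == "__main__":
    for site in ("Amazon", "Facebook"):
        pw = derive_site_password(BASE_PASSWORD, site)
        print(f"{site:9} -> {pw}  problems: {check_password(pw, site) or 'none'}")
    print("collisions:", find_collisions(BASE_PASSWORD, ["Amazon", "Facebook", "Twitter", "Twitch"]))
    for weak in ("Monkey1", "amazon123"):
        print(f"{weak!r} breaks: {check_password(weak, 'Amazon')}")
```

Running it reproduces the two passwords shown above for Amazon and Facebook, reports that both pass every rule, and shows that Twitter and Twitch would collide under this particular scheme, which is one reason to design your own variation rather than copy this one.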

But stop writing stinky passwords on a sticky note on your laptop.


Checking for server certificate revocation in Google Chrome Post-Heartbleed

By now you’ve heard about Heartbleed. If not, go check these links out:

Once you have changed your pants, you should enable a check for server certificate revocation in Google Chrome and any other browsers you use, since a bazillion certificates need to be revoked right now. Here’s a quick how-to for Chrome.

Open Chrome’s “hamburger menu” and choose “Settings”:

[Screenshot: How to access Chrome's settings]

Scroll to the bottom and click “Show advanced settings…”:

[Screenshot: Where to find Chrome's Advanced Settings]

Scroll again and check the box beside “Check for server certificate revocation”:

[Screenshot: How to enable Chrome's check for server certificate revocation]

This makes Chrome check whether a site’s certificate has actually been revoked, rather than assuming no news is good news.


#NaPoWriMo for April 1 – “Passwords”

Your password isn’t very tough;
A simple, brute force try’s enough.
The hackers don’t need fancy tricks:
You use 123456.

Your password’s used more than one time?
Come on, that’s practic’lly a crime!
If just one site is compromised
All your accounts are jeopardized.

Use passwords only one time each.
Lessen the cost of any breach.
We’ve learned from Sony, LinkedIn and
Adobe that it will happen.

NaPoWriMo – April 7 – “Secure Your Site”

Web 2.0 tools
Aren’t written by fools
But they’ve problems, I’m sorry to tell.
They aren’t all secure
And I won’t endure
A connection that’s not SSL.
It’s easy to get
A certificate yet
So many sites don’t bother buying.
You’re storing my password?
Come on now, that’s absurd!
Another site I will be trying.