10 Tips on Password Security for the cloud and the web.

In light of the recent password hacks in the past few months, days and in particular the high amount of media coverage on the “iCloud” hack. I thought I’d put down a few thoughts on password security. I think one can lecture or write for days on password security and they are even specialists and companies whose entire focus is nothing but security. That said this is simply a quick set of 10 tips from me that will hopefully help you better protect your passwords in the cloud and on the web. Some are common sense, most are well lesson’s learned from experience.

1. Use a hard password.

  • Don’t make a password that contains the word Password, or any version. EVER! P@55w0rd! will never be a safe password to use. So don’t pat yourself on the back at your cleverness…
  • Don’t use your real name
  • Try to avoid using the same repeating set of characters (1111, 2222, 1212, 0000)
  • Try to avoid using a straight sequence of numbers. 1234…

2. Make it at least 8 characters long.

Let’s be honest, if someone wants something bad enough, all they need is enough processing power and enough time.

If you’re being chased by a lion and were trying to throw random crates between you and lion, wouldn’t it make sense to put more crates between you and the lion? The more characters the longer it takes to brute force a password. And if you’re website login application is any good at all it will lock your account out for a set amount of time after a limited number of failed tries. This would normally discourage the hacker from continuing to try and the system effectively says I’m not letting you in even if you have the correct password now. (Nanny nanny boo boo, or something like that). Hopefully if send you an email letting you know that your account has been locked out for too many incorrect password tries and give you an option to reset it or contact an administrator, and this is a good thing. (Unless your email password has already been compromised, see Tip 9.)

3. Make it complex.

  • Use Upper case, lower case, numbers and special characters.

Don’t be scared to try the special sauce.

I’m going to go out on a limb and say most… hopefully most… most decent websites should properly escape their code so you should be able to use an ” or ‘ in your password without worrying about it blowing up your login page. If it’s never happened to you, then just move along. But some of you know what I’m talking about.

` ~ ! @ # $ % ^ & * ( ) _ – + = { } [ ] \ | : ; ” ‘ < > , . ? /

4. Throw some space up in there!

  • Seriouslythrowsomespaceinthatpassword.

Or at least give it try. Imagine HeyYouGuys vs Hey You Guys. It gives you some additional options when coming up with great passwords.

5. Making it meaningful!

Maybe you can’t remember Cryptic randomly generated characters and letters. Try something a meaningful word or phrase. but be sure and don’t make it easy to guess.

  • Hello2U!  – this one is meaningful but Hello is just too easy to guess since it’s a dictionary word. Try changing the letters to something like this instead. H3ll0 2 U!  (Don’t forget to throw some space in it!)

6. Build your password Using Sentences/Phrases.

I bought a replacement Goldfish on the 15th of May! could look something like this Ib@rGot1505!

My happy day is 25 December! Mhdi25-12!

BUT LET’S AVOID USING THIS BELOW.

My birthday is December 25th 1959. = Mbi122559
Why you may ask? because your birthday is a common piece of information that a hacker is probably already going to try. It would just be unwise to give them a helping hand in cracking the rest of your password.

7. Change your password frequently.

I can hear the groans and pained sighs right now. (mainly because it’s me). I know I know it’s hard enough to remember your passwords, but now you want me to change it once a year too? Actually I’d recommend changing it every  60 or  90 days. Is that too much? All cards on the table, if you have a lot of sites you use, this could be a bit of a task, but you’ve gotta think privacy versus convenience in this case. Maybe you don’t need to change the password to your Bass Players Ultimate website, but I’m thinking the really personal stuff like banking sites, social sites and email are paramount.

If you work in the enterprise, there’s no greater joy than changing your password on Friday before going home, then hoping to remember it Monday morning. But it’s just part of the game. And you really need to incorporate this into your passwords used as home as well. Suppose your password happens to get compromised and gets added to spreadsheet of compromised usernames and passwords. Later on that data is sold on the black market. (They Do Exist) Wouldn’t it be nice to know that your password in that spreadsheet has been changed or will soon be changed by the time that spreadsheet gets into the hands of a bored hacker, devious criminal, or someone looking for a new identity?

In the enterprise we’re generally notified when our password is about to expire and have no choice but to change it or well… you gets no access son! At home, you’ll probably need to create yourself a reminder (or 3) on your calendar. I mention or 3, because when that first reminder comes up I usually say something like “I’ll change it later on.” and that later on becomes next month, next year, etc.

8. Be mindful of what passwords you save in your browser!

In the past there have been some, well let’s just call them “issues” where a particular browser, that I love, would store your saved website password and made it really easy to view the actual password in the browser. (Here’s that old story) And I don’t want to make this a bigger issue than it is, but on a shared computer I hope you can see where this could be a problem. Lets imagine…Joey, a friend of your roommate, wants to crash for a couple days on the couch. You don’t really know this guy and honestly your roommate met him at some geek meetup event (this are awesome btw, seriously) and oh he needs to use your computer for a couple hours to submit his resume for some job applications. Maybe later on you find out that Joey’s been logging into Facebook as you and posting cute kitten photos on your timeline, and messaging all of your friends and family with spam to his new “uber amazing, never seen before, vitamins website” etc.

Now I do believe this issue has been fixed, but still be mindful of what passwords you save in your browser. A password to let my kids play download printable coloring sheets? Why not. But credentials for my banking website? Not so much. And again this all depends on are you saving company related website passwords while working on your secure private corporate machine that NO ONE ACCESS can access and that you screen lock religiously, even when turning around to talk to your office mates. versus your personal tablet that you’ve been known to forget in break rooms for hours without supervision?

9. Don’t use the same password for all of your sites.

Suppose someone does compromise your password. Is it better that they have that password you use just for twitter? Where the compromise is hopefully contained to you just sending unseemly Direct Messages to all your twitter friends? Or how do you feel knowing that the hacker has your password to twitter, Facebook, blog, amazon, bank accounts, utility sites, cell provider site, and your personal email account. Shall we proceed further? If a hacker compromises your email account password, setup a forward in your email that sends a copy of all your messages to their own 3rdparty email account, or maybe even just change your email password. Then they could contact all the above said sites and request a password reset which generally sends the verification email, to oh snap, yes your email account that they now control. It’s not being paranoid for the sake of being paranoid, I’ve seen stores where people have stolen domains in similar fashion. It happens. Be mindful

10. Consider 2 Factor Authentication.

If you have used or use 2 Factor Authentication then you already know that it can sometimes be a pain. I remember and issue once trying to get my new phone activated and I couldn’t use my Google Account because the 2 factor authentication was throwing some kind of roadblock out there, but it was worth it knowing that if something had my email account password they couldn’t just log in without the randomly generated Pin send to my device. (Assuming they didn’t have physical possession of my device.)

If you’ve never used 2 factor Authentication, it pretty much requires something you know (your password) then it sends a pin or code to something you have, like a FOB, or your smartphone, a text message etc… You then have to enter that pin or code correctly before access is granted. Usually that pin or code is only good for 60secs or so before that code expires and a new code would have to be retrieved. Here’s a good link on lifehacker (hehe pardon the pun) on What sites you should be using 2 Factor Authentication on right now

2 factor authentication can be a bit of a pain, but throws not only a truck load of crates in front of the lion, but also stops the lion, and makes the lion guess a randomly generated, quickly expiring code that is hopefully in your pocket before it can proceed with the chase.

I’d highly recommend if you’re using an email service, use 2 factor, especially for 3rd party services like gmail, outlook, hotmail etc… Even more so if that email address is linked to all of your other sites.

Anyway’s that just my two cents, or two dollars how ever you want to look at it. Regardless of what tips or tricks you use just use common sense!

Remember Ignorance doesn’t equal exemption!

(35)

Category: IT, Quick Tips by techrevmarrell

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.