By Dr. Jon Dorbolo
Ask Dr. Tech
Your passwords safeguard your identity and your property, but it is challenging to manage multiple secure passwords, so many people opt for less safe options putting them at greater risk.
You can have both security and practicality if you understand what your password is and how to protect it from the thieves.
Passwords date back to antiquity such as “The Histories” by Polybius (200-118 BC) which describes the use of passwords, also called “watchwords,” by Roman sentries to challenge those who sought passage; i.e. a pass – word. The Romans used sophisticated systems to distribute the passwords among troops while keeping them secret from their enemies. How do you share a secret and keep it secret? In those days it was not smart to forget your password; you did not get a chance to reset it.
In our time you can reset a forgotten password, but you may not be able to recover from a stolen one. It is not smart to share your passwords with anyone, no matter how much you trust them, because that practice is precisely what thieves who use social engineering rely on. Your loved one will probably not betray you, but if their account is cracked by a hacker and they have your password, then you are both forsaken. Sharing passwords radically increases your threat exposure.
Robert Siciliano of McAffee, a major computer security company, reports that; “74% of Internet users use the same password across multiple websites, so if a hacker gets your password, they now have access to all your accounts” (Broida, 2015). Reusing passwords is an open gate for your enemies to exploit.
Identity thieves also use hacking tools such as “John the Ripper,” a brute force password cracking tool that generates many thousands of variations of text strings until one of them succeeds in logging into your account. Programmers try to defeat brute force attacks by locking the account after a number of incorrect password attempts. The crackers can bypass that safeguard in some instances, so it is really up to you to create passwords that are improbable to match by brute force.
Choosing easy to remember passwords such as a pet’s name like “princess,” a birth date or a common word is an invitation to disaster. A 2012 study showed that the three most frequently used passwords are “password,” “123456,” and “12345678.” Those favorites were followed in popularity by – and I am not making this up – “abc123,” “qwerty,” “login,” “princess” and “starwars” (TeamsID, 2015).
It is enough to make a grown tech support man cry and I pray that informed university members such as yourself do not replicate such patterns.
A way to understand this situation is to test the passwords that you are using now. Please do not go entering your password into a web form just because it says “test your password.” It might be a trap set by the cracker hackers
One password testing site, sponsored by Dashlane which makes password management software, lets you check the strength of your passwords and is linked from my blog at jondorbolo.com.
According to that testing site, it would take the John the Ripper program about .001 picoseconds to crack the password “princess.”
“grumpycat” would take 2 minutes.
My email password would take 158 thousand years for John the Ripper to crack. I can live with that. You can do the same and still remember your passwords even better than before with a few strategic moves.
The primary qualities in strong passwords are length, diversity and uniqueness.
1. Make your passwords 10 characters or more.
2. Use a diversity of character types in making your passwords; a mixture of lower-case, upper-case, numbers, letters and symbols.
3. Make a unique password for every account.
Here is a schema for implementing these three qualities while crafting passwords that your over-taxed memory can handle with ease.
Start with something that you know well and is not immediately obvious about you. A favorite movie may be such a choice; let’s go with “Star Wars: Episode III—Revenge of the Sith” (2005) in which Yoda opines; “Not if anything to say about it I have.”
His speech is 30 characters long but you can certainly remember it, if Star Wars is your thing.
Some password systems allow spaces, but we will make Yoda’s wisdom universal by using punctuation; “Not.if.anything.to.say.about.it.I have.”
Using periods or hyphens or underscores or asterisks I can make a nearly impenetrable, but memorable, passphrase. Note that it already has two capital letters, which are intuitively placed for you, but not for the cracker hacker.
The fact that master Yoda is grammatically challenged works to our advantage.
Mixing numbers into the passphrase makes it stronger still and is required by some systems, so’ “Not.if.anything.2.say.about.it.I.have.” This is a very strong passphrase, which I’ll bet that you could remember even if you do not care about Star Wars, because you now know the principles by which it was constructed.
What, then about the uniqueness factor? If you have to make a passphrase for every login, how can you remember all of them?
That’s pretty simple because with a super-strong passphrase you can make two ultra-strong moves.
First, consider making unique base passphrases for different types of logins; e.g., one for school, one for finances, one for email, one for social and one for everything else. Your passphrase for each can be aspects of the movie theme, or whatever works for you.
For example, my finances passphrase may be; “M0ney.the.r00t.0f.all.evil.i$.” which is pretty Yoda-like and is super-strong because you can see how it implements all three of the strength qualities.
Second, you can customize the password for each separate login site by adding something from the site. For example, your Oregon State Credit Union (OSCU) login may be “OSCUM0ney.the.r00t.0f.all.evil.i$.” and your US Bank (USB) login may be “USBM0ney.the.r00t.0f.all.evil.i$.”
All you need to do now is remember the base passphrase and look at the site title for your add-on clue.
If you follow these principles consistently, you can make many unique and strong passwords which are always available to your powers of recall.
If the examples given here seem overly complex to you, then go back and break down the steps which taken individually are quite simple. You can make shorter base passphrases and still get super-strong passwords if you follow the principles outlines here.
According to the Dashlane password strength testing site, “OSCUM0ney.the.r00t.of.all.evil.i$.” would take 20 quindecillion years for a computer brute force attack to guess. That’s a 1 followed by 48 zeros.
I think getting somewhere, we are.
Work out your own system based on these principles and leave yourself some hints that will jog your memory but be obscure to others, such as; “What would Yoda do?”
Whatever you do, please do not leave your passwords in a weak, exposed condition. You have enough stress and do not need the hassle of identity theft and data loss.
When you do create those super-strong passwords, resist the impulse to share them with your friends to show how cool they are. Bask instead in the glow of secret satisfaction.
The next great move that you can make in identity and data security is to use a password manager, such as Dashlane and LastPass.
That, my dear Padawans, the topic for next week’s column will be.
The opinions expressed in Dorbolo’s column do not necessarily reflect those of The Daily Barometer staff.
Dr. Tech’s blog: Jondorbolo.com