
Thursday, July 2, 2009

Password Recommendations, Policies And Suggestions

If you use the web on a frequent basis, even if you are not a computer programmer or other IT professional, you will find that you have a lot of passwords to remember. In addition to using the web extensively, I am also a programmer who maintains programs on multiple computer systems. This means a huge number of passwords in my life!

In this post on software recommendations, I mention, in the context of my write-up on PasswordSafe, that I could write an entire post on passwords. And that is what I am going to do right now.

Before we proceed, let us review some basic recommendations on passwords put out by many IT departments, websites and so on.

  • Passwords should be private (never share your password with other people)
  • Passwords should be secret (they should not appear in clear text in any computer file or program, or be written on a piece of paper for reference)
  • Passwords should be at least 8 characters long
  • Passwords should consist of at least one each of upper case letters, lower case letters, numbers and special characters (punctuation marks, characters like &, ^, etc.)
  • Passwords should not be guessable (should not contain words from the dictionary of any language, should not have the same character repeated several times, should not reflect the layout of the keyboard by containing characters that sit next to each other on the keyboard)
  • Never use your login name in any form as your password (reversed, capitalized, with a prefix, with a suffix, etc., etc.)
  • Never use your first or last name, your birthday, or those of your family members. More generally, never use any personal information that can be obtained about you such as car license plate numbers, telephone numbers, the name of the street you live on, the names of any of your friends or relatives, etc.
  • Do not use place names, names of famous characters, names of cars or any other words you might find in an encyclopedia
  • Never use the same password for multiple systems. One compromised system would then allow a miscreant to compromise all your accounts
  • Change passwords frequently, preferably every month or at least every 90 days
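The list above is a checklist that can be applied mechanically. The following is an added example (not code from the original post) that checks a candidate password against those rules: minimum length, the four character classes, repeated characters, runs of adjacent keyboard keys, the login name forwards or reversed, dictionary words, and any personal strings you supply. The keyboard rows, the tiny word list and the sample passwords are constructed for the example; a real deployment would load a full dictionary file.

```python
import re
import string

# Rows of a US QWERTY keyboard (constructed here); used to spot runs of adjacent keys.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Constructed stand-in for a real word list; load a proper dictionary file in practice.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein"}


def has_keyboard_run(pw, length=4):
    """True if pw contains `length` keys that sit side by side on one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seq = row[i:i + length]
            if seq in low or seq[::-1] in low:
                return True
    return False


def has_repeated_run(pw, length=3):
    """True if any single character is repeated `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def contains_login(pw, login):
    """True if the login name appears in the password, forwards or reversed."""
    low, name = pw.lower(), login.lower()
    return name in low or name[::-1] in low


def contains_dictionary_word(pw, words=SAMPLE_DICTIONARY):
    """True if any listed word of four or more letters appears inside the password."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= 4)


def check_password(pw, login, personal=()):
    """Return the list of rules from the post that pw violates; an empty list means it passes.

    `personal` is an iterable of strings (names, birthday, plate number, ...) that must not appear.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if has_repeated_run(pw):
        problems.append("same character repeated 3 or more times in a row")
    if has_keyboard_run(pw):
        problems.append("run of adjacent keyboard keys")
    if contains_login(pw, login):
        problems.append("contains the login name")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    for item in personal:
        if item and item.lower() in pw.lower():
            problems.append("contains personal information: " + item)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, checked against a constructed login name and personal data.
    for candidate in ("password1", "Qwer1234!", "Xq7$kLm2pW", "Smith1985!x"):
        result = check_password(candidate, "jsmith", personal=("Smith", "1985"))
        print(candidate, "->", result or "OK")
```

The checker reports every violated rule rather than stopping at the first one, which is what you want when the goal is to explain to a user why a password was rejected. Note that "no dictionary word" is only as good as the word list behind it; the six-word set here exists only to make the example run offline.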

As you can see, that is a long list of recommendations. And it is not easy to come up with one password that satisfies all these requirements and is easy to remember, so that you don't have to write it down somewhere. But, you have to come up with several of them because you can not use the same password for more than one account. If that weren't daunting enough, you then have to find a way to change the passwords periodically to satisfy the last recommendation.

I will be completely honest and admit that I did not follow these recommendations for the longest time. I came up with one password that was 8 characters long. Check. Everything beyond that was ignored. It was a combination of two dictionary words. It was all lowercase letters (later, I replaced part of one of the dictionary words with a couple of numbers, for a minor improvement). I used it for every new account I signed up for anywhere (online banking accounts, email accounts, credit card accounts, etc., etc., in addition to my PC, and every other computer system I got access to because of my job). And I never changed it. I never changed it because I could not think of an easy to remember password to change it to. And the first couple of systems I changed it on, I got locked out because I could not remember the new password, so I just gave up on ever changing it.

And I am sure lots of people are in the same boat I was in. I saw surveys on various sites that suggested that most people remember their passwords rather than using any technology to help them with password-overload. The ones who did not remember their passwords either wrote them down or used their browsers' password saving feature to help them out. The problem with either is that the data is saved in plain-text form (either on a piece of paper that somebody could get their hands on, or in the browser's password storage area which is easy to find if you do some research online. For instance, Firefox stores passwords in the location C:\Documents and Settings\user name\Application Data\Mozilla\Firefox\Profiles\something.default\signons.txt in a file called key3.db. Nice to know, isn't it?).

And if people were remembering their passwords, it was probably being used in a bunch of different places because I can not imagine coming up with different passwords for different websites and remembering them all. But at least, I did not think that what I was doing was that aberrant or abnormal. The problem with that attitude is that you tend to associate aberrant or abnormal with dangerous, and normal with safe. In this case, it is the exact opposite.

So, essentially, I was living quite dangerously. I did not think it was that dangerous because even though the password was the same at dozens of websites, it was not trivial to guess or brute-force. As long as I did not reveal it, I thought I was reasonably safe. And, of course, what I was doing was completely normal, after all, so it had to be pretty safe. Then something happened that changed my mind entirely.

I signed up for some website account, and the website sent me an email to confirm my registration. This email contained my user ID, obviously, but instead of including just my password hint (this is what many websites do), they sent me my password itself in that email. In plain text, for anyone to see over my shoulder, or for anyone snooping on my wireless internet traffic to read. Or for Google's servers to pick up and file away somewhere since I used a GMail email account. And remember, this password is the same one I use everywhere on every system I access, so it was not just my account at this website that could be compromised by someone who knew that password: they could compromise any account I had anywhere just by guessing my user ID (which in most cases was just my name, since nobody told me to make my user ID hard to guess or anything like that).

So, that is when I decided to sit down and actually come up with a strategy that would enable me to get more secure about my passwords. I will warn you right now that changing your password behavior takes time: you need to come up with a strategy and commit to sticking to it. But if you value your online security, you have to do it at some point or another too. So, I took this list of recommendations and started figuring out how best to satisfy all of them while still having a system I would stick with. That is the important thing because the best system in the world is of no use if it is so difficult to implement and follow that you give up on it.

The password policy I came up with may not work for everyone, but it works for me. I have managed to follow it pretty well until now (about a year since I implemented it). If a solution works for a few months, it is pretty safe to assume that it is sustainable. If it were not sustainable, it would have been abandoned earlier, and also, after a while, it becomes a habit, so it sticks better.

The password strategy I use consists of some basic steps.

  1. First, I decided that each of my passwords would have 3 separate parts
  2. The first part would be 4 characters long and be account-specific (by account-specific, I mean that these 4 characters would have some kind of mnemonic connection with the website I am trying to log into, or the computer system I am trying to access)
  3. The second part is where the technology comes into the picture. The second part would be up to 12 characters long and would be a random password generated by PasswordSafe. It would be different for each website and system that requires a password, but would not be mnemonic or in any way capable of being remembered. It would contain at least one each of lower-case letters, upper-case letters, numbers and special characters
  4. The third part is a 4-character suffix that would be completely secret. It would not be account-specific, and it would not be stored anywhere, in plain-text or encrypted. It would be in my mind and nowhere else.
  5. I then created two PasswordSafe databases. I put the first parts of my passwords into one of the databases and set it aside.
  6. In the second database, I generated the second part of my passwords using PasswordSafe's built-in random password generator and stored them. The length of this part of the password depends on the maximum length of password allowed by the account. Some sites allow unlimited number of characters in their passwords. Others restrict the password to be 16 characters, for instance. In that case, since the first and third parts of the password account for 8 characters, the second, random part of the password for this account is restricted to being 8 characters long. This step was obviously the longest of all because along with generating the random passwords, I had to log into every single account and change my password at the same time as I was generating them.
  7. I also set it up in PasswordSafe so that the password expires every 90 days for every single password.
  8. I came up with two new, reasonably strong passwords to protect my two databases and that was it.
  9. When the password expires, I generate a new random password in PasswordSafe and change the website's password to the newly generated password.
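The arithmetic in steps 2 to 6 (a 4-character mnemonic prefix, a random middle of up to 12 characters that must cover all four character classes and is trimmed to fit the site's maximum length, and a 4-character memorised suffix) is easy to get wrong by hand. The following is an added example, not the author's code and not part of PasswordSafe: it uses Python's `secrets` module in place of PasswordSafe's generator to produce the random middle part, guarantees one character from each class, derives the middle length from the site's limit, and joins the three parts. The prefix, suffix and 16-character limit in the demo are constructed values.

```python
import secrets
import string

# The four character classes the post requires in the random part (special set is a constructed choice).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+")

PREFIX_LEN = 4          # mnemonic, account-specific part (kept in the first database)
SUFFIX_LEN = 4          # memorised part, stored nowhere
PREFERRED_MIDDLE = 12   # random part length when the site imposes no limit


def middle_length(site_max):
    """Length of the random part: up to 12, trimmed so prefix + middle + suffix fits the site's limit.

    site_max is the site's maximum password length, or None when it allows any length.
    """
    if site_max is None:
        return PREFERRED_MIDDLE
    return min(PREFERRED_MIDDLE, site_max - PREFIX_LEN - SUFFIX_LEN)


def random_part(length):
    """Random middle part with at least one character from each class, drawn from a CSPRNG."""
    if length < len(CLASSES):
        raise ValueError("need at least %d characters to cover every class" % len(CLASSES))
    chars = [secrets.choice(cls) for cls in CLASSES]            # one guaranteed pick per class
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)                         # so the class order is not predictable
    return "".join(chars)


def has_all_classes(s):
    """True if s contains at least one character from every class in CLASSES."""
    return all(any(c in cls for c in s) for cls in CLASSES)


def assemble(prefix, middle, suffix):
    """Join the three parts in the order the post types them at the login prompt."""
    return prefix + middle + suffix


if __name__ == "__main__":
    # Constructed example: a site that caps passwords at 16 characters.
    prefix = "bnk1"                           # mnemonic part, chosen by the user (constructed)
    middle = random_part(middle_length(16))   # 8 random characters (16 - 4 - 4)
    suffix = "k9!z"                           # memorised part, never written down (constructed)
    print(assemble(prefix, middle, suffix))
```

Only `middle` would go into the second database; the prefix lives in the first database and the suffix in your head, which is exactly the property the post relies on when it argues that a leak of the stored part alone does not give away any login. The `ValueError` guards the edge case of a site whose limit is so low that the middle part cannot hold all four classes.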

The way it works now is that I have the database that contains the random part of the password (the second part) always open on my computer. PasswordSafe allows a database to be open permanently, but locks it after a few minutes of disuse so that it can not be compromised if you leave your computer unattended at any time. So, this database sits in the notification area of my taskbar waiting for me to use it at any time. When I need to log into a website, I enter my user ID. On the password line, I enter the first part of the password (which is mnemonic and easy to remember, but in case I forget the mnemonic part, it is in another database, so I can refer to it if needed). Then, I open my PasswordSafe database (this is where some delay occurs and can make you give up on the whole method, but the delay is trivial in the grand scheme of things considering how much more secure you have made your online life), and double-click on the appropriate entry to copy the password into the clipboard. I then paste it into the password entry box, complete the entry with the third part of the password (which is not stored anywhere except in my mind), and hit log in. Voila, I am in! I then highlight some random word somewhere on my computer and copy it to the clipboard so that the copied password is lost forever.

It may sound complicated, but it has become a habit now, and it just works for me with no extra effort on my part. This is the system I use for both web-site logins as well as access to other computer systems at work or access to programs like Microsoft Outlook.

I could have just generated a long password in PasswordSafe and used that for each website instead of breaking the password into 3 parts for each login. Why did I do that? The reason is that as part of my research, I also came across some websites that allow you to store your passwords online for use from anywhere you have internet access. But I was not entirely convinced that the passwords would be safe from all prying eyes on the internet. The company offering the service may be honest, but I did not want to take the chance that they would never be hacked into. So, I did not want my entire password to any site to be compromised by a breach of security at the online storage site. The 3-part method meant that I could store just the second part of my password online, and if it was compromised, the hacker still would not be able to access any of my accounts.

These online password storage sites also provide plugins and other technologies for your browser that allow you to enter user names and passwords directly from the repository into the appropriate boxes, and log you into websites with minimal effort on your part. I don't use those facilities because of my 3-part password strategy, but if you trust these sites, you can store your user names and entire passwords in such a repository, and log into websites even quicker than I do. The service I use right now is called Clipperz, but there are others out there if you do a web search for them. Clipperz is free for personal use. If you are currently using your browser to remember your passwords, I would suggest at least moving over to one of these online systems. The level of effort required for any log-in sequence is no different with the online method if you get the appropriate browser plug-in. But the level of security is much higher because these online systems use at least 256-bit AES to encrypt your passwords, while your browser might leave it lying around in plain-text or encrypt it with weaker algorithms. Moreover, with an online solution, you have access to your passwords whenever you have internet access rather than only when you are at your own computer.

I believe that my password policy follows most if not all of the recommendations and keeps my passwords quite secure. I hope it, or something like it, works for you. Given that so much of our life revolves around the use of various websites nowadays, it is in our best interest to make sure our personal and private information stay so. It has become doubly important to prevent our bank accounts from being raided, our credit cards from being used fraudulently and our identities from being stolen and misused. Until retina and fingerprint scanners become more commonplace and fully integrated into computer systems, passwords are the best we have got. It is our responsibility to come up with and stick with a good policy for passwords that keeps us secure online.
