“Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns.” (Mitch Radcliffe)
-----
This is the first of a series of articles designed to provide you with the common sense to survive the digital age that we live in. This does not imply that you are an idiot, but I've been wrong before.
There are many traditions that are celebrated for the New Year. Many of us sit in front of the TV and watch the immortal Dick Clark (I think I will die before he does) count us down into the New Year. Some will be in church, getting in that last-minute Hail Mary to make up for that little thing they did the hour before they got there.
But I'm sure that many millions of people will be on their computers, buried in Facebook status updates wishing everyone of their Friends a Happy New Year or tweeting it to their vast legion of followers. So, for those of you who live on the Net or pay it the occasional visit, here’s your new New Year’s tradition in three words:
Change.
Your.
Password.
Now.
Okay, that’s four. Sue me. Glad to see that kindergarten paid off for you.
I can hear the groans now. And, oh, the complaints. I’ve heard them all:
“I’ve used this for years.”
“I don’t have time.”
“I might forget this one.”
“I don’t wanna!”
I don’t care. I really don’t. Take Nike’s advice: Just do it.
Let’s face it, kiddies. We live in a digital world now. Almost everyone is online now. I’m sure that days ago, many people just got their first computer for Christmas and, like a kid who just got his new bike, went squealing feet first into the internet so they could tweet and Friend everyone.
But the Net is but a digital mirror image of real life. Like real life, the internet is fraught with hidden dangers. I’ll go through them as this series progresses, but nothing irritates me more than people who use simple passwords on their accounts. Your password is the first line of defense that most black hat hackers (aka The Bad Guys, who will now be referred to as BHHs) have to breach to get access to those bytes of information that stand between you and your bank accounts and credit cards.
Fun Fact #1: The most common password used today is “123456”.
Think of it like this: using a simple password is the equivalent of putting your spare house key under the carpet on the porch just before you go on vacation, then yelling to the top of your lungs to the neighborhood that you’ll be gone for a week.
Most of the time, BHHs will try simple passwords to break into user accounts. If there are, for example, 1 million people who have a username and password on a web site, maybe 1% of those people will use a simple password like “123456”. That would mean that 10,000 people risk having their accounts hacked.
I know. Not a lot of people, right? But keep in mind that BHHs will use faster-than-average computers to do this. So, something that would take several weeks for one person to do can be done in minutes.
Fun Fact #2: The second most common password in use today is (surprise) “password”.
Statistically, many users will use the same password to access their e-mail as well as their online bank accounts and credit card accounts. This would mean that a determined BHH who acquires that one simple password has the keys to your kingdom. Usually, they will not only run through the kingdom unchecked, but they’ll bring their friends along to play, too. Before you know it, you’ll be getting calls from creditors about the $5,000 you owe on a credit card you never knew you had.
Scared yet? Good.
The good news is that you can still do something about it. So here are the rules that you will follow from now on regarding your rules. Note that if you don’t follow them and something happens, it’s all your fault, so pay attention.
- Never use a password shorter than seven characters.
It’s tempting to use short words as passwords, but here’s why you should not do it. Let’s say you create a password for your account that uses lower-cases letters, like “fluffy” because that’s the name of your cat. Using a standard PC, a BHH can crack this in less than 30 seconds. Make it as long as possible, preferably seven or more characters. - Never use personal information as a password.
Another temptation, which I used in the above example, is to use a name of a favorite something or other. Why not? After all, it’s easy to remember. But if I wanted to find out personal information on you, I could go into your Facebook page, click through your information and photos and use those to make some pretty good guesses about what your password might be. And I would have you to thank for it.
Never, ever, ever use the following as a password: your name, your spouse’s name, your parent’s name, your kid’s name, your pet’s name, your best friend’s name, your boss’ name, anybody’s name, your phone number, your license plate, your birth date, anybody’s birth date, or any part of your social security number. - Whether it’s foreign or domestic, don’t use the dictionary.
What’s wrong with using “purple”, as an example? It’s your favorite color, right? Beside breaking rule #2 above, it’s a common word in the dictionary, which BHHs love to use in their brute force attacks. In fact, it is also one of the 500 worst passwords.
How about “fiesta”? It’s a Spanish word, right? It shouldn’t be that easy to crack, right? Wrong. Maximum time to crack “fiesta”? Thirty seconds. - Never use the same password for every place you log into.
In this day and age, it’s a pain to have different passwords for everything. So, to keep this simple, use different passwords for different categories. For example, use one password for your financial information. Use another for your newsletters. And another for your e-mail. That way, if you are compromised, the damage will be minimized and contained to one area. - Do not use letters that are next to each other on the keyboard.
An example of this is “qwerty”, which is the first six letters on your keyboard. This is also in the top five commonly used password list. “123456” fits this bill. So does “kkkkkk”. - Do not use an account number as a password.
This is common sense. Just don’t. - Use as many characters as possible, including capital letters, small letters, numbers & symbols.
The more characters you use, the harder it will be to crack. Be as creative as possible. - Change your passwords frequently.
At the very least, change your password every 90 days. At most, every 30 days. Keep them guessing.
One method I recommend for creating a tough password is to think of a long phrase, take the first letter of each word, and apply rule #7 to it. So, for example, take the sentence “The quick brown fox jumps over the lazy dog”. Using rule #7, I can get many passwords out of this. The following shows the variations as well as how long it would take to crack:
- “tqbfjotld” (initials): 6 days
- “Tqbfjotld” (initials, first letter capital): 8 years
- “Tqbfj0tld” (initials, first letter capital, zero replacing “o”): 42 years
- “Tqbfj0t!d” (initials, first letter capital, zero replacing “o”, exclamation point replacing “l”): 237 years
So there’s your assignment for the new year. Get to it. And if you’re out there trying to guess what my password is, I wish you good luck. If you’re lucky, it’ll only take you 700 million years, give or take. By then, I won't need it.
Maybe I should give it to Dick Clark.
Great reminder - thank you. Also, thanks for the trick. I always struggle to come up with a good alpha-numeric combo, and once I find some, I tend to stick with them. I have the worst memory for these kind of things!
ReplyDeleteFunny though, SOME places still only allow up to 6 characters, and one of my banks only 4! I have to make those extra good. Also, some places only allow alpha-numeric, so no other symbols.
You'd think writers would be good at making up creative passwords, no? :)
Unfortunately, Trisha, it seems that the institutions that would benefit from forcing users to create secure passwords are the same ones that don't give users the option. I hope that changes soon; otherwise, we'll be hearing a lot more stories of hacks and leaks in 2011.
ReplyDelete