Saturday, June 15, 2013

Passwords - The Latest


Over the years I have written several articles about passwords. I stand by what I wrote back then but everything around computers changes at break neck speeds. Recently I had to completely change my take on passwords.

I read an article on a more technically oriented web site about modern methods of password cracking and much of what I have said in the past about passwords has to be revised. I will update the old articles about passwords to point to this article.

The article I read is here. I will quote the key conclusions and key advice (emphasis added):
  1. Long passwords are the best defense. That is nothing new ... [a graphic] shows that the time required for a brute force hack really takes off at around a password length of 7 or 8 characters. Many people recommend 11 or 12 characters [length] for passwords.
     
  2. However, just making passwords longer is not enough. ... That means complexity is required in a password, with random mixtures of case, symbols, and numbers. If it is allowed by a service, use a mixture of alphabets.
    Again, nothing new but it really needs to be emphasized that randomness is necessary.
     
  3. Various popular substitution methods such as @ for “a” and $ for “s” are too well-known by hackers and don’t add security. ...
     
  4. Anytime a service that you use loses password data to a security break-in, your password probably ends up on a list somewhere. You need to change it, no matter what the service says.
     
  5. Don’t use the same password everywhere.
    Not new advice but millions of people don’t heed it. 
     
  6. The password testers that you see on the web often just look at length. Their results do not take into account compexity and have to be interpreted accordingly.
I admit it, as far as point 5 goes I am guilty as charged.

The long and short of it is that any password you can easily remember is UNsafe!  

I strongly recommend using a password manager. Names that come to mind are LastPass, Dashlane and Keepass. I know there are more but these three seem to be the best reviewed and most secure ones. And these programs and services are free for the computer based versions. If you need this service on one or more cellphones then LastPass costs $12.-/year and Dashlane Premium $20.-/year.

If you are uncomfortable with giving your passwords to a cloud service and if you need to manage passwords only on your single home computer then look at Keepass

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.

Click here for a categorized Table Of Contents.

No comments: