Friday, November 27, 2009

Login Security Tips

Today many of us live online: we bank, shop, and communicate with old friends via the internet. The problem with online life is that your identity is out there in so many places that eventually one of those sites will be compromised. To protect ourselves we come up with passwords that supposedly only we know. The problem is that people don't take the time to use properly secure passwords because they are too difficult to remember. How many people use the word "password" for their password? It happens all the time. To combat this, many sites require passwords of a minimum length. This is fine, except that if you are using a word out of the dictionary, it is fairly trivial to crack. So to get a really secure password, we need one with more than a few characters, and it needs to include letters, numbers, and, if the site allows it, symbols. Then another problem arises: how do you remember your password? Security expert Bruce Schneier (http://www.schneier.com/) recommends that people write them down and post them by their computer. This may sound crazy, but his point is simple: it's more important to have a secure password you'll never remember than one that's easily discovered by hackers. The fact is, if someone has physical access to your computer, all bets are off anyway.

My only problem with this idea is that many people need to access their secure information while they're away from home or the office. Having your passwords written down while you're on the road is not a good idea, so you need to devise a way to create secure passwords that can be remembered. Doing this isn't as difficult as it sounds: devise a method that makes sense for you and use it consistently. One method I've used is to take a line you remember from a song you like, take the first letter of each word in the line, and then add numbers or symbols to it that make sense to you. I use lines from old songs I remember, and I add numbers from old addresses, birthdates, or a series of numbers I just picked at random but can remember. The important thing is that it be easy to remember and totally random. The length of the password is also important: less than 8 characters is too short, and while 20 characters is considered totally secure, most people can come up with a 10 to 12 character password they can remember that will be very secure.
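As an added example (not code from the original post), here is a small Python script that applies the song-line method just described, reading "first letter" as the first letter of each word, and then checks the result against the length and character-class rules given above; the dictionary wordlist is a constructed sample, not a real cracking list.

```python
"""Build a song-line mnemonic password and check it against the article's rules."""
import string

# Constructed sample of common dictionary passwords; a real check would
# load a full wordlist such as the ones cracking tools ship with.
SAMPLE_WORDLIST = frozenset({"password", "letmein", "qwerty", "welcome", "monkey"})


def mnemonic_from_line(line: str) -> str:
    """First letter of each word, keeping the song's capitalisation.
    "Hey Jude don't make it bad" -> "HJdmib"."""
    return "".join(word[0] for word in line.split() if word[0].isalpha())


def build_password(line: str, suffix: str) -> str:
    """Mnemonic plus the personal number/symbol sequence the user can recall."""
    return mnemonic_from_line(line) + suffix


def check_password(pw: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return the list of problems found (empty list means it passes).
    Rules from the article: at least 8 characters (10-12 recommended),
    letters + digits + symbols, and not built on a dictionary word."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 10:
        problems.append("fewer than 10 characters; 10-12 is recommended")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c in string.digits for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    # A dictionary word with digits or symbols bolted on the ends is still
    # weak, because those variations are the first ones a cracker tries.
    core = pw.strip(string.digits + string.punctuation).lower()
    if core in wordlist:
        problems.append(f"built on the dictionary word '{core}'")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Password123!", build_password("Hey Jude don't make it bad", "#1965!")):
        print(candidate, "->", check_password(candidate) or "ok")
```

The checker only measures structure; it cannot tell whether a suffix such as a birthdate is known to the people around you, which the article warns about below.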

Many people prefer to use a program to remember their passwords. A couple of very good programs I've used that are secure and easy to use are Roboform (http://www.roboform.com/) and KeePass (http://keepass.info/). While I don't use them anymore, I think both offer a great service and should be considered by anyone looking for a simple way to manage their passwords in a secure fashion.

Another and potentially more serious problem, which I see everywhere online, is the vulnerability in resetting your password. Several public figures have had their accounts hacked through the poor authentication protocols that websites use to reset your password in case you forget or lose it. Sarah Palin, the Vice Presidential candidate in last year's national election in the United States, is a great example. Her Yahoo mail account was broken into because the answer to her security question was easily guessable and available on Wikipedia. This problem is perhaps the single largest login security hole we are facing. Typically websites ask questions like your mother's maiden name or your first home town, and this information can often be found in publicly available places. A better protocol is for sites to let the user set their own "secret question". This is better, but you still need to be careful not to use questions whose answers can be guessed or are known to others. On a more delicate note, people need to realize that identity theft is most frequently committed by people you know personally. It's not a good feeling, but it's statistically a fact, and it shouldn't be ignored.

So how do you get around this authentication problem? Simple: you lie. If you have to use your mother's maiden name, make up one you can remember. Use the name of someone else you know, or use a color you hate. There's no law that says your mom's maiden name can't be "pink", or that you have to be truthful. Just make sure you remember the fake answer you choose.

Logging into the websites we use is easy to take for granted. The problem is that once your identity is compromised, it can be a nightmare to fix all the issues that arise. Take the time to use good, secure passwords, and remember that the security questions you are asked are just as important as your passwords.

2 comments:

Arafat Hossain Piyada said...

To me a secure password is important, and in my case I choose my favorite places from around the world and then adjust them with my favorite numbers and symbols. So, in the end, it is a good password when I mix all that stuff together.

Mark said...

Arafat,
Sounds like a good system. Easy to remember and quite secure.
Thanks for your comment.
Mark