Your password is too short. Now it needs to include a number. Don’t forget to add a special character.
Passwords are frustrating to most people on the Internet. Balancing between something strong enough to keep you from getting hacked and easy enough to remember is tough.
Why are strong passwords important, and how can you keep track of them? Let’s look at some best practices to keep your accounts safe.
I’m always surprised how most folks treat access to their email. “So what if they get my email password? It’s just my email.” That’s a phrase I seem to run across every time I discuss password security.
The truth of it is, if someone looking to do damage to you gains access to your email, they own you. Every account you have sends the password reset to your email. So, if a bad guy gains access to your email, they have access to your bank, credit card, and any number of other accounts.
Since your email gets tied to so many other accounts, your email password should be among the strongest you have and should never be reused anywhere else.
Speaking of reusing passwords…
Brute force is one of the more common methods bad actors use when trying to steal credentials. Brute force involves trying password after password, as fast as the system will allow, in the hope of eventually hitting the right one.
Most well-built websites will notice someone attempting to brute-force a password and will make efforts to stop them; usually, this is as simple as not letting them try again for a short time. But if you have an account on just one poorly coded website, it might not prevent someone from eventually guessing your password using brute force.
Having one account compromised is bad enough. If you reuse your password, having one compromised account means all your accounts are compromised.
You might think that using a combination of some pseudo-personal information makes your password easy for you to remember. And you would be right. But it also makes your password far easier to guess.
If you are on social media, your birthday, your phone number, and the names of your spouse, children, and pets are trivial to find. However, even if you are not on social media, this information is still relatively easy to find.
Some people even use their social security number as a password, but the truth is, your SSN isn’t nearly as confidential as you think it is. Your social security number has likely already been part of a data breach, but if not, someone guessing your SSN-based password gives them both your password and your social security number.
Whenever there is a data breach that includes passwords, I’m always amazed by how many people use very common passwords.
You might think you’re clever setting your password to ‘qwerty,’ but that’s been one of the top 10 most common passwords since we began using passwords. The same goes if your password is ‘123456,’ ‘password,’ or ‘princess.’
So, if you find your password on a list of the most common passwords, it’s time to change it. If you use one of these passwords and someone tries to guess it, these will be the first ones they try, and it’ll take far less than a second for them to run through the whole list.
If you look at the most commonly used passwords above, you’ll notice that many of them are straight out of the dictionary. With just under half a million words in the English language, you might be left with the impression that an obscure word would make a good password.
But computers are quite fast, and if you give them a list (for instance, the dictionary), they can run through every word in it pretty quickly. At thousands of guesses every second, cranking through the dictionary takes only minutes.
Much like the brute force attack, this is one of the more common ways someone will try to guess your password. It’s (not so creatively) called a Dictionary attack.
A longer password is usually more difficult to guess than a shorter one, even when the shorter one is more complex, because the total number of combinations multiplies with every character you add.
If you have a super complex, 6-character password (complete with uppercase, lowercase, numbers, and symbols), someone intent on guessing your password can try every combination in well under a day.
However, a 16-character, lowercase-only password would take several thousand millennia to guess every possible combination.
Even though that 16-character, lowercase-only password is incredibly hard to guess, adding extra complexity to the password makes it virtually impossible.
I say “virtually” because it is still possible that someone gets lucky and guesses your password on the first attempt. But to guess it within a few years would take some winning-the-lottery-multiple-times-in-a-row luck.
If we add uppercase letters, numbers, and symbols to the 16-character password, we go from several thousand millennia to several million millennia to guess every combination.
The best password is one you can’t remember yourself. A genuinely random, 16-character password that includes upper- and lowercase letters, numbers, and special characters is incredibly hard to guess.
Don’t trust yourself to randomly pick your password because we’re all human and will fall into bad habits like selecting predictable patterns. Instead, you’ll be better off using a generator like passwords-generator.org.
They also have a nice feature that will leave out similar characters (“Is that a zero or a capital O?”) and ambiguous characters (“Was that a curly brace or a square bracket?”). This relieves the frustration of figuring out whether that character is a “1” or a lowercase “L” and doesn’t make your password significantly easier to guess.
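To put numbers on the length-versus-complexity comparison above, and on the claim that dropping look-alike characters barely weakens a generated password, here is an added Python example (not code from the original post or from passwords-generator.org). It assumes a 94-character printable set, a constructed list of ambiguous characters, and an assumed rate of one billion guesses per second.

```python
import math
import secrets
import string

# Constructed character sets for the comparisons in the text.
LOWER = string.ascii_lowercase                                    # 26 characters
FULL = string.ascii_letters + string.digits + string.punctuation  # 94 characters
# Assumed set of look-alike / ambiguous characters a generator might skip.
AMBIGUOUS = set("0O1lI|{}[]()")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace (each extra bit doubles the work)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years to try every combination at a constant guess rate (assumed, not measured)."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def ambiguity_cost_bits(length: int, alphabet: str = FULL) -> float:
    """How many bits of strength are lost by leaving out the ambiguous characters."""
    kept = sum(1 for c in alphabet if c not in AMBIGUOUS)
    return entropy_bits(len(alphabet), length) - entropy_bits(kept, length)


def generate_password(length: int = 16, alphabet: str = FULL, drop_ambiguous: bool = True) -> str:
    """Draw each character uniformly from the OS CSPRNG via `secrets` (never `random`)."""
    chars = [c for c in alphabet if not (drop_ambiguous and c in AMBIGUOUS)]
    return "".join(secrets.choice(chars) for _ in range(length))


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second
    for label, size, length in [("6-char, full set", len(FULL), 6),
                                ("16-char, lowercase", len(LOWER), 16),
                                ("16-char, full set", len(FULL), 16)]:
        print(f"{label:20s} {entropy_bits(size, length):6.1f} bits, "
              f"{years_to_exhaust(size, length, rate):.3g} years to exhaust")
    print(f"dropping ambiguous characters costs {ambiguity_cost_bits(16):.1f} bits")
    print("example password:", generate_password())
```

Run it to see that the 16-character lowercase password still has tens of bits more entropy than the 6-character “complex” one, and that skipping a dozen ambiguous characters costs only about three bits.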
And I can almost hear you asking, “If I can’t remember my password, how will I ever remember my password?” The answer is that you should…
So, now you have genuinely random passwords unique to every one of your accounts, and you can’t remember any of them. So, how are you ever going to know your password?
You can use a password manager. There are several outstanding password managers out there. Dashlane and 1Password are among the best and only cost a couple of bucks a month.
Another option is good, old-fashioned pen and paper. There’s nothing wrong with keeping all of your passwords in a notebook. (Address books work well: put “Facebook” under F, where you can easily find it later.) Just be sure to keep your password book in a safe place.
One method to stay away from is storing your passwords in a file on your computer. All it takes is a quick bit of malware, and every one of those once-secure passwords is compromised.
Every time a company announces that they are going to stop supporting a piece of software, folks start asking me if they should upgrade. It happened with Windows XP, it happened with Internet Explorer 7, and now it’s happening with Internet Explorer 8-10.
OK, so, every time Microsoft announces they are going to stop supporting a piece of software, folks start asking me if they should upgrade. I’m not trying to be unfair to Microsoft here; at a certain point, you have to stop supporting your software, because continuing to maintain it takes away resources you could be using to create the next product.
Microsoft will stop supporting Internet Explorer versions 8, 9, and 10 on January 12th, 2016, and, let’s face it, if you are still running a web browser that was originally released when Oasis was still together, it’s time for you to upgrade.
Well, the most important reason to upgrade is that Microsoft will no longer be releasing updates for the outdated browsers. While that might not sound horrible, any time a security vulnerability or bug is discovered in a program, an update is required to fix it. So, after the software is no longer supported, no one is fixing issues that could allow people with bad intentions to run nefarious code on your computer.
Another important reason to upgrade is that old browsers can make websites difficult or impossible to use. We simply don’t design web pages the same way in 2016 that we did in 2009. Many frameworks (like Foundation) don’t even work in IE8, so you might not even be able to use the website you are trying to use.
Finally, maybe the best reason to upgrade is that Internet Explorer 11 is a pretty good browser. It isn’t my personal browser of choice, but it’s far better than any other version that Microsoft has ever released. Give it a chance.
It’s what I always hear from folks that say they can’t upgrade their version of Internet Explorer. Because the new version will be incompatible with some web application that they have to use, they are stuck with IE8. Or, (the horror) IE7.
I won’t get into all the reasons that I think this is an awful reason not to upgrade your browser, but I will say that if the web application being used requires a web browser that no longer has security support, then the web application is likely to have security issues as well.
If you find yourself caught in this trap, I highly recommend finding out exactly which applications you use that require the outdated web browser, and then using that browser only for those applications. For everything else, give Firefox, Chrome, or any other up-to-date web browser a try. Both are easy to download and set up, and will at least provide you with the updated security that an unsupported version of Internet Explorer won’t.
Beyond “compatibility issues,” there is also the possibility that your computer doesn’t have the recommended resources for running IE 11, but those requirements are fairly low; if your computer doesn’t have the resources that Internet Explorer requires, it’s pretty likely that Windows has ground to a halt already.
Go ahead. Upgrade. Your computer will thank you.
There is a new security vulnerability in the wild: Venom. For those of you that remember Heartbleed, this one is even more frightening:
“Heartbleed lets an adversary look through the window of a house and gather information based on what they see,” said Geffner, using an analogy. “Venom allows a person to break in to a house, but also every other house in the neighborhood as well.”
A full description of the vulnerability can be found on ZDNet.
I have verified that 10T Web Design’s server has already been patched and is no longer vulnerable to Venom; however, this is a widespread issue. If you are concerned that your server is vulnerable, just contact me with the name of your hosting company, and I’ll be happy to find out for you at no cost, even if you are not currently a client.
Happy Security Sunday! I found this article the other day on Network World, pointing out studies on the dreaded ‘password strength indicators’ that many websites use to nudge folks into using stronger passwords (and generally annoy most everyone).
“Overall, password strength gateways are inconsistent, with some allowing all letters and others requiring different character sets to gain approval, the researchers found. That sends a mixed message to online users accessing many different websites.”
I agree with the article that the overall intention of the strength indicators is good, but for some the execution falls short, and there are significantly easier ways to keep your passwords secure.
I’ve long been a supporter of password managers such as KeePassX (available for Windows, Mac, and Linux; free) as one of the best ways to keep your online accounts secure. A 20-character string of random letters, numbers, and symbols is incredibly difficult to break, and password managers allow you to generate and keep track of them. In addition:
Easy to install, free, and super secure. If you haven’t, give it a try.