Tuesday, August 14, 2007

Passwords and Web 2.0

With all of the new Web 2.0 tools, and every one of them requiring a login, a family member asked me how to manage passwords. I thought I would answer that question briefly here. There are several schools of thought on this, and I will cover a couple of them.

First, let's talk about passwords themselves. A password should be at least 8 characters long, and longer is better as long as it still meets the criteria below. It should mix upper- and lower-case letters, digits (0-9), and at least one special character (for example !#$%^&*()_+@). A password that meets all of these criteria is what most people would call a "strong" password. Length matters because every extra character multiplies the number of guesses an attacker has to try.

Some people say you should use a different password for every account. That is certainly the most secure approach, but it is tough to remember which password goes with which account. If you go this route, there is a great tool called Password Safe, found here. It is free, open source, and widely regarded as secure. Essentially Password Safe is an encrypted store of all your passwords, unlocked with one master password. The tool has a ton of useful features, including a strong password generator. Since that master password now protects everything, it should be the strongest password you use, and it is the one you must not forget.
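As an added illustration (not code from the post or from Password Safe), here is a small Python script that checks a candidate against the four criteria above and generates passwords that satisfy them. The special-character set is the example list from the post, and the default length of 16 is my own choice; the entropy figure shows why "longer is better" in numbers.

```python
import math
import secrets
import string

# Character classes from the post's definition of a "strong" password.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!#$%^&*()_+@"      # the post's example set; any punctuation would do
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LENGTH = 8                # the post's minimum

def missing_criteria(password):
    """Return the list of criteria that `password` fails (empty means strong)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length < %d" % MIN_LENGTH)
    if not any(c in UPPER for c in password):
        failures.append("no upper-case letter")
    if not any(c in LOWER for c in password):
        failures.append("no lower-case letter")
    if not any(c in DIGITS for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL for c in password):
        failures.append("no special character")
    return failures

def is_strong(password):
    return not missing_criteria(password)

def entropy_bits(length):
    """Bits of entropy for `length` characters drawn uniformly from ALPHABET.

    log2(|alphabet| ** length): 8 characters give about 49.7 bits,
    16 characters double that. This is why length beats cleverness.
    """
    return length * math.log2(len(ALPHABET))

def generate_password(length=16):
    """Generate a password that satisfies is_strong().

    Uses the `secrets` module (the OS CSPRNG), never `random`, whose
    Mersenne Twister state can be recovered from its output. One
    character is drawn from each class so every class is present, the
    rest is filled from the union, and the result is shuffled so the
    guaranteed characters do not sit at fixed positions.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)   # same CSPRNG as secrets.choice
    return "".join(chars)

if __name__ == "__main__":
    # Constructed sample candidates, weakest first.
    for candidate in ["password", "Password1", "Passw0rd!", "Tr0ub4dor&3"]:
        print("%-12s %s" % (candidate, ", ".join(missing_criteria(candidate)) or "strong"))
    print("8 chars: %.1f bits, 16 chars: %.1f bits" % (entropy_bits(8), entropy_bits(16)))
    pw = generate_password()
    print(pw, "->", "strong" if is_strong(pw) else missing_criteria(pw))
```

Note that `is_strong()` only checks the post's composition rules; a password like `Password1!` passes them and is still among the first guesses any cracker tries, which is exactly why a generated password from a safe beats a hand-made one.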

However, not everyone wants the added overhead of a tool to keep track of all their passwords. Another option, although less secure, is a two- or three-tiered password system. This approach divides your accounts into tiers by value. For example, your bank, brokerage and any other account that involves money is guarded by one strong password, used only for those accounts. A second strong password, different from the first, protects your everyday accounts such as email and other less valuable logins. The advantage is that the password you type most often (email and the like) is the one most likely to be captured, phished or leaked by a careless site, and it cannot open your financial accounts. That makes this more secure than using the same password everywhere, though a leak of the financial password still exposes every account in that tier.

Regardless of the method you choose, change your passwords every 90 days (more frequently is better), and immediately if you suspect one has been exposed. Also realize that if someone really wants into your account, they will probably find a way; the goal is to make it hard enough that it isn't worth their time. Don't rule out social engineering as a way to attack your account, either. Social engineering refers to techniques for getting the password out of you under some "official"-sounding pretext: someone impersonating support staff, someone offering to help you, or an official-looking website that asks you to enter your login details (phishing). No legitimate site or support desk needs you to tell them your password.

2 comments:

Mark G. said...

Steve,
Just a couple of comments about encrypting passwords. First, you must be careful never to enter the password into any program such as a word processor or spreadsheet. One technique to discover passwords is to search the hard drive for text scripts, including the Windows swap files. Second, if someone wants your password badly enough, they will install a keyboard logger on your PC. These are two methods the FBI uses to find passwords. They don't try to break the encryption algorithm; they just look for you being careless.

Chadwick said...

Mark, great point about the keyboard logger. Are there apps out there that look for these types of loggers?