Fix your passwords. Help protect your data.

Twisty Passages

Events, observations, and reflections from Jonathan Leistiko – TexVet webmaster, semi-pro game designer, and Austinite since '99.

[Image: What is your digital footprint?]

Are your passwords complex enough to keep your important data secure?

Odds are they're not, but don't panic! At the end of this article, I offer an easy tip that'll help you create secure, memorable passwords.

There's been a big kerfuffle about the recent illegal access (and I think it's fair to call it that) and "release" of private celebrity pictures from Apple product users' accounts. Apple asserts, "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone." (source) – In people-speak, they're saying their security systems worked as designed; the accounts that got hacked were protected by passwords and security questions that an attacker could guess.

Setting Apple's responsibilities aside for a moment – whether they should have had better security, whether the security they have was implemented correctly, whether they're reacting as they ought to – this brings up an important point: A keyboard-based password system is only as good as the password you use. If you use the password, "password," for every system you use, it doesn't matter how great the security is. (Yes, a good system shouldn't let you do that in the first place, but that's a whole 'nother blog.)

Since we can't (directly) control how companies implement their security, let's focus on what we can control: Making good passwords that we can actually remember.

Passwords are an inherently flawed form of security. We’ve been trained to use passwords that are hard for people to remember and (relatively) easy for computers to crack by brute-force guessing. More on this in a moment, but the result is that people either (a) create passwords that are really simple to guess, (b) gather all of their passwords in one (usually insecure) location, like a piece of paper, (c) lean on password-reset mechanisms (security questions, e-mailed reset links) that are themselves easy to attack, or (d) create passwords they cannot remember just to satisfy an outdated and arbitrary set of security criteria. All of these outcomes are lousy.

[Image: How hard is it for a hacker to figure out your password?]

Most modern systems support arbitrarily long passwords with letters in upper and lower case, numbers, and virtually all special characters (including spaces). In the past, systems taught us that a secure password is at least 8 characters long with a mixture of capitals, lower case, numbers, and special characters. Including this mix is good, as it increases the number of options a hacker (human or computerized) would have to explore to “hack” your password, but what’s even more powerful is making your password longer. Every character you add multiplies the number of candidates a hacker would have to try by the size of the character set, so the total grows exponentially with length. We humans are really bad at remembering things like, “qD33*gF1pYX#eRT_0+ck,” but we’re pretty darn good at recalling sentences like, “Strawberry shortcake is my favorite food at Galaxy Cafe,” or, “Let me not to the marriage of true minds admit impediments,” or, “My nephews are 1, 3, 7, and 13. They live in Tulsa.”

And if you want a secure password that’s easy to recall, this is your best bet. Pick a sentence with a relatively large number of words. Fewer words makes your password more vulnerable to dictionary attacks, where the attacker hashes lists of likely words and phrases instead of trying every character combination; well-known quotations and song lyrics are already on those lists, so a sentence about your own life is a safer choice than a famous line. If you like, make it something that’s easy for you to associate with the website you’re going to so you can recall it more easily. Type it with proper capitalization and punctuation, and you’re good to go.
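To put numbers on the length-versus-complexity argument above, here is an added Python example (not from the original post). It models the two attacker strategies the post mentions: character-by-character brute force, where the search space is the alphabet size raised to the length, and a dictionary attack, where the attacker guesses a sentence word by word from a vocabulary. The guess rate and the 20,000-word vocabulary are assumptions chosen for illustration, and the candidate passwords are the post's own examples plus "password" as the worst case.

```python
import math
import string

# Assumed attacker capability for the time estimate: roughly what a GPU rig
# achieves against a fast, unsalted hash. Illustrative, not a measurement.
GUESSES_PER_SECOND = 1e11

# Character classes the attacker must include once they see (or assume) the
# password uses them. Space is grouped with punctuation.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def charset_bits(password: str) -> float:
    """Search-space size in bits for a character-by-character brute force.

    Only classes actually present in the password are counted, which is the
    most favourable assumption for the attacker.
    """
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(ch in cls for ch in password))
    return len(password) * math.log2(alphabet)


def wordlist_bits(num_words: int, vocabulary_size: int) -> float:
    """Search-space size in bits if the attacker guesses whole words from a
    vocabulary of the given size (a dictionary attack on a passphrase)."""
    return num_words * math.log2(vocabulary_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2.0 ** bits / rate


def passphrase_strength(phrase: str, vocabulary_size: int = 20_000) -> float:
    """Bits the attacker must cover for a sentence: the weaker of the two
    models above, because the attacker picks the cheaper strategy."""
    num_words = len(phrase.split())
    return min(charset_bits(phrase), wordlist_bits(num_words, vocabulary_size))


if __name__ == "__main__":
    # Constructed candidates: the post's own examples plus the worst case.
    candidates = {
        "password": "password",
        "random 20 chars": "qD33*gF1pYX#eRT_0+ck",
        "four-word phrase": "I like traffic lights",
        "nine-word sentence": "Strawberry shortcake is my favorite food at Galaxy Cafe",
    }
    for label, pw in candidates.items():
        bits = passphrase_strength(pw) if " " in pw else charset_bits(pw)
        years = seconds_to_exhaust(bits) / (365 * 24 * 3600)
        print(f"{label:20s} {bits:7.1f} bits  ~{years:.3g} years to exhaust")
```

Note what the word-level model does to the numbers: the nine-word sentence has more than 350 bits if it must be brute-forced character by character, but under the dictionary model it drops to about 129 bits, roughly the same as the 20-character random string. A four-word phrase drops to about 57 bits, which is why the post says to use more words.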

Q: “What if the website is older and won’t support an arbitrarily long password, or it doesn’t like spaces in the password?”

A: Here’s my two-path super-secret back-up strategy. Path 1: If you have a specialized domain of knowledge that uses obscure letter-number combinations you’ve memorized, use something from there. If you’re a coder, write a line of code. If you’re a chemist, use a chemical compound. If you’re an accountant or mathematician or physicist, use a formula. Path 2: Take the phrase you would normally use on the website and break it down. Take the first letter of each word (properly capitalized or lower case) and immediately follow it with the number of letters in the word. If the result is too short, add a special character to the end and repeat the encoded phrase. Examples: “Strawberry shortcake is my favorite food at Galaxy Cafe” becomes “S10s9i2m2f8f4a2G6C4”; “I like traffic lights” becomes “I1l4t7l6” and extends to “I1l4t7l6*I1l4t7l6”.
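The Path 2 encoding, as an added Python example (not the post's own code) so you can check the arithmetic before you commit a phrase to memory. The letter count ignores punctuation attached to a word, the minimum length that triggers the repeat is a parameter (the post does not fix one; 12 is assumed here), and the policy checker models a typical legacy rule set (at least 8 characters, no spaces, upper, lower and digit), which is an assumption about the site, not something the post specifies.

```python
def encode_phrase(phrase: str) -> str:
    """Path 2: first character of each word (case preserved) followed by the
    number of letters/digits in that word. Punctuation such as a trailing
    period or comma is ignored when counting."""
    parts = []
    for token in phrase.split():
        core = "".join(ch for ch in token if ch.isalnum())
        if not core:
            continue  # a lone dash or quotation mark is not a word
        parts.append(core[0] + str(len(core)))
    return "".join(parts)


def encode_with_minimum(phrase: str, min_length: int = 12, filler: str = "*") -> str:
    """Encode, then append the filler character and the encoding again until
    the result reaches min_length (the post's "too short" rule; the threshold
    of 12 is an assumed value)."""
    encoded = encode_phrase(phrase)
    if not encoded:
        raise ValueError("phrase contains no words")
    result = encoded
    while len(result) < min_length:
        result = result + filler + encoded
    return result


def meets_legacy_policy(password: str) -> bool:
    """Assumed legacy site rules: at least 8 characters, no whitespace, and at
    least one upper-case letter, one lower-case letter and one digit."""
    return (
        len(password) >= 8
        and not any(ch.isspace() for ch in password)
        and any(ch.isupper() for ch in password)
        and any(ch.islower() for ch in password)
        and any(ch.isdigit() for ch in password)
    )


if __name__ == "__main__":
    # The post's two worked examples.
    for phrase in ("Strawberry shortcake is my favorite food at Galaxy Cafe",
                   "I like traffic lights"):
        short = encode_phrase(phrase)
        padded = encode_with_minimum(phrase)
        print(f"{phrase!r}")
        print(f"  -> {short}  (legacy policy ok: {meets_legacy_policy(short)})")
        print(f"  -> {padded}  (legacy policy ok: {meets_legacy_policy(padded)})")
```

The encoded form is far shorter than the sentence it came from, so it gives up most of the length advantage the post argues for; reserve it for sites that genuinely refuse long passwords or spaces, and keep the full sentence everywhere else.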

Questions? Contact me through the TexVet contact form!