From the AnnArbor.com archives.
Posted on Fri, Feb 17, 2012 : 11 a.m.

Proper password storage is the next step for protecting your data

By Kristin Judge

Last time we visited, I encouraged you to create a strong password. If you haven't done that yet, let me repeat the importance of doing so. A strong password has at least eight characters including one symbol, one number, one capital letter and one lower case letter.

Let's assume after reading my last column you were inspired to immediately change your passwords to meet the best practice guidelines. Let's also assume you followed my suggestion to create different passwords for each account you had online.

Now you have to remember a couple dozen complex passwords. This is the dilemma I believe has kept some people from creating and using the best passwords.

Research and discussion on alternatives to passwords are taking place. The Huffington Post, for example, recently reported that, "Biometric Identification Will Replace Many Passwords In Next Five Years, Says IBM Scientist." Sounds very science fiction to think our computer will do a retinal scan to allow us access to our favorite social media page, but that is one of the options being talked about right now to address this password issue.

It may take some time for any alternative solution to effect change in our homes or offices. So, in the meantime, we need practical advice on how to manage the passwords in our lives.

There are a number of "password management" systems on the market you can use. They are basically programs that store your passwords for you electronically. Millions of people use them; however, it is important to understand the pitfalls of having all your passwords stored in an application on your phone or computer.

First, the company that runs the password storage application can get hacked. We have seen some of the most secure systems in the world get hacked in the last few months alone.

Second, people lose their phones and laptops at an alarming rate. A quick review of online studies shows that estimates of the number of stolen laptops range anywhere from more than 10,000 a week stolen from airports to one laptop stolen every 12 seconds, or 2.6 million a year in America alone. We are human, and with all the gadgets we carry around on a daily basis, we are bound to lose one eventually.
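The two pitfalls above are why a password manager's vault is only as safe as the way it is encrypted. The example below is added here and is not from the column or from any particular product: it is a minimal vault in Go, using only the standard library, that derives the vault key from the master password with PBKDF2 (written out by hand) and seals the entries with AES-256-GCM. It shows what a thief who takes the phone or laptop, or an attacker who breaches the company's servers, actually gets: a file that reveals nothing without the master password, that rejects a wrong guess, and that rejects any modification. The file layout (salt, nonce, ciphertext), the iteration count, and the sample entries are assumptions for this example; real managers use a memory-hard KDF such as Argon2 or scrypt and a higher cost.

```go
// Added example (not from the column): a minimal password vault encrypted
// client-side under a key derived from the master password.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16
	keyLen    = 32      // AES-256
	kdfRounds = 100_000 // assumption; real managers use Argon2/scrypt or more rounds
)

// ErrVault covers both a wrong master password and a modified file: GCM
// cannot tell them apart, and the caller should not try to.
var ErrVault = errors.New("vault: wrong master password or tampered file")

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256, written out so the
// example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, rounds, outLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	out := make([]byte, 0, ((outLen+hLen-1)/hLen)*hLen)
	u := make([]byte, hLen)
	var ctr [4]byte
	for i := 1; len(out) < outLen; i++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		prf.Write(ctr[:])
		out = prf.Sum(out) // U1 appended to out
		t := out[len(out)-hLen:]
		copy(u, t)
		for n := 1; n < rounds; n++ { // Un = PRF(P, Un-1); T ^= Un
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for k := range u {
				t[k] ^= u[k]
			}
		}
	}
	return out[:outLen]
}

// newAEAD derives the vault key from the master password and this file's salt.
func newAEAD(masterPassword string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(masterPassword), salt, kdfRounds, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts entries. File layout (an assumption of this example):
// salt || nonce || AES-256-GCM ciphertext+tag, with the salt as associated data.
func SealVault(masterPassword string, entries []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(salt, nonce...)
	return aead.Seal(header, nonce, entries, salt), nil
}

// OpenVault decrypts a file written by SealVault.
func OpenVault(masterPassword string, file []byte) ([]byte, error) {
	if len(file) < saltLen {
		return nil, ErrVault
	}
	salt := file[:saltLen]
	aead, err := newAEAD(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(file) < saltLen+ns+aead.Overhead() {
		return nil, ErrVault
	}
	pt, err := aead.Open(nil, file[saltLen:saltLen+ns], file[saltLen+ns:], salt)
	if err != nil {
		return nil, ErrVault
	}
	return pt, nil
}

func main() {
	// Constructed sample entries (the column's own example passwords), not real credentials.
	entries := []byte("bank.example: Sfl2$m1tT\nmail.example: G0@h3@dM@k3MyD@y\n")
	master := "some families love to see movies in the theater" // assumption: a long passphrase
	file, err := SealVault(master, entries)
	if err != nil {
		panic(err)
	}
	fmt.Println("stolen file exposes an entry:", bytes.Contains(file, []byte("Sfl2$m1tT")))
	_, err = OpenVault("password1", file)
	fmt.Println("open with a wrong guess:", err)
	pt, _ := OpenVault(master, file)
	fmt.Printf("open with the master passphrase:\n%s", pt)
}
```

The point for the reader of the column: once the vault looks like this, the remaining risks are a guessable master password (the KDF only slows guessing, it cannot rescue "password1") and a device that is left unlocked with the vault open, not the fact that the file sits on a phone or on a company's server.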

So, we need to ensure we do everything we can to keep our passwords safe, as they are the key to our data and personal information.

Today's Quick Tip (QT):

Create strong passwords, and store them safely.

Choose a sentence that means something to you and make that the base of your password. Make sure you use separate passwords for each account.

Example:
Phrase you can remember easily: "Some families love to see movies in the theater."
Translated into a password using the first letter of each word (with "to" written as 2, "see" as $, "in" as 1, and the last word capitalized): Sfl2$m1tT

Now, write down password hints (not the passwords themselves) for your online accounts on a piece of paper and store them in a safe spot. It may seem old fashioned to use pen and paper to keep track of your passwords, but right now, it’s one of the best options we have.

To get more great information about staying safe online, including access to free monthly newsletters, webcasts and more, visit the Center for Internet Security at www.cisecurity.org. Stay tuned for our next chat!

Kristin Judge is the Director of Partner Engagement for the Center for Internet Security, Multi-State Information Sharing and Analysis Center. She can be reached at kristin.judge@msisac.org.

Comments

Gabriel Elohim

Thu, Feb 23, 2012 : 9:24 p.m.

*Correction* My math was off: 8 char. alphanumeric / specials rainbow tables will take up approx 17.77 TiB of space...

Kristin Judge

Thu, Feb 23, 2012 : 5:59 p.m.

Thanks to everyone for being a part of the conversation. Online safety is a process with many options and opinions on methods to be safe. Let's keep talking!

Gabriel Elohim

Thu, Feb 23, 2012 : 4:57 p.m.

lol, the above post(s) were written by Jeff Haller, part of your WC4 team, AnnArbor.com posted it as the username to an old email account for some reason >.<

Gabriel Elohim

Thu, Feb 23, 2012 : 4:52 p.m.

(Continuation from my above response) All that is needed to foil the bad guys is to take your methodology one step further, e.g. turn a phrase that you can easily remember into a "passphrase" that is easy to remember. For example, pick a phrase from your favorite movie; turn "Go ahead make my day" into "G0@h3@dM@k3MyD@y": capitalize the first letter of every word, turn A's into @ symbols, O's into 0's (zeros), and E's into 3's. You now have a "passphrase" that: A) is easy to remember; B) utilizes a combination of alphanumeric and special characters; C) is 16 characters in length. Meaning that BlackHat will have to "recompile" another set of rainbow tables if he / she wants to compromise your account. This will increase the size of the storage space required for BlackHat's rainbow tables exponentially, not to mention the CPU processing time that would be required to create such a precompiled rainbow table... Cheers, Jeff

Gabriel Elohim

Thu, Feb 23, 2012 : 4:50 p.m.

Nice article Ms. Judge. If I may add my "two cents" (due to LinkedIn's character limit this will take two (2) posts, sorry >.<): While your methodology is sound, it only created a password that is 9 characters long. Even though this password utilizes a combination of alphanumeric and special characters, it will do little to deter a determined "BlackHat" that is utilizing a time-memory tradeoff algorithm such as rainbow tables. If social engineering skills have taught us anything, it is the fact that most users are inherently lazy when it comes to password creation. Meaning that most users will pick a password that is in the range of 8 to 12 characters, 8 being the minimum character length required for "most" authentication protocols, and 12 being the maximum character length that "most" users will attempt to remember. We should assume that Mr. or Ms. BlackHat already has every possible character combination of passwords between 8 and 12 characters in length, stored in pre-compiled rainbow tables. These "tables" can be purchased via the Internet for about $30 American. While "Sfl2$m1tT" would appear to be a strong password, it would literally be cracked in a matter of seconds, with the processing power of modern computers and the use of an algorithm that utilizes a time-memory tradeoff technique. (Continued in NEXT post)

DFR

Sat, Feb 18, 2012 : 2:03 p.m.

"We allow respectful, constructive comments. No attacks, please" ...... Really? Wonder why "John's" comments made the cut? There are more appropriate ways of making one's point.

ChrisW

Fri, Feb 17, 2012 : 8:46 p.m.

I like PasswordWallet because it will enter the password for me after I unlock it and can sync between Macs, Windows, and iPhones. http://www.selznick.com/products/passwordwallet/

John

Fri, Feb 17, 2012 : 7:56 p.m.

You state that millions of people are using "Password Management" systems, but then list 2 bullet points stating that they 1) can get hacked, and 2) people lose things. Why wouldn't you still make a couple of suggestions and advise people to use each one with full knowledge of its strengths and weaknesses? "Write down password hints ... on a piece of paper"? Are you serious? LastPass, 1Password, KeePass, etc. are all great applications at both storing AND generating passwords, and certainly much easier than coming up with a phrase and translating it! I'm sorry but to not use available SaaS solutions simply because they might "get hacked" is silly. Using the right encryption, you can minimize the risk of loss. "It may seem old fashioned to use pen and paper..." you're absolutely right. I must ask: do you actually practice what you preach? I mean, you personally write your password hints down on paper, and sort of finger through a rolodex of them when you need to remember one? Why even write a technical opinion when your solution isn't even technical? Want to read a REAL article about password storage? Try this Ars Technica article: http://arstechnica.com/security/guides/2011/03/ask-ars-where-should-i-store-my-passwords.ars Warning: Ars Technica tends to be full of Science. Of course, you could always just save your favorite Science on little pieces of paper, and access them as you need. Weren't you worried your article would be hacked? Maybe you should have just left it to the print edition, you know, to be safer (LOL)!

Craig Lounsbury

Fri, Feb 17, 2012 : 4:37 p.m.

In my opinion you can separate "important accounts" from "unimportant accounts" with respect to complexity and uniqueness of passwords. I have several what I deem "unimportant accounts" with the same, or nearly the same, password. These accounts get me in to a forum perhaps or a website where I have offered no "delicate" information, only a throwaway Yahoo or Hotmail address. I reserve my complex passwords for bank, credit card, places I pay bills or use a credit card, that sort of thing. This place for instance doesn't warrant a complex password in my opinion. Am I off base?