Wednesday, June 22, 2011

Four easy-to-remember passwords that will protect your accounts

The recent security breach at the beloved online storage service, Dropbox, has reminded us of the weakness of the Web.

Founded in 2007, Dropbox uses cloud computing to let us store all kinds of large files on the Web, across a variety of operating systems, and share them easily with others.

For about four hours on June 19, anyone could get access to any account with a dummy password. “It was like our skirt got lifted for hours.”

This is what Dropbox wrote on their blog yesterday:
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

This is a serious issue for Dropbox—a company valued at $1.5 to $2 billion—since trust is the number one value they offer over their competition. Until we hear more about the “additional safeguards” they intend to implement it does give us pause about our chosen passwords.

We live in a password era, and we all have passwords that range from the ridiculously simple and cheesy, like “love,” to impossible-to-get-straight gobbledygook. Apparently a shocking 50% of passwords are “based on names of a family member, spouse, partner, or a pet,” according to the book “Perfect Password: Selection, Protection, Authentication.”

We also learned recently that 75% of us use the exact same password for everything. This is a huge mistake. All it takes is one hacker and one weakly protected site and your key to everything, including email and banking, is up for grabs.

When you use the same password for everything it is only as strong as the weakest site and, unfortunately, there are plenty of weak sites. Ninety-three percent of organisations have been hacked at least once in the past two years, according to the US State of Web Application Security Survey, Ponemon Institute.

You can keep the same series of numbers and letters but mix them up (upper case, lower case, order: a near limitless variety) for different kinds of sites (banking, discount shopping, online publications, airlines, etc.), and change them regularly.

There is a better, simpler way, according to Christopher Mims at MIT Tech Review. He suggests that you create only four passwords and use them in a tiered system.

Low-tier password: Something you may already be using that is so easy to guess it might as well be your middle name. Use this for sites of low importance, ones you don’t care about, like commenting on online magazines or music streaming sites. If you get hacked, the worst that can happen is that your account suddenly likes Lady Gaga!

Second-tier password: “For sites on which you have personal data and definitely don’t want to be impersonated (Twitter, Facebook, etc.),” says Mims. Here you need something longer, provided you are comfortable recalling complex phrases. Remember to use at least one special character, and insert it into the middle of the phrase, not at either end.

Never, ever use what is called a “dictionary password,” i.e. any real word that exists in a dictionary. A classic tactic hackers use to break into sites is a fast program that tries real words one after another until it finds a match.

Third-tier password: This is your second highest level of security and can be used for email accounts and your cell phone. It needs to be unique, long and interspersed with special characters. Your email account is where you might hold information about your other passwords, so it must be highly guarded. It is the “master key” of passwords.

Fourth-tier password: The gold standard of passwords, used to protect your wealth, i.e. your bank and financial information. This password must be unique and used only for your banking, nothing else.

So we don’t need to have 30+ passwords memorised, or worse, documented in email or on scraps of paper, we just need four — or at least three — that are tiered for importance and security.

As for tips on creating a vice-like, gold standard password, we suggest reading an informative post on the worst passwords of all time, and avoiding them.

Even a cryptic string like “abgrtyu” is on the list, so be wary. The hard part is following the paradoxical mantra of password creation: Easy to remember, hard to guess.

Once you’ve mastered that statement, try measuring your password strength using this useful Microsoft test. I used to get angry and hurt when my passwords were noted as “weak” as if it were a personal affront. Now I know it can be part of an entire strategy of protection.
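The tiered rules above (no dictionary words, a special character in the middle rather than at an end, longer passwords for higher tiers, no reuse between tiers) can be checked mechanically. The following is an added example, not code from the post or from Dropbox or Mims; the word list, worst-password list and per-tier minimum lengths are constructed stand-ins for the real lists the post refers to.

```python
from __future__ import annotations
import string

# Constructed sample lists: stand-ins for a real dictionary and a real worst-passwords list.
DICTIONARY = {"love", "password", "dragon", "monkey", "sunshine"}
WORST_PASSWORDS = {"123456", "password", "qwerty", "abgrtyu", "letmein"}

# Assumed minimum length per tier, rising from low-tier (1) to banking (4).
MIN_LENGTH = {1: 6, 2: 10, 3: 12, 4: 14}


def has_inner_special(pw: str) -> bool:
    """True if at least one punctuation character sits strictly inside the string."""
    return any(c in string.punctuation for c in pw[1:-1])


def is_dictionary_word(pw: str) -> bool:
    """Flag a bare dictionary word, including one with digits tacked onto either end."""
    core = pw.strip(string.digits).lower()
    return core in DICTIONARY


def check_password(pw: str, tier: int) -> list[str]:
    """Return the policy violations for this tier; an empty list means it passes."""
    problems = []
    if pw.lower() in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    if is_dictionary_word(pw):
        problems.append("is a dictionary word")
    if len(pw) < MIN_LENGTH[tier]:
        problems.append(f"shorter than {MIN_LENGTH[tier]} characters required for tier {tier}")
    if tier >= 2 and not has_inner_special(pw):
        problems.append("needs a special character in the middle, not at either end")
    return problems


def check_tiers(passwords: dict[int, str]) -> dict[int, list[str]]:
    """Check every tier, then flag the reuse the post warns about: one password in two tiers."""
    report = {tier: check_password(pw, tier) for tier, pw in passwords.items()}
    for tier, pw in passwords.items():
        if any(pw == other for t, other in passwords.items() if t != tier):
            report[tier].append("reused in another tier")
    return report


if __name__ == "__main__":
    sample = {1: "love", 2: "sunshine99", 3: "Mail#Key$Phrase42", 4: "Mail#Key$Phrase42"}
    for tier, issues in check_tiers(sample).items():
        print(tier, issues or "ok")
```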
