Four easy-to-remember passwords that will protect your accounts

The recent security breach at the beloved online storage service, Dropbox, has reminded us of the weakness of the Web.

Founded in 2007 Dropbox that uses cloud computing to allow us to store all kinds of large files on the Web, and across a variety of operating systems, that are then easily shared with others.

For about four hours on June 19 anyone could get access to any account with a dummy password. “It was like our skirt got lifted for hours.”

This is what Dropbox wrote on their blog yesterday:
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

This is a serious issue for Dropbox—a company valued at $1.5 to $2 billion—since trust is the number one value they offer over their competition. Until we hear more about the “additional safeguards” they intend to implement it does give us pause about our chosen passwords.

We live in a password era, and we all have our passwords that range from the ridiculously simple and cheesy like “love” to impossible-to-get-straight gobbledigook. Apparently a shocking 50% of passwords are “based on names of a family member, spouse, partner, or a pet,” according to this book “Perfect Password: Selection, Protection, Authentication.”

We also learned recently that 75% of us use the exact same password for everything. This is a huge mistake. All it takes is one hacker and one weakly protected site and your key to everything, including email and banking, is up for grabs.

When you use the same password for everything it is only as strong as the weakest site and, unfortunately, there are plenty of weak sites. Ninety-three percent of organisations have been hacked at least once in the past two years, according to the US State of Web Application Security Survey, Ponemon Institute.

You can use the same series of numbers and letters but do mix them up (upper case, lower case, order, creating what may be a near limitless variety) for different sites, banking, discount shopping, online publications, airlines, etc. and change them up regularly.

There is a better, simpler way, according to Christopher Mims at MIT Tech Review. He suggests that you create only four passwords and use them in a tiered system.

Low-tier password: Something you may already be using that is so easy to get that it might as well be your middle name. Use this for low level importance sites. One's you don’t care about, like commenting sites for online magazines or music streaming sites. If you get hacked the worst that can happen is that your username suddenly likes Lady GaGa!

Second-tier password: “For sites on which you have personal data and definitely don’t want to be impersonated (Twitter, Facebook, etc.),” says Mims. Here you need something longer as long as you are comfortable with recalling complex phrases. Remember to use at least one special character, especially inserting it into the middle of the phrase, not at either end.

Never, ever use what is called a “dictionary password” i.e. any real word that will exist in a dictionary. A classic tactic that hackers use to break into sites uses a fast program that repeatedly inserts real words until it finds a match.

Third-tier password: This is your second highest level of security and can be used for email accounts and your cell phone. It needs to be unique, long and interspersed with special characters. Your email account is where you might hold information about your other passwords, so it must be highly guarded. It is the “master key” of passwords.

Fourth-tier password: The gold standard of passwords should be used to protect your wealth i.e. your bank and financial information. This password should be unique and can only be used for your banking, nothing else.

So we don’t need to have 30+ passwords memorised, or worse, documented in email or on scraps of paper, we just need four — or at least three — that are tiered for importance and security.

As for tips on creating a vice-like, gold standard password we suggest reading an informative post on the worst passwords of all time, and avoid them.

Even a cryptic string like “abgrtyu” is on the list, so be wary. The hard part is following the paradoxical mantra of password creation: Easy to remember, hard to guess.

Once you’ve mastered that statement, try measuring your password strength using this useful Microsoft test. I used to get angry and hurt when my passwords were noted as “weak” as if it were a personal affront. Now I know it can be part of an entire strategy of protection.

Warning! How I’d Hack Your Weak Passwords - by Lifehacker

Note: This isn't intended as a guide to hacking *other people's* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security.

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let's see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I'll probably get into all of them.

1.Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
2.The last 4 digits of your social security number.
3.123 or 1234 or 123456.
4."password"
5.Your city, or college, football team name.
6.Date of birth – yours, your partner's or your child's.
7."god"
8."letmein"
9."money"
10."love"
Statistically speaking that should probably cover about 20% of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do…

Black Hats
Hackers, and I'm not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

Brute Force
One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials.

Insecure.org has a list of the Top 10 FREE Password Crackers. Please use this information in a responsible manner. If you do use them, do so to improve your system security.

Security Breach

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

You probably use the same password for lots of stuff right?
Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.

However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.

Software aids

So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.

Once we've got several login+password pairings we can then go back and test them on targeted sites.

Interrogating cookies

But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. Use cleaning software to remedy that problem.

Speed is relative

How fast can all this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it's just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Lowercase and Uppercase
Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Remember, these are just for an average computer, and these assume you aren't using any word in the dictionary. If Google put their computer to work on it they'd finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and we can all sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you're going to do that how about using something that no one is ever going to guess AND doesn't contain any common word or phrase in it.

Here are some strong password tips:

• 1.Randomly substitute numbers for letters that look similar. The letter ‘o' becomes the number ‘0′, or even better an ‘@' or ‘*'. (i.e. – m0d3ltf0rd… like modelTford)
• 2.Randomly throw in capital letters (i.e. – Mod3lTF0rd)
• 3.Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
• 4.Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
• 5.You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere.
• 6.Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you'd like to download it without having to navigate their web site here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
• 7.Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
• 8.Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is.

Guard email passwords
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because "I don't get anything sensitive there."

Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank's Web site and tell it I've forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Drive-by Hacking

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they've never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!

Pay attention

Now I realise that every day we encounter people who make a lot of noise and over-exaggerate points, to move us to action or for their own benefit, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that haven't been mentioned.

I also realise that most people just don't care about all this until it's too late and they've learned a very hard lesson. But why don't you do yourself a big favour and take a little action to greatly strengthen your passwords. You know it makes good sense.