Saturday 25 February 2012

How Secure Are Your Passwords? How to secure them...

Hello again guys. A few days ago I was speaking to a good friend of mine who had his password hacked; unfortunately this password was the same for all of his online accounts, including his online banking! This obviously meant that his whole online ‘persona’ was compromised. Since I work in IT security, he came to me for advice. This conversation got me thinking about just how secure most people’s passwords are, so I thought I would write a post on how to secure yourself online.

Use complicated passwords

During my conversation with this friend, he explained that his universal password was his surname followed by 123. This is very insecure, as are ‘password123’, ‘password’, ‘abc123’ and the like. Stay away from the word ‘password’ in your password(s), from any personal information about you (surname, birthday, pet, football team) and from generic phrases. You can have a password that is complicated yet still easy to remember. For example, let’s say my friend’s password was ‘jones123’. It can be made more complicated, yet still memorable, by substituting letters with similar-looking numbers and adding a capital letter, so the password becomes ‘jOn3s123’. That is better than before, but we’re not finished yet. We can also add a special character, again one that looks like the original letter, so the password becomes ‘jOn3$123’. To you it is still ‘jones123’, but it is harder to guess. One caveat a lot of people miss: password-cracking tools ship with rules that try exactly these substitutions (0 for o, 3 for e, $ for s) and common digit suffixes against wordlists of surnames, first names and dictionary words, so a disguised surname is only a modest step up from the bare one. The real gains come from length and from not building on personal information at all.

Some examples of substitutions that you could use are below:

  • o = 0 (zero)
  • o = *
  • i = !
  • s = $
  • e = 3
  • i or l = 1
  • and = &

Another good method of making a secure password is to make it long. Most systems accept a space as a valid password character, so you can use a whole sentence as a password, for example ‘My favorite t-shirt is green and has 11 printed on it.’ This password is long, has upper-case letters, numbers and special characters, and it would be extremely difficult for a hacker to crack that bad boy! Two checks before you rely on this: some sites reject spaces or silently cap the length, so confirm the site accepts the whole thing (and that you can log back in), and make the sentence your own rather than a famous quote or song lyric, since those are in the crackers’ wordlists too.
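To show why the substitution trick buys less than it looks like, and what a long passphrase buys instead, here is an added example (my own illustration, not code from the original post). It inverts the substitution table above the way a cracker rule would, strips a trailing digit suffix, and looks the stem up in a constructed sample wordlist; it also goes a little beyond the post by generating a random multi-word passphrase with the `secrets` module and estimating its entropy. The wordlist, the four-digit suffix rule, the 64-variant bound and the 7776-word vocabulary size are assumptions for the example.

```python
import itertools
import math
import re
import secrets

# The post's substitution table, inverted: each lookalike character maps back
# to the letter(s) it commonly replaces. Cracking tools ship rules like these.
UNLEET = {
    "0": ["o"],
    "*": ["o"],
    "!": ["i"],
    "1": ["i", "l"],
    "$": ["s"],
    "3": ["e"],
    "&": ["and"],
}

# Constructed sample wordlist; a real attack uses millions of entries
# (surnames, first names, leaked passwords, dictionary words).
WORDLIST = {"jones", "smith", "password", "green", "favorite", "letmein"}

# Assumed rule: up to four trailing digits are a suffix appended to a base word.
SUFFIX_RE = re.compile(r"^(.*?)(\d{0,4})$")


def unleet_candidates(text):
    """Yield every plain-letter reading of text by expanding each lookalike
    character into the letters it may stand for."""
    choices = [UNLEET.get(ch, [ch]) for ch in text.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def rule_attack(candidate, wordlist=WORDLIST):
    """Mimic one cracker rule: strip trailing digits, undo lookalike
    substitutions, lower-case, then look the stem up in the wordlist.
    Returns (base_word, digit_suffix) if the candidate falls, else None."""
    stem, suffix = SUFFIX_RE.match(candidate).groups()
    for plain in unleet_candidates(stem):
        if plain in wordlist:
            return plain, suffix
    return None


def rule_search_space(wordlist_size, max_leet_variants=64, suffix_space=10_000):
    """Upper bound on guesses for 'word + lookalike swaps + up to 4 digits'.
    Against a fast hash a GPU rig tries billions of guesses per second, so
    this space is exhausted quickly even for a large wordlist."""
    return wordlist_size * max_leet_variants * suffix_space


def make_passphrase(word_count, vocab):
    """Generate a passphrase of randomly chosen words, space separated.
    Uses the secrets module (a CSPRNG), not the random module."""
    return " ".join(secrets.choice(vocab) for _ in range(word_count))


def passphrase_bits(word_count, vocab_size):
    """Entropy in bits of word_count words drawn uniformly from vocab_size."""
    return word_count * math.log2(vocab_size)


if __name__ == "__main__":
    for pw in ["jones123", "jOn3$123", "pa$$w0rd",
               "My favorite t-shirt is green and has 11 printed on it."]:
        print(f"{pw!r:60} -> {rule_attack(pw)}")
    # A 10-million-entry wordlist gives a rule space of about 6.4e12 guesses.
    print(f"rule space for 10M words: {rule_search_space(10_000_000):.1e}")
    # Five words from a 7776-word (Diceware-sized) vocabulary.
    print(f"5-word random passphrase: {passphrase_bits(5, 7776):.1f} bits")
```

Run it and ‘jOn3$123’ collapses straight back to (‘jones’, ‘123’), exactly as ‘jones123’ does, while the sentence survives because it is not a wordlist entry plus a suffix. The entropy figure applies only to words chosen at random; a sentence you make up yourself is harder to put a number on, which is why the advice is to keep it long and personal to you rather than a known phrase.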

Using Password Managers

Not everyone can remember very secure passwords like the ones above, and even if you can, having the same password for everything still isn’t ideal. That’s where password managers come in. This is how I personally remember all my passwords. There are many password managers out there, but in my experience there are 2 main contenders, KeePass and LastPass. I have used both but I personally prefer LastPass.

KeePass

KeePass is an encrypted password database stored as a file on your computer. You need a master password (optionally combined with a key file) to open the database, and from there you can access all your passwords and accounts. It can generate extremely secure random passwords such as ‘FrdjgTdki3u4yFRJTF2894hdggTFD34455f32fdTY’. You can then drag and drop a password from KeePass into the password field on the website and KeePass will enter it for you. This means that you only have to remember one password while every website password is different. Since the database is a single file, keep a backup of it: lose the file (or forget the master password) and the passwords in it are gone. Here are some screen shots:

You can download KeePass for free from HERE.

LastPass

LastPass is my password manager of choice as it integrates with your browser and logs you into websites automatically. All of your passwords can be synced between machines because the encrypted vault is stored on LastPass servers. The vault is encrypted on your computer, with a key derived from your master password, before it leaves the machine, so LastPass hold only ciphertext and cannot read your passwords. The flip side is that they cannot recover your vault if you forget the master password, and anyone who obtains a copy of the encrypted vault can try to guess that master password offline, so it has to be a strong one. Like KeePass, you add all of your accounts to your LastPass vault along with the web address they belong to and LastPass will log you in automatically next time. LastPass can also generate very secure passwords like KeePass.
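To make concrete what ‘encrypted before they leave your computer’ means, here is an added illustration of the general design such a manager uses; it is my own example, not LastPass’s code. The vault key is derived from the master password on the client and never sent; a separate one-way hash of that key is what the server stores, so a stolen server database or vault only lets an attacker guess master passwords at full PBKDF2 cost per guess. Using the account e-mail as the salt, the 100,000 iteration count and the function names are assumptions for the example, and the vault encryption step itself is left out.

```python
import hashlib
import hmac

# Assumed work factor. Real managers use a configurable count and raise it
# over time; this value is not taken from any vendor documentation.
ITERATIONS = 100_000


def vault_key(master_password, account_email, iterations=ITERATIONS):
    """Derive the vault encryption key on the client from the master password.
    The lower-cased account e-mail serves as a per-user salt (an assumption
    for this example), so two users with the same master password still get
    different keys. This key never leaves the machine."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), account_email.lower().encode(), iterations
    )


def login_hash(key, master_password):
    """One extra PBKDF2 round turns the vault key into the credential that is
    sent to the server. PBKDF2 is one-way, so the server (or anyone who steals
    its database) cannot turn this back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_verify(stored_login_hash, presented_login_hash):
    """Server side: constant-time comparison of stored and presented hashes."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def offline_guess(stolen_login_hash, account_email, candidates, iterations=ITERATIONS):
    """What an attacker holding a copy of the login hash (or an encrypted
    vault) is reduced to: guessing master passwords one at a time and paying
    the full PBKDF2 cost per guess. Returns the recovered password or None."""
    for guess in candidates:
        candidate_hash = login_hash(vault_key(guess, account_email, iterations), guess)
        if hmac.compare_digest(candidate_hash, stolen_login_hash):
            return guess
    return None


if __name__ == "__main__":
    email = "friend@example.com"           # constructed sample account
    weak_master = "jones123"               # the post's weak password
    stored = login_hash(vault_key(weak_master, email), weak_master)  # all the server keeps

    print(server_verify(stored, login_hash(vault_key(weak_master, email), weak_master)))
    # A stolen login hash plus a short guess list recovers a weak master password...
    print(offline_guess(stored, email, ["password", "letmein", "jones123"]))
    # ...while a strong one survives the same guess list.
    strong = "My favorite t-shirt is green and has 11 printed on it."
    stored_strong = login_hash(vault_key(strong, email), strong)
    print(offline_guess(stored_strong, email, ["password", "letmein", "jones123"]))
```

The design point is that everything rests on the master password: the server-side hash and the encrypted vault are both safe only as long as that password is not in a guess list, which is why the master password should be the one long passphrase you actually memorise.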

The big advantage that LastPass has over KeePass (apart from syncing) is that it supports multi-factor authentication. You can register a USB hardware token that generates a long one-time password each time you log on to your LastPass vault. So, in order for anyone to get into your account they would need your username, password AND the USB token, which is a big step up, I think you will agree. By default this USB multi-factor authentication is turned off, so you have to enable it yourself.

LastPass also has apps for all smartphones so you can have your passwords anywhere. For this though you need a premium account, which costs just $1 a month (normal accounts are free). Here are some screen shots of LastPass:

You can find more out about LastPass and also download it for free from HERE.

Conclusion

Luckily my friend managed to change all his passwords in time and only 2 of his online accounts were accessed; he is now a LastPass user also. The thing to take away from this is simple: use complicated passwords where possible, but if you have a bad memory then use a password manager. I hope some of this information helps you guys to secure yourselves online a little more!

If you want to get a feel for how secure your password(s) are, take a look at HowSecureIsMyPassword.net. Two caveats: it is safer to test a made-up password with the same pattern as yours rather than the real thing, since you are typing it into a third-party website, and such checkers estimate brute-force time only, so a dictionary word with a few substitutions falls to a rule-based attack far faster than the figure shown. Here are the results for a password I use and the results for my friend’s old password:

My friend’s old password:

My password:
