ASU Reports Weekly

By Damon Armour, IT Security Officer, contributing writer

In today’s digital world, passwords are the keys to our kingdoms. We need passwords to log onto our computers, to check our email, to post grades in Banner, to update our status on Facebook, to check our bank account balances, etc. Yet not all services have the same password policies or requirements. Should I use the same password for my email and my bank account?  What is the best strategy to create a secure password?  How should I protect my passwords?  How often should I change them? Who should I share them with?  How in the world can I help myself to remember all of these different passwords! This article aims to help with these questions and more.

Think of your passwords as keys on your key ring. Wouldn’t it be nice if there were one key for all your doors, cars, cabinets, etc? Yet, if that one key was stolen, the thief would have access to everything. The same is true for digital security. If that one password is forgotten or worse, stolen, not only can someone log in and check that individual’s email, but could potentially steal a person’s entire identity. For this reason, it is a good idea to maintain different passwords of varying levels of complexity based on the sensitivity of the item you are protecting. Services such as bank/investment accounts, healthcare, and other highly sensitive items should use strong, complex passwords. Other services such as a Netflix account, JCPenny, or a favorite blog should use a separate password that may not need to be as strong. Another suggestion is to create separate passwords for work and personal activities. This way if one side is compromised, the other will not suffer.

So what is considered a strong, complex password?  According the SANS Institute—perhaps the most trusted source for computer security training, certification, and research—a strong password should consist of the following:

• At least one number in your password.
• At least one CAPITAL letter in your password.
• At least one symbol in your password.
• A minimum of 12 characters in length. For highly confidential sites or information, SANS recommends 15 characters.

This can appear daunting at first glance, but SANS provides a suggestion that would make it extremely difficult for someone to steal your password.

For example, the sentence below may be very simple for you to remember:
My 2nd son was born at Boston Hospital at 6:30 p.m.

However, we can use that sentence to create the password you see here:
M2swb@BH@6:30pm

What we did was simply use the first letter from each word. We capitalized some of these letters. In addition, we replaced the word “at” with the symbol “@.” Finally, we included the time at the end. This is a long, complex password that will be very difficult to guess but simple to remember.

What else can you do to protect your passwords?

• Do not share them with anyone.
• If you feel that you should have your important passwords available in case something were to happen to you, then put them in a secure location such as a safety deposit box along with your other important documents.
• Be cautious of those pesky phishing emails that ask for your usernames and passwords in order to fix some problem.  If technical support has an issue with your account, they can change it without knowing your current one.

There are multiple ways to keep up with the collection of passwords each of us is required to remember. Yet the important step is making sure these passwords are maintained securely the entire time:

• If you must write down your passwords, keep them in a secure location that has accountability. Underneath the keyboard is not a recommended location.
• Another option is a software tool such as 1Password, KeePass, or LastPass. These tools require a strong master password that provides access to the rest of your passwords.  Be cautious with these tools, because if someone is able to get to your password file and guess the master password, they have everything.
• Lastly, you can use a phrase structure as suggested by SANS that provides an easy-to-remember method of creating a strong password.

Use what works best for you, while maintaining an acceptable level of security.

When dealing with passwords, use good online habits.

• Be sure that the website you are attempting to log into is secured. Look for https:// and the lock symbol in your Internet browser.
• Be cautious with passwords when using public wireless connections. Many of these services do not offer enough protection to keep thieves from capturing your passwords.
• Lastly, if you feel your password has been compromised, attempt to change it or contact the IT Support personnel immediately. Do not wait for further damage of identity theft to spread.

Resources:

SANS Ouch! Newsletter – Protecting your Passwords
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201105_en.pdf

1Password – can create strong, unique passwords for you, remember them, and restore them, all directly in your web browser
https://agilebits.com/products/1password

KeePass – the free, open source, light-weight and easy-to-use password manager
http://keepass.info/

LastPass – it’s easier, it’s everywhere, it’s safer, it’s secure, it’s free, it’s multi-platform
https://lastpass.com/

25 “Worst Passwords” of 2011 Revealed
http://finance.yahoo.com/news/25-worst-passwords-2011-revealed-202955980.html

Printer-Friendly Page