
Hi, I’m Wesley Tomatsu.  I’m an Oxy alum (Class of 2001), I work in ITS, and when I’m not busy inconveniencing everyone by rebooting servers, I am responsible for information security here at Oxy.  October is National Cyber Security Awareness Month and here is your NCSAM Tech Tip for the day.

Passwords.  Am I right?

If you’re like most people, you have a password.  You probably use it for lots of different sites.  It’s probably very old, but you keep using it because you’ve committed it to memory.  You probably know it’s bad, and you hear all sorts of horror stories about what can happen when someone steals your password, but making a new password is hard, so you’re just rolling the dice.

So what should you do about it?

I know that my hypothetical presupposes that you already know the risks of poor password hygiene (yes, that’s a thing), but it’s worth spelling it out, mainly because cracking most passwords is so easy that a beginner can do it.  Out of 17,000 real Twitter passwords stolen by hackers, a total beginner was able to crack half of them in about 90 seconds. Easy-to-guess passwords are also thought to be responsible for the recent celebrity photo leaks, though Apple deserves some of the blame for that one.

Traditional approaches don’t work.  Maybe they were workable back when you only had a handful of passwords to deal with but nowadays, you might have passwords for hundreds, if not thousands, of sites.  So what can you do?

1. Use mnemonics for good passwords that are easy to remember

Security guru Bruce Schneier put it best:

My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence – something personal.

“Hard to guess” doesn’t necessarily mean “completely random”.  A personal anecdote, a favorite joke, a misheard lyric – all are good candidates for this approach.  The key to making it hard to guess is to make it unique, and the key to making it easy to remember is to add a personal connection.
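As an added illustration (not code from the original post), here is a small Python script that applies the sentence-to-password transformation from the quote above and then runs the result through a basic weakness check; the word list, the substitution table and the 45-bit threshold are constructed for this example.

```python
import math
import re

# Constructed stand-in for a cracker's wordlist (assumption: a real check would
# use a large list of breached passwords). The quoted example password is in it
# because, as the quote says, a password that has been published is as good as
# in the dictionary.
COMMON_WORDS = {"password", "letmein", "welcome1", "piggy", "tlpwent2m"}

# Small words the mnemonic swaps for a digit or symbol (constructed table).
SUBSTITUTIONS = {"to": "2", "too": "2", "for": "4", "and": "&", "at": "@"}


def mnemonic_password(sentence: str, emphasize: str = "") -> str:
    """Turn a sentence into a password the way the quoted advice does: keep the
    first letter of each word, spell one chosen word out in capitals, and swap
    a few small words for a digit or symbol."""
    out = []
    for word in re.findall(r"[A-Za-z][A-Za-z']*", sentence):
        low = word.lower()
        if emphasize and low == emphasize.lower():
            out.append(word.upper())
        elif low in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[low])
        else:
            out.append(low[0])
    return "".join(out)


def keyspace_bits(password: str) -> float:
    """Rough upper bound on guessing effort: length x log2(alphabet size),
    counting only the character classes that are actually present."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, min_bits: float = 45.0) -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if password.lower() in COMMON_WORDS:
        problems.append("appears in a common-password list")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if keyspace_bits(password) < min_bits:
        problems.append("too few character classes for its length")
    return problems
```

Running `mnemonic_password("This little piggy went to market", emphasize="went")` reproduces the quote's "tlpWENT2m", and `check_password` then flags it only because it is on the (constructed) published list.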

2. You don’t have to have hundreds of passwords but try to have at least three

  • Use the best password you can get yourself to remember for accounts with obvious monetary value: credit cards, banking, investment accounts, payment services like PayPal, and any online store where your credit card information is stored.
  • Pick a decent password for email, social networking, and other communication sites.  While the monetary value isn’t high, the potential damage someone can cause by hijacking your reputation is a headache to deal with.
  • Whatever password you’re using now, keep using it for low-value sites.  Ever had to sign up for a site just to read the rest of a story?  Think of it as a “burner” password.

3. Change your passwords, but you don’t have to change them all at once

If you’ve got at least three passwords you’re using for everything, change one of them every 6-9 months or so.  That way, you’re only working on memorizing one new password at a time, but you still get some of the benefits of having multiple passwords.