Updated October 9th, 2019.
— How to Make a Good Password —
UPDATE: even though your passwords aren’t stored as plain text at places like LinkedIn and Target, it isn’t terribly hard to figure out what those passwords are should there be a data breach. This video shows you how password cracking gets done.
You’ve no doubt been hearing a lot about the recent “hacking” exploits, the ones that obtained pictures of various female celebrities in compromising positions. At first glance this looks like a new level of hacking, a major break-in and invasion of privacy, but it turns out it’s really not so new. We’re just hearing more about this one than usual, and let’s face it, it’s nearly a perfect storm:
- It involves CELEBRITIES
- It involves FEMALE celebrities
- It involves NAKED female celebrities
- It involves PICTURES of naked female celebrities
- It involves Apple.
Would the media be as interested if the bad guys got a hold of your Aunt Margaret’s travel reservations? Would we be hearing as much if the pictures were of naked MEN? Would there be as much interest if the stolen stuff was 40 million credit card numbers from Target’s servers? Would it be as interesting if instead of Apple, the story involved Asus? No, no, no, and no (even though the credit card stuff really happened, and no disrespect to Aunt Margaret). It’s the Harmonic Convergence all over again.
UPDATE: turns out these people weren’t “hacked.” They either had passwords that were easy to guess, or they fell for a phishing scheme and simply handed their passwords over. The weak link in this situation was the person, not the machine.
I thought I’d take the occasion to write a few things about Internet security, passwords, and you.
Is anything on the Internet secure?
If you mean 100% secure, with no chance that information could be taken by unauthorized persons, the answer is “no.” But what in this world is 100% secure? Banks have vaults and safes and alarms and bad guys rob banks all the time. That doesn’t mean you shouldn’t put your money in a bank. Cars have locks and alarms and kill switches (Jeff) and bad guys steal cars all the time. That doesn’t mean you shouldn’t have a car. Homes have fortified front doors and deadbolts and security cameras and bad guys break into homes all the time. That doesn’t mean you should quit living in a home.
Internet security is like physical security (with locks and alarms etc.). You should do what you can to make it difficult for the bad guys. You shouldn’t say “Well it’s not 100% secure so I’m not going to use it.” That’s the wrong move.
Keep in mind that there are a LOT of ways to break into an online account. One way is to “go in through the front” by (somehow) obtaining a person’s username and password, and getting that information is easier than you might think. A username is often an email address, and those are hard to keep private. They are especially hard to keep private if your email address is in the address book of someone else, which of course it is. Eventually someone’s account is compromised, and besides looking for naked pictures the bad guys are also looking for address books, because those give them a whole bunch of new targets. As for the password, sometimes a bad guy can guess it (see this list of common passwords), sometimes he can brute-force it (especially if it’s short), sometimes he can just ask you for it (phishing).
Take this Phishing Quiz and see how the bad guys try to trick you. Use a desktop computer or an iPad for the best experience.
Even if you have a great password and you don’t tell it to anyone there is another way for the bad guys to get it, and that is to get to it by going in “through the back.” That is, they target the institution that you access when you use the name and password. That’s what happened at Target (70 million email addresses and password stolen all at once). You can’t do anything about that. But you can do something about your end of things. At the least you can use difficult-to-guess passwords. Here’s how you do that.
How to make a good password
The first thing you do is actually the first thing you don’t do. What you don’t do is use a password that you use somewhere else. Look at it this way: suppose you had an account with Target, and your username was firstname.lastname@example.org and your password was fluffywuffy1. Then the bad guys break into Target and get your email address and password. So you close your Target account, maybe even close your credit card account, and you think you’re all set.
But you’re not. Think about how many online log-ins you have that all use the same username (that is, your email address). Now think about a bad guy, armed with your email address, and a password that you used at Target.com, trying to use that same combination at citibank.com. Or iCloud.com. Or Amazon.com. Or gmail.com. The bad guys will try “email@example.com” and “fluffywuffy1” all over the place. If you’ve used your Target.com password at any other site(s) it’s just a matter of time before the guy with your Target.com info gets into one of them.
You might wonder why someone would want to get into your email account. I am asked that all the time so I figured you might be wondering too. The reason is that by reading your email a person can get to know a lot about you. He’ll know where you shop online, and what you bought. He’ll be able to see who you correspond with. He might see Facebook notifications from friends of yours. He might even be able to figure out whether you have kids or a dog or a cat, what their names are, and when they were born– all things that might help him figure out what some of your other passwords might be. These people aren’t stupid so don’t let them get a foot in the door.
OK. So now we know: don’t use a password for more than one thing. That probably means going into some of your accounts and changing their passwords. But what should you change them to? Not to something easy to guess– not your dog’s name with a “1” at the end. But not something impossible to remember either. What you do is come up with a phrase— something easy for YOU to remember– and then take the first letter of each word. That’s your starting point.
For example, suppose your phrase is “I would like the brisket and sausage plate.” (That would be easy for ME to remember.) That gives me a starting point for a password that will be difficult to hack into: “Iwltbasp.” Good luck guessing that one, bad guys!
Nowadays many sites will require you to include at least one capital letter, and at least one number, and maybe punctuation. That is easy for me– I’ll capitalize the nouns, change my phrase to include a number, and add some punctuation. Like this:
“I would like 1 Brisket and Sausage Plate!”
I can remember that. Taking the first letter of each word, the password becomes “Iwl1BaSP!”
Not very guessable, and if you run that password through the “How Secure is my Password” site, you will see that it would take 275 days for a machine to brute-force that password. Of course if they get it right on the first try it would not take as long (which might mean that starting a password with “z” would make it even harder, assuming they go alphabetically).
Note: change the pass phrase to “I would like 10 Brisket and Sausage Plates!” and the password would take 58 years to brute-force hack. Turns out a little extra length can make a lot of difference.
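Here is the first-letters method above written out as a small script, added here as an example and not code from the original post. It turns a phrase into a password the way the brisket-and-sausage walkthrough does (keeping a word’s leading number and any trailing punctuation, which is my reading of the post’s “Iwl1BaSP!” result), and it also sizes the search space a brute-force attacker would have to cover so you can see why one extra character matters. The keyspace model and the guesses-per-second figure are assumptions for illustration; the “How Secure is my Password” site uses its own model, so its 275 days / 58 years figures will not match these numbers exactly, but the direction of the change is the same.

```python
"""Phrase -> first-letters password, plus a rough brute-force cost estimate.

Added example, not from the original post. Assumptions (mine, not the post's):
- a "word" is any whitespace-separated run of characters;
- a word that starts with digits contributes the whole digit run ("10" -> "10");
- punctuation at the end of a word is kept ("Plate!" -> "P!");
- the attacker is assumed to know which character classes are present and to
  try every string of the password's length over those classes;
- the guess rate is a constructed figure used only to compare lengths.
"""
import re
import string

# Character classes an exhaustive search must cover once they appear.
_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}


def phrase_to_password(phrase: str) -> str:
    """Build the password from the first letter (or leading number) of each word,
    keeping any trailing punctuation, e.g.
    'I would like 1 Brisket and Sausage Plate!' -> 'Iwl1BaSP!'."""
    out = []
    for word in phrase.split():
        lead = re.match(r"(\d+|[^\W\d_])", word)   # leading digit run or one letter
        if not lead:
            continue                                # stray symbols contribute nothing
        out.append(lead.group(1))
        tail = re.search(r"[^\w\s]+$", word)        # trailing punctuation such as "!"
        if tail:
            out.append(tail.group(0))
    return "".join(out)


def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes actually used in the password."""
    return sum(len(chars) for chars in _CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must consider."""
    return alphabet_size(password) ** len(password)


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust the keyspace at an ASSUMED guess rate
    (1e10 guesses/second is a constructed figure, not a measured one)."""
    seconds = keyspace(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample phrases, matching the ones used in the post.
    for phrase in ("I would like 1 Brisket and Sausage Plate!",
                   "I would like 10 Brisket and Sausage Plates!"):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r} (len {len(pw)}, alphabet {alphabet_size(pw)}, "
              f"~{brute_force_years(pw):,.1f} years worst case)")
```

Because every class (lower, upper, digit, punctuation) is already present in the nine-character password, adding one more character multiplies the search space by the full alphabet size rather than adding a little to it; that multiplicative jump is what the post’s “58 years” note is getting at.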
Now we have a terrific password. It’s easy for me to remember, and hard for someone to guess. If I had only one online account I would be all set. But of course I have a lot more than one online account, and I might forget which phrase goes with which account. That would be hard to keep track of.
What I need is a password manager (please, go back and click that link). The one I use is “1Password.” (You can buy it for iPhone, iPad, or Mac from the App Store and Mac App Store with these links.)
Basically, it’s a “safe” which stores all of my passwords and remembers what they’re used for– all behind one master password, the one that opens the safe. I remember the master password and 1Password remembers everything else. You should definitely check it out. Watch this video and see what it can do.
UPDATE: You can get 1Password for the iPhone and iPad for free. Normally $9.99. Go get it!
1Password can also generate passwords for you, the kind that look like this:
If I were you, apart from the “one password” you need to remember in order to unlock 1Password, I would let 1Password generate unique passwords for everything.
Now let’s talk about YOU
A lot of “hacking” isn’t hacking at all. It’s bad guys tricking people into giving up their passwords. It happens all the time but with education it isn’t going to happen to you. Let’s get educated.
You could start by reading (or re-reading) what I’ve written about “phishing” in a separate blog post. Or I could just tell you that “phishing” means someone sends you an email with a link to click, landing you on a web page that says something like “Please sign in with your email and password to continue!” Or “Please log in to verify your account!” You sign into web sites all the time, so you might just do it when asked… except with phishing, you’re not on the site that you think you’re on. Instead you’re on a copy, controlled by the bad guys, so when you “sign in” you’re really just saying “Here, Mr. Bad Guy. Here’s my email address and here’s my password.”
Think you’d never fall for it? You might. The invitations can be very targeted. If someone had gotten into your email account he would know a lot about you, so he would know whether you banked with Wells Fargo or US Bank etc. He could then send you what looked like an email from the right bank– your bank– with personal information in it to make it look legit. This technique of crafting personalized, targeted emails is known as “spear phishing.” Say that a few times around the water cooler and you will sound like a security expert.
One more thing about YOU. If you use a laptop on public networks– at the airport, the library, on a train, at Starbucks— avoid doing any actual “signing in” on any website. Read your mail, look at web pages, but don’t get complacent, because it’s not too hard for a hacker to monitor the traffic on an unsecured network, which means he could, theoretically, be “sniffing” for passwords as they’re typed in by others. Here’s a link to a story about how three guys wrote a program to capture every picture downloaded over a public network– at MacHack 2000! As you can see this sort of thing has been around for a long time.
Which brings us to this: there’s a lot more bad stuff going on than most of us know about. A lot more. It’s going on under our noses, and even when we think we’re secure, sometimes we’re not. Remember how the basis for Secure Sockets Layer (the software that hundreds of thousands of websites built their security around) turned out, itself, to be insecure? Software’s written by people, and people make mistakes. Keep that in mind.
Also keep in mind that as long as there is valuable stuff on the internet, whether it’s money, information, or pictures of naked female celebrities, someone is going to want to steal it. You should do what you can to not make it easy. The people who had their naked pictures stolen made it easy: they used weak passwords, and the bad guys guessed them. Don’t let it happen to you.
Summing it Up
- Use good passwords
- Use a password manager
- Avoid public networks
- Assume nothing’s really secure
And one more thing: if it’s important, don’t do it by email.