In This Article
- How Do Our Password Protections Fail?
- Windows and BIOS Passwords
- Website Passwords
- Password Saving Tools
- An Extra Physical Security Layer
- Choosing Passwords
- When Should You Change Your Passwords?
- Your Three Most Important Passwords
- Two-Factor Authentication
- Use a Different Email Address for Security-Important Sites
- OAuth and OpenID
- Recovering Forgotten Passwords
Though this blog—and thus this article—is focused on travel and location independence, the advice I will offer regarding passwords should be useful for anyone trying to protect a computer or online activity.
It might seem a bit negative to start with the weaknesses of passwords, but the fact is that passwords are a security measure, not a guarantee. Like any security measure, passwords must walk a line between effectiveness, convenience and privacy. Gain ground in one direction and lose it in another. The fact that a password isn’t foolproof, however, does not mean it isn’t a worthwhile precaution. Still, knowledge is power, and you should know the main ways passwords are defeated in practice, namely:
- they are guessed because they are simple (e.g., “password,” “12345,” your child’s birthday)
- they are guessed by reuse (one account is compromised and the same credentials are reused with other accounts)
- they are stolen from a third party (usually by hacking a company or website)
- they are stolen with a keylogger or other form of malware
- they are stolen physically (if written down, either on paper or in an unprotected file that a thief can access)
- they are obtained via social-engineering techniques (the art of manipulating people into divulging confidential information; phishing is a common form)
- they are discovered (“cracked”) by brute force computer programs
- they are obtained by a linked account (for example, your email is hacked and it is connected to other accounts)
- they are reset (by social engineering or by a compromised linked account)
For more insight into how passwords are cracked in real life, check out Nate Anderson’s article, “How I became a password cracker,” in which he discusses how he—a self-described “script kiddie”—learned how to crack passwords. The article offers a step-by-step illustration of the process, which at the same time helps illustrate some of the items listed above.
It may not provide serious protection against a determined hacker, but the first step in protecting your Windows computer is setting a login password. You might have already done so when you first set up your computer, but if not, simply launch the Control Panel and select the User Accounts and Family Safety link. From there you can add or remove user accounts, change your account picture, or change your Windows password. It may also be a good idea to create a guest account if you plan to share your computer with others or if you actually want to allow a thief to access your computer because you are using tracking and recovery software like Prey.
A less commonly used security feature is a BIOS password, which will make the process of circumventing a Windows password more difficult by requiring you to enter your BIOS password before Windows can even start to load. The exact method for doing this will vary by computer so do a search online for your model.
Your most sensitive data, including online banking and credit card information, will be stored and used on various websites. The key to protecting these is twofold: protect your passwords and protect your use of them.
The first step in protecting your passwords (and usernames) is to never allow a browser to save login details for websites. I know that doing so may seem a great convenience for you, especially considering the proliferation of sites and passwords we are required to remember. The problem is that—even with a master password—anyone who gets access to your computer will also have access to this saved information. Some browsers make it easy to view a list of your saved login credentials, including the site, username, and password, while others make it a bit more complicated, but even with the latter, utilities like WebBrowserPassView can easily access them.
It’s not my goal to make you paranoid, but if you sync your browser across computers using an email account, and if that account is ever compromised, someone could then set up a sync on their computer and get access to your password information that way. Chrome does let you specify another passphrase to add an extra layer of protection, and you should do so (see below).
While I don’t recommend letting your browser save passwords, if you think the convenience overrides the security risk, use Firefox, since it lets you set a master password which you must enter the first time you use a saved password, once per browser session. Additionally, even though you enter the master password the first time, you must always enter it before you can view saved passwords via the list in the Firefox settings. This is a great feature to help prevent casual snooping of your passwords, and it even prevents most third-party utilities from recovering them. For even more protection, consider the Master Password Timeout add-on, which locks the master security device after a predefined period of inactivity. And for more convenience, check out the Master Password+ add-on.
Here’s a quick look at how to change your browser’s settings and/or to delete any password information you may already have saved:
Tools > Options > Security > Passwords section
Tools > Clear browsing data (be sure to specify the time frame in the drop-down box)
Settings > Show advanced settings… > Passwords and forms section
Settings > Sign in > Advanced sync settings… > Encryption passphrase > Choose my own passphrase
Tools > Internet Options > Content tab > Settings button > AutoComplete section
All this talk of protecting your passwords may seem quite a challenge when you are worried first and foremost about being able to remember them. And, of course, the number of passwords can really get overwhelming. I personally have more than 500! Fortunately, there are some great password management programs available to address this issue. So, now you can stop using post-it notes or storing all your passwords in a text document or spreadsheet for the whole world to see.
The most popular programs are KeePass, KeePassX, LastPass, Password Safe, Dashlane, Keeper, SplashID, 1Password, and RoboForm. The last three are not free and many “free” programs do charge for premium features or for mobile support.
I personally use KeePass and not only because it is free and I am cheap. I also like that it is open source and portable, it supports plugins, it can work (via extensions) with my browser, there are mobile versions, and it also has a great array of security features. In addition, KeePass prevents dictionary attacks against your master password, keeps your passwords encrypted while the program is running, and has security-enhanced password edit controls. You can use a key file instead of a master password for increased security or combine the key file and password methods to further secure your data. In fact, besides using it to just store passwords, I also store notes that I want to keep secure.
KeePass and the other choices listed are fairly similar in operation; the big difference is that some store your passwords online and others don’t. The advantage of storing online is the ability to easily sync across computers and mobile devices, though using a syncing program like Dropbox is possible with the local-storage programs as well.
Whichever password manager you choose, to get the most out of it you will want to install an appropriate extension for your browser of choice. For example, with KeePass you can use KeeFox with Firefox, ChromeIPass with Chrome and KeeForm with Internet Explorer. If you have a smartphone, also download the appropriate app. For KeePass there is KeePassDroid for Android and several for iOS, though I use MiniKeePass. Also, keep in mind that the master password is going to be the key to accessing all your saved passwords, so make sure you never forget it and don’t leave it written somewhere prying eyes can find it. And, don’t forget to close the program when you put your computer in sleep or hibernation mode or if you are going to leave it unattended. Alternatively, some programs, including KeePass, offer the option of timing out so you will have to re-enter your master password after a certain amount of inactivity.
I think for the vast majority of us, the tips and tools I am presenting already are more than sufficient for our privacy needs. Still, if you are unusually worried about your privacy and concerned about your password management, there is a hardware authentication device called the Yubikey that might be of some help. I honestly think it is overkill so I won’t go into the details, but if you are interested, Lifehacker tells you how you can use it with a password manager.
I doubt I need to point out the importance of choosing good passwords, so what I will do is focus on making sure you do so consistently. Here are a couple of questions to get you started:
- Do you always create unique passwords such that you never use the same one twice?
- Do your passwords always use different character types such as uppercase and lowercase letters, numbers and punctuation? Are they “strong?”
If you can’t answer “yes” to both these questions, you need to reconsider your approach to choosing passwords. The first question illustrates the contagion effect of a hacked password. If someone gets hold of one password that is used for multiple purposes, the damage will be multiplied, especially when you consider that most of us regularly reuse usernames. The second question hints at what actually makes a password strong, which is what you want in order to prevent someone from hacking it. More specifically, a strong password is one which has a high degree of entropy, or in simple terms, one that is as long and as random (in terms of both character types and sequence) as possible. These days, many sites actually require strong passwords, but there are still plenty that don’t. For a short and simple look at what makes a password strong or weak, read Thomas Baekdal’s “The Usability of Passwords.” Equally interesting are the Lifehacker articles, “Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers” and “How I’d Hack Your Weak Passwords.”
If you already have reused a password and are going to continue doing so, at least take the precaution of not doing so for any site that saves your credit card or banking information. Likewise, always use unique passwords for all email and social media accounts. If you want to reuse an easy-to-remember and easy-to-crack password on that cookie lovers forum and the daily astrology site, maybe the consequences aren’t going to be too severe, though it’s just as easy to remember a phrase as a word, which is many times more secure, so whatever you do, don’t use a word found in a dictionary.
If you’re convinced of the evils of reusing passwords, but don’t know where to start, here is an idea: use an algorithm to create unique passwords. You’ll want something that will consistently create a password of sufficient length (8-10 characters should probably suffice), with a mix of lower and upper case letters, and that uses at least one number and at least one special character (though your algorithm should allow for cases where special characters are not permitted).
Come up with your own algorithm or search online for one you like, but here is one to help you get a better feel for things. Take the website you are visiting. Start with the number of letters in the main part of the URL (so, acme.com would be four letters) and subtract one (4-1=3). Add the second letter of the same main name (“c”). Now add a favorite word of yours, perhaps with the first and last letters as uppercase (“SlideR”). Start and/or end with one or more symbols (“&<”). This last part will be dropped for sites that don’t allow special characters to be used. So, for acme.com our password would be “3cSlideR&<.” Want to make it a bit stronger? Add a letter or character in the middle of your favorite word (“Sl1deR” or “Sl!deR” instead of “SlideR”). To make the application of the algorithm slightly more robust, change it (say, use a different favorite word), depending on the type of site. In other words, treat sites that store credit card or banking details as one type of site using one favorite word, social media sites as another, sites you don’t care about as a third, etc. Or, you could use one word for sites that begin with the letters “A” to “M” and another word for those that begin with “N” to “Z.”
If you read the Thomas Baekdal article referenced earlier, you’ll know that for a combination of password strength and ease of recall, it is hard to beat the use of multiple, simple words. Thus, an alternative algorithm to consider would create such a phrase. For example, you could use the name of the site combined with the type of site it is (banking, social, news) and a word of your choosing. Thus, acme.com could become “Acme Banking Bumblebee” and facebook.com would be “Facebook Social Bumblebee.”
Using an algorithm as just described has the benefit of creating fairly strong passwords that you can quite easily remember by just recreating them based on the site you are visiting. The big downside to this approach is the question of how easily someone might reverse engineer your algorithm if they have gotten access to one or more of your passwords. For one compromised password, you might be pretty safe, but if more than one password using the same algorithm falls into the wrong hands, you might have a problem.
If you’re happy using an algorithm and think the potential risk it poses is acceptable, you might rest easy now. On the other hand, if you use one of the password managers already discussed, there really is no reason to ever need to remember a password. In that case, why not make truly random and strong passwords for every site? Many password managers offer a feature to generate a secure password for you (KeePass has a nice tool for this). If yours doesn’t, search for an online password generator site (e.g., xkcd Password Generator).
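The site-based scheme and its downside, worked through in Python as an added example (not code from the original article). The function names are illustrative, the favorite word and symbols are the article's own sample values, and domains are assumed to be bare names such as acme.com. It builds passwords with the scheme, measures how much of two of them is identical, and contrasts that with independently generated random passwords of the kind a password manager produces.

```python
import math
import secrets
import string
from difflib import SequenceMatcher


def site_password(domain, word="SlideR", symbols="&<", allow_symbols=True):
    """The article's scheme: (letters in site name - 1) + 2nd letter + word + symbols.

    Assumes a bare domain such as "acme.com" (no "www." prefix).
    """
    name = domain.lower().split(".")[0]
    if len(name) < 2:
        raise ValueError("scheme needs a site name of at least two letters")
    prefix = f"{len(name) - 1}{name[1]}"
    return prefix + word + (symbols if allow_symbols else "")


def shared_component(pw_a, pw_b):
    """Longest run of characters that two passwords have in common."""
    matcher = SequenceMatcher(None, pw_a, pw_b, autojunk=False)
    hit = matcher.find_longest_match(0, len(pw_a), 0, len(pw_b))
    return pw_a[hit.a:hit.a + hit.size]


def site_specific_chars(pw_a, pw_b):
    """How many characters of pw_a are NOT part of the reused core."""
    return len(pw_a) - len(shared_component(pw_a, pw_b))


def random_password(length=16, allow_symbols=True):
    """Independent random password drawn from the OS CSPRNG, one per site."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if allow_symbols:
        classes.append(string.punctuation)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:  # redraw until every required character class appears
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def max_entropy_bits(length, alphabet_size):
    """Upper bound on entropy when every character is chosen uniformly."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    a, b = site_password("acme.com"), site_password("facebook.com")
    print(a, b)
    print("reused core:", shared_component(a, b))
    print("site-specific characters:", site_specific_chars(a, b))
    r1, r2 = random_password(), random_password()
    print(r1, r2, "shared:", repr(shared_component(r1, r2)))
    print("random 16-char bound: %.1f bits" % max_entropy_bits(16, 94))
```

Only the two-character prefix changes between sites, and it is derived from the site name itself, so the protection rests entirely on the reused word and symbols staying secret.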
It is almost certain that you already have many accounts with weak passwords. You probably can’t even remember them all. For those that you can, you should take some time to revisit and update them, adding them to your password manager while doing so (use a browser extension for your password manager of choice to make it easy). I know it seems like a great inconvenience and who has the time, but if one of your accounts ever becomes compromised, it will be too late to start thinking about password security. Even if you don’t update your passwords right now, do so every time you visit a site that requires you to log in.
By the way, whenever you create a new account or update an existing one, carefully consider any security question offered (or required). Typically, a service will ask a security question like, “What is your mother’s maiden name?” The problem is that this is information that is easily found on the Internet or via social engineering. One solution is to use a security question that has an uncommon answer. However, many services provide only a limited choice of questions. In that case, consider using blogger Danah Boyd’s security question algorithm or, alternatively, use a false answer to a common question. For example, instead of your mother’s actual maiden name, make one up. Whatever security questions you choose, don’t use a plausible answer, but rather one you can remember or that you make a note of in your password manager entry for that account.
Some employers and websites require you to occasionally change your password. Whether there is any actual security value to this practice is subject to debate, but if you have no choice then consider accounting for this need in your password algorithm (by, say, adding or changing a number or character in the previous password). When you do have a choice, follow Bruce Schneier’s advice:
You don’t need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you’ve shared a computer with, change them all.
Also consider regularly changing passwords for any communication-type sites that don’t have two-factor authentication: email, IM, Skype, teleconferencing services, etc., since these are more snoop-friendly services where hackers might listen in for months before you find out.
If you suspect that some of your current passwords—especially those being used on sensitive sites—are weak, you should update those as well. Some password managers, notably LastPass, can run a “security challenge,” which can save you some time identifying the candidates. Otherwise, you can manually check each password at the How Secure Is My Password site.
While the above discussion concerns proactively changing passwords, there’s reactive updating as well. If a password is hacked or otherwise compromised, you’ll need to update all sites where you may have used that same password. If you have your accounts well organized with a password manager, this should be easy to do. Just search for all entries with that password.
On the topic of hacked passwords, with the increasing number of websites that have been hacked in recent years, it is possible that one of your accounts has been compromised without your knowledge. Should I Change My Password? and Have I Been Pwned? are two simple websites that can tell you if you may be at risk. Just enter any email address you use for various accounts, click Check it! or pwned? (respectively) and the site will search a large database of compromised account passwords and their associated email addresses. A similar site, PwnedList, also offers free daily monitoring.
By now you have an appreciation for the importance of unique, strong passwords and good password management. It is probably clear that the master password to your password management program is the most important password to remember and protect. The other two most important passwords to remember are for your computer and your email account. In fact, this last one is usually a goldmine for those who hack it, containing far more personal information than you will be comfortable having exposed (while you are thinking of it, search for the word “password” or “account” within your email account and see what shows up). Even if there isn’t much sensitive data to be found directly in your email account, your address is probably connected to your online banking or other sensitive accounts. Once the email account is compromised, a hacker can log in to the bank site and tell it you’ve forgotten your password to have it e-mailed to you, where they will be waiting to get it, delete the evidence and use it to wipe you out.
Further on the topic of email, if you want to protect the actual emails in your account, you can encrypt them with something called Pretty Good Privacy (PGP). I think doing so is overkill and not needed by very many people, but if you are interested, Mailvelope offers free, easy-to-use PGP encryption for Gmail, Outlook, and other webmail services. Even if you are just curious how it works, check out the Gpg4win explanation and the Mailvelope help page.
Along with a secure password, the best thing you can do to make your email and other important accounts more secure is to enable two-step (two-factor) authentication, a simple feature that asks for more than just your password. It requires both “something you know” (like a password) and “something you have” (like your phone). After you enter your password, a second code will be sent to your phone, and only after you enter it will you get into your account. Not every online service offers two-factor authentication, but an increasing number do, including Google, Yahoo! Mail, Facebook, Dropbox, Apple, some Microsoft products, PayPal, and Amazon Web Services. Some services, including WordPress and the password manager LastPass, do this via the Authenticator app (Android, iOS, Windows Phone).
The obvious problem with two-step verification is its inconvenience. There is also the question of what happens if you don’t have a working phone with you. I can’t speak for other sites, but Google has taken steps to alleviate these concerns. First, you can choose to have Google remember your computer so that you will only have to enter a verification code every 30 days. Second, you can specify a backup phone number (friend, family member) to use in the case your phone is unavailable for whatever reason. Third, if you use an Android or iOS device, you can install the Authenticator app already mentioned and use it to generate the verification code rather than receiving it via SMS (and this app works offline). Fourth, if all else fails, you can print out 10 one-time rescue codes, each of which can be used if you are without access to a phone or the authenticator app. Finally, there is also a one-time verification code system for authorizing access to your Google account via a smartphone or tablet app. Based on all these precautions, there is little reason not to start using two-factor verification, at least with your Google account. If still in doubt, check out the useful video and Matt Cutts’s discussion of two-factor verification.
Passwords go hand in hand with usernames and many times our username is our email address. I’ve already discussed how important protecting your email account is, but for a bit of extra security when using your most sensitive sites, use an email address that isn’t your everyday account. You can set the alternate account to forward to your primary account and cancel that forwarding if your main account is compromised.
Equally important is using a unique email address for password recoveries. Ideally, create a special account you don’t use for anything else and be sure to choose a username that isn’t tied to your name or easily guessed.
You have most likely noticed the increasing option of logging in to sites using your Google, Facebook, or Twitter account rather than creating a new registration. The technology that makes this possible is called OAuth and perhaps you’ve wondered what it is all about and whether it is a good idea or not. The answer, as with so many things, depends. On one hand, using OAuth is more secure than creating a new account because the website you are using will never see or store your password. I like the way Lifehacker describes it:
Instead of giving the keys to your entire house, you’ve given a special key that only opens one room you want them to access. But, in order to use this key, they have to go get it from the guard, and he can take it away from them at any time.
Thus, by using OAuth, you only have to rely on Google, Twitter or Facebook to protect your login credentials, and they are likely in a better position to do so than whatever site you are accessing.
So, from a security point of view, thumbs up to OAuth. On the other hand, you usually have to grant certain permissions (the “room” they can access) to any site you access via your social media account. This commonly includes the ability for the site to post to your Twitter feed or Facebook wall, which may be far more permission than you are comfortable with. You also generally forgo any anonymity when commenting or adding any kind of content to a site you accessed with OAuth, which, for some legitimate reasons, isn’t always what you want. The good news, however, is that you can easily and immediately end these permissions by visiting your Google, Twitter, or Facebook settings and revoking access to any site or app you have already authorized.
A compromise to get the extra security that OAuth represents but without the privacy concerns is to create a dummy account with Google, Facebook or Twitter and use it for authorizing sites. The downside to this is that you will have to log out of your legitimate account and into your dummy account to actually authorize a site, which can be a hassle.
Along with—or instead of—OAuth, you may see an option to log in via OpenID. The two are basically the same concept, but OpenID uses a different set of core providers, including Yahoo!, Google, WordPress, and LiveJournal.
Finally, as you start to use either OAuth or OpenID, be sure to occasionally revisit your authorizations and revoke those that you no longer wish to use.
Assuming you have password-protected some files on your computer and you can no longer remember the password, what options exist? If it is a zipped file, try Ultimate ZIP Cracker. For MS Word or Excel files, try Free Word Excel Password Recovery Wizard or Word Password Recovery Master. For PDF files, try Wondershare PDF Password Remover (free trial limited to 5 pages). To recover a Windows password, try Ophcrack or LCP. Alternatively, you can remove or reset a Windows password by creating a bootable CD or USB drive with Lazesoft Recover My Password, Trinity Rescue Kit (TRK), Windows Key, Windows Password Unlocker or Windows Password Recovery Bootdisk. Finally, NirSoft offers a large number of specialized password recovery utilities covering things such as your email client (e.g., Outlook), your browser, your IM client, and your network (LAN or Wi-Fi).
While these programs may prove useful to you, realize that they are just as available to those who would access your files. Even if you haven’t forgotten your passwords, you might try one or more of these to test how secure your files really are. If you’re interested in general in the ways one can break into a computer (whether you or a thief or hacker), read the Lifehacker article, “How to Break Into a Computer (And Prevent It from Happening to You),” which covers both PCs and Macs.
Finally, don’t forget to store the passwords for individual computer files in your password manager of choice so that in the future such programs will not be necessary.