On Passwords and Security

Posted on Multiply Feb. 24, 2009, 12:44 PM.

I just feel writing about this subject, sharing my thoughts and tips to common users.

The Internet has been a boom and a boon for mankind, especially in the field of security. While the Internet made the world even smaller (figuratively, of course), enabling anyone to contact other persons anywhere in the globe and promoting fast information sharing (such that we are literally being overloaded with information), it has also brought multiple security issues, as we have seen in the past. Although the Internet enables everyone to be anonymous (maybe being identified only via usernames, passwords and IP Addresses), it is also a double-edged sword, as it is obvious that this anonymity provided by the net, as we all call it today, is also being exploited by cybercriminals, ranging from spammers who fill our inboxes with unwanted messages (thanks also to the very low cost of e-mail) to the organized crime syndicates who make and distribute malware such as trojan horses and bots.

Anyway, security as a whole is a very broad issue, starting from the days man learned to build his own home. However, in our interconnected, electronic world today, security also evolved to being a complicated matter. Compared to the past that security had been only a factor of protecting our personal belongings from renegades (yeah, it is a strong word), it evolved into being a matter of protecting our physical devices (e.g. hard drives, thumb drives, etc.) and digital and analog data (e.g. company secrets, spreadsheets, etc.) from them. Coupled with the vastness of the Internet and the anonymity it promotes, and you can clearly see the whole picture.

Anyway, as I said, security is a very broad subject, divided into areas which are seemingly disconnected but are interrelated. With that established, let us look into a segment of security all users have control: passwords.

From the start, passwords have been a very important (and also somewhat easy to break) security measure. The idea is that for a specific task, there is a special word or phrase or series of symbols associated with it such that only a person or a group of persons who knew that codeword (let us refer to the special sequence of symbols as codeword) is/are the one/s who is/are capable of doing that specific task. The idea is a very noble, and somewhat elegant, one, for it creates an exclusive set of people who are the only ones who have the power to do that task. And that is a very secure model indeed. At least, in theory.

But sadly, we live not in a hypothetical, ideal world, where codewords are very secure and passwords are very secure. In our world, codewords are very poor, thus diminishing the security of the password model. In most cases, the following holds: (note: password and codeword may be used interchangeably)

1. Many do not set passwords, or do not even bother thinking about it. Most users just don’t see the importance of protecting their personal data, so they don’t bother setting a password.
2. If passwords are required, most users choose codewords poorly. Here are some common “mistakes” in codeword-making (note the quotation marks):
a. Simple dictionary words: cat, dog, house, pencil
b. Common phrases: I love you, I am here, etc.
c. Letters
d. Repeating sequences: aaa, lalalala, etc.
(and other such things; you get the picture).
3. If there are multiple accounts, users just default to using one (or two) codewords to all of them. This isn’t very secure (just analyze why; it’s a no-brainer).
4. Writing the codeword. Codewords (and passwords) are supposed to be stored on memory, not on paper.

And some others you might know of.

Just a disclaimer: I don’t say I do not commit these things (esp. #3). I am just enumerating the very common scenarios users do.

Moving on…

As we see, the weakest link (and which is also being repeated and reinforced by security companies) is the end-user. (This is also the reason why security companies benefit from selling security software). But then, I do believe that education is a very crucial role here. I do believe that when you educate the end user about such things, you can reduce the weakness of that link. As I have said, reduce, not remove, because there are also other factors (which I won’t enumerate here).

That said, let us get straight to the point. When choosing passwords, here are my tips:

1. Incorporate special characters in your codewords. This has been a no-brainer from the start, and also which is usually ignored by the user. Including spaces in your passwords alone can increase your security a little. Use the sparingly-used characters on your keyboard. They are not there merely for decoration; they are there for usage. Some characters commonly found in keyboards that can be used to increase the security of your codewords are:

~ ` ! @ # $ % ^ & * ( ) – _ + = { } [ ] ; : ‘ ” / ? . > , this site as a starting point. (Research people, research!)

4. Use longer codewords, preferably integrating the suggestions above. Remember though that it does not hold that the longer your password, the safer it is. It just gives the hacker a very difficult time to guess. (For example, for a codeword of length 10 in which the standard letters of the alphabet are allowed, case sensitive (i.e. 26*2 = 52 distinct characters), there are 52^10 =

1.44555106 × 1017

distinct possible passwords (computation from Google). Add the other characters above, and you see the sheer number of passwords that can be generated. This is only of length 10.)

5. Use Unicode, if possible. See Unicode characters here.

6. Use passphrases. What is the difference of a standard password to a passphrase? A password is ordinarily a series of symbols, while a passphrase, well, as its name suggest, is a phrase. E.g. “alhkhwuer” is a password, while “arigatou gozaimasu” can be classified as a passphrase. Generally, passphrases are easier to remember than standard passwords. But then, it is more secure to combine the two, for example, turning the passphrase “arigatou gozaimasu” to “~Ar1gaT0u g0zA1masu!!~”.

7. Never, ever write the passphrase or codeword. As I said a while ago, passphrases and codewords are supposed to be remembered, not written. (This also applies to ATM PIN numbers).

These are some of the tips you could use to strengthen your passwords. But then, remember, these do not guarantee your security, as there are many factors involved (for example, if you have a keylogger installed, this guide will be useless, unless you remove the keylogger). Just remember, the end-user is the weakest link, and PROPER education can turn this weak link into a very strong one, possibly stronger than the other links in the chain of cybersecurity.

Advertisements

1 Puna

Filed under Archives, Multiply, Scribbles

One response to “On Passwords and Security

  1. Pingback: el metodo gabriel

Mag-iwan ng Tugon

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Baguhin )

Twitter picture

You are commenting using your Twitter account. Log Out / Baguhin )

Facebook photo

You are commenting using your Facebook account. Log Out / Baguhin )

Google+ photo

You are commenting using your Google+ account. Log Out / Baguhin )

Connecting to %s