TL;DR

If you are able to remember your password, it isn’t strong enough and you are taking risks you simply cannot afford.

Recommendation: use specialized software like 1Password to generate strong passwords and store them securely.

*** Updated 25 February 2018 ***

I wish my clients didn’t keep telling me their wife’s, kids’ and pets’ names.

In my experience, most photographers take an astonishingly lax approach to online account security. More than other professionals? I don’t know. Too much? Definitely. Yet as small business owners they have so much to lose should things go wrong. By using their wife’s name as their password, they are playing Russian roulette with their online photo archives, their client list, their website, their bank accounts, their reputation and more.

Put simply, family names, dictionary words, countries, “123456”, “password” and “qwerty” don’t make good online passwords. Here is an even simpler rule: if you can remember your password, it’s a bad one. My advice: use specialized software to generate strong passwords and store them securely.

Brute Force Attacks

There are many technological and non-technological ways an ill-intentioned person can get hold of your login credentials (cf this Mr Robot scene). One of them is known as a ‘brute force attack’: an automated process of trial and error used to guess the “secret” protecting a system. Picture a powerful computer entering every word in the dictionary, every first name and then variations on them in your account login form. This is (probably) what happened to Twitter in 2008 when 750 user accounts were hacked.

Password reminders or so-called “security questions” can make it even easier. According to the Web Application Security Consortium:

(…) if the personal detail is “favorite color” then an attacker can use a brute force attack to retrieve the password as the number of color choices is limited. In addition, studies have shown that approximately 40% of the population selects blue as their favorite color (…).

Need more? A recent study of a 32 million user password breach at RockYou, a Facebook application developer, found that the most common password, by far, was “123456”, followed by “12345”, “123456789”, “password” and “iloveyou.”

The Basics of Password Security

  1. Use different passwords on different sites. If you use the same login for multiple sites the minute one gets compromised, they all are.
  2. Don’t use common words or sequences. Instead use at least 8 — but preferably 12 — characters and 3 of the following character types: upper-case letters, lower-case letters, numbers and special characters. There are 26^8 possible 8-character lowercase passwords, but 94^8 possible 8-character passwords that combine mixed-case letters, numbers and symbols. That’s over 6 quadrillion more possible variations.
  3. Don’t base passwords on personal data — we share these bits of information with others more routinely than you think. Is your DOB listed on your Facebook page? I bet your dog’s name is.
  4. Don’t leave your passwords somewhere visible. Take that post-it off your monitor and if you keep a list of passwords in a file on your computer, call it something a little less explicit than “passwords.”
  5. Make sure your password recovery questions are also secure and not based on common-knowledge personal data either.

Use Specialized Tools

There are tricks to make secure passwords memorable but I find they require more work than suits my brain. I much prefer to use a specialized password management utility.

There are a number of them: Dashlane, LastPass.

I use 1Password and I highly recommend it. It’s simple and intuitive to use. It encrypts your usernames, passwords and other sensitive information from end to end on your device so you don’t have to remember any of it, which is great because it will generate impossible-to-remember passwords every time you need one. It constantly gets great reviews.

A few years ago 1Password switched from a one-time purchase to a subscription-based model ($2.99 per month for an individual account, $4.99 per month for a family account supporting five people).

And disable password storage by your browsers. As practical as it is to let your browser store your login info, browser password stores are very vulnerable. Even if the browser encrypts the account information, it does so with a static key that can be easily deciphered. So turn it off and let 1Password or whatever tool you choose do the work.

Your Password Should Be At Least 12 Characters Long

In an interesting blog post Jeff Atwood explains that massive computing power available to those who want to crack passwords means that longer passwords are safer and that “safe” starts at 12 characters.

Here are the results of a cracking scenario he tests:

8 characters: 1 minute
9 characters: 2 hours
10 characters: 1 week
11 characters: 2 years
12 characters: 2 centuries
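To put numbers on the 26^8 vs 94^8 comparison in the Basics list and on the length-vs-time table above, here is an added example (not code from the original post): it computes the keyspace for a given alphabet and length, estimates worst-case exhaustion time at an assumed guess rate, and generates passwords that satisfy the post’s 12-character, three-class rule. The 10 billion guesses per second figure is an assumption chosen for illustration, not a number from the post.

```python
import secrets
import string

# The four character classes from the post's rule; together they are the 94 printable
# ASCII characters (26 upper + 26 lower + 10 digits + 32 punctuation), no space.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}
FULL_ALPHABET = "".join(CLASSES.values())  # 94 characters


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every candidate at an assumed rate."""
    return space / guesses_per_second


def char_classes(password: str) -> set:
    """Which of the four classes actually occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """The post's rule: at least 12 characters and at least 3 of the 4 character classes."""
    return len(password) >= min_len and len(char_classes(password)) >= min_classes


def generate(length: int = 12) -> str:
    """Draw uniformly from all 94 characters with a CSPRNG; resample until the policy holds."""
    while True:
        candidate = "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


if __name__ == "__main__":
    # Difference the post calls "over 6 quadrillion": 94^8 - 26^8
    print(keyspace(94, 8) - keyspace(26, 8))
    rate = 1e10  # assumed: 10 billion guesses/second (illustrative, not from the post)
    for n in range(8, 13):
        days = seconds_to_exhaust(keyspace(94, n), rate) / 86400
        print(f"{n} chars over 94 symbols: {days:,.1f} days worst case")
    print(generate())
```

Each extra character multiplies the 94-symbol keyspace by 94, which is why the table above jumps from minutes to centuries over just four characters.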

Password or Passphrase?

A passphrase is similar to a password but it is longer and is usually a sequence of words that is easier to memorize. So instead of jhwdugxas6%TGv2((jkhg you might use something like halter lavation noisette dad oppilate spunky. A passphrase’s strength stems from its length rather than its complexity.

Security experts debate the relative strengths of these two approaches in different use cases but I remain suspicious of them. The fact is most of us will find them attractive because they are easier to memorize. My hunch is that many people will reuse a passphrase they remember. Worse than that, many people will pick a phrase from pop culture — song lyrics, a line from a movie, etc. — and alter it with some capitalization or punctuation. That is simply too easy for a hacker to guess.