Do You Have Password Fatigue?
Last week it was revealed that a malware worm was used to siphon off 45,000 user credentials (login and password combinations) from Facebook (www.darkreading.com). Facebook credentials and Facebook profile information have already been successfully used to target user accounts of corporate and financial systems. Recently, a Twitter executive’s personal email account was compromised and the hacker was able to leverage that to expose hundreds of sensitive corporate documents in Google Apps. This week it was revealed that 25,000,000 customers’ personal information and passwords were stolen from Zappos. So, this seems like an apt moment to encourage good password management and reduce your risk of being exploited and financially injured.
First, let’s look at why your password is worth protecting:
Reason #1. Your password can provide a foot in the door to a computer system where higher level access is desired, or
Reason #2. Your password can be used to gain more of your personal information, which can be used to facilitate identity theft and further and deeper access to your personal data and financial systems. Basically, ruin your life.
Next, let’s explore the nature of passwords and of humans. If you just want a basic understanding of password risks, then keep reading. If you want deeper knowledge, there is a lot more “geeky” information on this topic in my longer post.
The main points follow:
Point #1. Long, complex passwords are more secure than short, simple ones. Unfortunately, the ability to remember even a few complex passwords is beyond the capability or desire of most humans. So we either adopt a strategy for writing down and storing our complex passwords or we fall back to passwords that are shorter and easier to remember that just meet the requirements.
Point #2. Changing passwords frequently reduces risk. It also leads to what I call password fatigue. A torture device in the “IT dungeon”, changing passwords on a regular basis is designed to outwit the time required by crackers to brute force your password, but often has the counter effect of increasing the simplicity of passwords and the amount of password re-use.
Point #3. Users consistently fail in their password practices. We as a user population are settling for shorter, easier-to-remember passwords, and reusing a small set of them, gaming the constraints of a given system to establish a workable rotation. Sound familiar?
Finally, now that you know why you should protect yourself and how human nature can get in the way, apply a bit of risk management to reduce the number of personal passwords you have from dozens to a manageable handful, each with the appropriate strength.
Step 1. Categorize your passwords based on risk. I work with 3 categories (surprise), which seem to be the safe path between too few and too many and correspond nicely to the standard risk management categories of high, medium, and low.
- High Risk - Passwords that can expose your most critical personal information. These passwords would give access to websites that give direct or indirect access to financial data, like online banking and bill paying sites, university and institutional portals, commercial sites where you have stored credit card information (Amazon, iTunes), and sites that have your date of birth, SSN, or other personal information that could result in identity theft. Of particular concern in this category are email services, secure shell accounts, and computer system logins since they can be monitored or mined for more personal information, including password recovery emails.
- Medium Risk - Passwords that expose personal information that is already generally available, such as your contact information for mailing or shipping destinations, but no financial information.
- Low Risk - Passwords that expose inconsequential information, like logins required for news sites or blogs.
Step 2. Create passwords of appropriate strength. Passwords that protect high-risk content should be strong and unique for each account. Every banking or financial website should have a unique and hard-to-crack password. Every email account should have a unique and hard-to-crack password. I encourage using a strong password generator and password manager for high-risk sites. If, like my bank, you are limited on your password complexity, take advantage of two-factor authentication offerings that might be available. Two-factor authentication requires that you use a one-time key obtained through some separate medium (phone, text, email, or advance) that is combined with your password to allow you access to your private information.
Medium risk passwords should be strong, but need not be unique for every site. Do not reuse passwords for high-risk content here. Many of the sites that represent medium risk may also have very questionable security practices, making it more likely your information may be compromised, for example, social networking sites like Facebook and Twitter.
Low risk passwords can be anything that, if compromised, does not give away any personal information or clues to passwords protecting medium- or high-risk information. One of my most frustrating experiences is trying to implement a simple password on an extremely low-risk content site and finding that the site requires an incredibly complex password.
Activity: Test some of your favorite passwords using a secure password tool - for example, https://www.microsoft.com/security/pc-security/password-checker.aspx
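To make Point #1 and Step 2 concrete, here is an added example (my own illustration, not code from the original post or from any checker the post links to) that estimates a password's entropy from its length and character pool, converts that into a brute-force time at an assumed guess rate, and generates a random alphanumeric password with a cryptographic random source. The pool sizes, the guess rate of 10 billion per second, and the weak/moderate/strong thresholds are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes a typical checker recognises; the pool size drives the entropy.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def pool_size(password: str) -> int:
    """Size of the smallest character pool that contains every character used."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Anything outside the four classes (space, Unicode, ...) counts as its own symbol.
    extras = {c for c in password if not any(c in chars for chars in CLASSES.values())}
    return size + len(extras)


def entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming each character was chosen uniformly from the pool.

    Real attackers exploit structure (dictionary words, dates, keyboard walks),
    so a human-chosen password is usually weaker than this number suggests.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def crack_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the space at the given guess rate.

    1e10 guesses/s is a constructed figure standing in for an offline attack
    on a fast, unsalted hash; it is not a measurement.
    """
    return 2 ** (bits - 1) / guesses_per_second


def strength_label(bits: float) -> str:
    """Coarse rating; the 40/80-bit cut-offs are an assumption for this example."""
    if bits < 40:
        return "weak"
    if bits < 80:
        return "moderate"
    return "strong"


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Generate a password with the CSPRNG in `secrets`, never the `random` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(password: str) -> dict:
    """Summarise one candidate password as a dict (useful for a quick self-check)."""
    bits = entropy_bits(password)
    return {
        "length": len(password),
        "pool": pool_size(password),
        "bits": round(bits, 1),
        "label": strength_label(bits),
        "crack_seconds": crack_time_seconds(bits),
    }


if __name__ == "__main__":
    # Constructed sample passwords: one short-and-simple, one short-and-complex,
    # one long-and-simple, and one generated 20-character alphanumeric.
    for candidate in ["password", "P@ssw0rd", "correcthorsebatterystaple", generate_password(20)]:
        print(candidate, report(candidate))
```

The comparison is the point: a 25-character lowercase passphrase scores far higher than an 8-character password that mixes four classes, and a generated 20-character alphanumeric password (the Step 3 recommendation for a master password) lands well past the "strong" threshold.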
Step 3. Use a password manager to safely store and protect passwords that are difficult to remember. Such systems often use a master password to protect the “password store”, so be sure that this password is really strong. This means a password that is at least 20 characters long made of random alphanumeric characters. Even better, throw in some symbolic characters if allowed.
There are password managers built into some operating systems and there are commercial ones like “1Password” (https://agilebits.com/onepassword). I prefer open-source software when dealing with encryption applications, because in theory, a lot of really smart people review the encryption algorithm and its implementations for imperfections and bugs. I’ve been using “KeePass” (http://keepass.info/download.html), which is open-source and cross-platform. It uses encrypted storage and also has a good password generator. It can be stored on and run from a flash drive and can be secured with a key-file, in addition to a password. There are versions for smartphones as well.
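Step 3 says the master password is what protects the whole store, and the example below (added here; my own toy, not KeePass or 1Password internals) shows the defensive mechanism a manager relies on to make that one password hold up: the master password is never used directly but is stretched with a salted, slow key-derivation function, so each guess an attacker makes costs as much work as one unlock. It uses PBKDF2-HMAC-SHA256 from the standard library; the 600,000 iteration count is an assumption (in line with commonly published guidance for that algorithm), the hash rate is a constructed figure, and the store keeps only a verifier of the key, where a real manager would encrypt the database with it.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

ITERATIONS = 600_000   # assumption: iteration count for PBKDF2-HMAC-SHA256
KEY_LEN = 32           # 256-bit key
VERIFIER_TAG = b"store-verifier"  # constructed label, not a secret


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a fixed-length key.

    The per-store random salt means two stores with the same master password
    still get different keys, so one precomputed table cannot serve both.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def new_store_header(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Metadata a store keeps in the clear: salt, iteration count and a verifier.

    The verifier is an HMAC of a fixed tag under the derived key, so the key
    itself is never written to disk; only proof that a candidate key is right.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_TAG, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Return the key if the master password matches the header, else None.

    compare_digest is constant-time, so a wrong guess leaks nothing about
    how many bytes of the verifier happened to match.
    """
    key = derive_key(master_password, header["salt"], header["iterations"])
    expected = hmac.new(key, VERIFIER_TAG, "sha256").digest()
    return key if hmac.compare_digest(expected, header["verifier"]) else None


def attacker_years(bits: float, fast_hashes_per_second: float, iterations: int) -> float:
    """Expected years to search half the space when every guess costs `iterations` hashes.

    `fast_hashes_per_second` is a constructed rate for raw SHA-256; dividing it
    by the iteration count is what the stretching buys the defender.
    """
    guesses_per_second = fast_hashes_per_second / iterations
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def alphanumeric_bits(length: int) -> float:
    """Entropy of a uniformly random password over the 62 alphanumeric characters."""
    return length * math.log2(62)


if __name__ == "__main__":
    # Constructed master password for the demo; a real one should be generated.
    header = new_store_header("Zr8kQ2mV7pL4xN9bT3wH")
    print("unlock with right password:", unlock(header, "Zr8kQ2mV7pL4xN9bT3wH") is not None)
    print("unlock with wrong password:", unlock(header, "password") is not None)
    rate = 1e10  # constructed raw-hash rate
    print("8 lowercase chars, stretched:",
          round(attacker_years(8 * math.log2(26), rate, ITERATIONS), 2), "years")
    print("20 random alphanumerics, stretched:",
          attacker_years(alphanumeric_bits(20), rate, ITERATIONS), "years")
```

The two printed figures show why the post asks for both a random 20-character master password and a real manager: stretching alone turns an 8-character lowercase password from seconds into a fraction of a year, which still is not enough, while a 20-character random alphanumeric one is out of reach at any plausible rate.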
Yes, this is a big hassle, but there is a lot at stake - mainly, your life’s important information.
I hope this article helps you to better manage your password and adds to your confidence when securing your information. Protecting yourself from the temptation of password re-use is your most important strategy.
I encourage you to discuss your reactions to these strategies and share your experiences with passwords by leaving a comment to this forum post.
Copyright 2010-2012 James W Brunt