Password Threats and Defenses
The Password Paradox
Passwords are an inconvenient but necessary way to prevent others from accessing our online accounts, computers, files, etc. The paradox is that a password must be easy enough to remember and type, yet complex enough to resist being hacked. Many of us choose convenience over security by using a simple password that can be guessed or cracked, reusing one password across multiple accounts, or writing passwords down, all of which expose us to the threats below.
Password Threats
| Threat | Description |
| --- | --- |
| Phishing | Imposter emails trick us into entering usernames and passwords on websites that pose as legitimate ones, typically financial services accounts, auction sites and payment processors. |
| Guessing | Many of our passwords can be guessed because they are commonly used: default passwords (e.g. no password, “password”, “passcode”, “admin”), a row of letters from a keyboard (e.g. “qwerty”, “asdf”), names (user, pet, relative, significant other), dates (birth, marriage), or combinations of the above. |
| Password reset questions | Even if our passwords are not easily guessable, the answers to the password reset questions (e.g. Mother’s Maiden Name) that websites offer in case we forget our password can be guessed by someone who knows us or who looks up personal information about us online. (This is how Sarah Palin’s Yahoo! email account was hacked.) |
| Dictionary attack | Hackers trying to guess our passwords use programs that try every word in the dictionary, plus combinations of those words. |
| Shoulder surfing | In public areas such as cafes, libraries, airports and airplanes, people can “look over our shoulders” to see passwords written on sticky notes or entered as we type, much as someone might watch a PIN being entered at an ATM. |
| Keylogging / Keystroke logging | Viruses and Trojan horses can surreptitiously install programs that capture what we type on our keyboard and send it to the attacker. |
| Good Password Practices | Defends against |
| --- | --- |
| Don't click on links within emails. Instead: (1) from your Internet browser go directly to the company’s website homepage by typing in the URL, or (2) do a Google search for the company and click on the first organic (not paid advertising) search result; after doing either, save the URL as a shortcut in your Internet browser. | Phishing |
| Use "strong" passwords, meaning passwords that are long (at least 8 characters); include upper case and lower case letters, numbers and symbols; are not guessable; are not based on publicly available personal information; and are not based on words in the dictionary. | Guessing; dictionary attack |
| Use different passwords for different websites. That way, if someone discovers one of your passwords, they don’t have the “keys to the kingdom” to access your other accounts. | Partially defends against phishing, guessing, dictionary attack and shoulder surfing |
| Use passphrases. One way to choose a complex password that is easy to remember is to take the first letter of each word of a memorable phrase, e.g. the passphrase “My favorite movie in 2008 is Batman Dark Knight!” gives the password “Mfmi08iBDK!” | Guessing; dictionary attack |
| Don’t use simple password reset questions and answers. Avoid common options like Mother’s Maiden Name, Pet’s Name and City of Birth. Use a less common option or, if permitted, create your own unique question. Or give an answer that doesn’t actually answer the question, e.g. for Mother’s Maiden Name, answer with a random strong password or a passphrase. | Password reset attack |
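The "strong password" rules and the passphrase trick from the table above, turned into a small checker. This is an added example, not code from the original page; the wordlist and keyboard rows are constructed stand-ins for a real dictionary, and `personal` is an assumed caller-supplied tuple of strings (name, pet, birth year) that the password must not contain.

```python
import re

# Constructed stand-in for a real wordlist; a real check would load a full dictionary file.
COMMON_WORDS = {"password", "passcode", "admin", "welcome", "batman", "knight", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def passphrase_to_password(phrase: str) -> str:
    """First letter of each word (case kept), last two digits of a number, trailing punctuation kept."""
    pieces = []
    for word in phrase.split():
        if word.isdigit():
            pieces.append(word[-2:])          # "2008" -> "08"
            continue
        pieces.append(word[0])                # "Batman" -> "B"
        tail = re.search(r"[^A-Za-z0-9]+$", word)
        if tail:
            pieces.append(tail.group())       # "Knight!" -> "!"
    return "".join(pieces)


def strength_problems(password: str, personal: tuple = ()) -> list:
    """Return the strong-password rules the password fails (an empty list means it passes all of them)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # "Password1!" -> "password": padding does not help
    if letters_only in COMMON_WORDS:
        problems.append("based on a dictionary or common word")
    if len(lowered) >= 3 and any(lowered in row for row in KEYBOARD_ROWS):
        problems.append("a row of keys from the keyboard")
    if any(p.lower() in lowered for p in personal if p):   # assumed caller-supplied personal details
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    derived = passphrase_to_password("My favorite movie in 2008 is Batman Dark Knight!")
    print(derived, strength_problems(derived))                  # Mfmi08iBDK! []
    for candidate in ("password", "qwerty", "Password1!", "Fido2008!"):
        print(candidate, strength_problems(candidate, personal=("Fido", "2008")))
```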
Password Tools
| Tool | Description |
| --- | --- |
| Use a password generator | These programs generate random, strong passwords. |
| Use a password generator + password manager | Once you have created a set of unique, strong passwords, use a password manager to save your passwords in a safe place, access your accounts via shortcuts, and replay all of your passwords with one master password. |
| Use a password generator + password manager + fingerprint reader | Fingerprint readers often come with password management software, so they provide the benefits of password managers (see above) plus: they let you use a strong “master password” since you don’t have to remember or type it; they counter the threat of someone getting hold of your master password and the “keys to the kingdom”; and they eliminate the temptation to leave your password manager unlocked at all times. |
Created on 4/17/2012 8:56:51 AM