
Lost in the Password Storage Maze

August 6, 2013
We read all about the financial toll hackers take on companies, but rarely consider the “soft” toll they take on our productivity.

Consider the cost of creating, maintaining and storing our passwords.

Time was, you could get away with a simple password: your middle name, your dog’s name, your street name, your company name, your initials, or anything else that was easy to remember.

But with hackers able to crack such passwords in minutes if not seconds, we now have to:
  • Set up strong passwords.
  • Change them regularly.
  • Use a different password for every login.
  • Replace passwords altogether with key fobs (hardware tokens) that generate a new one-time code at every login, if we deal with sensitive data such as real estate or financial records.
  • Use biometrics such as fingerprints or iris scans to reach network resources, if we work with highly sensitive data.
And if we follow all of the above, except for the fobs, we will likely lose even more time once we have locked ourselves out of an account because we could not remember its password.
 
We have online criminals to thank for this.
 
Creating Strong Passwords
If you’re not required to use key fobs or other forms of multi-factor authentication, you should use STRONG passwords.

A strong password is at least 8 characters long (the more characters the better) and uses a combination of:
  • Upper and lower case letters
  • Numbers
  • Symbols
Even Better, A Passphrase
Of course, strong passwords can be cracked, too, so the conventional wisdom now is to use a passphrase such as “I l0v3 Hot Dog$”, assuming the resource you are protecting allows passphrases. Some won’t allow spaces, so consider a phrase separated by dashes, as in “I-l0v3-Hot-Dog$”.
 
According to the Intel site linked below, that passphrase would take 727,499 years to crack.
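To make the “years to crack” idea concrete, here is an added example (not from the original post, and not the method behind Intel’s calculator) that estimates the exhaustive search space of a password from the character classes it uses and converts that into years at an assumed guess rate. The guess rate, the sample passwords and the 33-symbol count for printable ASCII punctuation plus space are all assumptions made for the illustration.

```python
import string

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Printable ASCII symbols: string.punctuation (32 characters) plus the space.
# This is an assumption for the example; tools may count symbols differently.
SYMBOLS = string.punctuation + " "


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, taken as the union of the
    character classes actually present (lower, upper, digit, symbol)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)                  # 33
    return size


def search_space(password: str) -> int:
    """Upper bound on guesses for an exhaustive search: alphabet ** length."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst case for the attacker: try every string in the search space."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def compare(candidates, guesses_per_second: float):
    """Return (password, alphabet size, length, years) for each candidate."""
    return [
        (p, charset_size(p), len(p), years_to_exhaust(p, guesses_per_second))
        for p in candidates
    ]


if __name__ == "__main__":
    # Assumed attacker speed: one billion guesses per second. Real rates range
    # from thousands per second (a slow, salted hash such as bcrypt) to many
    # billions (an unsalted fast hash on a GPU rig), so treat this as illustrative.
    RATE = 1e9
    # Constructed sample passwords mirroring the kinds discussed in the post.
    samples = ["fido", "Main St", "Pa55w0rd", "I l0v3 Hot Dog$"]
    for pwd, alpha, n, yrs in compare(samples, RATE):
        print(f"{pwd!r:20} alphabet={alpha:3} length={n:2} years={yrs:.3g}")
```

At the assumed rate, an 8-character password drawing on letters and digits lasts a matter of days under exhaustive search, while the 15-character passphrase runs to trillions of years; the absolute number depends entirely on the rate you plug in, which is why Intel’s tool and this estimate disagree. The caveat a practitioner should keep in mind is that exhaustive search is the attacker’s worst case, not the usual one: real cracking tools try dictionary words with common substitutions (such as “0” for “o” and “3” for “e”) and appended symbols long before they fall back to brute force, so a phrase built from four dictionary words with those substitutions falls far sooner than the exhaustive bound suggests. Length of unpredictable material is what buys time, not the substitutions.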
 
Here are some passphrase creation tips from the security software vendor Sophos: http://www.sophos.com/en-us/security-news-trends/it-security-dos-and-donts/password-quick-tips.aspx.
 
Here’s another technique at http://blog.ideashower.com/post/15147137496/remember-just-one-password-thats-unique-for-every-site that involves developing an easier to remember phrase and then pulling letters from each word of the phrase to develop your password.
 
You can see just how ridiculous this is getting, I’m sure. By the time you work out which letters from which phrase you used for which site, you will probably have locked yourself out of your account.
 
So Much Effort
Still, there are no good answers here that don’t involve either spending money or relying on your memory. You must protect your company’s data.

Don’t duplicate passwords? It simply isn’t reasonable to expect the average employee to create a different password for every computer, web site, email account and network resource they log into.

You can use password management software to do this, but again, there is lost productivity in opening the software and finding the password you need. And don’t forget the master password for the password manager itself, which obviously should not be the same as any other password …
 
Test Your Password Creation Skills
If you want to test your password creation skills, try the test at the web site https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html provided by Intel.
 
NOTE: DO NOT ENTER YOUR REAL PASSWORD HERE. Use the site only to try different kinds of password combinations and get a feel for how long it would take a hacker to crack your real password. If it wouldn’t take years to crack, you need to change it.

The bottom line: if your password is strong enough that a hacker can’t crack it quickly (i.e., within hours), the hacker will move on to easier prey, unless he or she believes your system holds something valuable enough to justify the effort.