The XKCD comic below has led me (and others) to consider Password Security the past week. The webcartoonist defends his math here, though it should be noted, very few are arguing the underlying message.
First, since this is a Genealogy-focused blog, let me tie Password Security to Genealogy. It's rather simple. As a Genealogist you probably have an account for at least one of the following:
If you are into social networking you may have an account at
If you buy stuff online you may have an account at
And of course, if you pay bills online
Not everyone realizes this, but it is recommended that your password be different on every website. That way, if a website is hacked and your password there is discovered, it's not easy for the hackers to sign in to your other accounts.
This is why some suggest "The Only Secure Password is the One You Can't Remember."
Using software such as LastPass, KeePass, or 1Password, you can let the software remember all but one of your passwords. Each time you log into an account, the software will ask you for the master password, and then enter that particular website's password for you.
This seems to be a great solution, if you have one computer. All your passwords are stored encrypted on that one machine.
But I have:
- A computer at home
- One at work
- A BlackBerry
- An iPod.
- I occasionally house-sit for members of my family, and I may log into one of my accounts from their computers.
- When I'm at the library I may log on to one of their computers, because while I could use one of my mobile devices, I like the larger screen.
- I have been known to check my email on my friend's computers, though those days may be behind me now with the mobile devices.
Some suggest a workaround for some of the above is Dropbox, LiveMesh, SpiderOak, SugarSync, or Wuala. (The link compares the software for each.) Each of these allows you to sync files across multiple computers. However, the most popular of these, Dropbox, recently had a security issue. The most secure of these five programs are SpiderOak and Wuala, because they allow you to encrypt your data locally before sending it to their website. "Your data encryption key is only saved on your computer." Unfortunately, for me, neither SpiderOak nor Wuala works on a BlackBerry.
And, of course, none of these help you with computers that aren't synched -- those at the home of a family member, a friend, or at the library.
Is it safe to write down all your passwords on a piece of paper?
I'm not an expert, but I think it depends upon who you think you are hiding the information from, and how it is written down.
If I had a piece of paper that looked like this:
A/R - Password1
FN - Password2
GB - Password3
GS - Password4
F - Password5
T - Password6
G - Password7
AZ - Password8
A - Password9
B - Password10
P - Password11
I could record the passwords for all of the sites I listed above. I wouldn't put my name on it. I wouldn't include my usernames. If the piece of paper was left behind on the seat of a taxi, or at the library, and someone picked it up, what good would it do them? Even if a fellow genealogist picked it up, and figured out the code, without knowing whose it was it wouldn't be useful.
If your spouse or kid picked it up -- yes, they could figure it out. So if you have an issue of trust with someone in your household, this might not be a solution.
One possible compromise.
Use one of the Password Management systems for any website you are willing to limit your use to one computer (or more if you are willing to trust the synching software.) For the handful of websites you feel you need to be able to access on other computers, you can write those down on a piece of paper.
For example, I know the only websites that I access from my BlackBerry are my email and social networking accounts. So I could set up a LastPass, KeePass, or 1Password account using Wuala or SpiderOak for everything else, and still feel pretty secure.
So, whether you are creating one master password to control all your other passwords, or you are creating multiple passwords you will write down on a piece of paper, we are back to asking which passwords are the most secure. Not from your spouse or kid who might be able to guess that your password is G3n34l0gy! But from a computer hacker who knows nothing about you. Because unless you are somebody important, no one is going to be trying to hack your accounts specifically. You're only at risk if your password is one of the 'low hanging fruit' passwords the hackers find before they're satisfied.
Randall Munroe, webcartoonist for XKCD, isn't the first to suggest that Multi-Word Phrases are More Secure than Incomprehensible Gibberish.
Once the hacker has to resort to "brute strength" - that is, trying every possible combination of letters, numbers, and symbols - the length of the password matters more than anything else. Even if the characters are a series of periods, dashes, or spaces.
How Big is Your Haystack helps you compute the strength of a password.
A password such as D0g.......... (10 periods), according to this calculator, would take at least 100 centuries to crack using brute strength. (However, since How Big is Your Haystack mentions the D0g.......... password, it's advisable to use something else. You want your password to be unique.)
It is important to remember that some longer passwords might be tried before brute strength. If multiple word passwords become common, you can expect hackers to feed movie and book quotes into their databases. So the following passwords likely will not be secure:
- Help me, Obi-Wan Kenobi. You're my only hope.
- To be, or not to be, that is the question.
- Hello. My name is Inigo Montoya. You killed my father. Prepare to die.
- As you sow, so shall you reap.
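To make the two points above concrete (length beats character variety once an attacker is reduced to brute force, but a known phrase falls to a dictionary first), here is an added Python example; it is not code from the post or from the haystack calculator. It assumes a haystack-style model with class sizes 26/26/10/33, a constructed list standing in for the quotes database, and a guess rate of 10^12 per second, all of which are this example's assumptions.

```python
import string

# Character classes in the haystack-style model: using any character from a
# class is assumed to expose the whole class to a brute-force attacker.
# Class sizes (26/26/10/33) are this example's assumption, not the page's.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Constructed stand-in for the "movie and book quotes" list an attacker
# would try before brute force (stored lowercase, no surrounding space).
KNOWN_PHRASES = {
    "help me, obi-wan kenobi. you're my only hope.",
    "to be, or not to be, that is the question.",
    "as you sow, so shall you reap.",
    "password1",
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume for this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Guesses needed to exhaust every string up to this length over the alphabet."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def assess(password: str, guesses_per_second: float = 1e12) -> dict:
    """Dictionary check first, then the brute-force cost at the assumed rate."""
    if password.strip().lower() in KNOWN_PHRASES:
        # Found in the phrase list: at most one guess per entry, no brute force needed.
        return {"verdict": "known phrase", "guesses": len(KNOWN_PHRASES)}
    space = search_space(password)
    return {"verdict": "brute force", "guesses": space,
            "years_to_exhaust": space / guesses_per_second / (365 * 24 * 3600)}


if __name__ == "__main__":
    for pw in ["D0g..........", "k9!Qz2", "." * 13,
               "Help me, Obi-Wan Kenobi. You're my only hope."]:
        print(repr(pw), assess(pw))
```

Thirteen plain periods outrank a six-character mix of all four classes in this model, while the Obi-Wan quote is caught by the phrase list before any brute force is counted.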