
Password security is in the news again, as it is revealed that hackers had managed to break into the accounts of many Twitter users.
Many of the affected Twitter users had previously registered on P2P file-sharing sites - and hackers had been able to enter the sites through a backdoor and grab their account information (including email address and password).
Although a username and password for a torrent-downloading website may not seem very valuable, it becomes worth a great deal if the same email address and password are also being used for a social networking site like Twitter.
As we've explained before, you should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if they grab your password in one place they can try it in many other places.
Also, you should ensure that your password is not a dictionary word, and is suitably complex that it's hard to break with a dictionary attack.
Here's a video which explains how to choose a strong password, which is easy to remember but still hard to crack:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Don't delay, be sensible and make your passwords more secure today.
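To make the two pieces of advice above concrete (no dictionary words, even with the usual letter-for-symbol tricks, and a sensible minimum length), here is a small password-policy check. It is an added example, not code from Sophos or this article; the word list is a constructed stand-in for the large dictionary and leaked-password list a real deployment would load.

```python
import re

# Constructed mini wordlist standing in for a real dictionary plus a list of
# leaked passwords (assumption: a deployment would load a large file instead).
DICTIONARY = {"password", "changeme", "welcome", "letmein", "elephant", "monkey"}

# Substitutions that cracking tools try automatically; undoing them before the
# lookup means "P@ssw0rd" is treated as the dictionary word "password".
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lowercase, drop leading/trailing digits or punctuation, undo substitutions.

    Stripping the ends first keeps a trailing "1!" from being read as letters.
    A leading symbol that stands for a letter (e.g. "@pple") is not recovered;
    a full-strength checker tries more candidate spellings than this.
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(SUBSTITUTIONS)


def check_password(pw: str, min_len: int = 12) -> list:
    """Return the list of policy violations for pw (empty list means it passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"too short: {len(pw)} < {min_len}")
    if pw.lower() in DICTIONARY or normalize(pw) in DICTIONARY:
        problems.append("dictionary word, with or without common substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("Ch@ngeme1!", "P@ssw0rd1", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Note that nothing in a checker like this can detect password reuse across sites; that part of the advice can only be enforced by the user (or a password manager), which is why the unique-password rule has to be a habit rather than a server-side policy.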
Follow @gcluley
Image source: canonsnapper's Flickr photostream (Creative Commons)
I disagree with "Unique passwords are a requirement, not a luxury". This is not practical, hardly anyone follows this advice, and I'd be curious to know whether Chester Wisniewski follows his own advice in this regard (and if so, how many sites is he registered with?)
My advice is to have 2 low-security passwords: one widely used one for non-sensitive sites and another less often used one for more sensitive sites, PLUS a unique password for each internet banking/paypal type account.
And of course all web sites should use salted cryptographic hashes, salted with the username plus a secret site-specific salt.
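The previous comment asks that sites store salted cryptographic hashes. Below is an added example (not the commenter's code and not part of the original article) of what a site-side implementation looks like in Python's standard library: a random per-user salt stored beside the hash, a site-wide secret (often called a pepper) that stays out of the database, and a slow key-derivation function rather than a plain hash so that a leaked table cannot be cracked quickly. The iteration count and the pepper value are assumptions for the example; a real site would load the pepper from a secrets store, not from source code.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune to your hardware so a
# login costs a fraction of a second; raise it over time).
ITERATIONS = 600_000

# Constructed site-wide secret. In production this lives in a secrets store or
# environment variable, never in the database next to the hashes.
SITE_PEPPER = b"constructed-example-pepper-do-not-reuse"


def hash_password(password: str, salt: bytes = b"", pepper: bytes = SITE_PEPPER) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = salt or secrets.token_bytes(16)        # random per-user salt
    # Mix the site secret in first so a stolen table is useless without it.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    derived = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = SITE_PEPPER) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    candidate = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                    # False
```

Because the salt is random per user and the pepper differs per site, the same password registered on two sites produces two unrelated records, which is exactly why a breach of a torrent site should not hand an attacker a ready-made Twitter password; it still does if the user reused the password and the attacker simply tries it.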
I'd take the focus of this article a step further and say, "A good password MANAGER is a requirement, not a luxury." I had to watch the entire video to catch the segue from how to create a password you can barely remember or type, to how to leverage that one good password to let you into all your accounts which have even stronger and totally unique passwords - by using a password manager.
I think people need to know which managers are the most secure and the easiest to use.
To that end I have just written a Password Manager Feature Manifesto to help compare one password manager against another: http://glenpeterson.blogspot.com/2011/01/top-10-t...
A good password manager can reduce the average user's password-related hassles while making them orders of magnitude more secure online.
The biggest causes of insecure passwords, besides user laziness, are:
1. Refusal of some sites to allow numerals, special symbols and punctuation.
2. Refusal of some sites to allow spaces. A short sentence, even if it's only lower case, vastly increases the difficulty of a brute-force attack.
3. Refusal of some sites to accept passwords without non-literal characters. They apparently rate security solely on the types of characters, not length. So users are forced to use passwords with hard to remember spelling, even if they're savvy enough to use long sentences instead.
4. Most mind-boggling, some sites set ridiculously short length limits for passwords, 10 or 12 characters.
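Items 2 and 4 in the list above can be put in numbers. The following added example (not the commenter's code, and not from the article) estimates the size of an attacker's search space two ways: the brute-force figure implied by the character classes used, and, for a multi-word phrase, the figure implied by guessing from a word list, taking the smaller of the two since an attacker picks the cheaper route. The 20,000-word vocabulary is an assumed attacker dictionary size.

```python
import math
import string


def charset_bits(secret: str) -> float:
    """Bits of the brute-force search space implied by the character classes present.

    Lower, upper, digits and punctuation-plus-space make up the 95 printable
    ASCII characters; a space counts as a symbol, so a lowercase sentence is
    drawn from an alphabet of 59.
    """
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c == " " or c in string.punctuation for c in secret):
        size += len(string.punctuation) + 1   # 32 symbols + space
    return len(secret) * math.log2(size) if size else 0.0


def passphrase_bits(words: int, vocabulary: int) -> float:
    """Bits when the attacker knows the secret is `words` words from a list of size `vocabulary`."""
    return words * math.log2(vocabulary)


def estimate_bits(secret: str, vocabulary: int = 20_000) -> float:
    """Conservative estimate: the cheaper of the two attack models above."""
    bits = charset_bits(secret)
    words = secret.split()
    if len(words) > 1:
        bits = min(bits, passphrase_bits(len(words), vocabulary))
    return bits


if __name__ == "__main__":
    # Constructed samples: the best a 10-character limit allows versus a
    # plain lowercase sentence that a "no spaces" rule would reject.
    for sample in ("Xy7#pQ2!mR", "my dog eats the mail on tuesdays"):
        print(f"{sample!r:40} {estimate_bits(sample):6.1f} bits")
```

Run it and the 10-character, four-class password comes out near 66 bits, while the seven-word lowercase sentence is about 100 bits even under the pessimistic word-list model (and far more under brute force). A site that caps length at 10 or refuses spaces is forcing users onto the weaker side of that comparison.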
I have 88 passwords stored in KeePass, which is secured by a long password. The passwords include not only websites, but hardware, like my wireless router. All of the passwords are very long unless the website is too stupid to support long passwords (there are at least two I can think of).
I've found that I have to memorize 5 passwords using KeePass: one for KeePass, one for the PC at home, one for the Debian GNU/Linux root (admin), one for the PC at work, and one for my encrypted flash drive (using TrueCrypt). I suppose I could keep the root password in there, but that just seems lazy, and when I need it I have to enter it often, so KeePass is more annoying than useful.
I was also successful at getting my wife to store her passwords in the KeePass database and setting her passwords to long, random digits. She even memorized a long random password for her email. So she has to remember one password primarily (email) and occasionally she needs one from the database.
Passphrases. Simple letter substitutions and special characters are easily guessed by smart password crackers. The only thing that protects you is a very long password, and only passphrases can be long and easily memorized.
I would say this is a great video to start. At the very least, it gets users thinking about how to create a stronger password than say, Ch@ngeme1!
As systems get more powerful and cracking tools smarter, longer passwords (or phrases) will be the required minimum, but even then, the dictionaries will store entire popular phrases, quotes, verses & lyrics! Your best bet is to create a nonsensical phrase such as, "If all the elephants, monkeys and zebras in the world went on strike tomorrow, would you notice?" Even if you decide to break it down, it would be longer than 15 characters. Also note probabilities - "z" is an unlikely character. For the sake of time, many crackers leave out least-used characters (or at least I have and have been quite successful in my testing). They also tend to know that the phrase will begin with a capital letter and most likely end in a number or punctuation symbol.
Don't forget, misspelling a word can help. If you type the phrase, "I have a pet elephant and the zoo keeper is jealous!" as, "eye(I) h(ave) 1(a) p(pet) 3(elephant) &(and) D(the) z(zoo) k(keeper) iz(is) j(jealous) _(!)," you may add entropy or at least stymie the cracker using traditional substitutions. After all, "the" sounds like "Z" or "D", "before" can be "B4", "baby" sounds like "bay-b", and "pound your fist and make a bang" can be represented as "# yer fist N make a !"
Perhaps the new rules should simply be, be creative and have fun!
I think the base generation of a password is great and the presentation is awesome. I have a password that is different at every site. I created one using the method described, but I have a unique way of identifying the site by 3 letters, and those are placed in a specific spot in the base password. So if someone does get my password they have to:
A) work out what the base password is
B) work out my method of uniquely identifying each site
C) work out where I use it within the password.
No password manager for me, just a unique way of remembering it.