Can you spell 'password' or The weakest link in security


Strong password, weak password

Are your passwords strong?

An average Internet user registers at dozens of services, and almost everywhere one has to invent a password. There are few alternatives to good old password verification; some of them are useful, some less so.

«Convenient, reliable, cheap: choose any two». To keep your data secure and still access them quickly, you need an authentication method that is both simple and reliable. So what are the typical approaches to creating a good, strong yet easy-to-remember password?

I say «easy to remember», but passwords, at times, need not be remembered literally. The method I use to invent passwords that are hard to guess yet easy to remember is simple: several words, interspersed with commas, dots and the like, with a group of digits placed somewhere inside. The words may be taken from any source; the idea is to keep that source unknown to everyone else.

I won't post long and solid recommendations on how to invent a password. There are many already on the Net, and if you're out of ideas on how to make a password, there are many well-known pieces of software solving that task, starting with pwgen.
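The word-plus-separators-plus-digits scheme described above, as an added example that is not part of the original post: it draws words from a list with a cryptographic random source, inserts a digit group at a random slot, and estimates how many bits of entropy the result carries. The word list is constructed here; the entropy estimate deliberately assumes the attacker knows that list, because relying on the list staying secret is the weaker assumption.

```python
import math
import re
import secrets

# Constructed sample word list (24 words). The post suggests drawing words
# from a private source; the estimate below assumes the list is public.
WORDS = [
    "granite", "lantern", "orchard", "velvet", "harbor", "saddle",
    "copper", "meadow", "timber", "quartz", "falcon", "ledger",
    "marble", "pepper", "willow", "beacon", "cinder", "glacier",
    "hammer", "ribbon", "tundra", "walnut", "anchor", "ember",
]
SEPARATORS = ",.;:-_!"


def make_passphrase(words=WORDS, n_words=4, n_digits=3, rng=None):
    """Join n_words random words with random separators and drop a
    random digit group into one of the n_words + 1 slots."""
    rng = rng or secrets.SystemRandom()   # CSPRNG, not the default random module
    tokens = [rng.choice(words) for _ in range(n_words)]
    digit_group = "".join(rng.choice("0123456789") for _ in range(n_digits))
    tokens.insert(rng.randrange(n_words + 1), digit_group)
    out = tokens[0]
    for tok in tokens[1:]:
        out += rng.choice(SEPARATORS) + tok
    return out


def entropy_bits(list_size, n_words=4, n_digits=3):
    """Entropy if every choice in make_passphrase is uniform and the
    attacker knows the word list, the separator set and the scheme."""
    return (n_words * math.log2(list_size)          # which words
            + n_digits * math.log2(10)              # which digits
            + math.log2(n_words + 1)                # where the digit group sits
            + n_words * math.log2(len(SEPARATORS))) # which separators


def parse(passphrase):
    """Split a passphrase back into (word_tokens, digit_tokens) so its
    structure can be checked; words are alphabetic, so digits are unambiguous."""
    tokens = re.split("[" + re.escape(SEPARATORS) + "]", passphrase)
    digits = [t for t in tokens if t.isdigit()]
    words = [t for t in tokens if not t.isdigit()]
    return words, digits


if __name__ == "__main__":
    pp = make_passphrase()
    print(pp)
    print("%.1f bits with a public %d-word list" % (entropy_bits(len(WORDS)), len(WORDS)))
```

With a 24-word list the scheme yields under 42 bits, most of it coming from the digits and separators rather than the words; the same scheme over a few thousand words reaches 60 bits and more. That is the practical point: the strength lives in the size of the word source and the number of words, not in the punctuation tricks.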

The question is how to make many passwords without reusing the same password for several services (very insecure: if one of them leaks the password somehow, a number of your other resources become very vulnerable).

A true crypt for passwords

Well yes: I write passwords down to a file and store the file at hand. Insecure? Not quite.

First, I use the TrueCrypt freeware to create encrypted volumes, a good means to store one's passwords and any other sensitive information. Yes, mounting a TrueCrypt volume also requires a password; I also use keyfiles, so if I lose the flash drive where a TrueCrypt volume is stored, it cannot be deciphered without the keyfile.

The passwords are recorded in a file, but not in their plain form. I use mnemonic rules and tokens, storing only those parts of a password from which the rest can be restored. A good approach as long as I remember the password for the encrypted volume.

Open your ID

OpenID can be a good alternative to storing many passwords: if a service supports OpenID authentication, you only have to remember the password for your OpenID provider account. There are many providers: a Google user profile URL may serve as an OpenID, as may a LiveJournal account, Chi.mp and many other services, including openid.net itself.

There are only two problems with the OpenID solution to the password problem.

First, you need a reliable OpenID provider. If it disappears or changes owners, you can as well bid farewell to the resources where you've used that OpenID identity.

Second, if you lose control over your OpenID account, you can lose all the resources where you authenticated with it. It's like placing all the keys on a single keyring: a good way to have all the keys at hand, and to lose them all at once as well.

Myself, I prefer to use either my own OpenID server or a well-known provider, one that will most probably stay with us for many years.

Other doors, other keys

OpenID isn't the only alternative to the name-and-password combination. There are other protocols and techniques (say, OAuth), but with all of them you still have to remember at least one password. And it had better be long and really hard to guess.

It should be understood that you can't afford to neglect security the moment you have any sensitive data on your computer or on a Net resource.

A weak password means a number of troubles, sooner or later (most probably sooner).

Security isn't a one-time action. It's a mental discipline, a way of thinking. Create a reliable means to store passwords and to restore them; make sure they are all different; change them often: these mantras will remain important for good. Yet not everyone on our planet abides by them.

What is your way of making your data protected?


About this Entry

This page contains a single entry by Konstantin Boyandin published on March 17, 2010 5:38 PM.
