In 2009, another blogger posted an article on password problems that suggests 10 hard-to-follow rules.
The author highlights an important problem: attackers can do systematic trial-and-error guessing attacks against on-line sites. She focuses on a Google Gmail problem recently reported on Full Disclosure.
Here's the point: use strong protection on high-value targets. Take the time to protect your major e-mail account, your financial resources, and anything else you really value. If you're going to slack off, do it when registering to post a one-off blog comment.
Let me take a stab at my own list of recommendations.
The easiest way to create a strong password is to pick up a book. Open the book to a random page. Pick a word off that page. Now, pick a different page. Pick another word. Pick a digit, punctuation character, or other special character. Put it between the two words. If you pick longer words, you have a stronger password. If you choose words from "Make Way For Ducklings" the password won't be quite so strong. But it's going to beat "aaaaa" every time.
If the system puts constraints on passwords, change the password to comply. You can capitalize one of the words, add or remove punctuation, or stick in a digit as required.
Such passwords can easily resist an attack that makes up to a million guesses. Longer passwords can resist billions or tens of billions of attempts. If you need something better (and sometimes you do), then randomly choose letters and throw in some digits and punctuation.
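The book-word method above, as an added example that is not part of the original post: a small Python sketch of the procedure (two words, one separator, then adjusted to a site's rules) together with an estimate of how many guesses an attacker who knows the method still has to make. The word list is a constructed stand-in for a book, and the separator set and thresholds are assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for "a random page of a book". A real book offers
# tens of thousands of distinct words, and that size is where the strength lives.
SAMPLE_WORDS = ["balsam", "ducklings", "harbour", "lantern", "quartz",
                "meadow", "sextant", "granite", "willow", "compass"]
# Digit or punctuation character placed between the two words.
SEPARATORS = string.digits + string.punctuation


def book_password(words=SAMPLE_WORDS, rng=secrets):
    """Two independently chosen words joined by one random separator."""
    first = rng.choice(words)
    second = rng.choice(words)
    return first + rng.choice(SEPARATORS) + second


def comply(password, need_upper=False, need_digit=False):
    """Adjust a password to meet a site's composition rules without rebuilding it."""
    if need_upper and not any(c.isupper() for c in password):
        password = password[0].upper() + password[1:]
    if need_digit and not any(c.isdigit() for c in password):
        password += "7"  # any digit satisfies the rule; it adds little strength
    return password


def guess_space(dictionary_size, n_words=2, n_separators=len(SEPARATORS)):
    """Candidates an attacker who knows the method must try in the worst case."""
    return dictionary_size ** n_words * n_separators ** (n_words - 1)


def entropy_bits(dictionary_size, n_words=2):
    """Same search space expressed in bits, for comparison with random passwords."""
    return math.log2(guess_space(dictionary_size, n_words))


def attack_size_resisted(dictionary_size, n_words=2):
    """Rough label matching the 'millions' / 'billions' scale used in the text."""
    space = guess_space(dictionary_size, n_words)
    if space >= 10 ** 9:
        return "billions"
    if space >= 10 ** 6:
        return "millions"
    return "thousands"
```

With a 10,000-word vocabulary the two-word form already forces a few billion guesses (about 32 bits), while a tiny vocabulary like a children's book drops it to thousands.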
This problem is slooowly going away, but it crops up occasionally. Back in the dark days of the 1990s, Microsoft "protected" passwords with a poorly designed mechanism called "LANMAN hashing." The mechanism protected passwords in 7-character chunks. Password hacking programs exploit this by checking passwords 7 characters at a time.
If the first - or second - or third - 7 characters of your password form a word or some other easily recognizable chunk, then the cracking programs can easily find that part of your password. For example, I used to have this password:
The cracking software didn't retrieve the ";balsam" part but it retrieved the "2" at the end.
Most of us can't instantly memorize a strong password. If the biggest risks are on the Internet, your safest bet is to pick stronger passwords and write them down.
In some work environments, this might not be an option. For example, if you work in certain defense programs, it may be borderline illegal to keep copies of passwords. Check with your security officer.
This should be obvious, but it's worth pointing out. If you store them on your smart phone, be sure they are protected if your phone is borrowed or stolen. My password storage software uses a separate password and applies its own encryption. That, of course, needs to be a strong password.
Occasionally we need to leave passwords in essentially unprotected locations. For example, my web site software insists that I embed a password in each site's configuration file. Be sure that you keep those files under control. Anyone who grabs those files can build back doors into your web sites.
This is tough for most people - how do you identify unsafe situations? Here are some common places where you should not type in passwords:
Now, this can be a bit of a burden - what if you really, really need to visit a site even though things are risky? You have to decide if the risk is worth the reward. And afterward, you should change your password if you don't want to be hacked.
This, incidentally, is why you want to use different passwords for different sites, or at least for different kinds of sites. If you leak your "post comments on silly blog" password, that might not matter unless you use the same password for your banking site.
Remember: your main e-mail account is a high value target. Most web sites use your e-mail address to reset your password. If an attacker can read your e-mail, the attacker can reset your password and crack into other accounts.
Recently I foolishly handed over a portable hard drive that contained my "crown jewels" - configuration files for my web sites. I don't know for sure that the temporary custodian was untrustworthy, but my drive was out of sight for too, too long.
I've just finished the process of changing database passwords - annoying!
It's less annoying to change the passwords than to have someone install a back door in your blog site.