We don’t mean to alarm you, but – well, actually we do. Your password strategy, if you have one at all, might be seriously out-of-date.
In the past year, several well-publicised attacks on major online services exposed users’ passwords. For example, in June 2012, more than six million LinkedIn passwords were stolen and posted online. Just over a month later, more than 450,000 Yahoo passwords were leaked.
The direct damage resulting from public disclosure of the passwords was bad enough, but the security breaches also revealed that vast numbers of people follow dangerous password practices that can result in far worse problems.
If you haven’t examined your approach to making and using passwords recently, now is a good time to rethink your assumptions. Here are a few important facts about passwords you may not have realised – and what they mean for you.
WHAT YOU DON’T KNOW ABOUT PASSWORDS
Here are some key points to bear in mind as you create new passwords
Password reuse is a major danger
You know how it is – every time you turn around, another website or online service wants you to create a new password. Because that’s so tedious to do, you may be tempted to rely on shortcuts. But those shortcuts can get you in trouble. As a case in point, consider the common practice of using the same password for multiple sites.
Suppose you signed up for a LinkedIn account, and you used the same password that you previously chose for your Gmail account. Then, in June, you were one of the unlucky people whose LinkedIn password was leaked. An enterprising hacker who knew your LinkedIn password could have easily tried it with other popular services, so gaining access to your Gmail account would suddenly be child’s play.
That’s a problem, not just because someone could read or delete your email, but because you might use your Gmail address to access or reset other passwords. After clicking the Forgot Password link on other sites, the hacker could check your email to get access to accounts that use those other passwords. Even reusing a single password in two places could, in this way, cause cascading problems.
The best way to overcome a password reuse habit is to use a password manager, such as 1Password ($51.99 on the Mac App Store) or LastPass (free; US$12 per year for premium service via lastpass.com). These tools auto-generate passwords, store them securely and let you fill them in on websites with a single click or keystroke.
Hackers know your password tricks
When people are faced with the need to come up with a new password, their next biggest crutch after reusing passwords is to pick something that’s extremely easy to remember and type. As the lists of stolen passwords and other security research show, a lot of people still use ‘123456’, ‘password’ and other simple strings. Naturally these and the next several thousand most common passwords will be the first ones a hacker tries when attempting to break into an account. Likewise, you should avoid names, dates and common dictionary words.
Appending a number to a common word (password1, say) is an often-used method for complying with ‘Must contain a digit’ rules. And so are substituting numbers or symbols for letters – things like ‘p@ssw0rd’ – and using patterns of keyboard keys such as ‘edcrfvtgb’. The problem is, hackers are well-aware of such techniques.
As soon as you invent a new method for creating better passwords (such as padding a shorter password with repeated punctuation), the bad guys adapt accordingly. So don’t count on cleverness to protect your password. It might take a few milliseconds longer to guess ‘1d0ntkn0w’ than ‘Idontknow’, but remember that you’re up against machines that can make any substitution in the blink of an eye.
You want to make your passwords ‘unguessable’, even by someone who is smarter than you. The best way to do this is to construct them from random strings of characters, including uppercase and lowercase letters, numbers` and punctuation. Though it’s very hard for a human to create a truly random password, it’s quite easy for a computer to do. So once again, it’s better to rely on a password manager than on your brain.
14 is the new 8
Let’s imagine that an attacker is determined to get into your account, and the quick-and-easy hacks (such as checking dictionary words, along with common mutations) have failed. What then? The next step for the hacker is to use brute force, trying every possible password one by one.
Unfortunately, it’s getting easier and easier to find a match with this technique. A few years ago, a reasonably powerful system might have been expected to check a million potential passwords per second. Today, a single off-the-shelf PC can check several billion passwords per second, and a network of computers can check many times that number.
As a result, the advice you’ve read in the past about what constitutes a secure password may no longer be valid. For example, a password with eight or nine random characters is no longer sufficient to protect against a brute-force attack. Experts today recommend that you use longer passwords, often 12 to 14 characters. And that’s for passwords randomly generated by a computer. Passwords you create by hand must be even longer to have the equivalent strength.
All password managers allow you to select the password length you want; and our advice is that for any password that can be entered for you by an app (or copied and pasted), you might as well use the longest password the target service will accept. After all, the same keystroke that fills in a nine-character password can fill in one with 14 characters.
Of course, you must still commit certain passwords to memory or, for one reason or another, enter them manually. For such passwords, you can use a longer but less complex character string to achieve comparable security.
HOW TO REMEMBER PASSWORDS
As we’ve said, the best way to ensure that you never forget your passwords is to offload the task of remembering them to a password manager like 1Password. Most of the time, that’s the only trick you’ll need.
But no matter what tools you use, you’ll have to memorise at least a few passwords. Because those are among your most important, you don’t want to trade security for memorability.
Here are tips that can help you make sure your brain doesn’t betray you.
Pick which passwords to memorise
We have no idea what 99 percent of our passwords are. They’re long strings of random computer-generated characters. When we need to use them, we let our password manager fill them in for us, or we copy and paste them if necessary.
However, one password we’ve memorised cold is the one that we use to unlock all of the other passwords stored in our password manager. We’ve also memorised our OS X user account passwords, because we enter them many times a day and, since we use OS X’s FileVault, we need these passwords to start up our Macs before we can access any automated tools. Also, we’re frequently prompted to enter the passwords for our iCloud, Gmail and Dropbox accounts, so we’ve memorised those, too.
Your list may differ, but most people can get by with committing no more than half-a-dozen passwords to memory.
Choose a path to high entropy
Once you know which passwords you need to memorise, your next job is to choose passwords that are strong enough to defeat automated hacking attempts, yet memorable enough that you can produce them instantly – and for bonus points, they should be convenient to type.
You undoubtedly know the basic drill: all things being equal, longer passwords are better than shorter ones; random passwords are better than those that follow a pattern; and the best passwords combine upper- and lowercase letters, numbers and symbols.
It turns out, though, that a password doesn’t need to possess all of those qualities in order to be secure; for example, a long but simple password can be just as secure as a short but complex one. This is provable through a concept called entropy, which, in this context, refers to the mathematical approximation of how difficult a given password is to guess.
Depending on how you perform the calculation, the passwords ‘7H#e2U&dY4’ (10 random characters) and ‘blanketsensory’ (14 non-random characters) are approximately equal in strength, but the latter is much easier to remember and type. Even though it contains only lowercase letters, and blanket and sensory are both ordinary English words, the password’s entropy is high enough that a concerted brute-force attack would take days or weeks to crack it.
If your memory is excellent and limiting your passwords to the fewest possible characters is your biggest consideration, then go with a shorter random password – but remember that whereas short used to mean eight or nine characters, nowadays using 12 to 14 keystrokes is safer. Nevertheless, since most people can type long words faster than short bursts of random characters, you may find that a 25-character phrase is more convenient to enter in daily use than a 12-character string of nonsense.
Let a computer pick your passwords
We’ve sometimes advised people to use mnemonic cues to remember passwords. For example, taking a sentence such as ‘I once drank three cups of coffee before realising it was decaf’, and using just the first letter of each word, with a capital and a number thrown in, creates ‘Iod3cocbriwd’ – a reasonably strong password.
But because humans unconsciously tend to introduce patterns into passwords produced through these means (which makes guessing the password easier), we let a computer create a selection of random (but memorable) passwords, and then we choose one that sounds good.
You have numerous ways to do this.
If you open Keychain Access on your Mac (in /Applications/Utilities), choose File > New Password Item, and click the key icon next to the Password field, a Password Assistant window will appear. Choose Memorable from the Type pop-up menu, and select a password length.
The utility will produce a password consisting of a combination of words, numbers and symbols (such as ‘nineteenth8590.middlingly’ or ‘baiting325@ certifications’). Don’t like the first suggestion that you see? Click the pop-up menu to generate more, or choose More Suggestions from that menu to get another list.
1Password’s password generator also has a mode that creates a series of pronounceable syllables (not necessarily English words), with or without intervening digits or hyphens – such as ‘liegnicroci’, l’ieg7ni2croc5i’ or ‘lieg-ni-croc-i’.
To generate them in the 1Password app, choose File > New Item > New Password, click Pronounceable and select the separator and length that you prefer. Click the Refresh button to see another password choice. (The directions are similar when you’re using 1Password’s browser extensions, although the layout and options are slightly different.)
Have backup plans
If you’re afraid you’ll forget your memorable passwords, you can write them down, as long as you keep that paper in a safe place. Your wallet may be a fine location (indeed, security expert Bruce Schneier recommends it – see www.schneier. com). Also, consider giving a copy to your spouse or a trusted friend, or putting it in a safe deposit box. If something happened to you, and your family or business associates urgently needed access to your data, the security of storing your passwords only in your head would work against you.
MANAGING PASSWORDS WITH KEYCHAIN ACCESS
In the innocent days of our computing youth, many of us had to memorise just one password – the one we used to send and retrieve our email over a glacially slow dial-up connection. User-account passwords? For geeks. Shopping-site passwords? What shopping sites? iTunes Store? App Store? Didn’t exist.
In what may seem like a giant step backward, we now juggle dozens of passwords. Fortunately, our Macs can store those passwords and, in many cases, automatically fill them in when needed. But there’s more to know about passwords and the Mac’s ability to store them. Here’s a quick guide to what you can – and can’t – do with OS X’s passwords.
Keychains are key
Ever since Mac OS 8.6, the Mac has managed passwords with Keychain, Apple’s password- management system. The Keychain Access application (/Applications/Utilities) is the front-end to that system. It stores a wide range of items
– including passwords for email, websites, servers, network shares, Wi-Fi networks and encrypted disk images. Whenever you save a password, it’s stored in the Mac’s keychain.
The Mac places its various keychain files in multiple locations: /System/Library/Keychains; /Library/ Keychains; and youruserfolder/Library/Keychains. Thankfully, the contents of these different keychain files are combined into Keychain Access, so you needn’t worry about where they reside.
Launch Keychain Access, and you’ll see that the window is divided into three panes. The top-left pane lists keychains that are accessible to you. Below that is the Category pane, where you can view specific kinds of things stored in the keychain – passwords, secure notes, certificates associated with your account, encryption keys and certificates used broadly by your Mac.
The largest pane, to the right, displays the contents of selected category items – for example, all of the items that have a password associated with them. Except in the case of certificates, you can double-click on one of these items to open a window where you can view the item’s attributes – name, kind, associated account, location (a website or network address) – as well as its access control (meaning the applications and services that are allowed to access the item).
If you want to retrieve a forgotten password, Keychain Access is the place to go. To learn the identity of a password, select All Items or Passwords in the Category pane, find the item that you want the password for and double-click it. In the resulting window, enable the Show Password option. You’ll be prompted for the password for the login keychain. Enter that and click Allow, and the password will appear in the Password field.
Change the login keychain’s password
When you first set up a user account, the account’s login password is also assigned to the login keychain, where new passwords are stored by default. So you can simply enter the password you use with your account to uncover a keychain item’s secrets.
If there’s a flaw in the Keychain Access security setup, this is it. Anyone who knows your account’s password can access the items in this keychain and then discover your other passwords. If you’re concerned about that vulnerability, you can easily change the password for the login keychain.
In Keychain Access, select the login keychain and choose Edit > Change Password For Keychain ‘login’. You’ll be prompted to enter your current password (the one you now use for your user account) and then enter and verify a new password. To do this, log out of your account and then back in; when the Mac needs to use one of the passwords stored in the login keychain, you’ll be prompted to enter it.
Auto-lock the keychain
By default, once you’ve logged in, your keychain will be unlocked, which isn’t terribly secure if others can access your Mac when you’re not around. You can add a level of security that auto-locks your keychain. To do that, launch Keychain Access, select your login keychain and choose Edit > Change Settings for Keychain login.
The sheet that appears shows two options: ‘Lock After X Minutes of Inactivity’ and ‘Lock When Sleeping’. If you choose the first option and configure it to read something like five minutes, your keychain will automatically lock if it hasn’t been accessed in the previous five minutes.
If an application needs access to your keychain after that time limit has expired, you’ll be prompted for your login keychain password. If you enable the ‘Lock When Sleeping’ option, your keychain will lock when your Mac goes to sleep. Click Save to implement the options you selected.
If you forget
You’ve changed the login keychain’s password and forgotten the new password. Is there any hope? Regrettably, no. Apple uses the Triple Digital Encryption Security standard, or 3DES, to secure the keychain. You’ll just have to start over.
Remove the old login keychain from Keychain Access and create a new one: in the Finder, select Go > Go to Folder, and enter youruserfolder/ Library/Keychains. A Keychains folder containing your personal keychains will open. Find the login.keychain file, and drag it to a safe place on your Mac.
Now launch Keychain Access and select the login item that appears in the Keychains pane. It appears as an empty box, indicating that it’s missing from the Keychains folder. Choose File > Delete Keychain ‘login’. In the resulting sheet, click Delete References.
Now choose File > New Keychain. In the resulting Save dialogue box, name the new keychain ‘login’ and save it to the default location (your account’s Keychains folder). You’ll be prompted to create and verify a password for this keychain. The passwords that you add will now appear in this keychain. And, yes, you’ll have to re-enter passwords stored in the old keychain when prompted.
Share your login keychain
If you have multiple Macs, you may find it convenient for each computer to have access to the same keychain. Here’s how to do it: first, make a copy of the login.keychain file inside the Keychains folder on the Mac that has the most complete set of passwords, and copy it to your other Macs.
Remove the login.keychain file from each Mac’s Keychains folder and put it in a safe place in case something goes wrong. Place the copied login keychain file in the user’s Keychains folder. Log out and then log back in. If the login password on the Mac you’re currently using is different from the one on this master Mac, you’ll receive a prompt asking you to provide the login keychain’s password. Once you enter it, you should have access to the same passwords as that master Mac.
HOW TO MAKE SECURITY QUESTIONS MORE SECURE
When you create a password, you may choose to store it in a password manager, write it down or commit it to memory. Sometimes, however, things go wrong: you find yourself without access to your password manager, you lose the paper on which you recorded your passwords, you forget a password you thought you had memorised or you remember it incorrectly too many times and get locked out of the account.
In such cases, online services need a secondary way of granting you access to your account or your data. Sometimes, the provider lets you click a link to have your existing password, a new password or password-reset instructions sent to the email address you have on file. But if those mechanisms seem too insecure, the site may ask you to respond to some verification questions for which you’ve previously provided the answers.
Unfortunately, password-reset messages and verification questions come with their own problems and risks. You can reduce your chances of being hacked – or of being unable to respond correctly to one of these questions – by following a few simple tips.
Prevent password-reset mischief
Of all your passwords, the one for your email account may be the most valuable. That’s because whoever has access to your email account can read and click links included in any password-reset messages you receive (such as when you click an ‘I Forgot My Password’ link). A hacker who has guessed or stolen just that one password can unlock many of your other accounts and do all sorts of damage.
You can limit your risk here in a couple of ways.
Set up a dedicated password-reset account
Consider setting up a new email account for yourself (using a free service such as Gmail) with an address that you’ll never share or post publicly.
Use this account only when you’re prompted to supply an email address for the purpose of verifying or resetting a password. That way, even if someone breaks into your main email account, your other accounts won’t be compromised.
Take extra care with your email account password
Choose an especially secure password for your email account. Make sure to set your email client to communicate securely with the mail server – using Secure Sockets Layer (SSL) protocols for example – so that your password never travels over the air unencrypted. In Apple’s Mail, select Mail > Preferences, click Accounts, choose an email account from the list and click Advanced. There you’ll see the option Use SSL.
Question the questions
Security questions are supposed to have answers that you’ll remember, but that most other people won’t be able to guess. Unfortunately, most of the questions you’ll see aren’t secure at all.
Your mother’s maiden name, for example, is a matter of public record; and if you ever wrote a Facebook post about your first pet, that is in the public domain, too. Some questions could have multiple answers. Where did you meet your spouse? That might be in Sydney or at the Opera House.
Devise memorable lies
To address such problems, lie. And don’t just lie, but come up with one or more answers that follow the same rules as other passwords, to prevent guessability. Use either a reasonably long (but memorable) phrase or a series of random characters.
So, what was the name of my first pet? Why, it was ‘bookends-qualitative’. My mother’s maiden name? Her dad was ‘Mr. E27jrdU!8’. It doesn’t matter what answers you give, as long as you and only you know what they are.
One security expert says that he normally uses the same pseudo-random answer everywhere, although some companies (including Apple) require you to give different answers to each of several questions – meaning that you have even more password-like data to keep track of. Of course, you can write down your answers or store them in a password manager, but then the same problems that stop you from accessing your password could prevent you from accessing your security answers. You might make up a little story for yourself about fictional parents, cars, pets and the like that you can then draw on when asked for security answers on different sites.
Keep answers phone-friendly
Remember that you could wind up in a situation where you have to supply these answers over the phone. Both you and the person on the other end will have an easier time coping with a series of plain-English words than with a bunch of random characters.
Update your Apple info
To change the questions or answers for an Apple ID (which you use for iCloud, for example), go to the Apple ID page (appleid.apple.com), click Manage your Apple ID, enter your username and password, and click Sign in. On the left, choose Password and Security. Answer your existing security questions, and click Continue. Then you can choose new questions and answers. Click Save.
Update your Google info
If you have a Google account, log in as you normally would. Click the gear icon located in the upper-right corner of the window and choose Settings from the pop-up menu. Click Accounts and Import, followed by Change password recovery options. Under Security question, click Edit. Choose one of the existing questions or write your own, and fill in your answer. If you also want to change your secondary address, click the Edit link in the ‘Recovery email address’ section and fill in the new address. Then click Save.
By Joe Kissell