After about 3 years of using the same password I decided it was about time to create a new one. I simply don’t think my password is secure enough. But how do you make a secure password?
Common guidelines:[1]
- Keep the password at least 8 characters long.
- Use mixed case letters and mix in numbers. Include special characters if possible.
- Use different passwords for different sites.
- Change passwords every 3 months.
- Do not include personal information.
- Do not include sequences or repeated characters.
- Do not include dictionary words, abbreviations or common misspellings.
- Do not write your password down (or at least keep it inaccessible for unauthorized people).
I will admit that I use the same password everywhere and I do not think it is feasible to have a separate password for each site. Since you have to create logins for about every site out there, you easily end up having to remember 20-30 passwords. To have a separate password for each site you easily end up making a list of them which is potentially unsafe. And then you have to change all the passwords once in a while which is honestly a pain to do.
Avoiding security
It is near impossible to keep security at a maximum everywhere you go, so why even try? Actually, wouldn’t it be better to avoid the need for security at all?
How many of the 20 to 30 accounts are actually important to keep safe? I tried making a list and I would say I only have one, my “NemID” account which gives access to banking accounts and services by the government.
So what makes an account important? The importance of an account is equal to the loss you experience when it is hijacked. Based on this I make three categories of web-accounts:
- Sites dealing with money (banks, stores, casino)
- Personal content (personal websites, blogs, YouTube)
- Social networking (Facebook, chats, forums)
Minimizing loss
Instead of just accepting how important an account is, it is much better to actively make it less important, in other words, to minimize the loss in the worst-case scenario.
With sites dealing with money, as far as possible, make sure they only deal with an account which can’t be overdrawn and only keep a small amount of money in that account at any given time.
If the site contains personal content like WordPress, YouTube, and deviantART, always keep a local backup so you can create a new account and restore the content. You might lose ratings and the like, but it is still the content which is important.
My plan
Important accounts will have a strong password which is changed every 3 months. (Actually, the only account in this category is my bank account.) Passwords will be automatically generated.
Semi-important accounts like my WordPress and SourceForge accounts will have a single medium-strong password which will rarely be changed. Backups will be taken of personal content. The password will most likely be an obfuscated passphrase which is easy to write.
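The guidelines listed at the top of the post and the "automatically generated" passwords for important accounts can both be turned into code. The block below is an added example, not the author's own tooling: it checks a candidate password against those guidelines (length, mixed case, digits, special characters, sequences, repeated characters, dictionary words, personal information) and generates passwords from the operating system's CSPRNG (`secrets`) until one passes the check. The small dictionary and the personal-information tuple are constructed for the demo; a real deployment would load a proper word list.

```python
import math
import re
import secrets
import string

# Constructed mini word list standing in for a real dictionary (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "dragon", "monkey"}

# Character classes used by the generator; SPECIAL is a subset of string.punctuation
# chosen to avoid characters that some sites reject (assumption).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!#$%&*+-=?@^_"


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters (abc, 321)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeat(pw: str, run: int = 3) -> bool:
    """True if any character is repeated `run` or more times in a row (aaa, 111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """Case-insensitive substring match against the word list."""
    low = pw.lower()
    return any(w in low for w in COMMON_WORDS if len(w) >= min_len)


def estimate_bits(pw: str) -> float:
    """Rough entropy estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c in LOWER for c in pw):
        pool += len(LOWER)
    if any(c in UPPER for c in pw):
        pool += len(UPPER)
    if any(c in DIGITS for c in pw):
        pool += len(DIGITS)
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if has_sequence(pw):
        problems.append("contains a character sequence")
    if has_repeat(pw):
        problems.append("contains repeated characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    low = pw.lower()
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    return problems


def generate_password(length: int = 16, attempts: int = 100) -> str:
    """Generate a password with the CSPRNG that satisfies check_password()."""
    if length < 8:
        raise ValueError("length must be at least 8")
    classes = [LOWER, UPPER, DIGITS, SPECIAL]
    pool = "".join(classes)
    rng = secrets.SystemRandom()  # CSPRNG-backed shuffle
    for _ in range(attempts):
        # One character from each class guarantees mixed case, digit and special;
        # the rest is drawn uniformly from the whole pool.
        chars = [secrets.choice(c) for c in classes]
        chars += [secrets.choice(pool) for _ in range(length - len(classes))]
        rng.shuffle(chars)  # hide which positions were the guaranteed picks
        candidate = "".join(chars)
        if not check_password(candidate):  # reject sequences, repeats, dictionary hits
            return candidate
    raise RuntimeError("could not generate a compliant password")


if __name__ == "__main__":
    for sample in ("password", "Peter1990!x", "Tr0ub4dor&3"):
        print(sample, check_password(sample, personal=("Peter",)), round(estimate_bits(sample), 1))
    pw = generate_password(16)
    print("generated:", pw, round(estimate_bits(pw), 1), "bits")
```

The checker reports every violated rule rather than a single yes/no, which is what you want when telling a user why a password was rejected. The entropy figure is an upper bound: it assumes every character was chosen uniformly, which is true for the generator but not for a human-chosen password, so it should be read as "at most this many bits".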
Unimportant accounts (which are about 75%) will just use the old password.