The Secret Password Is...
Anyone who was a geek in the 1990s knows that all the cool kids would use numbers in their user names. Whether it was l33th@ck3r or z3r0c00l (or shawnp0wers), substituting numbers and characters for letters does add a layer of complexity. It's certainly not enough on its own—don't think the crafty use of an @ symbol or a few "3"s for "e"s will keep you safe—but if you add that to the mnemonic method, it certainly will help. "sIpmnwn1il,bInetb" looks similar to the eye to my password above, but it is much more resistant to a brute-force attack.
In addition to the above-mentioned methods for increasing complexity, another way to make your password stronger is to join two phrases with a short string of numbers or characters instead of a single separator. Continuing with our booger-picking example above, what if instead of using a comma to separate the phrases, I used a short string of numbers? On its own, something like 6229 is horribly insecure, but in "sIpmnwn1il6229bInetb" it turns an already good password into a really impressive one that is still simple to remember. Because the number sits in the middle of a longer character string, using an easy-to-remember number is acceptable here.
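To put a rough number on the "more resistant to brute-force" claims above, here is an added example (not code from the original article) that estimates the search space an exhaustive attacker would face for the passwords discussed on this page. It assumes the attacker must try every string over the character classes the password uses, so it is an upper bound: a password built from a phrase is less random than that, and the model gives no extra credit for where the digit block sits. The guess rate of 1e10 per second is an assumed figure for an offline attack against a fast hash.

```python
import math
import string

# Character classes an attacker has to add to the search alphabet once any
# member of the class appears in a password.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def charset_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def bruteforce_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search must cover."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to enumerate the whole space at an assumed guess rate."""
    seconds = 2 ** bruteforce_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Passwords taken from this article; "abc123" is the weak baseline it mentions.
    for pw in ("abc123", "sIpmnwn1il,bInetb", "sIpmnwn1il6229bInetb"):
        print(f"{pw:24} alphabet={charset_size(pw):3} "
              f"bits={bruteforce_bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
```

Running it shows the comma version at roughly 111 bits and the 6229 version at roughly 119 bits; the gain comes almost entirely from the three extra characters, not from the digits themselves, which is why length matters more than any single substitution trick.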
Based on just a few tricks, I've managed to come up with an excellent password that is easy to remember and not terribly difficult to type. Yay! I'm done! Well, yes and no.
Hey, That's My Luggage Combination!
The problem is that most people log in to more than one computer system or Web site. Some Web site designers have started to adopt an OpenID sort of authentication system, which allows authentication without actually using a separate password, but that isn't the case everywhere. At least in the near future, we'll be stuck with logins and passwords for multiple Web sites. In a perfect world where Web sites store only well-encrypted passwords, and bad guys never steal password databases, a single well-made password would suffice. That is not the world we live in.
It seems every day there's a company whose Web site has been compromised and whose passwords have been leaked. Granted, it's often fun to see what sorts of passwords other people use, but it's a sinking feeling to find your own password on the list of compromised accounts, especially if it's the same password you use everywhere. The problem is, coming up with a new password for every Web site is difficult to manage.
If you're consistent and sneaky enough, you might be able to have a "pattern" that only you know. For example:
wIvljdc_Iapmn = when I visit Linux Journal dot com, I always pick my nose.
wIvadc_Iapmn = when I visit Apple dot com, I always pick my nose.
wIvwpdo_Iapmn = when I visit Wikipedia dot org, I always pick my nose.
Yes, looking at them side by side, it's easy to tell what the pattern is, but if only one is compromised, it's not terribly clear. Also, in the above examples I used the letters that made sense to me; they don't line up with syllables, but with where the word breaks fall in my head.
One Ring to Rule Them All
For many security-conscious readers, possibly even you, these lessons in good password practice may make you angry. For you, if a password isn't 128 characters long, with a combination of letters, symbols, numbers and fairy spells, it's not good enough. I understand—really, I do. Sadly, I also understand that most of the world still thinks "abc123" is a perfectly cromulent password. For you, my cyborg friend, there are password management tools.
When every site has a password like "af&6fw^faew^@f88*hlDSLjfe8wlsfyy&&8s0##~", it goes beyond simple mnemonics to remember. Thankfully, there are tools like KeePassX, which is an excellent password manager for Linux, discussed at length by Anthony Dean in the May 2010 issue (http://www.linuxjournal.com/content/keepassx-keeping-your-passwords-safe).
The idea behind programs like KeePassX, or the popular browser-based LastPass, is that you can keep your passwords as complex, and even as random, as you like. The programs keep your passwords encrypted and require a master password to unlock them. (When creating a master password, it's very important to follow some sort of complexity strategy, like the one I outlined earlier in this article.)
With a password manager, you can let your brain keep track of a single password, knowing you can retrieve whatever ultra-safe password you need for a site or computer at any time. Granted, this means relying on a program to keep track of your information, so you'll have to use the program to retrieve it, but with programs like LastPass, there are applications for pretty much every operating system, browser and smartphone in existence. It is usually the only practical way to keep truly random passwords in order. If you can train yourself to use a program or service to manage passwords, it can change the way you think of security. It also can keep you safe if a particular account is hacked. The system is only as secure as the master password, however, so be sure that's a good one!
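The two properties described above, one master password that gates everything and per-site passwords that are genuinely random, can be shown in a few lines. The following is an added example, not code from KeePassX, LastPass or the article: it derives a key from the master password with PBKDF2, keeps only a domain-separated verifier of that key (never the key itself), refuses a master password that fails the complexity advice given earlier, and generates site passwords from the operating system's CSPRNG. It keeps the entries in memory and does not encrypt them; a real manager would encrypt the store with the derived key using an authenticated cipher from a vetted library. The `Vault` class, its method names and the round count are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
KDF_ROUNDS = 600_000  # assumed work factor; tune for ~0.5 s on the target machine


def master_password_ok(master: str) -> bool:
    """Apply the article's advice: long, and drawn from several character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    used = sum(1 for cls in classes if any(c in cls for c in master))
    return len(master) >= 12 and used >= 3


def generate_site_password(length: int = 32) -> str:
    """Uniformly random password over ALPHABET, one character per CSPRNG draw."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_key(master: str, salt: bytes) -> bytes:
    """Slow, salted derivation so an offline guess costs KDF_ROUNDS hashes."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, KDF_ROUNDS)


def key_verifier(key: bytes) -> bytes:
    """Domain-separated hash of the key; storing this reveals nothing usable
    as an encryption key even if the vault file is stolen."""
    return hashlib.sha256(b"vault-verifier:" + key).digest()


class Vault:
    """Master-password-gated store of random per-site passwords (constructed example)."""

    def __init__(self, master: str):
        if not master_password_ok(master):
            raise ValueError("master password does not meet the complexity rules")
        self.salt = secrets.token_bytes(16)
        self.verifier = key_verifier(derive_key(master, self.salt))
        self._entries: dict[str, str] = {}
        self._locked = True

    def unlock(self, master: str) -> bool:
        candidate = key_verifier(derive_key(master, self.salt))
        # Constant-time compare so the check does not leak how many bytes matched.
        if hmac.compare_digest(candidate, self.verifier):
            self._locked = False
        return not self._locked

    def lock(self) -> None:
        self._locked = True

    def _require_unlocked(self) -> None:
        if self._locked:
            raise PermissionError("vault is locked")

    def add_site(self, site: str, length: int = 32) -> str:
        """Create and store a fresh random password for a site."""
        self._require_unlocked()
        self._entries[site] = generate_site_password(length)
        return self._entries[site]

    def password_for(self, site: str) -> str:
        self._require_unlocked()
        return self._entries[site]


if __name__ == "__main__":
    vault = Vault("sIpmnwn1il6229bInetb")   # master password from this article
    assert vault.unlock("sIpmnwn1il6229bInetb")
    print("linuxjournal.com ->", vault.add_site("linuxjournal.com"))
    vault.lock()
```

Because every unlock attempt costs a full PBKDF2 run, a stolen vault file only helps an attacker as much as the master password is guessable, which is exactly why the article insists that the master password is the one you have to get right.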
Not Quite a Retina Scan...
Thankfully, some companies are taking an honest look at users and realizing password security isn't something they can force-feed. Regardless of articles like this, people still will use the names of their dogs to secure their bank accounts. Some companies have begun to use two-step authentication, which adds a physical response to a password challenge.
Someone certainly can steal your password, but what if in order to log in to your e-mail account, you not only had to enter your password correctly, but also had to respond to a text message sent to your phone? It certainly would eliminate the long-distance hacks, because it's unlikely hackers even would know your cell-phone number, much less be able to respond to a text message sent to it.
Two-step, or two-factor, authentication isn't terribly popular yet, but the concept is powerful. If we can continue to come up with complex, yet convenient methods for proving identity, we will make the world safer and safer. That doesn't mean we can become lax about how we create our passwords, however, because at least for the near future, secure passwords are the only way to keep our data private.
So Class, What Did You Learn?
You all learned that Shawn apparently picks his nose—at every Web site he visits. Seriously though, hopefully this article has helped you figure out your own method for creating passwords. Please don't use my exact method, but rather use it to come up with your own. Until we can have retinal scanners on every laptop, we're going to have to secure our passwords the old-fashioned way, like barbarians. So remember, "Sdrphn,iwoae!" (Shawn doesn't really pick his nose, it was only an example.)
Password image via Shutterstock.com.