THE SQL Server Blog Spot on the Web

Welcome to SQLblog.com - The SQL Server blog spot on the web Sign in | |
in Search

Buck Woody

Carpe Datum!

Online Password Security Tactics

Recently two more large databases were attacked and compromised, one at the popular Gawker Media sites and the other at McDonald’s. Every time this kind of thing happens (which is FAR too often) it should remind the technical professional to ensure that they secure their systems correctly. If you write software that stores passwords, it should be heavily encrypted, and not human-readable in any storage. I advocate a different store for the login and password, so that if one is compromised, the other is not. I also advocate that you set a bit flag when a user changes their password, and send out a reminder to change passwords if that bit isn’t changed every three or six months. 

 

But this post is about the *other* side – what to do to secure your own passwords, especially those you use online, either in a cloud service or at a provider. While you’re not in control of these breaches, there are some things you can do to help protect yourself. Most of these are obvious, but they contain a few little twists that make the process easier.

 

Use Complex Passwords

This is easily stated, and probably one of the most un-heeded piece of advice. There are three main concepts here:

·         Don’t use a dictionary-based word

·         Use mixed case

·         Use punctuation, special characters and so on

 

So this: password

Isn’t nearly as safe as this: P@ssw03d

 

Of course, this only helps if the site that stores your password encrypts it. Gawker does, so theoretically if you had the second password you’re in better shape, at least, than the first. Dictionary words are quickly broken, regardless of the encryption, so the more unusual characters you use, and the farther away from the dictionary words you get, the better.

 

Of course, this doesn’t help, not even a little, if the site stores the passwords in clear text, or the key to their encryption is broken. In that case…

 

Use a Different Password at Every Site

What? I have hundreds of sites! Are you kidding me? Nope – I’m not. If you use the same password at every site, when a site gets attacked, the attacker will store your name and password value for attacks at other sites. So the only safe thing to do is to use different names or passwords (or both) at each site. Of course, most sites use your e-mail as a username, so you’re kind of hosed there. So even though you have hundreds of sites you visit, you need to have at least a different password at each site.

 

But it’s easier than you think – if you use an algorithm.

 

What I’m describing is to pick a “root” password, and then modify that based on the site or purpose. That way, if the site is compromised, you can still use that root password for the other sites.

 

Let’s take that second password:

P@ssw03d

 

And now you can append, prepend or intersperse that password with other characters to make it unique to the site. That way you can easily remember the root password, but make it unique to the site. For instance, perhaps you read a lot of information on Gawker – how about these:

 

P@ssw03dRead

ReadP@ssw03d

PR@esasdw03d

 

If you have lots of sites, tracking even this can be difficult, so I recommend you use password software such as Password Safe or some other tool to have a secure database of your passwords at each site. DO NOT store this on the web. DO NOT use an Office document (Microsoft or otherwise) that is “encrypted” – the encryption office automation packages use is very trivial, and easily broken. A quick web search for tools to do that should show you how bad a choice this is.

 

Change Your Password on a Schedule

I know. It’s a real pain. And it doesn’t seem worth it…until your account gets hacked. A quick note here – whenever a site gets hacked (and I find out about it) I change the password at that site immediately (or quit doing business with them) and then change the root password on every site, as quickly as I can.

 

If you follow the tip above, it’s not as hard. Just add another number, year, month, day, something like that into the mix. It’s not unlike making a Primary Key in an RDBMS.

 

P@ssw03dRead10242010

 

Change the site, and then update your password database. I do this about once a month, on the first or last day, during staff meetings. (J)

 

If you have other tips, post them here. We can all learn from each other on this.

Published Tuesday, December 14, 2010 7:11 AM by BuckWoody

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

Wes W. said:

The best solution I've found:  LastPass (http://www.lastpass.com)

(I'm in no way affiliated other than a happy user.)

Then just use the password generator to create a unique login username and unique password for every site.

Steve Gibson did a nice analysis on the security implementation of LastPass:  http://www.grc.com/sn/sn-256.htm

December 14, 2010 10:41 AM
 

Nick said:

KeePass.

http://keepass.info/

http://en.wikipedia.org/wiki/KeePass

It's open source, free and available on most platform (and phones). Can even run from your USB key on windows.

December 14, 2010 5:45 PM
 

DonRWatters said:

Another tip is to make sure that your password is easy to type, so that shoulder surfers can't pick up on your typing.  If your password is complex but hard to type, it'll be really easy for folks to pick up on it.

December 14, 2010 7:20 PM

Leave a Comment

(required) 
(required) 
Submit

About BuckWoody

http://buckwoody.com/BResume.html

This Blog

Syndication

Powered by Community Server (Commercial Edition), by Telligent Systems
  Privacy Statement