This is Part II of an ongoing series in basic internet security for web users. Last time, we talked about email accounts and how important it is to keep them secure. In this post, I want to talk about passwords - how to keep them "strong" and the best practices for creating them.
In short, there are 3 habits for keeping your online passwords secure:
- Use a unique password for every important online account (banks, etc.).
- Create “strong” passwords, which are harder for hackers to obtain.
- Look for “HTTPS”, which keeps your password from being read while it travels to the website.
1. Important Accounts Need Unique Passwords
This point relates somewhat to the previous security post. While most of us have one password we use for every website, doing so is very dangerous. If a hacker were to steal your password from one website, that person could probably log in to every site where you have an account (especially if he or she knew your email address). Think of it like this - if you had your life savings stashed in 10 different safes, would you give them all the same combination code?
If you want more motivation, think about how many people work on or around the average website. For all your online accounts, do you trust every programmer, subcontractor, temp worker, or janitor who works for each company? You might be surprised at how accessible your information is - personally, that scares me more than the prospect of an outside hacker stealing information.
To keep your web activity secure, every online account you have with a bank or financial site needs a unique password. No exceptions. As I mentioned last time, your email needs a separate password too.
I know remembering all these passwords won't be easy. However, there are a few tools to help you out. For example, CP-Lab makes an encrypted software program to store your passwords. You can even copy them to the clipboard for easy pasting into a login page. Or, there is the Handy Password Manager, which has similar functionality. Both of these utilities sell for around $30.
2. Strong Passwords - Why Websites Make You Enter Weird Characters
Many sites require numbers, non-letter characters, and/or a minimum password length. Annoying? Yes, especially if the addition doesn't fit into your normal password that well. However, it keeps your password from being a common word or phrase, which is the next important part of password security.
You might think that strong passwords are important because the extra characters make your password harder to guess, but that’s not the main purpose (although that might help keep your kids out of your online accounts). The real benefit is that they make your password less likely to be in a hacker's "password dictionary". If you're willing to listen, I’ll explain why you should care about that.
[A small aside - please accept my apologies for the overly technical explanation in the following paragraphs. If you're not interested in the gory details of strong passwords, please feel free to skip to the next section. Just remember that passwords for EVERY critical website should include numbers and non-letter characters, whether the site requires them or not.]
Password dictionaries come into play with websites that store what are called “hashed” passwords. Instead of storing passwords in plain text, these websites use hashing functions to turn them into long strings of letters and numbers. These new strings can’t be reversed – if I told you the hashed version of my password for this blog, you couldn’t turn it back into my actual password. How does a website log you in if it doesn’t know your password? It hashes the password you provide when you log in and compares it to the stored version (which is also hashed, remember). You can learn more about a popular hashing function called SHA1 here.
OK, here’s how this applies to strong passwords. Hackers, of course, know about hashing and have found a countermeasure. There are only a handful of hashing functions in common use (they’re hard to design well – MD5 came out of MIT and the SHA family out of the NSA), so a hacker knows in advance which few functions a website is likely to be using. Hackers realized they could build databases that store common passwords alongside their hashed versions under each of those functions. Then, when they gain access to a website's password database, they simply look up each stolen hash in their own database and read off the real password. These precomputed lookup tables (“rainbow tables” are a compact variant) only contain passwords someone thought to include, which is why you need a strong password - you are ensuring that your password is not a common word and is therefore less likely to be in a hacker’s database.
[Another side note - for any programmers reading this, I know I am ignoring a few other security techniques, like password salts. Those are a bit outside the scope of this article, I am merely trying to show why strong passwords are a good idea for end users. If you want more information on password security, Keith Brown has written a nice article in MSDN.]
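To make the two preceding points concrete (why a strong password stays out of the hacker's table, and what the salt mentioned in the aside changes), here is a small worked example. It is added here and is not code from the original post; the password list, the two user accounts and the "stolen" database are all constructed for illustration, and it assumes, as the post does, that the breached site stored unsalted SHA-1 hashes.

```python
import hashlib
import os

# Constructed stand-in for a hacker's "password dictionary"; real ones hold
# hundreds of millions of entries harvested from earlier breaches.
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "password1", "monkey", "dragon", "baseball", "football",
]


def sha1_hex(password: str) -> str:
    """Hash a password the way the post describes an unsalted site storing it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext for every candidate password.

    The attacker does this once, long before any database is stolen.
    """
    return {sha1_hex(p): p for p in candidates}


def crack(stolen_hashes, table):
    """Map each stolen hash to its plaintext, or None if the table lacks it."""
    return {h: table.get(h) for h in stolen_hashes}


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Same hash, but with a per-user random salt prepended (the aside's 'salt')."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def crack_salted(stolen_hash: str, salt: bytes, candidates):
    """With a salt the precomputed table is useless: every candidate has to be
    rehashed with this user's salt, so the work is repeated for each account.
    A weak password is still found, just more slowly."""
    for candidate in candidates:
        if salted_sha1_hex(candidate, salt) == stolen_hash:
            return candidate
    return None


# Constructed "stolen database": two users, one weak password, one strong one.
WEAK = "letmein"
STRONG = "Kx7!pwq-2vZ#"   # not a dictionary word, so absent from the table
STOLEN_DB = {"alice": sha1_hex(WEAK), "bob": sha1_hex(STRONG)}


def demo():
    """Return (who was cracked, salted hash found in table?, salted rehash result)."""
    table = build_lookup_table(COMMON_PASSWORDS)
    recovered = crack(STOLEN_DB.values(), table)
    results = {user: recovered[h] for user, h in STOLEN_DB.items()}

    salt = os.urandom(16)
    salted_weak = salted_sha1_hex(WEAK, salt)
    in_table = salted_weak in table                                  # False
    by_rehash = crack_salted(salted_weak, salt, COMMON_PASSWORDS)    # "letmein"
    return results, in_table, by_rehash


if __name__ == "__main__":
    print(demo())
```

Running it shows alice's "letmein" recovered instantly from the table while bob's password comes back as None; the salted section shows that a salt defeats the precomputed table but not a fresh dictionary run against a weak password, which is why the strong password matters even on a site that salts.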
3. Always Look for 'HTTPS'
OK, this is the last habit to learn. HTTP is the protocol the web runs on. HTTPS is just like HTTP, but it operates over what's called SSL (Secure Sockets Layer, today usually its successor TLS). Whereas HTTP works in clear text (that anyone on the path could read), HTTPS is encrypted. The details of how this works are beyond this post; for now just understand that HTTPS ensures that your web transaction cannot be viewed by anyone but the website for which it is intended, and that the website on the other end really is the one named in the address bar.
The reason you should look for HTTPS when entering important passwords is that the internet is, by definition, a very public place. Your transmission must travel through a number of networks to reach its destination, exposing your password to more people than you might like. Using HTTPS makes your password unreadable during this transmission.
Making sure you do this isn’t hard. Whenever you log in or enter your credit card number, make sure the web page is using HTTPS. This should be pretty obvious - the address bar will begin with those characters (i.e. “https://www.yourwebsite.com”). Your web browser may also display a padlock or change the color of the address bar for HTTPS sites.
Not all sites will use HTTPS for passwords, but important ones will. If a website doesn’t use it, make sure you are using a password that is not connected to any important accounts.
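The check above is easy to get slightly wrong: what matters is the scheme at the very start of the address, not whether the word "https" appears somewhere in it. The following added example (not code from the original post; the login-page addresses are constructed) shows the distinction using Python's standard URL parser.

```python
from urllib.parse import urlsplit


def uses_https(url: str) -> bool:
    """True only when the address's scheme is https.

    The check looks at the parsed scheme, so 'https' appearing in the host
    name or path does not count, an uppercase scheme still counts, and an
    address with no scheme at all is treated as not encrypted.
    """
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def check_login_pages(urls):
    """Classify each address as HTTPS (True) or not (False)."""
    return {u: uses_https(u) for u in urls}


# Constructed addresses illustrating the cases a reader is likely to meet.
LOGIN_PAGES = [
    "https://www.yourbank.example/login",          # encrypted
    "http://www.yourbank.example/login",           # clear text
    "http://www.yourbank.example/https/login",     # 'https' in the path only
    "http://https-login.example.com/",             # 'https' in the host only
    "HTTPS://www.yourbank.example/login",          # uppercase scheme still counts
    "www.yourbank.example/login",                  # no scheme: assume nothing
]


if __name__ == "__main__":
    for url, ok in check_login_pages(LOGIN_PAGES).items():
        print(("OK    " if ok else "AVOID ") + url)
```

Only the first and fifth addresses pass; the two that merely contain the word "https" are flagged, which is exactly the trick a look-alike login page would use.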
Conclusion
Protecting your passwords is far more important than most people think. Luckily though, it isn’t really that hard. These three habits can help you improve the security of your online accounts and identity.
Happy web travels.