Tuesday, May 18, 2010

How to Keep Track and Have Strong Passwords With Ease

I am reading Kevin Mitnick's book, The Art of Intrusion, a collection of real-life stories of attacks on corporate systems.  One oversight that comes up again and again is the failure to compose secure passwords.  It is surprising how often system or network administrators use blank passwords, weak passwords, or a single decent password for multiple authentication points that guard sensitive material.  There have also been plenty of attacks in the news in which corporations had weak or blank passwords protecting sensitive information behind their firewall; most notably, the TJX hack.

I used to fall into that category myself: a weak password, and the same password for multiple websites - multiple e-mail accounts, online banking, social networking, etc.  A weak password is generally anything that can be found in a dictionary or is a commonly used term, or that is shorter than eight characters.  I did not appreciate the risk: if someone obtains the password for one website, they have the password for all of them.  I am sure a lot of people are in the same situation, unaware of their exposure and of the password-cracking tools that can break weak passwords in minutes.

Now I use a completely different password for each website, with the maximum number of characters the site will allow.  How?  KeePass Password Safe, a free and open source program.

KeePass is a portable database for all your passwords.  You only have to remember one master password to open the database, and you can carry the database file on a USB stick.  I recommend a master password of 20 or more characters mixing uppercase, lowercase, digits, and special characters.  The database is encrypted with AES (Advanced Encryption Standard), the cipher adopted by the U.S. government and used by banks.  The encryption key is derived from your master password, so the security of the whole database rests on that one password: if it is long and complex enough, it is impractical for anyone to crack; if it is weak, AES does not help you.

Additionally, you don't have to make up every single password yourself.  KeePass comes with a password generator that lets you choose the number and types of characters you want.  The next time you log on to a website, you just drag and drop the user name and password from KeePass into the text boxes, so there is no retyping long generated passwords every single time.
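As an added example that is not part of the original post or of KeePass itself, here is a small Python script that does what the weak-password definition and the generator described above call for: it flags a password as weak if it is shorter than eight characters or is a dictionary/common term, and it generates a password of a chosen length from a configurable set of character classes using the operating system's cryptographic random source, guaranteeing at least one character from each requested class. The COMMON_WORDS set is a constructed stand-in for a real cracking wordlist, and the symbol set and function names are my own choices, not KeePass's.

```python
# Added example (not KeePass code): a weak-password check and a CSPRNG-based
# password generator in the spirit of the KeePass generator described above.
import math
import secrets
import string

# Constructed mini "dictionary" standing in for the wordlist a cracking tool
# tries first. Real wordlists hold millions of entries; this is illustrative.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "monkey", "sunshine"}

# Character classes the generator can draw from (symbol set is my own choice).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def is_weak(password: str, wordlist=COMMON_WORDS, min_length: int = 8) -> bool:
    """Weak by the post's definition: shorter than min_length characters, or a
    dictionary/common term. The comparison is case-insensitive and ignores a
    trailing run of digits, so 'Password123' is still caught. It does not try
    leetspeak substitutions ('p@ssw0rd'), which real crackers do try."""
    if len(password) < min_length:
        return True
    base = password.lower().rstrip(string.digits)
    return base in wordlist or password.lower() in wordlist


def generate_password(length: int = 20, classes=ALL_CLASSES) -> str:
    """Generate a password with the OS CSPRNG (the secrets module), containing
    at least one character from every requested class."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    # One character from each class, then fill the remainder from the union ...
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # ... and shuffle with a CSPRNG-backed shuffle so the guaranteed characters
    # do not sit in predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def covers_all_classes(password: str, classes=ALL_CLASSES) -> bool:
    """True if the password contains at least one character from each class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def search_space_bits(length: int, classes=ALL_CLASSES) -> float:
    """Size of the space a brute-force attacker must search, in bits, for a
    password of this length drawn uniformly from these classes."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("password1", "Tr0ub4d", "correct horse battery staple"):
        print(f"{candidate!r}: weak={is_weak(candidate)}")
    pw = generate_password(20)
    print(f"generated: {pw}  classes covered={covers_all_classes(pw)}  "
          f"search space={search_space_bits(20):.1f} bits")
    # Compare with an 8-character lowercase-only password (~37.6 bits).
    print(f"8 lowercase chars: {search_space_bits(8, ('lower',)):.1f} bits")
```

The search-space figures are an upper bound on attacker effort and only hold for passwords that were actually generated uniformly at random; a human-chosen password that happens to contain all four classes is usually far weaker than its length suggests, which is exactly why a generator is worth using.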

I have been using this product for a while and feel more secure having strong passwords.  Since changing a password is now easy, I recommend rotating the passwords for sensitive accounts, such as online banking or your main e-mail, every couple of months.  Below is the information you need to get started:
a. Download the Classic Edition 1.17
b. Download the Portable KeePass if you plan on carrying it on your USB stick.  If it is strictly for home use, then you can download KeePass 1.17 (Installer EXE for Windows).

*Edit: I found a site that generates a password from the contents of the computer's RAM (random access memory).  The idea is that this adds to the security side because nobody can predict what password was generated from your computer.  I am going to start using this site and paste the password into KeePass for certain sites.  The website is Generate a Secure Password.  One caveat worth keeping in mind: what makes a generated password unpredictable is that it comes from a proper random source, not where the bytes are read from, and a password produced by a website is created on a machine you do not control and sent to you over the network, whereas the KeePass generator produces it locally and it never leaves your computer.
