How To Create Difficult Passwords
Have you ever had your server hacked? Pray you never do. Trust me when I tell you it’s one almighty headache. You have to change all of your FTP passwords and then try to find and undo the damage inflicted on your websites.
But that’s the easy part. The real stomach-clenching, cold-sweat-inducing nightmare is trying to figure out HOW it happened so you can stop it from happening again. There are many possibilities:
- An unsecured script that allows a hacker to sneak through.
- A rubbish password that a hacker cracked with brute force.
- A devious programmer that you thought you could trust with your log-in details.
- A crook working for your server hosts (basically, an inside job).
- Spyware that steals the passwords right off your PC.
In my case the problem was most likely the last on this list. Yes, I have a premium antivirus program running 24/7, but it turns out that even commercial security systems can miss some of the nastier spyware. I found the likely culprits by running two standalone programs in addition to my regular antivirus.
MalwareBytes http://www.malwarebytes.org
TrendMicro http://housecall.trendmicro.com
All of which got me thinking about the wisdom of using passwords as a security device. I have some long, complex passwords set up to protect my servers, but that only stops someone from guessing my passwords. It doesn’t do squat to protect me from someone stealing the passwords from under my nose. The reality is that there is no security system in the world that can claim 100% infallibility. There is ALWAYS a way in just waiting to be discovered.
One of my favourite works of fiction of recent times is Little Brother by Cory Doctorow (if you have even a tiny bit of geek in your soul, this book offers several hours of solid entertainment – http://amzn.to/MycJzC). One of the themes of the story is encryption and how to protect your identity on the net. The point is made that anyone can create an encryption method that they personally cannot crack. But encryption that someone smarter than you can’t break is a lot harder to come by.
So does that mean you shouldn’t try? Of course not. It’s like the joke about the two hikers that see a bear running towards them. The first hiker bends down and starts tightening his shoelaces and the second hiker says, “Don’t be a fool, you can’t run faster than a bear.” To which the first hiker replies, “I don’t have to run faster than a bear, I just have to run faster than you.”
Tighten Your Shoelaces
There may never be a completely bullet-proof security system but, if you at least make it as hard as possible, then it’s more likely that the crooks will go after easier targets. With this in mind I set my sights on shoring up my defences. Here’s what I came up with.
1) Don’t upload old scripts onto your server. Stick with popular scripts that have large communities and regular updates (WordPress, phpBB, etc.).
2) If you allow a programmer access to your server, don’t give them your main FTP log-in. Create a new FTP log-in that only allows access to the areas they need to accomplish their work. Once they’re finished, delete the log-in altogether.
3) Install a competent virus checker and firewall and keep them running in the background. Supplement this with additional spyware scans on a regular basis.
4) Don’t bookmark your FTP log-in details within your FTP software unless it has an option to encrypt this information behind a master password (CuteFTP lets you do this – http://www.globalscape.com/products/ftp_clients.aspx).
5) Get good at creating complicated passwords.
The last of these points bears some additional scrutiny. Creating passwords that are hard to guess is easy. Creating passwords that are hard to guess AND easy for you to recall is a whole other ball game. Most online guides to creating difficult passwords encourage mixing lowercase and uppercase letters with numbers and special characters (such as !"£$%^&*). On top of that, most also recommend using a different password for EVERY single site for which you have a log-in.
An Internet Marketer could easily be registered with 100+ websites. Imagine trying to create 100 different, complex passwords and then trying to keep them all in your head at the same time!
The most straightforward solution to this problem is to use password manager software (e.g. www.roboform.com) to create and store all of your passwords. The software is usually secured by a master password that you enter before creating or recalling log-in details for a site. This is arguably the most practical method for creating lots of different, complex passwords, but it isn’t a perfect solution. If, for example, you are away from your regular machine, then your password manager may not be available and you won’t be able to access anything that requires a log-in. The other drawback with the software approach is that there is only ONE password between a hacker and access to all the sites to which you belong.
Bizarrely, an even safer solution is to physically write your password details down somewhere. This may sound ridiculously low-tech, but you’re far more likely to have an account hacked online than to have someone break into your house and steal your book of passwords. You can make this technique a little safer by using a secret system when writing down your passwords. For example, you could always use uppercase for the vowels in your password, but write all your passwords down in lowercase.
The only real drawback of this system is that it becomes a bit tiresome having to look up the password every time you log in somewhere. And, again, if you’re away from your office, you’ll need to have your book of passwords with you, or you’ll be stuck.
Last, but not least, you can invent your own method of cryptography. Seriously, just go with me on this.
Homemade Cryptography
Cryptography works by using a secret method (called a cipher) to encrypt information into meaningless data. The cipher can also be used in reverse to turn the encrypted data back into readable text. Only people who know the cipher can create the code or decipher the encrypted information. A simple example would be substituting the letter A with the letter B, the letter B with the letter C, and so on. With me so far?
Obviously this would be a pretty easy code to break, so ciphers are made stronger by using a key that is different for every message. The key is combined with the cipher to create the code, so now if you want to understand the data, you need to know not only the cipher, but also the specific key that was used. The result of using a cipher AND a key is that even if someone figures out the cipher and decodes one message, they won’t be able to decode any other messages unless they have the unique key.
Let’s see how we can use this system to create a unique, encrypted password that we can easily decipher the next time we want to log in. For this exercise, our cipher is going to be a pattern on the keyboard, and the key will be the name of the program for which we’re creating the log-in. This will make more sense by looking at an example.
Keyboard Pattern (cipher)
The pattern needs to be complex, but easy to remember. I’m going to go with a 3-character pattern that starts with a letter, moves two keys to the right and then finishes with the number or character at the top of the column.
So, if my starting letter was D, then my 3-character pattern would be: dg5
If my starting letter was R, then my 3-character pattern would be: ry6
If my starting letter was C, then my 3-character pattern would be: cb5
Make the pattern as complex as you can cope with. You could create a four or five character pattern instead. For an additional level of complexity, repeat a variation of the pattern while holding down the SHIFT key. For example, using the same 3-character pattern as before, I’m going to repeat the pattern backwards, while holding down the SHIFT key. Thus:
dg5 becomes dg5%GD
ry6 becomes ry6^YR
cb5 becomes cb5%BC
Get creative and come up with your own unique pattern.
Selecting the Starting Letters (key)
In the above example, the starting letters were D, R and C. To decide what the starting letters are going to be, we’re going to create a variable key; the name of the website will be used for inspiration. For the purpose of this example, let’s say that my key is the last two letters of the website name. So, if I’m creating a log-in password for www.myspaCE.com, my two starting letters would be C and E. If the website is www.hubpagES.com, then my two starting letters are E and S. If the website is www.twittER.com, then my two starting letters are E and R. Got it?
Instead of using the last two letters as your key, you could use the first two letters, or the first and last letter, or the first two consonants, and so on. You can add extra complexity by using a key made up of three or four letters.
Whatever key you create, you then need to combine your starting letters (key) with your keyboard pattern (cipher). Let’s look at some examples, using the last two letters of the website name, along with the 3-character pattern (plus the backwards and SHIFT modifier) I used previously.
Example 1 – Myspace
Starting letters are C and E.
C becomes: cb5%BC
E becomes: et5%TE
Put them together and the Myspace password becomes: cb5%BCet5%TE
Example 2 – Hubpages
Starting letters are E and S.
E becomes: et5%TE
S becomes: sf4$FS
Put them together and the Hubpages password becomes: et5%TEsf4$FS
Example 3 – Twitter
Starting letters are E and R.
E becomes: et5%TE
R becomes: ry6^YR
Put them together and the Twitter password becomes: et5%TEry6^YR
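As an added example (not code from the original article), the following Python implements the keyboard-pattern cipher and the "last two letters of the site name" key exactly as described above, assuming a US QWERTY layout, so the three worked passwords can be recomputed; where the two-key move would run off the end of a row, a case the article does not define, it refuses rather than guess.

```python
# Added example: the article's keyboard-pattern cipher and "last two letters of
# the site name" key, implemented as described (US QWERTY layout assumed).
DIGIT_ROW = "1234567890"
LETTER_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# What each digit key produces with SHIFT held on a US layout.
SHIFTED_DIGITS = dict(zip(DIGIT_ROW, "!@#$%^&*()"))


def keyboard_pattern(start: str) -> str:
    """Cipher: the start letter, the key two to the right, the digit at the top
    of that column, then the same three keys backwards with SHIFT held."""
    start = start.lower()
    for row in LETTER_ROWS:
        if start in row:
            idx = row.index(start) + 2
            if idx >= len(row):
                # The article does not say what happens when the move runs off
                # the end of a row, so refuse rather than guess.
                raise ValueError(f"pattern runs off the row for {start!r}")
            second = row[idx]
            digit = DIGIT_ROW[idx]  # same column position in the digit row
            forward = start + second + digit
            backward_shifted = SHIFTED_DIGITS[digit] + second.upper() + start.upper()
            return forward + backward_shifted
    raise ValueError(f"{start!r} is not a letter key")


def site_key(site: str) -> str:
    """Key: the last two letters of the site's name, ignoring scheme, www. and TLD."""
    host = site.split("//")[-1].split("/")[0].lower()
    labels = [label for label in host.split(".") if label]
    name = labels[-2] if len(labels) >= 2 else labels[0]
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 2:
        raise ValueError(f"need at least two letters in {name!r}")
    return "".join(letters[-2:])


def derive_password(site: str) -> str:
    """Combine the key (starting letters) with the cipher, one pattern per letter."""
    return "".join(keyboard_pattern(ch) for ch in site_key(site))


if __name__ == "__main__":
    # Constructed inputs: the three sites from the article's worked examples.
    for site in ("www.myspace.com", "www.hubpages.com", "www.twitter.com"):
        print(f"{site}: {derive_password(site)}")
```

Running it makes one property of the scheme visible: all three example passwords share the block et5%TE because each site name has an E in the key position, so the output for any site is fully determined by the cipher and key rule alone.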
This may initially seem a little complicated, but consider that all you have to remember in every case is the key to picking your starting letters and the keyboard pattern cipher that you combine it with. The power of muscle memory means that, in a very short period of time, you’ll become very adept at creating and recalling passwords.
The passwords that this system creates are not only suitably complex, they are also very difficult to reverse engineer. Even if someone manages to crack the password of one program, using that information to figure out your keyboard pattern AND how you arrive at your starting letters is no easy feat.
Is this system flawless? No. But then a totally secure solution doesn’t exist and probably never will. The hackers will find new ways to circumvent security measures, and the programmers will find new ways to secure your systems. Maybe at some point in the future we’ll ditch the passwords and rely on fingerprint or retinal scans.
Then all we’ll have to worry about are criminals desperate enough to break into our house and remove our appendages.
Yeah, that’s a thought that’s going to fester.
In the meanwhile, take a few extra measures to protect your log-ins. Believing that it only happens to other people feels pretty silly once you get caught out. Remember, you don’t need a flawless security system, just make it as tough as possible and the odds are good that the hackers will leave you alone and focus on someone who can’t run quite as fast.