Password Security Primer 1

This weekend my sister's Twitter account was a victim of one sort of attack or another. She spammed me some advertising over direct message. It could be one of several things, but I'm going to drop some password advice for everybody.

Most sites and applications use a password for the base of their security and their ability to identify and authorize you to change things on your account with them. Having some knowledge about how to make and use good passwords is very important to staying secure online.

Why you should use good password practices:

  1. It's the key to your house. Maybe not yet, but it's probably the only thing between your bank account and a bad guy. It's almost certainly the only thing between all your emails and a bad guy. Whoever gets in may put out advertisements as if they came from you, which can be embarrassing and can even ruin your reputation.
  2. You don't know who you're trusting. Every time you type your password in, you're not sure who you're trusting with your password and what they're doing with it. In many cases you also aren't sure that it is only you and the other site who are in the "conversation". Having good password practices helps minimize your vulnerability. Some sites might have very good password policies, others might just keep a list of your passwords next to your email.

Following the principles below makes your password harder to crack if it is found, and makes it so that if someone finds your Facebook password, they can't get into your bank account (for example).

How to make a good password:

  1. Make it long. Typically, the longer the better, at least 16 characters should be your aim.
  2. Nothing associated with you personally. Not your birthday, not your grade school. Not your grandmother's first name.
  3. Use a phrase. Not one from a book or one that's been written down before, but one you can make up and remember.

Aim for 6 or more words; the more random and obscure they are, the better, and if you can mix in uppercase, lowercase, numbers and symbols, that's better still.
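To put numbers on the "make it long, make it random" advice, here is an added example (my own illustration, not part of the original post or any product mentioned in it) that generates a word-based passphrase and a fully random per-site password with the operating system's secure random source, then compares how many bits of entropy each choice gives and how long exhausting that space would take at an assumed offline guess rate. The 32-word list is constructed for the example; the 7776-word list size, the guess rate of ten billion per second and the function names are assumptions, not anything the post specifies.

```python
import math
import secrets
import string

# Constructed sample wordlist. Assumption: a real passphrase list (for example
# a diceware-style list) has thousands of entries; this 32-word list exists
# only so the example runs offline. List size, not word choice, drives entropy.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "magnet", "needle", "orbit", "pepper",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "bridge", "candle", "desert", "forest", "glacier", "harbor",
]
DICEWARE_LIST_SIZE = 7776  # 6^5 words, the size of a standard diceware list (assumed)

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from
    `alphabet_size` options, i.e. the strength of a machine-generated secret.
    A phrase you made up yourself is weaker than this formula suggests."""
    return length * math.log2(alphabet_size)


def random_passphrase(words, n_words: int = 6, sep: str = " ") -> str:
    """Pick `n_words` words uniformly at random (with replacement) using the
    OS CSPRNG. Never use `random.choice` for secrets; it is not unpredictable."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int = 16, alphabet: str = SYMBOLS) -> str:
    """Fully random per-site password, the kind a password manager stores
    so that no two sites ever share one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def strength_report(guesses_per_second: float = 1e10) -> dict:
    """Compare the kinds of secrets this post recommends. The guess rate is
    an assumption (offline cracking of a fast, unsalted hash); adjust it
    for the threat you care about."""
    cases = {
        "4 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "8 random chars": entropy_bits(len(SYMBOLS), 8),
        "16 random chars": entropy_bits(len(SYMBOLS), 16),
    }
    return {
        name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    print("master passphrase:", random_passphrase(SAMPLE_WORDS))
    print("per-site password:", random_password())
    for name, (bits, years) in strength_report().items():
        print(f"{name:18s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The report makes the post's point concrete: six words drawn at random from a 7776-word list give about 77 bits, far beyond what an 8-character password can reach, while a 16-character fully random string (what you would let a manager generate for each site) lands above 100 bits. The catch is the word "random": the formula only holds when a machine picked the words, which is why the post says to memorize one long passphrase for the manager and let it generate everything else.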

What to do when a password is no longer good:

  1. Change it. Typically this is under your account settings or your user profile. You can also usually find it by clicking the "forgot password" link on the sign in page, or by searching the web for "Change (twitter) password".
  2. Review which 3rd party applications you've allowed to use your data. Twitter, Facebook, Google and many other popular services allow you to share and give permission to other apps. Review that list and remove anything you don't actively use, and especially anything which you don't recognize.

How to use a good password:

  1. Don't use it in two places. If you're going to ignore this advice, then you should at least know that anything without the HTTPS (green) lock and bar on the web, and anything you do over email, is as secure as a postcard: anybody in the middle can read it. Don't reuse passwords between protected and unprotected sites under any circumstances. Any password you have ever used on an unprotected (HTTP) site, you should assume is insecure.
  2. Change it frequently. Set a date, maybe your half-birthday or the Ides of March, and change all your passwords, maybe even totally deactivate accounts you don't use any more.
  3. Don't share them. This is semi obvious, but you shouldn't share passwords with other people. Most services allow some sort of multi-user capabilities if you're meant to work together with things. Share projects and accounts, not passwords.

A nice program which I like for this process is 1Password. It's available for Windows, Mac, iPhone and Android, and it can stay in sync over wifi or with Dropbox. There are plusses and minuses of syncing over Dropbox, but for the large part, you're better off than if you use the same password everywhere. It has a browser plugin so that it can automatically save a different password for every site and automatically fill in that password when you go there. There are many others like it. PasswordSafe is one I previously used and is free, but there is no mobile client. LastPass is another one. It's "OK", but they do one thing in particular that I do not like, which is effectively lying to you about sharing your passwords with others. They suggest that you can securely share passwords with others without them knowing the plain text password. This is not true and I have some resentment for anyone who would suggest that it is possible.

You could do very, very well for yourself by using 1Password, making all of your other passwords totally random, and using a very long passphrase to unlock 1Password. The first time you make it, write it down somewhere safe until you're sure you've memorized it. Don't tape it to your monitor; keep it on your person.

There are many other things which you should learn about protecting yourself, if you're interested, please let me know.

Thanks to Donald Stufft for help with some of the specifics.

Issac Kelly