A blog about my experience in the IT world.

Private Password Policy

October 1, 2007

Many are aware of the dangers of the Internet: the more data we have available online, the more exposed we are to online crime, and in most cases this information is protected by just a thin layer.
Login and password!

Because the login is often public, the password is the user's ultimate defense.

But despite being aware of all the dangers, many users don't give much thought to picking their password. Unlike usernames, which have to be unique, very few sites enforce any kind of password policy. So it is up to the user to be self-disciplined and find a secure way of protecting themselves.

There are some guidelines we can follow when creating a password:

From the CERN IT Department we have a few guidelines on How to choose good passwords.
A good password is:
* private: it is used and known by one person only
* secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal
* easily remembered: so there is no need to write it down
* at least 8 characters
* a mixture of at least 3 of the following: upper case letters, lower case letters, digits and punctuation
* not guessable by any program in a reasonable time, for instance less than one week.


If you choose a password within these parameters you will end up with a fairly secure password.

But as any security expert will tell you, having one password for every account is suicide. I also recognize that having a different password for each account, the best-case scenario, is almost impossible. You'll end up forgetting some of the passwords...

So we face a problem... Having one password is insecure, but having many is too! Let's find something in between.

My way of dealing with this situation is to have a small number of different passwords that I use depending on the site I'm registering on.

It can be depicted as levels of security. The higher the level, the more complex the password.

I use four levels, or four different passwords.

The first level password (the easiest) I use for public forums, have-to-register-to-see websites and other websites of unknown ownership! This password is very simple, and doesn't follow even one of the guidelines...

But beware: although this is meant to be a simple password, it must not be a stupid password. Never, ever, use your login (or any variation of that word) as your password and, if you can, avoid the most common passwords. You can find a list of the top 10 here.
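As an added illustration (not code from the original post), here is a small Python checker that enforces the CERN guidelines quoted above together with the level-one rules just mentioned (never the login, not a top-common password). The common-password set and the attacker guess rate are constructed placeholders, not the lists the post links to.

```python
import string

# Constructed stand-in for the "top 10 most common passwords" list the post links to.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}

# The four character classes named in the CERN guideline (need at least 3 of them).
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}

# Assumed attacker guess rate for the "not guessable in less than one week" rule.
# This is a constructed figure for illustration; tune it to your own threat model.
GUESSES_PER_SECOND = 1_000_000_000
ONE_WEEK_SECONDS = 7 * 24 * 3600


def classes_used(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    return sum(1 for chars in CHARACTER_CLASSES.values() if any(c in chars for c in password))


def brute_force_seconds(password: str) -> float:
    """Worst-case time to exhaust a keyspace built only from the classes the password uses."""
    alphabet = sum(len(chars) for chars in CHARACTER_CLASSES.values()
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return alphabet ** len(password) / GUESSES_PER_SECOND


def check_password(password: str, login: str) -> list:
    """Return the guidelines the password violates; an empty list means it passes."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if classes_used(password) < 3:
        failures.append(f"uses only {classes_used(password)} of the 4 character classes (need 3)")
    # The post's level-one rule: never the login (or a variation of it) as the password.
    if login and (login.lower() in password.lower() or password.lower() in login.lower()):
        failures.append("contains (or is contained in) the login name")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("is in the common-password list")
    if brute_force_seconds(password) < ONE_WEEK_SECONDS:
        failures.append("brute-forceable in under a week at the assumed guess rate")
    return failures
```

A site that enforced even this much would reject most of the "level one" passwords the post describes, which is exactly why the policy has to live with the user when the site does not provide one.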

Second level, for social-network websites, instant messaging, secondary mail accounts, every site that involves some kind of personal information, but nothing sensitive. This password has to be much more complex than the first one, and fulfill every guideline, at the very least.

Third level, primary email and every site that holds sensitive private information (financial, for example...). This has to be a very strong password; you can find examples of strong passwords in this Wikipedia article.

Fourth level, not so much because of the complexity of the password, but because of how often it is changed... Meaning it isn't just a password but a group of them! These passwords are used for logging into systems that require a periodic password change. I recommend these passwords be as complex as the second level one, and that the group makes sense when put together as a phrase.

The more users are aware of how to create a secure password, the harder it will be to compromise someone's account.

Absolute safety is a myth but nothing wrong comes from trying!

3 comments:

Unknown said...

Nice article. Are you in the IT security realm? Or you just blogging for fun?

If the first is true, I would like to hear your comments on a few things.

Great article though. Password policies are a company's first line of defense, and most don't even take the time to establish one.

Patronus said...

As I said in some other post, I work as a programmer and web designer;

So I don't really work in IT security, I just use the concepts in my life as a programmer ;)

Unknown said...

The reason I ask is because of a product called nFront Password Filter. Was just wondering if you had ever given it a shot.

Oh well...probably not.

But again, great article. Thanks!