simple secure passwords
TRANSCRIPT
-
8/2/2019 Simple Secure Passwords
1/26
-
8/2/2019 Simple Secure Passwords
2/26
The Mozilla PocketPassword PrimerWhat You Should Know About
Keeping Your Identity SafeOn the Internet
2010 Mozilla
The contents of this publication are available underthe Creative Commons Attribution-Share Alike 3.0
Unported license.
-
8/2/2019 Simple Secure Passwords
3/26
-
8/2/2019 Simple Secure Passwords
4/26
Passwords
It's hard to get through a day on the internetwithout encountering dozens of requests for yourusername and password. With more and more ofour work and leisure time spent online, mostpeople find that remembering a unique passwordfor each account they have is an impossible task.
It's made harder when sites have strange rulesabout how you must form your passwords. Somesites prohibit special characters like &, %, #, and @in passwords. Other sites require them. Some siteshave maximum length limits on passwords that areshorter than the minimum length required by other
sites. What is the modern, internet-savvy usersupposed to do?
Certainly not what most of us do now...
Are there little yellow notes stuck to theside of your monitor with usernames and
passwords scribbled on them?
Do you have at least one computer or onlineaccount where the password is "password"?
-
8/2/2019 Simple Secure Passwords
5/26
Do you use your pet's name as a password,
and tell yourself you're making it moresecure by adding "123" to the end?
Do you have accounts on 387 websites andlog into all of them with one of threefavorite, easy-to-remember passwords?
Did you last change the password for your
bank account shortly after the turn of thecentury? Before?
If you've secretly answered "yes, but..." to any ofthese, don't worry. We won't tell anyone, and inthis guide we'll show you how to create and
manage strong, secure passwords without breakinga sweat. We'll also show you how to memorizeonly one password and still have a uniquepassword for every site you visit.
You'll sleep better at night knowing you're saferfrom identity theft, and with the tricks you'll learn
here you can help your friends and relatives besafer online as well.
-
8/2/2019 Simple Secure Passwords
6/26
Passwords Are Compromises
Any password is a compromise between a secure(long, random and unique) string of characters andan easy to remember word or phrase. As we needmore and more passwords to get through the day,we all tend to push the compromise in the directionof easy to remember more than we should. A bit
later, we'll show you a technique creatingpasswords that will keep your's memorable withoutmaking them easy to guess. We'll also show youways to let your computer manage all yourpasswords so you don't have to remember them.
Threats to Your Passwords
The threats to your passwords fall into three majorcategories:
Social Engineering: The more an identity thiefknows about you, the less secure passwordsassociated with your everyday life become. Don't
assume that the names of your children, pets orfriends make secure passwords. They aren't.Similarly, if you keep passwords written down in a"secret place", anyone watching your day-to-dayactivity will quickly learn where they're hidden.
-
8/2/2019 Simple Secure Passwords
7/26
Brute Force Attacks: If your passwords are
insecure, an identity thief needs little more thanyour username to mount an attack against youraccounts. Cracking software that uses lists ofdictionary words in combination with commonpassword configuration information quickly opensaccounts with passwords such as "Jennifer3" and
"Bobcat123". A security audit of a universitycomputer system found that 20% of the accountscould be accessed using only a list of the 20 mostpopular female names followed by a single numericdigit.
Breaching Insecure Systems: If the
administrators of a website use poor securitypractices, such as storing passwords unencrypted,identity thieves that manage to breach systemsecurity can steal the entire list of passwords andusernames. Tht's a huge security problem for you ifyou've used the same password on other sites,
particularly ones with access to your bank accountor other sensitive information.
-
8/2/2019 Simple Secure Passwords
8/26
The lessons are clear:
Use as secure a password as possible
Change your passwords periodically
Try not to reuse passwords between sites
If that last rule is impossible to follow, then be
sure that sites holding sensitive information don'tuse shared passwords.
What Not To Use In Your Password
There are some things you should not use whenyou're creating a password. All of the following are
chosen as passwords so frequently that passwordcracking software has been developed to takeadvantage of their inherent weaknesses:
Your name, or the name of your spouse,parent, child, or pet
The name of a friend (real or imaginary),your boss or a coworker
The name of popular fantasy characters orwords like "wizard", "guru", "gandalf", etc.
-
8/2/2019 Simple Secure Passwords
9/26
The name of the operating system you're
using, or the hostname of your computerYour phone number, license plate number orany part of your social security number
Birth dates or other easily obtainedinformation about you, your family or yourfriends
A proper noun (the name of a particularperson, place or thing)
A dictionary word, either English or foreign
Passwords of all the same letter
Simple patterns on the keyboard, like"qwerty"
Any of the above followed or prepended bya single digit or a sequence of ordered digits(like 123)
Any of the above spelled backwards
-
8/2/2019 Simple Secure Passwords
10/26
An I n t e r n e t u se r n a me d N e r o ,An I n t e r n et u se r n a me d N e r o ,
S e t h i s o n - l i n e b a n k p as s wo r d t o " H er o ",S e t h i s o n - l i ne b a nk p a s sw o rd t o " H er o ",
Af t e r l u n c h he c a me b a c k ,Af t e r l u n c h he c a me b a c k ,
T o a p a sswo r d a t t ac k ,T o a p a sswo r d a t t ac k ,
An d a b a n k a c c o un t b a l a nc e o f z e r o .An d a b a n k a c c o un t b a l a nc e o f z e r o .
...and one more thing to remember. You shouldnever use a password that has been used as anexample in an article about how to create goodpasswords. That includes this guide. Once apassword has been published, it's no longer useful.
If this seems like we've eliminated any passwordthat has a prayer of being memorable, don't worry!
We'll show you how to avoid all of those pitfalls.
-
8/2/2019 Simple Secure Passwords
11/26
Choosing a secure password
Good passwords have a fairly simple set ofproperties:
They have both upper and lower case letters
They have digits and/or punctuationcharacters as well as letters
They are easy to remember, so they do nothave to be written down
They are at least seven or eight characterslong, but the longer the better.
They can be typed quickly, so someone else
cannot easily look over your shoulder
So the puzzle before us is to create a passwordwith all of the good properties without having anyof the bad properties.
-
8/2/2019 Simple Secure Passwords
12/26
Passwords from a Passphrase
You can create a memorable, secure passwordstarting with a simple phrase. We call these"passphrases". For example, let's use a quote fromOgden Nash:
"Happiness is having a scratch for every itch."
If we use the first letter of each word, andsubstitute 4 for "for", we get:
Hihas4eiHihas4ei
This is a reasonably strong password but we canimprove it a bit by adding some special characters:
#Hihas4ei:#Hihas4ei:
Associating Web Sites
We can use our new password on several differentwebsites by adding a suffix with a mnemonic link
to a particular site. Let's use the first letter and thenext two consonants in the site name.
-
8/2/2019 Simple Secure Passwords
13/26
Just to add a bit more randomness we'll alternate
upper-case and lower case, and if the firstcharacter in the site name is a vowel we'll start withupper-case. To mix things up a bit more we'll usethe same rule to decide whether to add the sitemnemonic to the left side or the right side.
#Hihas4ei:AmZ#Hihas4ei:AmZ for Amazon
bGz#Hihas4ei:bGz#Hihas4ei: for Bugzilla
#Hihas4ei:YtB#Hihas4ei:YtB for YouTube
dRm#Hihas4ei:dRm#Hihas4ei: for Drumbeat
While this technique lets us reuse the phrase-generated part of the password on a number ofdifferent websites, it would still be a bad idea touse it on a site like a bank account which containshigh-value information. Sites like that deserve theirown password selection phrase, perhaps somethinglike the old English proverb:
"A penny saved is a penny earned."
So for our bank, this would give us a passwordsimilar to:
bNk#Apsiape:bNk#Apsiape:
-
8/2/2019 Simple Secure Passwords
14/26
This password lacks numeric characters because
our phrase contains neither numbers nor the words"to" or "for". We could strengthen it a bit by addinga rule to put in a digit or two if none are providedby the phrase:
bNk#8Apsiape2:bNk#8Apsiape2:
But even without doing that our rule based systemgives us strong, easy to remember passwords thatare unique to each website.
The Power of Rules
Notice that by using a simple set of rules, we're
able to construct a longer than average passwordtht's still easy to remember. Here are the rules weused:
Choose a memorable phrase and use thefirst letter of each word.
Add special characters (we chose # and : ).Use the first character of the website nameand the next two consonants in the name asa site identifier.
-
8/2/2019 Simple Secure Passwords
15/26
If the website name starts with a vowel,
capitalize the first and third characters andadd it to the right side of our password.
If the website name starts with a consonant,capitalize the second letter and add it to theleft side of our password.
If there are no numbers in the password add
a digit or two. (we chose to add them at thebeginning and end of our phrase).
Memorizing Your Passphrase
You will find that passphrases are more memorablethan simple passwords. However, if you have
trouble remembering the passphrase you can resortto an old-fashoned memorization trick fromelementary school. Take a piece of paper and writedown your passphrase 10 times in a row. Realpaper and pen work better than typing, but anyform of repetition will help. Just be sure to dispose
of the paper securely.
-
8/2/2019 Simple Secure Passwords
16/26
Changing Your Passwords
If you work for an organization that requires youto change your password periodically, you shouldconsider changing all of your passwords at thattime as well. You don't have to visit all your sites,just choose a new secret phrase and as you visiteach site make the change.
If nobody requires periodic changes, you shouldconsider changing your password at least twice ayear. A convenient way to remember to change isto pick a new secret phrase when you set yourclocks when the time changes in the spring andautumn.
-
8/2/2019 Simple Secure Passwords
17/26
-
8/2/2019 Simple Secure Passwords
18/26
Password Recovery Questions
Many websites use a "secret question and answer"to allow you to reset or recover your password.These are often implemented in less than a securemanner. The security problem exists when the siterequires you to select from a limited set ofquestions. Choosing a question such as "In what
city were you born?" presents an obvious securityhole. Knowing where you were born gives anyoneaccess to your password. If the site doesn't let youwrite your own question, and many don't, you'rebetter off tricking the system into being secure.Here's how:
Select a passphrase create a password youwill use for password recovery.
No matter which "secret question" youselect, use your new password as the"secret answer".
-
8/2/2019 Simple Secure Passwords
19/26
The answer doesn't make sense in the context of
the question, but the password recovery systemdoesn't know this. It only checks that the answeryou give when you ask to recover or reset yourpassword matches the answer you supplied whenou set up the account. This trick will ensure thateven a website that chooses insecure "secretquestions" won't compromise the security of youraccount.
Passwords in Email
Emailing passwords is always a bad idea. Mostemail systems transmit the body of the message inplain text, and so an identity theif could look inside
messages addressed to you. This means that if awebsite "recovered" your password and emailed itto you, you should consider that passwordcompromised and change it immediately.
-
8/2/2019 Simple Secure Passwords
20/26
Managing Your Passwords
Even with tricks like using phrases to generatepasswords, remembering passwords for dozens ofsites can be a bit taxing. There are software toolsthat will manage your passwords for you. There areonline services and stand alone programs that willsave your passwords, and you can ask most
modern web browsers to remember passwords.But you should choose your password managementsoftware carefully and only use a program orservice that you're sure you can trust with yourmost sensitive information.
The Firefox browser from Mozilla, the most trusted
name on the Internet, has secure, world-classpassword management. When you enter ausername and password into a website, Firefoxasks if you want to remember that password. Ifyou answer yes, Firefox stores the password inyour user profile. You can (and should) turn on
Firefox's Master Password feature to ensure thatyour saved passwords are securely encrypted.
-
8/2/2019 Simple Secure Passwords
21/26
Combining Firefox's Master Password with Firefox
Sync lets you manage all your passwords on all themachines you use securely and effortlessly. Best ofall, if you use the password manager, the FirefoxMaster Password is the only password you'll everhave to remember yourself.
The Firefox Master Password
To keep the passwords you save in Firefox'spassword manager secure, you should turn on theMaster Password. If you haven't already set aMaster Password, it's easy to do.
Before you start, carefully choose a phrase to
create your Master Password. Since the MasterPassword is used to secure all of your otherpasswords, a long phrase would be advisable.
-
8/2/2019 Simple Secure Passwords
22/26
In Firefox for Windows:
From the Tools menu select Options.
Click on the Security icon and check the"Use a master password" checkbox.
The Master Password dialog box willappear.
Enter your Master Password into the "Enternew password:" and "Re-enter Password:"text boxes and hit the OK button.
in Firefox for MacOS:
From the Firefox menu select Preferences.
Click on the Security icon and check the"Use a master password" checkbox.
The Master Password dialog box willappear.
Enter your Master Password into the "Enter
new password:" and "Re-enter Password:"text boxes and hit the OK button.
-
8/2/2019 Simple Secure Passwords
23/26
Many people prefer to have Firefox ask for the
Master Password only once at the beginning ofeach session. There is a Firefox Add-on calledStartupMaster that enables this behavior. To addStartupMaster to Firefox, pick Add-ons from theTools menu, click on Get Add-ons, and then typeStartupMaster into the search box.
All Your Passwords On All YourComputers
Firefox Sync can ensure that all your passwords aresaved on all the computers you use. Tell Firefox toremember a password on your desktop computer athome, Firefox Sync will make that password
available to Firefox on your notebook computer,and any other computer (or mobile device) onwhich you use Firefox.
Firefox Sync not only synchronizes yourpasswords, but also your bookmarks, browsing
history, preferences, and tabs across all of yourbrowsers.
-
8/2/2019 Simple Secure Passwords
24/26
One thing that Firefox does not sync across all of
your computers is your Master Password, so besure to set that up on each machine when youconfigure Firefox Sync.
Firefox Sync is built into Firefox 4, and is availableas an add-on for Firefox 3.5 and later. To addFirefox Sync to Firefox, pick Add-ons from the
Tools menu, click on Get Add-ons, and then typeFirefox Sync into the search box.
When you set up Firefox Sync, it will ask for apassword and pass phrase. You can safely use yourMaster Password and the phrase you used to
create it here.
When you have Firefox Sync installed on all yourmachines it will ensure that passwords youremember on one machine are available on all of themachines on which you run Firefox. That includesSmartphones and mobile devices running Firefox
Mobile and Firefox Sync, so you can carry all yourpasswords with you all the time.
-
8/2/2019 Simple Secure Passwords
25/26
Become a Password Security Ninja
Faithfully using the tips and techniques in thisguide will put you in the top 10% of all internetusers when it comes to password securityawareness.
Use your newfound power wisely and help spread
the word by showing your friends and family howthey can be safer online by using more securepasswords.
-
8/2/2019 Simple Secure Passwords
26/26
ColophonThe ebook versions of this publication wereprepared using the Sigil open source editor forebooks. Learn more about Sigil athttp://code.google.com/p/sigil.
Characters from Le Geektionnerd are remixed from
the Wikimedia Commons under the CreativeCommons Attribution-Share Alike 3.0 Unportedlicense.
Tim Buckley's CTRL+ALT+DEL cartoon is remixedfrom the Wikimedia Commons under the CreativeCommons Attribution-Share Alike 3.0 Unported
license.
The contents of this publication are available under
the Creative Commons Attribution-Share Alike 3.0Unported license.