The paranoid user's guide to password protection: 10 steps to better security

Yes, they are out to get you. Yes, they want your passwords. And if you're like most folks out there, you've given them plenty of ways to take them from you. If you're dead serious about securing your online life, here's the crazy serious approach to locking down and protecting your accounts.

1. Do not use the same password for more than one account - ever. This is the #1 mistake people make, says Joe Siegrist, CEO at password management software vendor LastPass. Once someone penetrates one account they can start breaking down doors to your other accounts. They also may be able to gain access to other information that's useful in hacking into your other accounts, such as your email address, billing address, the email address you have set up for password reset, the last four digits of your credit card and the answers to the challenge questions set up for that account. Changing out all of those duplicate passwords is time consuming, but it's time well spent.

2. Make challenge questions more challenging. Don't use real answers, and don't use the same answer more than once. Security challenge questions such as where you were born or your first pet's name are supposed to provide an extra assurance that the person logging into your account is really you by posing questions only you would know. They don't. The reality is that, in the era of social networking, other people either know or can find out many of the answers. What's more, the security question answers gleaned from a compromised account can be used to help attackers break into others. Siegrist uses randomly generated passwords as challenge question answers and stores them in his password manager profile for each site.

3. Use strong passwords for all of your accounts. If you're like me, you probably use a strong password for online banking and weaker, easier to remember passwords for less important accounts, such as that New York Times online subscription or the Pandora music streaming service. Perhaps you even reuse the same password for many of these second-tier accounts. It's easier that way. After all, what's the worst that can happen if someone accesses your New York Times subscription?

Audit those sites and see for yourself. "You give up a lot more than you remember, and they store that," says Siegrist.

4. Get a password management program - and use it. If you're going to instill some discipline into your approach to password management you're going to need a way to track all of those details. A good password manager will generate strong passwords for you, store them in encrypted form, and fill in the blanks when you visit a site for which it has stored your login credentials. But your master password becomes the key to the kingdom. It needs to be more than just strong. It needs to be big.

5. Don't just go strong. Go long. A strong eight-character password is easier to crack than a longer, weak password, according to a Carnegie Mellon study. Siegrist agrees. You can test this yourself at Passfault.com. For example, the randomly generated 8-character password "Lr2ZvyaE" can be broken in 1 month, 4 days using software designed to crack passwords, while "thisismypasswordforgmail" would take more than a billion centuries. How much longer would it really take a hacker to crack a 12- or 24-character string versus the typical eight characters? That depends in part on how the password was hashed and how many rounds of hashing were used. "You don't know how sites are storing your password, so you have to assume the worst," Siegrist says. But there is a law of diminishing returns at work here. Extending passwords from 8 to 12 characters should suffice in most cases, he says. (The randomly generated 12-character password "jO7SlY5zerHT" would take 1565 centuries to break, according to Passfault.com.)

But hacker techniques are always improving, and with a password manager you don't have to remember or type in passwords, so why not go longer? "I'm hesitant to tell people they should be going insanely long everywhere," Siegrist says. "So long as you're not reusing passwords you're relatively safe with a 12-character string," he says. But, he adds, "If the answer is that no matter what, no one should ever be able to break into an account then by all means make it nice and long." Just remember, he warns: If you reuse that password on even one other site you've done more harm than using a different, shorter one for each.

Unfortunately, there's a rather discouraging problem you're bound to run across when implementing a go-long strategy: Many sites still don't allow more than eight characters. While my bank and LastPass do not place a limit on password length, other accounts are limited to as few as eight characters. That's a common problem, Siegrist says. And many sites don't allow the use of special characters such as # or $ or & either.

There's nothing you can do about this, except maybe take your business elsewhere. When a database doesn't allow longer passwords or special characters that's a huge red flag, Siegrist says, because it means that the site is probably storing passwords incorrectly. Decades ago, when the database was created, the password field may have been designed to have a short maximum length and limit characters to letters and numbers. Changing the database requires a lot of work, he says, so many institutions simply don't do it.

6. Create strong user account names as well as passwords. Your user name is 50% of the information a criminal needs to crack your account. You wouldn't create a password that's easy to guess. Why do that with your login ID?

How easy are user names to guess? An account ID issued by a bank or credit card company may follow a predictable formula that's easy to guess, such as the first four characters of your last name followed by the last four digits of your social security number. In other cases a site may require that you use your email address as your account name (as LastPass does). When people do create user names they go with ones that are easy to guess, such as first initial and last name or last name followed by year of birth.

Some sites, including LastPass, require you to use your email address as your account user name. To get around that, you can add the "+" character to the end of your email user ID followed by extra characters to make the user name harder to guess. The user ID will still work, says Siegrist, and it's more secure. For example, rmitchell@computerworld.com could be changed to rmitchell+vN41Mvkoq1Lf@computerworld.com.

Siegrist uses the password generator function in LastPass to create strong user account names. Since the password manager remembers both the user name and the password, you don't have to remember what the account name is anyway, he says. So why not be more secure?

7. Use two-factor authentication. This is doubly important if you use a laptop that can be stolen or you store sensitive data in the cloud. If someone guesses or steals the password to your account, they'll still need a special code, which is typically sent to a mobile phone, to gain access.

With two-factor authentication a person logging into your account needs something you know (your password) and something you have -- typically a single-use code that's texted to your phone or generated by a program such as Google Authenticator. The latter, which issues a six-digit number, is particularly useful if you use other Google products such as Gmail or Google Docs.

However, the site you're using has to support the two-factor authentication app you're using. Dropbox supports Google Authenticator, as does LastPass, which at the time I began using it was the only password manager to offer two-factor authentication options. Unfortunately, many sites don't support two-factor authentication, including all of my online banking, investment and credit card accounts.

"The adoption of two-factor hasn't been as high as we'd hoped with LastPass," says Siegrist, but that's starting to change. "With Google Authenticator being free we're seeing a nice uptick in its use."

8. Use an alternative email account for password resets. An intruder will expect password reset information to go to your public email account, which is easier to discover than is a secondary account created specifically for password resets.

9. Use the strongest mix of protections on the most critical accounts. In addition to the obvious online banking and finance accounts, two of the most important online accounts to protect include your email accounts and the master password to your password management software. A compromised password management program would be catastrophic. And since your email address is probably used by most online accounts for password reset, a compromised email account can have a cascading effect. All the attacker needs to know is where you have accounts, your user ID and the answers to a few security questions.

For each of these accounts I use strong user names, strong, long passwords and two-factor authentication.

10. Consider biometrics - eventually. Early attempts at biometric identification based on fingerprint and face scan sensing haven't performed well, nor has the technology caught on in a big way with users or device makers. But that could change with Apple's recent acquisition of AuthenTec, a maker of biometric sensors that could eventually be integrated into the iPhone. "There have been some weaknesses with biometrics, but those are finally being resolved. It's finally coming," says Siegrist.

In the meantime, see items 1-9.

Copyright © 2012 IDG Communications, Inc.