Saturday, February 4, 2012

No, Birth Date is not a Good Password

Security experts often joke that a typical internet user's idea of a secure password is adding a 5 after 1234, and "12345" terrifyingly remains among the most popular passwords on the web.

Recently a virus was floating around Facebook that infected 50,000 users. My brother was locked out of his account and, like the typical Facebook user, lost email access too. What these viruses were after was username and password information, because the typical web user uses the same password for Facebook, Gmail, and bank accounts: one stolen password opens every account that shares it.

And, more related to teachers, I cringe each time I assist a teacher and find out their password is still their birth date. I personally do not think personal security information such as social security numbers, birth dates, or a child's name make good passwords. The reason is that WHEN someone hacks your account they not only get your password, but personally identifiable information that can be used to impersonate you or to guess your passwords elsewhere.

The general rule is that a password should not be meaningful and should contain upper- and lowercase letters as well as numbers and symbols. Even at that, a recent article on a tech news site reported that a graphics processor in a laptop could break a ten-character password in the above format in less than 5 seconds. Figures like that depend on the password being guessable (built from words, dates, and common substitutions) and on the site storing passwords with a fast hash; a genuinely random ten-character password would take the same hardware years. The practical lesson is the same either way: guessing hardware keeps getting faster, so length matters more than a sprinkling of symbols.

So what should you do? Here are my suggestions, in three easy steps.

  1. Do not use your birth date or other personal security information as your password.
  2. Come up with a secure password of at least six characters to log in to MMSD and Gmail, including upper- and lowercase letters as well as numbers and symbols. Six characters is short by today's standards, so use the longest password you can reliably remember and type. Use this password only to log in to these services, nothing else, and change it yearly.
  3. Use longer passwords (10-30 characters) with a program like KeePass. http://keepass.info/download.html It is available for Windows, with ports for Mac, Linux, iPhone, and Android. KeePass will securely manage all of the passwords you have.

So, how does KeePass work? All of your passwords and related data are kept in a database file encrypted with AES-256, a cipher the U.S. government approves for protecting its most sensitive classified information; your master password is run through SHA-256 and many rounds of key transformation to derive the encryption key, which slows down anyone trying to guess the master password against a stolen database file. The program sits in your system tray; when you need a password, you open it and go to the entry for the account. KeePass will also generate secure random passwords for you, with you choosing the number of characters and the character classes to include.

The database stays encrypted on disk; when you copy a username or password to the clipboard, KeePass clears the clipboard again after a short, configurable timeout (roughly 10 seconds) so the secret does not linger. You paste the value into the login form and proceed as you would if you had typed it manually. One function I use often is Auto-Type: with the cursor in the username field, it types the username, moves to the password field, types the password, and submits the login. One caveat: both methods put the password in the clear on your computer for a moment, so a password manager protects you against guessing and password reuse, not against a machine that is already infected with something like the Facebook virus above.

The purpose of a program like KeePass is to let you use passwords that are impossible to remember yourself. You would not necessarily want such a long password for your computer logon, since you have to type that one before KeePass is available, but for bank accounts, personal Gmail, and social networking sites they are highly recommended. Sites differ in the number of characters they allow for passwords; the closer you get to 30 characters, the stronger your password will be.
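To make the cracking-time figures concrete, here is an added Python example (mine, not code from the post or from KeePass) that generates a password the way a password manager does and tabulates how long an exhaustive search would take for a birth date, a six-character password, and the 10-30 character passwords recommended above. The guess rates are assumptions chosen for illustration, not measurements; the arithmetic shows why length, not symbols, decides the outcome: at ten billion guesses a second a random six-character mixed password falls in about a minute, while a random ten-character one takes over a century, and a birth date falls instantly because there are only a few tens of thousands of them.

```python
import math
import secrets
import string

# Alphabets. The post's recommended format (upper + lower + digits + symbols)
# is the "full" set; the others are included for comparison.
ALPHABETS = {
    "digits": string.digits,                                            # 10 symbols
    "lowercase": string.ascii_lowercase,                                # 26 symbols
    "full": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

# Assumed guess rates in guesses per second. These are assumptions for
# illustration only, not figures from the post or from any benchmark.
GUESS_RATES = {
    "online, rate-limited login form": 10.0,
    "offline, leaked fast hash, one GPU": 1e10,
}


def generate_password(length, alphabet=ALPHABETS["full"]):
    """Generate a password the way a manager does: OS CSPRNG, each position independent."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length, alphabet_size):
    """Number of candidates an attacker must try in the worst case."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every candidate; on average an attacker needs half of it."""
    return search_space(length, alphabet_size) / guesses_per_second


def birth_date_space(years=100):
    """A birth date such as 02041965 is not random: at most 366 days x a century of years."""
    return 366 * years


def human_time(seconds):
    """Render seconds in a readable unit for the table."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def strength_table(rate_name="offline, leaked fast hash, one GPU"):
    """Rows of (label, bits, worst-case time) for the password choices discussed in the post."""
    rate = GUESS_RATES[rate_name]
    rows = []
    bd = birth_date_space()
    rows.append(("birth date (8 digits, not random)", math.log2(bd), human_time(bd / rate)))
    size = len(ALPHABETS["full"])
    for length in (6, 10, 20, 30):
        rows.append((f"{length} random chars, full alphabet",
                     entropy_bits(length, size),
                     human_time(seconds_to_exhaust(length, size, rate))))
    return rows


if __name__ == "__main__":
    print("example 20-char manager-generated password:", generate_password(20))
    for rate_name in GUESS_RATES:
        print(f"\nattacker: {rate_name}")
        for label, bits, t in strength_table(rate_name):
            print(f"  {label:36s} {bits:6.1f} bits  {t}")
```

The generator uses the `secrets` module rather than `random` because the latter is predictable and unsuitable for passwords; the table is worst-case exhaustive search, so real attacks on non-random passwords finish far sooner than the numbers for the random rows.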

I can hear it now: "But Nate, I understand bank information and maybe Gmail, but why such a long password for Facebook?" We started this post with the recent Facebook virus. The hackers were most likely not very concerned that you liked the Justin Bieber photo, but were more interested in the great portfolio of personal information Facebook has built about you. Sharing is not Facebook's business model; that is just a means to an end. Its business model is aggregating personal information and relationships for its customers.