Last time we caught up with our team of geeks-in-residence, our discussion about wireless network security ended with an obvious step: the importance of selecting good passwords.
But despite all the preaching by information technology professionals, even power users don't often follow habits that can help keep systems safe. According to IT firm Trustwave's 2012 Global Security Report, released last month, weak passwords were responsible for 80 percent of the security breaches the study examined at both small and large organizations.
Bill Chu, chair of the department of software and information systems at UNC Charlotte, said the most common method for hackers to crack passwords is by using dictionary attacks, which try commonly used patterns to infiltrate a system.
Trustwave's analysis of 2.5 million passwords showed users aren't always making things hard to guess. "Password1" was the most common, and the words "password" and "welcome" appeared in more than 6 percent of the sample.
To avoid dictionary attacks, Chu said users should avoid common names and words and mix up a minimum eight-character password with upper- and lower-case letters, numbers and special characters.
And as common as it is, substituting numbers and special characters in place of similar letters doesn't really count as adding complexity.
"Unfortunately, substituting 3 for e, for example, is an old trick, and it is not as effective as choosing numbers not based on that strategy," Chu said.
Choosing complex passwords won't necessarily stop brute-force password crackers, which try all possible character combinations on systems that don't limit the number of attempted log-ins. Against these attacks, Trustwave's report points out that length is the way to go, since adding another character exponentially increases the possible password combinations.
In cases where your system allows greater password length, Chu says pass phrases, chains of unrelated words, can be particularly effective. They're easier to remember than a jumbled mess of characters, and the longer they are, the better.
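As an added illustration, not code from the column, Trustwave or the people quoted, the short Python checker below applies the two points above: it undoes the common letter-for-symbol substitutions Chu describes to test whether a password is just a dictionary word in disguise, and it computes the brute-force search space to show why length adds more than character mix. The word list and sample passwords are constructed stand-ins, not Trustwave's data.

```python
import math
import string

# Constructed stand-in for a cracker's wordlist (a real one has millions of entries).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}

# The "3 for e" style substitutions, written as the reverse table a cracker applies.
LEET_MAP = str.maketrans({"3": "e", "@": "a", "0": "o", "1": "i", "!": "i",
                          "$": "s", "5": "s", "4": "a", "7": "t"})


def normalize(password: str) -> str:
    """Strip trailing digits/symbols, undo leet substitutions and lowercase,
    so 'P@ssw0rd' and 'Password1' both collapse to 'password'."""
    base = password.rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP).lower()


def is_dictionary_derived(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is a wordlist entry dressed up with substitutions."""
    return normalize(password) in words


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-forcer must assume from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """log2 of charset ** length: each extra character multiplies the space
    by the charset size, which is the exponential growth the report cites."""
    return len(password) * math.log2(charset_size(password))
```

Running `brute_force_bits` on an eight-character "complex" password and on a four-word pass phrase shows the phrase's search space is far larger despite using only lowercase letters and spaces.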
Jeff Crume, distinguished engineer and IT security architect at IBM, also says passwords should be unique for each site and system and changed regularly, limiting any damage in case of an issue.
But keeping up with such guidelines isn't easy. Crume has hundreds of passwords, an impossible number for many to manage.
"All this is to make the password hard to guess," Crume said. "The problem is that things that are hard to guess often tend to be hard to remember, which is why people naturally bristle at such guidance."
The result is that users select passwords just complex enough to slide in under an IT administrator's requirements, and "P@ssw0rd" ends up in Trustwave's top-25 list.
One solution Crume uses is password storage and single sign-on software, which helps users generate passwords and keep them locked in a vault of sorts.
"I have literally hundreds of passwords, all unique and none that I actually know. But with tools like these, I only need to keep up with the one password that unlocks the tool, and it keeps up with the rest," Crume said.
There are several options, both free and paid, but Crume's had success with a free program called Password Safe (passwordsafe.sourceforge.net/), which is open source and available at SourceForge.net.
Your solution may vary depending on the number of systems you use and how comfortable you are with risk, but it's important not to dismiss good password practices as arbitrary or unnecessary.
There are countless ways protecting your private information is out of your control. But by eliminating human error with a few basic steps, you can take ownership of making your data much safer.
Send technology questions to firstname.lastname@example.org. Please include your name, city and daytime phone number. Sorry, we can't answer every question.