Security Tip: 5 Easy Ways to Remember Your Strong Password

With all the information we keep on our computers, our USB drives, our email accounts, and all other kinds of digital systems, it’s not rare to easily collect half-a-dozen passwords, or even more, that one needs to remember. Strong passwords are important, of course. And many times you simply can’t have the same password for multiple applications; what one system demands for a password might not be the same as another. While multiple passwords will certainly make it harder for prying eyes to get a hold of your data, it can also be counterproductive. Keep reading for 5 easy ways that you can remember your strong password.


Use a Password Manager

Alright, this might be cheating, as you won’t technically have to remember much. But a password manager is a welcome solution to the problem of having countless passwords to remember. With a password manager, you only remember one, and it handles all the rest. Unfortunately, though, password managers only work on the computers they’re installed on.

Use Random Words You Love

The most secure passwords are the ones that are long and full of random characters. This makes them almost impossible to guess. It also defeats the vast majority of hacking attempts that try to break in through the sheer brute force of constantly entering option after option.

Unfortunately, random characters can be very difficult to remember. Random words, on the other hand, are much easier to commit to memory. Best of all, they have proven to be almost as secure when it comes to protecting your data. Try your first pet’s name, the street you grew up on, and the day of the month you were born on. Or have it be your favorite animal, your dream car, and your mother’s maiden name. Though opinions may vary about this, you can probably afford to write down a reminder—somewhere safe, perhaps in your cell phone—that simply says, “favorite baseball player, sister’s birthday, dream vacation.” That makes for an easy reminder that practically no one should be able to figure out.

Use Mnemonic Devices

Because strings of random characters make such strong passwords, there’s a very good argument for choosing them, and a mnemonic makes them memorable. “I always get my password on the first try”, for example, can be turned into “Iagmpot1t.” This is an extremely strong password that’s easy to remember.

Write Down Your Passwords and Keep Them Safe

If you’re particularly concerned about forgetting all your passwords, it’s ok to write them down. However, it’s then of the utmost importance that you store them somewhere safe. They should be nowhere near the computer you use them for. So, if your passwords are for an office computer, keep them locked away at home. If you have a home office, consider writing them down in the back of a favorite book kept on a shelf in another room.

Rotate Passwords

Most systems that require passwords also require you to change them regularly. When possible, simply rotate your passwords through systems. This helps keep you from making countless passwords that you’ll have a hard time remembering. So long as none of your systems have been compromised, there’s no point in wasting a strong password.

Source:
http://www.macworld.com/article/2014040/how-to-remember-passwords-and-which-ones-you-should.html
http://www.techrepublic.com/article/tips-to-help-users-remember-their-password/

Evernote User Accounts Compromised

Evernote reported today that they detected and blocked suspicious activity on their network. As a precaution, they say, they’ve implemented a password reset for all users. When I first read about this, it sounded as if they had already reset your password and you would need to have it emailed to you. Instead, the email they sent out instructed users to log in and change their passwords upon login.

What Happened?

Anything I say here would be purely speculation. However, attacks are often as simple as a SQL injection. This usually happens when a website takes user input (like a contact form or blog comment form) and does not properly validate and sanitize it before adding it to a database. It’s more common than you think. For anyone interested in a more technical view of security vulnerabilities, check out OWASP’s Top 10 Project. In reality, any number of things could have let in a hacker, and it’s too early to say for sure.

Should I Worry?

This is a two-part answer. First, your Evernote account is fine. According to Evernote, no stored data was lost or accessed (other than your credentials, of course). Just reset your password and you should be OK. Your other accounts, however, may not be. Take a look at the most important part of Evernote’s statement:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

This tells me that my username, email and encrypted password are out there in the hands of a hacker, and because Evernote is a large service, it wouldn’t surprise me if a torrent file of this information shows up for download by anyone with an internet connection. “Hashed and salted” means that, like they said, it’s one-way encryption. A hacker can hash a guessed word using the same method and salt and see if it matches the blob of characters next to your username, but they can’t directly decrypt your password. This is important, but if your password was cracked, the hackers would now have a username/email/password combination to try on many other services. If I were that hacker, I would start with other cloud services, namely Apple’s. If you use the same username and password anywhere else, you should change your password there, too.
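What “hashed and salted” looks like in code, as an added example and not Evernote’s own implementation: PBKDF2-HMAC-SHA256, the iteration count and the salt length are assumptions standing in for whatever Evernote actually used. Checking a password means re-hashing the candidate with the stored salt; there is no decrypt step, and per-account salts keep identical passwords from producing identical stored values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not Evernote's code. Assumption: PBKDF2-HMAC-SHA256 stands in
# for whatever one-way hash Evernote really used; the principle is the same.
ITERATIONS = 100_000  # deliberately slow, so each offline guess costs real CPU time


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """The only way to check a stored hash: re-hash the candidate with the same salt.
    Nothing is decrypted; this is what "one-way" means."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)  # constant-time comparison


def same_password_different_digests(password: str) -> bool:
    """Two accounts with the same password get two different digests, because each
    has its own salt. Without salts, one precomputed table would crack both at once."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery")  # constructed sample password
    print("stored salt/digest:", salt.hex(), digest.hex())
    print("right password verifies:", verify_password("correct horse battery", salt, digest))
    print("wrong password verifies:", verify_password("password", salt, digest))
    print("same password, two accounts, different digests:",
          same_password_different_digests("password"))
```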

How To Protect Yourself

While websites and online services have legal and ethical obligations when it comes to storing your information, you should have some rules of your own.

Use a secure password that you can remember. The word “password” is sadly not only the most insecure password, but also the most popular. If it was easy for you to come up with and type in, it’s likely easier to crack. Don’t use your birthday, any word that can be found in a dictionary, or anything someone could guess with a little information about you.

Don’t write it down if you can help it. If I were in your house and wanted to get into your computer, the first place I would look is under your computer. Shockingly often, people just put their password on a sticky note and stick it to their monitor. The password is only as good as the user. Protect it like you’re protecting what it gives access to. If you wouldn’t leave your life’s savings on your desk, don’t put your password to it there, either.

Split up your passwords. This is a hard pill to swallow, but you absolutely should use a different password for each site. The cost is convenience, but the reward is not having every account you have hacked just because one site let your password get out. If this is too hard for you, use individual passwords for any site with finances, or sensitive information and another “global” password for the 150 other sites that are less critical.

Don’t just stick to one rule, either. I know from experience that thinking that doing great on one rule (like having an incredibly hard-to-crack password) excuses you from the others is a good way to get hacked.

Gawker Media Hack Is A Password Reminder

Over the weekend, Gawker Media was hacked, handing an encrypted password list (among other things) to the hackers. A group calling themselves Gnosis has taken credit for the hack and released a package full of server information, notes on the hack, Gawker Media site source code and, worst of all, everyone’s passwords.


Judging by the statement made by the hackers, it looks like someone at Gawker pissed them off. I was actually planning another post about web security before this happened, but that will wait for another day as it has to do with different perils of having online accounts.

Here’s the email Gawker Media sent out today:

This weekend we discovered that Gawker Media’s servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you’re a commenter on any of our sites, you probably have
several questions.

We understand how important trust is on the internet, and we’re deeply
sorry for and embarrassed about this breach of security. Right now we
are working around the clock to improve security moving forward. We’re
also committed to communicating openly and frequently with you to make
sure you understand what has happened, how it may or may not affect you,
and what we’re doing to fix things.

This is what you should do immediately: Try to change your password in
the Gawker Media Commenting System. If you used your Gawker Media
password on any other web site, you should change the password on those
sites as well, particularly if you used the same username or email with
that site. To be safe, however, you should change the password on those
accounts whether or not you were using the same username.

We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more
information and will continue to do so in the coming days and weeks.

Gawker Media

How Does This Affect You?

If you’ve never commented on a web property in the Gawker Media network, you may not have anything to worry about. If you have, on the other hand, your password on that site has been compromised, and you should think about where else you used that password and change it on all of those sites. In the quoted text above, Gawker points us to a post on Lifehacker full of answers. Of course, to minimize the effects of future hacks on Gawker or any other site, it’s best to have a strong password (see below) and to use different passwords for different sites. As an example, you wouldn’t want to use the same password on Gawker that you use for online banking.

Is Your Password Strong Enough

Surprisingly, too many people have passwords that are easy to crack or even simply guessable. Without a doubt, the absolute worst password you can use for any account is the word “password”. Regardless, of the nearly 1.3 million accounts compromised, 1,959 had “password” as their password. Even if a hacker doesn’t guess it, the simplest brute force attack can crack this password in no time. So how do you know if your password is strong enough?

Is my Password Strong

I built a quick and easy password strength test site to help you test your password. It may be helpful, but you can also get by with some quick password tips. To understand them, you should know a little about how a brute force attack works. Typically a script runs that tries one password after another until one works. A simple script might first try every word in a dictionary file, which is just a file full of known real words like “gamer”, “puppy”, or maybe “password”. Failing that, it would start going through every character combination, from aaa, aab, aac, for example, through to larger guesses like 9999999. A more thorough attack might also make use of characters like $%! and so on, but this takes far longer. Having to check upper versus lower case takes a lot longer as well. From this, we can see that you can make your password stronger by making it longer and including numbers, mixed case, and special characters. By this logic, “Chr1Stm@s!!%” is a far more secure password than “christmas”.
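The reasoning above, turned into a scorer, as an added example and not the code behind the author’s strength-test site: it models the attack order described (dictionary pass first, then every string of length 1 up to the password’s length over the character classes the password uses). The word list and the weak/fair/strong thresholds are constructed for the demo.

```python
import math
import string

# Added example, not the author's password-test site. The word list is a
# constructed stand-in for a real dictionary file.
DICTIONARY = {"gamer", "puppy", "password", "christmas", "letmein"}

# Character classes an attacker has to include once the password uses them.
CHARSETS = [
    ("lower", set(string.ascii_lowercase)),   # 26
    ("upper", set(string.ascii_uppercase)),   # 26
    ("digits", set(string.digits)),           # 10
    ("symbols", set(string.punctuation)),     # 32
]


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force script must iterate, given the classes used."""
    used = set(password)
    return sum(len(chars) for _, chars in CHARSETS if used & chars)


def guesses_to_exhaust(password: str) -> int:
    """Worst-case guesses for the attack described in the text: a dictionary pass
    first, then aaa, aab, ... up to every string of the password's length."""
    if password.lower() in DICTIONARY:
        return len(DICTIONARY)  # found before brute force even starts
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def entropy_bits(password: str) -> float:
    return math.log2(guesses_to_exhaust(password))


def rate(password: str) -> str:
    """Assumed thresholds: under 28 bits weak, under 60 fair, otherwise strong."""
    bits = entropy_bits(password)
    if bits < 28:
        return "weak"
    if bits < 60:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for pw in ("christmas", "puppy123", "Chr1Stm@s!!%"):
        print(f"{pw:14} alphabet={charset_size(pw):3} "
              f"bits={entropy_bits(pw):6.1f} -> {rate(pw)}")
```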

Even if you were not affected directly by this, take this as a reminder to audit your password habits and make changes if needed. A little effort now can save you a lot of future headache.