StopSign Internet Security Blog

There’s a really interesting article from Georgia Tech that talks about how the advanced computing power that’s readily available today may actually be making password length an even more important factor for creating a secure password. Using graphics processors, researchers are able to quickly, and cheaply, break 8 character passwords in a matter of hours. From the article:

Georgia Tech researchers are investigating whether this new calculating power might change the security landscape worldwide. They’re concerned that these desktop marvels might soon compromise a critical part of the world’s cyber-security infrastructure — password protection.

We’re big proponents of secure passwords here at StopSign, so this story really spoke to us. It confirms that any password less than 8 characters in length is pretty much useless, and even 8 character passwords are now not exactly cutting edge. The new recommendation for the total number of characters in a password? The article says:

…any password shorter than 12 characters could be vulnerable — if not now, soon

Brute force attacks on passwords that are 12 characters would currently take approximately 17,134 years, while an 11 character password would take around 180 years. It’s amazing what one character difference can make.

As usual, we recommend not only longer passwords, but also that you use a mix of uppercase and lowercase letters, as well as other characters and symbols such as the asterisk (“*“), hash sign (“#“), ampersand (“&“), and the like. Doing so will greatly increase the time it takes to break your password. For more on creating strong passwords, check out our article “12 Tips for Making a Good Password.“.

OK, we can’t get your passwords to become faster, but certainly we can give you tips on how to make them better and stronger (read: harder to break). Our last post on passwords gave a lot of information on how good passwords can be easily created, and we’ve come up with more ideas for you to secure your passwords.

A strong password is the first line of defense against anyone who would want to break into your account, so the tougher you make it on them, the less likely it will be that they get what they want. Use these tips to create a bionic password that will make it tougher to crack.

• Get creative with words:

  You can get a lot of traction out of one word if you can figure out different ways to use it in your password. For example the word “crystal” is pretty clear (pun intended), but you can muddy it up a bit by doing things like removing all vowels, changing how it’s spelled, or reversing certain letters. Examples include “crstl”, “krYs+al”, and “ltsrc” (the first one, only backwards). Mix that up with another word to increase the length of the password and you’ll be good to go.

• The same word, only different:

  Maybe you like birds, and your favorite bird is the Pine Grosbeak bullfinch. Well, as we all know (sarcasm) the genus for those birds is “Pinicola”. Maybe you also happen to love Coca-Cola. You take out the “cola”, insert “Coke”, and now you have a 2-word password that’s easy to remember: “PiniCoke”. Substitute some of the characters to something like this: “p1niCok3″ and you’re good to go.

• Don’t use common number patterns:

  Your phone number, street address, even your jersey number from the high school football team… these are all very bad things to use in a password as they are. If you plan on using one of them, be sure to mix things up. If you live on 1313 Mockingbird Lane (Quick… what TV show is that address from? The first person to comment on the blog with the right answer gets a free year of StopSign.), you could use the street number like this: “+h1rT3en13″.

• Mix it up:

  Using only alpha-characters or only numbers isn’t a very good idea for a password at all. Your password is a digital cocktail. Mix. It. Up. If a decent password is made up of 8 or more characters, you should try to use at least 2 numbers and one non-alphanumeric character (a hash symbol “#”, an exclamation mark “!”, etc.).

• Use multiple passwords:

  Ideally you should have a unique password for every account that you have. Your home email, work email, computer login, bank account, Twitter… any account you have that requires a user name and password should have its own unique password.

These suggestions are not the end-all, be-all and we don’t necessarily advocate using every single password tip listed. But they can be food for thought when devising a new password. You’ve seen my repeated suggestion to mix things up, and that’s a big thing. Keep things fresh, get creative, and you’ll be far and away ahead of the pack when it comes to creating a strong (and difficult to crack) password.

Twitter is like a giant party in a community of over 18 million people, and there’s bound to be a few apples in the bunch who want to cause trouble. You can get around some of those problems by locking down your Twitter account and being aware of some of the potential problems you might run into when you’re tweeting. Just follow these simple Twitter tips and use your common sense, and you’ll be much ahead of the “safe twittering” curve.

1. Good, strong passwords.

   The creation of a good password cannot be stressed enough! Make sure to create a password that’s difficult for others to figure out and contains a mix of letters and numbers. Also try to use a different password than you use on other social networking sites in case one of the passwords gets cracked or is leaked out. Read more about how to create a strong password on our blog.

2. URL shorteners.

   Sites like bit.ly, ow.ly, and cli.gs are great URL shortening services, especially when someone wants to link to websites in 140 characters or less. But if you don’t know the person who tweeted with a shortened URL, you’re never quite sure what you’re going to get. (OK, that’s not 100% true*) Be careful what you click on!

3. Are you (literally) on Twitter.com?

   Scammers and spammers love to build lookalike sites to try and trick you into submitting your user names and passwords to them instead of the real thing. Before you log in, check the address bar to make sure you’re actually on Twitter.com and not some scam website. Learn more about how to figure out if you’re on a fake website or a real one on the StopSign blog.

4. Third party access.

   There are some really neat services out there like We Follow and Twitter Grader that help enhance your Twitter experience and learn more about your tweeting habits; but there are also some fishy ones too. Make sure to regularly check your Connections settings in Twitter to clear out any unexpected or suspect applications that have been given access to your account. And if they offer it, connect using OAuth, as it’s much safer than supplying your user name and password to a strange website.

5. Phishy phish.

   You’ve got to be diligent about reading DM’s and @ mentions (there’s a particularly nasty trick going around now where a scammer will @ mention you regarding something you’ve tweeted about and there’s a shortened URL to a spam site in the mention – do NOT click on it!). There always seems to be a phishing scams of some kind happening on Twitter, so make sure you know what you’re clicking on or responding to.

6. Don’t get too personal.

   It’s really important that you don’t expose too much information about yourself or your family online. The wrong tweet can get you on a spammers list, or at worst, can lead crazies on the Internet right to your front door. We’ve got tips on how to stay safe online and offline.

For more information on Twitter security, check out the official Twitter help article on safe tweeting.

*OK, technically you can preview any bit.ly URL by adding a “+” to the end of the URL. Other sites and/or services may do the same; but the main issue is that URL shorteners, by default and by design, do not natively display the destination URL. Back to the top

Banking websites, email accounts, instant message software and social networking sites like Facebook and MySpace all have one thing in common: passwords. Not having a good password makes it easier for hackers to break into your online accounts. Don’t feel bad though, because even businesses like Twitter.com aren’t above using a bad password.

Creating and using a good password is very important, but it’s only one layer of internet security and it’s certain not foolproof. Given enough time and computing power virtually any password can be broken. What we’re presenting is a list of several rules (suggestions, really) for creating a safe and secure a password without it being a big hassle.

First off is the don’t list. It’s one of those “including, but not limited to” things, so be sure to use your own judgment along with our suggestions. While no password is 100% secure, the more you can do to make it difficult to brute force, the better.

1. Don’t use a single common word or phrase such as “password”, “qwerty” or “apple”. Anything found in a dictionary or is common knowledge is a bad idea. Also steer clear of abbreviations, movie names, book titles, etc. Use multiple words if at all possible.
2. Don’t use a proper noun. Steer clear of using your name, the name of your kids or spouse, a state capital, etc.
3. Don’t write it down. While you can argue that you have a secret/safe place that no one will ever find (under your keyboard, in your wallet, under a filing cabinet drawer, etc.) trust us… it’s not secret and it’s not safe. Keep that password in your head, not in your hand.
4. Don’t use your password on a public computer. As tempting as it is to check your Gmail account at the library, you have no idea if anyone has installed a key logger or other password sniffing software. It’s safer to wait until you get home.
5. Don’t give your password to anyone. Anyone. No site or service worth its salt will ever ask you for your password. Any attempt by a CSR, website, or even an email asking for your password is a scam, period.
6. Don’t reuse a password. If you somehow have a password compromised (whether you know it or not), reusing a previously good password has now opened you up to trouble.

Next up is the do list. These tips are here to help you create not only a good password, but also to to make it difficult for someone else to crack it. Not easily, at least. :)

7. Do make it memorable, but not easily guessed. Using a mnemonic, or memory aid, is a great way to remember passwords.
8. Do use at least 6 characters. Use 8 or more if you can swing it.
9. Do use more than one password. Each site or account, or at the very least the important ones (banks, etc.) should have it’s own, unique password.
10. Do avoid sequences of letters or numbers. “1223334444″ is an example of a very bad password.
11. Do change your password. Every 3-6 months should be fine for personal accounts.
12. Do feel free to be creative with spelling. There’s no reason you can’t do things like substitute an “i” with a “y” every now and again, use upper- and lower-case letters, and even use numbers, punctuation, or special characters if possible.

Sounds like a lot to have to think about, right? Actually it’s not as bad as it sounds; making a good password is more about common sense than anything else.

In closing, here are some samples of a good 8-character password. While the samples below are great for educational purposes, please don’t use them for your real password because that would go against the tip that you don’t reuse a password.

• phU+$sHu: This is a combination of “foot” and “shoe”. Notice how the “f” is replaced with a “ph”, the “oo” with a “U” and so on.
• Tyg3rtLE: This is a combination of “tiger” and “tail”. The “i” in tiger is changed to a “y”, “tail” was replaced with an alternate spelling (“tale”) and a vowel is removed to keep the password at 8 characters.
• 2ND-d0*R: This is a combination of “second” and “door”. Similar character substitutions as the first 2 examples abound in this one, too.

Update: 12/27/2009 Mashable has a new article on banned Twitter passwords.