Blog Post

How secure should my passwords be?

 

The first thing to know about your online identity: LIE.  You need at least two online profiles, one that is the true you and is kept very secure, and one that is nothing like you.

Create a false ID

Everybody wants your information, but not everybody needs it.  When a company asks for your email address and your personal information and does not need the real thing, LIE: give them a false name and false information.

                False ID Tips

                Be consistent: use the same false name and ID information every time

                Do not use any true information about yourself

                Write down the details and keep them handy

                A web site that can help is http://fakenamegenerator.com

You can take this a step further and create multiple semi-false identities.  Create a free email address with a service like Gmail under a false name and personal information, then forward that mailbox to your regular email.  When a company asks for your email and information, give them the fake first name and the company's name as the last name.  The junk mail you receive will tell you who is selling your information.

What are login credentials?

In many cases it is a user name and a password.  A user name is like your name in the phone book: it is not security, it is identity.  A user name identifies which information is associated with your account.  A password is your proof of identity, like a digital driver's license.  For secure logins a second factor of authentication is a good idea.

When to use Low, Medium and High security credentials

Use Low Security when the login credentials will have access only to information that does not identify you.

                Low security login credentials should be:

                                A. A user name that does not identify anything about you.

                                B. A password that is at least:

                                                1. Minimum 8 characters

                                                2. Different from any other password you have

Use Medium Security when the login credentials will have access to 3 or fewer facts about you that are in the phone book:

                                Name, address, phone number

                Medium security login credentials should be:

                                A. A user name that does not reveal any personal data.

                                B. A password that is at least:

                                                1. Minimum 12 characters

                                                                Upper and lower case

                                                                At least one number

                                                2. Not in the dictionary

                                                3. Different from any other password you have

                                                4. Changed every year

Use High Security when the login credentials will have access to:

                                Your money (bank account, credit union...)

                                Your credit (credit cards, mortgage...)

                                Your assets (house, car, boat...)

                                Your health care (doctor, pharmacy...)

                                Your private information (Social Security number, driver's license...)

                High security login credentials should be:

                                A. A user name that is unique.

                                B. A password that is at least:

                                                1. Minimum 16 characters

                                                                Upper and lower case

                                                                At least 2 numbers

                                                                At least 1 special character

                                                2. Not in the dictionary

                                                3. Different from any other password you have

                                                4. Changed every 6 months

                                C. Two-factor authentication
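The three tiers above, written as a checker (an added example, not code from the original post): it takes a password and the tier you want it to serve and reports which of the listed rules it fails, and highest_tier tells you the best tier a password qualifies for.  The rule values are transcribed from the lists above; the DICTIONARY set is a constructed stand-in for a real word list such as /usr/share/dict/words.

```python
import re
import string
from typing import Iterable, List, Optional

# Tier rules transcribed from the Low / Medium / High lists in the post:
# minimum length, mixed case required, minimum digits, minimum special
# characters, and whether the "not in the dictionary" rule applies.
TIERS = {
    "low":    dict(min_len=8,  mixed_case=False, min_digits=0, min_special=0, dictionary=False),
    "medium": dict(min_len=12, mixed_case=True,  min_digits=1, min_special=0, dictionary=True),
    "high":   dict(min_len=16, mixed_case=True,  min_digits=2, min_special=1, dictionary=True),
}

# Constructed stand-in for a real word list; a real check would load a dictionary file.
DICTIONARY = {"password", "september", "president", "southfield", "welcome", "dragon"}


def dictionary_word(password: str, words: Iterable[str] = DICTIONARY) -> bool:
    """True if the password is a dictionary word once digits, symbols and case are stripped.

    'Southfield2024' still counts as the word 'southfield'."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return core in set(words)


def check_password(password: str, tier: str, used_passwords: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for the given tier; an empty list means it passes."""
    rule = TIERS[tier]
    problems = []
    if len(password) < rule["min_len"]:
        problems.append(f"shorter than {rule['min_len']} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if rule["mixed_case"] and not (has_lower and has_upper):
        problems.append("needs both upper and lower case")
    digits = sum(c.isdigit() for c in password)
    if digits < rule["min_digits"]:
        problems.append(f"needs at least {rule['min_digits']} number(s)")
    special = sum(c in string.punctuation for c in password)
    if special < rule["min_special"]:
        problems.append(f"needs at least {rule['min_special']} special character(s)")
    if rule["dictionary"] and dictionary_word(password):
        problems.append("is a dictionary word")
    # "Different from any other password you have" applies to every tier.
    if password in set(used_passwords):
        problems.append("is already used for another login")
    return problems


def highest_tier(password: str, used_passwords: Iterable[str] = ()) -> Optional[str]:
    """Best tier the password qualifies for, or None if it fails even the Low rules."""
    best = None
    for tier in ("low", "medium", "high"):   # each tier is stricter than the last
        if not check_password(password, tier, used_passwords):
            best = tier
    return best


if __name__ == "__main__":
    for candidate in ("password", "Southfield2024", "S61uAthfield", "Correct-Horse-Battery-42"):
        print(f"{candidate!r}: best tier = {highest_tier(candidate)}; "
              f"high-tier problems = {check_password(candidate, 'high')}")
```

The dictionary check strips digits and symbols before looking the word up, so bolting a year onto a real word does not get a password past the Medium rules.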


What is two-factor authentication?

This can be summed up as “something you know” and “something you have”.

What is not two-factor authentication?

When you log into a site that asks for more than a password, like the color of your first car, this is multi-step authentication but it is still one factor.  Another common misconception is the ATM card example: you have the card and you know your PIN, but the information on the card is static, it does not change and it can easily be copied, so this is still one factor, multi-step.

Examples of two-factor authentication

The second factor can be something like Google Authenticator, a YubiKey or an RSA token.  It is something you have that performs a calculation and outputs a one-time password.  If you lose the thing you have, the bad guy cannot use it without the thing you know; they could still try to guess the password, but you have time to change it and get a new second factor.
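What “something you have that performs a calculation” does in practice is the time-based one-time password scheme (TOTP, RFC 6238) that Google Authenticator implements.  The following Python is an added example, not code from the post or from any of the products it names: it derives a 6- or 8-digit code from a shared secret and the current 30-second time step, and shows how the server side verifies a code while tolerating one step of clock drift.  RFC_SECRET is the test-vector secret from RFC 6238, so the codes can be checked against the published vectors; everything else is the standard algorithm.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# A real authenticator app gets its secret from the QR code shown at enrolment.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20 bytes
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step.

    This is what the token in your pocket computes; the server computes the same."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step or +/- `window` steps,
    so a slightly drifting clock does not lock the user out.  The comparison is
    constant-time so response timing leaks nothing about the expected code."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second step:", totp(RFC_SECRET, now))
    print("RFC 6238 vector at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
```

The window is the trade-off the post alludes to: a stolen code is only useful for about a minute, and the secret never leaves the device or the server, so guessing the password alone does not get an attacker in.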


How securely do web sites keep my login information?

That depends entirely on the administrators of the site, and it varies from no security at all to levels of cryptography that may never be broken.  There is no way of knowing, but it is a very safe bet that at least one site you log into has had, or will have, your login credentials stolen.  So never use the same password for more than one site!  It is also a good idea to change that password on a regular basis.

How the Internet passes data

By default all data on the Internet is open for everyone to look at and it is not secure.  So by default everything you do is open to anyone listening, and that includes email and web sites.  There are many ways to secure your transactions; the first and easiest is to look at the web address of the site you are on.  If it starts with http:// it is not secure: any information you enter into this site is open to the world.  If it starts with https:// it is a secure connection between your PC and the host; that one little “s” changes it to a secure connection.  An example is Google’s Gmail: when you connect to gmail.com you will see that they only use https://, so all of the information between you and Gmail is secure.  However, if you send an email from Gmail it is not secure: the email is sent in clear text and is open to the world.  This applies to the email you receive as well.  Do not send information over normal email that you would not share with the world, because you are sharing it with the world.

                Most financial institutions only accept secure https:// connections, and they require more than a user name and password.  The ideal situation is a way to confirm that the person logging in with your user name is really you and not someone who guessed or intercepted your password, so they normally add security questions to the login.

Password Managers

You only need to remember one password to open your password manager, and it will manage all of your different login credentials for you.

There are two good password managers on the market that I have researched and used, LastPass and KeePass.

LastPass is an online store that keeps your passwords fully encrypted so you can access them from any Internet-connected device, including smart phones and public computers; your password is only decrypted in the browser and entered directly into the web site.  The LastPass site does not have the keys to decrypt your data, so if your database is stolen from LastPass it is useless to the thieves.  The downside is that there is a yearly fee to use all of the features.

KeePass is very similar, but it only works with a local database: it has no online component and it will not work on your smart phone.  It is not as full featured, but it is free.

Words into Algorithms

                ^  Use the “Shift” key (capitalize the character)

                #  Use the number pad equivalent

                                1=Space 2=abc 3=def 4=ghi 5=jkl 6=mno 7=prs 8=tuv 9=wxy 0=qz

                *  Insert the password number (the row number below)

                x  No change

                A  Insert the capital letter shown (A, Z, ...)

Algorithm A    ^#*xA

Algorithm B    x*Z^

1A    southfield    S61uAthfield

2A    september     S22pAtember

3A    president     P73eAsident

4A    costco        C64sAtco

5B    pocket        p5ZOcket

6B    atomic        a6ZTomic
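The legend and table above as a function, added here as an example and not code from the post: each symbol in the algorithm string either rewrites the next letter of the word (^, #, x) or inserts something (* inserts the row number, a capital letter inserts itself), and whatever is left of the word is appended unchanged.  KEYPAD follows the legend as written, reading 9 as wxy; build_table numbers the rows from 1 the way the table does.

```python
from typing import List, Sequence, Tuple

# Letters per key from the legend (classic phone keypad: 7=prs, 9=wxy, 0=qz).
KEYPAD = {
    " ": "1", "abc": "2", "def": "3", "ghi": "4", "jkl": "5",
    "mno": "6", "prs": "7", "tuv": "8", "wxy": "9", "qz": "0",
}
LETTER_TO_KEY = {letter: key for letters, key in KEYPAD.items() for letter in letters}

# The two algorithm strings from the table.
ALGORITHMS = {"A": "^#*xA", "B": "x*Z^"}


def apply_pattern(word: str, pattern: str, row: int) -> str:
    """Transform `word` with an algorithm string such as '^#*xA' for table row `row`.

    ^ # x each consume one character of the word; * and capital letters insert
    without consuming.  The rest of the word is appended as-is."""
    out: List[str] = []
    pos = 0  # index of the next unconsumed character of the word
    for token in pattern:
        if token == "*":
            out.append(str(row))            # insert the password (row) number
            continue
        if token.isupper():
            out.append(token)               # insert the capital letter itself
            continue
        if pos >= len(word):
            raise ValueError("pattern consumes more characters than the word has")
        ch = word[pos]
        pos += 1
        if token == "^":
            out.append(ch.upper())          # Shift key
        elif token == "#":
            out.append(LETTER_TO_KEY.get(ch.lower(), ch))  # number pad equivalent
        elif token == "x":
            out.append(ch)                  # no change
        else:
            raise ValueError(f"unknown token {token!r}")
    out.append(word[pos:])
    return "".join(out)


def build_table(entries: Sequence[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Rows of (label, word, password) for (word, algorithm letter) pairs, numbered from 1."""
    return [(f"{row}{alg}", word, apply_pattern(word, ALGORITHMS[alg], row))
            for row, (word, alg) in enumerate(entries, start=1)]


if __name__ == "__main__":
    words = [("southfield", "A"), ("september", "A"), ("president", "A"),
             ("costco", "A"), ("pocket", "B"), ("atomic", "B")]
    for label, word, password in build_table(words):
        print(f"{label:<4}{word:<14}{password}")
```

Applying the legend literally to row 2 gives S32pAtember rather than the S22pAtember printed in the table, because “e” sits on key 3; the other five rows reproduce the table exactly.  The point of the method is that the table of plain words can sit in plain view while the algorithm strings stay in your head.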


Password Card

What is it?

It is a credit-card-sized piece of paper with 8 rows and 29 columns of characters.

How to use it?

Cut the card out and keep it in your wallet; laminate it if you can.

Pick a starting point, like Green Diamond, and a number of characters, then read off your new secure password.
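The idea behind the card, as an added example that is not part of the post: the card is a grid of random characters, and the only thing you memorise is where to start reading, in which direction, and how many characters to take.  make_card draws an 8 by 29 grid with the secrets module; read_password walks from a start cell and wraps at the card edges.  Rows and columns are plain numbers here, whereas the post's card labels them with colours and symbols such as “Green Diamond”; that labelling is assumed, not taken from the page.

```python
import math
import secrets
import string
from typing import List

ROWS, COLS = 8, 29                       # card dimensions given in the post
ALPHABET = string.ascii_letters + string.digits   # 62 symbols, ~5.95 bits each

# Unit steps for each reading direction: (row delta, column delta).
DIRECTIONS = {"right": (0, 1), "left": (0, -1), "down": (1, 0), "up": (-1, 0)}


def make_card(rows: int = ROWS, cols: int = COLS, alphabet: str = ALPHABET) -> List[List[str]]:
    """Fill the grid from the OS CSPRNG; this is the secret you carry in your wallet."""
    return [[secrets.choice(alphabet) for _ in range(cols)] for _ in range(rows)]


def read_password(card: List[List[str]], row: int, col: int,
                  length: int, direction: str = "right") -> str:
    """Read `length` characters starting at (row, col), wrapping around the edges.

    The start cell, direction and length are the part you remember."""
    rows, cols = len(card), len(card[0])
    dr, dc = DIRECTIONS[direction]
    chars = []
    for i in range(length):
        chars.append(card[(row + i * dr) % rows][(col + i * dc) % cols])
    return "".join(chars)


def bits_of_entropy(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a password read off the card, assuming the card itself stays secret."""
    return length * math.log2(len(alphabet))


def format_card(card: List[List[str]]) -> str:
    """Render the grid as text, one row per line, for printing."""
    return "\n".join("".join(row) for row in card)


if __name__ == "__main__":
    card = make_card()
    print(format_card(card))
    print("password from row 2, column 5, 16 chars going right:",
          read_password(card, 2, 5, 16, "right"))
    print(f"about {bits_of_entropy(16):.0f} bits if the card is not known to the attacker")
```

Keeping two identical printed copies, as the shortcut list later suggests, is the backup plan: lose the wallet and the safe copy still reproduces every password that was read off the card.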


---Solutions---

Words into algorithms
Pass phrases
Password Card
LastPass
KeePass
Google Authenticator with LastPass
YubiKey with LastPass
YubiKey with KeePass

Shortcut to Security

1. Order a YubiKey with LastPass.

2. Print out 2 identical Password Cards.

3. Create a false ID and write it on the back of the Password Cards.

4. Laminate the cards.

5. Put one card in your safe and one in your wallet.

6. When you get the YubiKey, set up your LastPass account with a master password from your Password Card.  Spend an hour reading all of the documentation.

7. Put the YubiKey on your keyring.

8. Install LastPass on all of your computers and mobile devices.

9. Change every password you have to generated passwords from LastPass.