Archive for Monday, August 25, 2008

Strong passwords key to Internet security

Experts offer advice for creating complex codes that are easy to recall

August 25, 2008


On the street

Do you always use the same password, or do you come up with different ones?

I actually always use the same one. It’s two names put together. That way it’s nice and long.


Tips for creating safe passwords

• Use at least seven characters and include numbers, a special character like "&" and use both upper- and lowercase letters.

• Don't use simple words that refer to anything noticeable about yourself, like your spouse or child's name.

• Don't make it a word that appears in a dictionary.

• Use the first letter in words of a song lyric or phrase of something that will jog your memory, like "FfcBbc-08" for "Final Four college basketball champions 2008."

• If you write your password down, don't include any other personal information with it. Use a computer program that will encrypt and safely store passwords instead of just typing them in a Word document.

• Do not duplicate passwords.

Source: Kansas University IT security office

When Julie Fugett needs to log in to a Web site with a password, such as for her bank or credit card accounts, she hears music.

For example - this isn't one of her passwords - a fan of the band Journey might type in "Dsb!1hotTf".

It's the first letter of each word in the chorus to "Don't Stop Believin'" with a number and exclamation point included.

"People would look at that and say 'What on earth?' But to me, it means something because to remember my passwords, I sing a little song in my head," Fugett said.

It jogs her memory, and it's a method the Kansas University information security analyst recommends for creating secure and complex passwords to protect personal information and finances from computer hackers.

Selecting secure passwords - and finding a safe way to remember them - has become more important as more and more information is stored digitally, she said.

KU has similar guidelines that require students to change their passwords every semester on their school accounts. The passwords have to be complex: Seven characters with at least one being uppercase, at least one special character such as "&" and one number.

Accounts for school, banking, cell phones, credit cards, insurance, retirement assets and social networking sites all contain precious information.

It also can be inconvenient because it gives people a host of passwords they need to remember. It's frustrating when you can't remember a password, said George Martin, a KU freshman from Oak Park, Ill.

"I can only speak for my friends, but yeah, pretty much everybody keeps the same password so hopefully it won't get too complicated and they'll forget it," Martin said.

He'll vary them and add numbers and symbols on different accounts.

Fugett said it's very risky to use the same password over and over, especially on vital accounts.

"Some 'phishing' attacks are predicated on the notion that you use the same password for everything," Fugett said.

It can be difficult to remember too many passwords. If you have to write them down, she says, be smart about it and write only the password, not the login or any other information that could be helpful to snoopers.

Typing a password list in a word processor file is also a no-no, even if the file itself is protected by a password. Certain Web sites can crack those codes to open Microsoft Word files, for example, for $20, she said.

Instead, Fugett recommends locking your password list in a safe in your hard drive. Password Safe, an application, is free. It allows users to list passwords for their accounts, but the list is protected by one master password.

The master password protects the list, and it's also strongly encrypted, making it very difficult for anyone to crack, she said. Plus, it's much easier to have to remember one password instead of 10 or 15.

Her office receives calls sometimes from frustrated KU users who don't want to change their passwords to make them more complex, but that's better than having someone drain your bank account.

"The more complex it is, the more computationally expensive it is for a bad guy to crack it," Fugett said.

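The sidebar tips and the KU policy described above can be checked mechanically, and Fugett's point about cracking cost can be put in numbers. The following Python is an added example, not part of the original article or any KU tool; the function names and the small word list are assumptions made for illustration.

```python
import math
import string

MIN_LENGTH = 7  # "at least seven characters" in the tips above
# Constructed stand-in for a real dictionary file (assumption).
SAMPLE_WORDS = {"password", "basketball", "jayhawk", "journey"}

# Character classes the article's rules name, with their sizes.
CLASSES = [
    ("lowercase letter", str.islower, 26),
    ("uppercase letter", str.isupper, 26),
    ("number", str.isdigit, 10),
    ("special character", lambda c: c in string.punctuation, 32),
]


def policy_failures(password, words=SAMPLE_WORDS):
    """Return the rules from the article that this password breaks."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than seven characters")
    for name, test, _size in CLASSES:
        if not any(test(c) for c in password):
            failures.append("no " + name)
    if password.lower() in words:
        failures.append("dictionary word")
    return failures


def search_space_bits(password):
    """Upper bound, in bits, on blind brute-force work: length * log2(alphabet).

    The alphabet is the union of the character classes in use. A password
    built from a guessable pattern, or reused on a phished site, is far
    weaker than this ceiling suggests.
    """
    alphabet = sum(size for _n, test, size in CLASSES
                   if any(test(c) for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # The two example passwords printed in the article, plus one weak sample.
    for pw in ("Dsb!1hotTf", "FfcBbc-08", "jayhawk"):
        print(pw, policy_failures(pw), round(search_space_bits(pw), 1))
```

Each extra bit doubles the number of guesses a blind search needs, so the gap between the mnemonic passwords and a single lowercase word is a factor of many millions.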

Computer users generally want convenience, but security experts say if you're not careful your personal information could be at risk.


monkeyspunk 9 years, 7 months ago

"People would look at that and say 'What on earth?' But to me, it means something because to remember my passwords, I sing a little song in my head," Fugett said.

Umm, you show people your password? And you are an IT Security Analyst? Pretty basic stuff there Julie.

Soapdish 9 years, 7 months ago

Monkeyspunk - I think she meant that if someone were to ever know her password, they'd be baffled at it, not that she's finding random individuals and showing them her password. Pretty basic reading there, Monkey...

brainfreeze 9 years, 7 months ago

julie - you don't know how much i appreciate the journey reference at the beginning of this article. even from as far as texas, i can tell you haven't stopped believin'. great article, and miss all of you lawrencians! from tejas with love, brainfreeze

ronwell_dobbs 9 years, 7 months ago

As an REM fan I use the easy-to-remember mnemonic of "tg1swaebasaalbinae0thltytcwsiondsyonfi0aasgnstlstcwffdhwiafrsgaagfhaacs"

Bryan Moore 9 years, 7 months ago

I understand security but my company has three different computer systems or system areas (I don't know which I'm not an IT guy), one for logging into the local network to access your work, one for payroll/HR stuff and one for email/internet access. All three require passwords. Each password must be different from one another and must contain a combination of 8 - 11 letters and numbers but no punctuations, dollar signs, percentage signs, etc. No "runs" as they call them (1234abcd or even keyboard "runs" qwerty1) All passwords must be changed every 60 days and you can't use a password you've ever used in the past on any of the systems. So in 11+ years here I have now gone thru roughly 200 passwords and counting. I'm running out of addresses, dog names, songs, greek gods and swahili sur-names to base these things on. Try keeping 200 passwords in mind while trying to think up a new one. That doesn't even take into account the bank, 401k, phone company, gas company, electric company, DirecTV, retailer sites, newspaper sites etc that all want passwords! There has got to be a better way....though I have no idea what it is!

monkeyspunk 9 years, 7 months ago

I stand humbly corrected hail and soapdish thank you for pointing out my ignorance. Sorry Julie. Going to go back to my little hole now...

compmd 9 years, 7 months ago

arizona, I've worked on federal government computer systems that don't have such stringent password requirements; the one I use currently only makes sure you don't use one of your last three passwords in addition to fairly standard complexity requirements. I don't like forcing users to have to come up with new passwords all the time because this opens up the possibility that a user will say "screw this" and write his password on a sticky note and affix it to his monitor. There is such a thing as a reasonable policy that keeps users happy and systems safe.

Now, all that having been said, about half the time I sit down at a windows pc that I have never used before (but I know who owns it), I can guess one of the user passwords in less than 10 minutes. If I can't, I pop in a CD, reboot, and I get all its local account passwords and cached domain passwords in no more than 15 minutes. A lesson some people learn the hard way is that if an attacker has physical access to your machine, you must assume that any and all data (including passwords) have been compromised.

hail2oldku 9 years, 7 months ago

monkeyspunk (Anonymous) says:

"People would look at that and say 'What on earth?' But to me, it means something because to remember my passwords, I sing a little song in my head," Fugett said.

Umm, you show people your password? And you are an IT Security Analyst? Pretty basic stuff there Julie.

-----------------------------------------------------------------------

"For example - this isn't one of her passwords - a fan of the band Journey might type in "Dsb!1hotTf"."

Just for added emphasis - "this isn't one of her passwords" - Reading comprehension monkeyspunk - it's pretty basic stuff.

hail2oldku 9 years, 7 months ago

It's all good monkeyspunk. Glad to see you could take it the s#it giving fun I intended.
