The topic of computer passwords seems to have been discussed since the beginning of time. Well OK, maybe that’s a bit exaggerated, but it has been the center of attention in the world of computer security for a long, long time. Almost every person in your IT department advises you to create strong, complex and hard-to-guess passwords. So you can imagine how they cringe every time they walk past a cubicle and see a sticky note on the monitor with the user’s password written on it for everyone to see! It doesn’t matter if your password is 5 characters long or 17 characters long; it does you no good if other people also know it! You’ll be surprised at how many people fail to grasp that idea!
In this post, I will be talking quite a lot on this topic (yes, I know, it’s another discussion on it) and why you need to change the habit of creating weak and easy-to-guess passwords, especially when it comes to online sites that host some of your personal information.
I have to admit, though, that using passwords as an authentication mechanism is getting weaker and weaker by the day. What I mean is that with the super-fast processors being offered in your local computer store, and armed with the right tools and knowledge, a hacker can crack passwords pretty easily! That’s mainly because passwords are simply words or letters strung together in a certain way, which makes them pretty static. With these fast processors and computers, a hacker is capable of trying millions of password combinations in a second! But before we get into that, I want to briefly explain a couple of methods attackers use to crack your password.
First there is what is known as the ‘brute force’ method. As the name suggests, an attacker will simply force their way into your account by trying every single combination of letters, numbers and symbols in turn. For example, first he will try the lowercase letter ‘a’. If that doesn’t work, he will then try an uppercase ‘A’. If that fails, he might try the combinations ‘Aa’, ‘aA’ or ‘ab’, etc. As you can see, this isn’t the most efficient method, but do realize that the hacker isn’t typing all of this by himself/herself! There are tons of brute force password cracking utilities out there that do the job. At first you might think it will take a super long time before they can brute force their way into your account, but remember, a computer is capable of making millions of these guesses per second! Now your password of ‘Password’ doesn’t seem too strong, does it? With a brute force attempt, that password can be cracked almost instantly. Check out this awesome chart detailing how long it takes to crack a password given its length, the set of input characters and the computing power available. You’ll be surprised.
The next type of attack is called a ‘dictionary attack’. Again, as its name suggests, the attack is based on trying common words that users would pick as a password. For example, a lot of people like to use their pet’s name, ‘Spike’ or ‘Fluffy’, as a password. Bad idea. Or how about the people who think they are outsmarting the bad guys by using ‘Pa$$w0rD’ instead of ‘Password’? Wrong move once again. These are all common words (and common substitutions) loaded into a dictionary file, which is then used to guess the passwords. Usually, a dictionary attack is a good method to use first before moving on to brute force methods, because there is a high chance that the user’s password is based on a common word in the ‘dictionary’.
If you checked out the chart earlier, you’ll probably realize that the longer your password is and the more kinds of characters you use, the longer it will take to be cracked. If you use the 96-character set (mixed upper- and lowercase letters plus numbers and common symbols) with 8 characters or more, it will take 23 years for someone with a dual-core processor to crack it! 23 years! Of course, that time dramatically decreases as attackers deploy more computers to work together on the job, but as long as you add even more characters, you can defend yourself. The whole purpose is not to make an uncrackable password. That’s simply not possible. What we can do is make the attacker’s job that much more difficult.
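To see where numbers like the chart’s “23 years” come from, here is a small crack-time calculator. It is an added example, not code from the post or from the chart’s author: the keyspace is charset size to the power of the length, and the worst-case time is that keyspace divided by the attacker’s guess rate. The rate of 10 million guesses per second is my assumption for a single dual-core machine of that era; it happens to reproduce the 23-year figure for 8 characters from the 96-character set. The `dictionary_years` function goes a step beyond the post and shows why a dictionary attack is tried first: a wordlist times a set of mangling rules is tiny compared with the full keyspace.

```python
import math

# Character-set sizes of the kind the crack-time chart uses (sizes are standard, names are mine).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 96,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of that shape (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years for a brute-force attacker to try the entire keyspace at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def dictionary_years(wordlist_size: int, mangling_rules: int, guesses_per_second: float) -> float:
    """Years to try every wordlist entry under every mangling rule ('Pa$$w0rD'-style substitutions)."""
    return wordlist_size * mangling_rules / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(guesses_per_second: float, lengths=(6, 8, 10, 12)):
    """Rows of (charset name, length, entropy bits, years) for every charset/length pair."""
    rows = []
    for name, size in CHARSETS.items():
        for length in lengths:
            rows.append((name, length, round(entropy_bits(size, length), 1),
                         years_to_exhaust(size, length, guesses_per_second)))
    return rows


if __name__ == "__main__":
    RATE = 1e7  # assumed: 10 million guesses/s, one dual-core desktop of the post's era
    for name, length, bits, years in crack_time_table(RATE):
        print(f"{name:32} len={length:2} {bits:5.1f} bits  {years:12.3e} years")
    # A million-word list with a thousand mangling rules is exhausted in seconds, not years.
    print(f"dictionary (1e6 words x 1000 rules): {dictionary_years(1e6, 1000, RATE) * SECONDS_PER_YEAR:.0f} s")
```

Two caveats the table does not show: the years are for a password chosen uniformly at random, so a human-chosen password that happens to be in a wordlist falls on the dictionary row no matter how long it looks, and a GPU rig or botnet raises the guess rate by several orders of magnitude, which is exactly why adding length (each extra character multiplies the keyspace by 96) beats adding complexity.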
OK. So you saw how easily passwords can be cracked. Now you want to change that weak password you are using on that financial website or on that Ebay account. How in the world are you going to remember a password such as ‘V(kG=|85z
By using a password manager, you can confidently create super long, random passwords without the fear of not remembering them. How is this possible? Well, the concept is relatively easy to grasp. The password database holds all your cryptic passwords. In turn, that database is encrypted with a master password, which of course is the only one you need to remember. Obviously, the master password needs to be complex as well. The trick is, instead of creating a strong ‘password’, you should think of creating a strong ‘passphrase’. Occasionally you get a user or two who thinks they can’t come up with a strong password because they can’t think of an 8-10 character word! A passphrase is much easier to create and much easier to remember as well. You can use a phrase you use often but insert different numbers and symbols in certain places to make it unique. For example, you can use something like ‘$ILovE^^my((comPuter))’.
A free password manager I have been using is called KeePass Password Safe. Once you create your master password, you can rest assured that your database of passwords will be locked away and tightly guarded with really good encryption. Basically, without the master password, it will be next to impossible to get into your database. Therefore, you need to make sure you don’t forget the master password! This free application is really easy to use and I’ll go over it to get you started. The really good news is that this application is totally portable. This means that you can simply dump the database on your USB thumb drive and open it back up on any computer. It doesn’t need to be installed first. It just runs when you double-click on it. This way, you can safely log into the various websites on different computers. KeePass includes a host of other features which I won’t discuss, but for simplicity’s sake: once you enter your master password to unlock your database, you can freely create passwords using its random password generator, copy passwords to paste into the password field of your website (as a security measure, you have 10 seconds from the time you copied the password to paste it, otherwise it gets deleted from memory and you’ll have to copy it again), create new password groups and basically manage all the other security features of the program if you so wish.
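To make the “database encrypted with a master password” idea concrete, here is a minimal vault in Python. It is an added illustration of the concept, not KeePass’s file format, key derivation or cipher, and the constants (PBKDF2 with 100,000 iterations, a 16-byte salt and nonce, a 32-byte tag) are choices I made for the demonstration. The master passphrase is stretched with a slow key derivation function so that every guess against a stolen vault file costs the attacker 100,000 hash iterations, the entries are encrypted with an HMAC-SHA256 counter-mode keystream, and a MAC over the whole file means a wrong passphrase or a tampered file is detected instead of yielding garbage.

```python
import hashlib
import hmac
import json
import os

# Constructed parameters for this demonstration only (not KeePass's settings).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(master_passphrase: str, salt: bytes) -> bytes:
    """Stretch the master passphrase into 64 key bytes; the slow KDF is what makes
    offline guessing against a stolen vault expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven in counter mode as a PRF keystream (illustrative stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(entries: dict, master_passphrase: str) -> bytes:
    """Serialize the entries and encrypt-then-MAC them under the master passphrase.
    Layout: salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = derive_key(master_passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]        # separate keys for encryption and MAC
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def unlock_vault(blob: bytes, master_passphrase: str):
    """Return the entries, or None if the passphrase is wrong or the file was modified."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[:SALT_LEN]
    nonce = body[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = body[SALT_LEN + NONCE_LEN:]
    key = derive_key(master_passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time check before decrypting
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries; the passphrase is the post's own example.
    entries = {"bank": {"user": "alice", "password": "V(kG=|85z"}}
    vault = lock_vault(entries, "$ILovE^^my((comPuter))")
    print("unlocked:", unlock_vault(vault, "$ILovE^^my((comPuter))"))
    print("wrong passphrase:", unlock_vault(vault, "Password"))
    print("vault size:", len(vault), "bytes")
```

The point of the layout is that nothing in the file helps an attacker except by guessing the passphrase: the salt makes precomputed tables useless, the MAC key is derived from the same passphrase so a wrong guess fails the tag check, and a real manager adds the same ingredients on top of a standard block cipher. Forgetting the passphrase really does mean the data is gone, which is why the post insists on a memorable passphrase.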
You can download KeePass Password Safe from here.
# Decide which version of KeePass you need
If you plan on putting KeePass onto your USB thumb drive, download the portable version. If you are using this on your main computer, you can download the regular version. The portable version works either way and so that is why I’ll be using that version here. Once you have downloaded the file, extract the resulting executable file to a new folder.
# Creating a new database
Start up KeePass and you will be presented with a blank slate. Simply go to the File menu and select New. It will now ask you to create a master password to encrypt the entire database. Remember, if you lose or forget this password, you will never be able to get back into the database. It’s gone! Therefore, whatever you do, make a strong passphrase that you will remember.

Once you have verified the master password, you will then be presented with your database. KeePass by default has included some groups to help you better manage your passwords by category. You can freely delete them or add your own.

# Creating your secure passwords
Now you will begin to add entries to your database. Go to the Edit Menu and select the ‘Add Entry’ option. It is here that you will add an entry for your banking website. First, fill in the information. In the password field, you’ll want KeePass to help you generate a truly random password. So, click on the ‘Generate a Random Password’ button.

Here, you can customize the resulting password KeePass will generate for you. You can set the password length and which character sets will be included. Some websites are really picky about what types of characters are allowed in their users’ passwords. So, although you’ll want to use the special character set, your website might prevent you from doing so. In any case, create the password first and then try it out. If it doesn’t work, come back to this entry and generate another password without that character set. Another thing to remember is that you do not have to remember the resulting password! If the website allows you to create a password with a maximum of 25 characters, do it! You have nothing to lose!

If you are satisfied with the resulting password, simply hit the ‘Accept’ button to return to the main entry box with the newly created password filled in. Once you hit ‘OK’, that’s pretty much it! You now have an entry for your website. Repeat the steps to create entries for other websites or services you use that need a strong password.
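The generator dialog above boils down to three choices: length, which character classes to include, and what to do when a site rejects some characters. Here is the same logic in Python as an added example (mine, not KeePass’s generator): passwords come from the operating system’s CSPRNG via the `secrets` module, every requested class is guaranteed to appear at least once, and an `exclude` string drops individual characters a picky site refuses (quotes, say) without giving up the whole special-character class. The class names and the default 25-character length are my choices.

```python
import secrets
import string

# Character classes mirroring the generator's check boxes (names are mine).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
DEFAULT_CLASSES = ("upper", "lower", "digits", "special")


def generate_password(length: int = 25, classes=DEFAULT_CLASSES, exclude: str = "") -> str:
    """Generate a random password containing at least one character from every
    requested class. `exclude` removes characters a site rejects (e.g. quotes)."""
    if length < len(classes):
        raise ValueError("length is shorter than the number of required classes")
    pools = [[c for c in CLASSES[name] if c not in exclude] for name in classes]
    for name, pool in zip(classes, pools):
        if not pool:
            raise ValueError(f"class {name!r} has no characters left after exclusions")
    alphabet = "".join("".join(pool) for pool in pools)
    # One guaranteed pick per class, then fill the rest from the whole alphabet;
    # secrets.choice draws from the OS CSPRNG, unlike random.choice.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Shuffle so the guaranteed characters do not always sit at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password: str, classes=DEFAULT_CLASSES, exclude: str = "") -> bool:
    """Check that a password uses every requested class and none of the excluded characters."""
    if any(c in exclude for c in password):
        return False
    return all(any(c in CLASSES[name] for c in password) for name in classes)


if __name__ == "__main__":
    # A site that allows 25 characters but rejects quotes and backslashes.
    pw = generate_password(25, exclude="\"'\\")
    print(pw, meets_policy(pw, exclude="\"'\\"))
    # A site that forbids special characters entirely: drop the class, keep the length.
    pw = generate_password(20, classes=("upper", "lower", "digits"))
    print(pw, meets_policy(pw, classes=("upper", "lower", "digits")))
```

The check in `meets_policy` is worth keeping even though the generator guarantees it: it is the same test you would run on a password a user typed by hand, and it is how you confirm that a regenerated password without the special class still has upper, lower and digit characters in it.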
# How to enter your passwords on the websites
Because you most likely already have an existing password for the website or service you use, you’ll need to first log in to that site and find the option in your profile to change your password.
Now, all you need to do is open up KeePass, type in your master password to decrypt the database, right-click on the correct entry and select ‘Copy Password’. You will now have 10 seconds to go back to the password screen of your website and paste it (Ctrl+V) into the password field. Once the 10 seconds expire, the copied password will be completely wiped from your computer’s memory. You can test this out by trying to paste the password again after 10 seconds. You won’t be able to.


# Exiting KeePass
You will need to save your database after making entries to it, so after you have made the changes, click on File and Save. It will ask you where you want to save the database file; I usually recommend you save it back into the same folder where you stored the KeePass executable file. If this is on a USB thumb drive, make sure to save it back on your thumb drive! The resulting KeePass folder will have three files: your KeePass executable to start the program, your main database file, which is heavily encrypted with your master password, and a configuration file. When you are completely done with KeePass, select the ‘Exit’ option from the File menu.

That’s all there is to it! Anytime you want to log in to that website, fire up KeePass and copy the password into the password field. You don’t have to remember one character! That’s the advantage of having a password manager like KeePass. However, the drawback is that anytime you want to log in, whether it be on your main home computer or on another computer that is not maintained by you, you will always need to open up KeePass first. Actually, you really can’t call this a drawback, because it is keeping you much safer, so you’ll have to sacrifice something for the fact that you don’t have to remember any of those passwords! With the portable version, you can safely use KeePass on another computer, even if it is not owned by you, and not have to worry, because KeePass keeps everything encrypted and will never leave any trace on the computer even after you are done.
In my opinion, you should use KeePass to help you manage ‘only’ websites or services that contain your personal and sensitive information. I highly doubt that you want to open up KeePass every time just so you can login to a website to check out some sports schedule. Even if someone breaks into your account (very unlikely), there really isn’t much to steal. But when it comes to sensitive information like your social security number, debit/credit card numbers, address or PIN numbers, you have a lot more to lose if someone were to break in. Using KeePass with strong random passwords can go a long way.
You also have to remember that passwords are static by nature. All they consist of are letters, numbers and symbols. It is your job to make them as difficult as possible for the attackers. Once you’ve stalled them long enough (I’m sure 20+ years is enough!), you’ll no doubt have changed the password by that time. Therefore, is your password crackable? Of course! But will it actually matter by the time they do? Probably not.

I keep meaning to change most of my passwords as I have been using the same passwords for quite some time, never liked software which logs your passwords though, always been afraid of them. But I guess it’s more secure than my text file :p
Yeah, I know exactly what you mean. For paranoid users, they have no choice but to use offline password managers like KeePass. I got tired of all the copying and pasting and that’s why I made the switch to LastPass.
You really want to think about doing the same. Even with a free account of LastPass, you can enable the multi-factor grid authentication security feature, where you get to print out a grid of characters and numbers designed specifically for you. Before being able to get access to your account, the user must enter in the correct numbers/letters from the grid, which only you physically possess. | http://bit.ly/pFkJLp