• A Password Security Theory


    A good password is difficult to come up with. You want it to be memorable, but not easy to guess; fast to type, but not easy enough that someone watching can figure it out; short, but long enough that cracking it would take a long time. Its often a tradeoff between convenience and security - so how can we better manage this?

    We all have our own idea of what a good password is - but when it comes to choosing a password, you usually have to adapt to someone else's rules. Some common ones are:

    • Minimum number of characters (usually 6 or 8 characters)

    • Use of characters - must have at least one of each uppercase, lowercase, numbers, symbols

    • Can't be a dictionary word

    • Can't contain your username

    • Can't be a previously used password

    • Must be changed every 90 days


    You can't use the same password for everything; sooner or later complexity requirements will make your password invalid. You don't want to remember 50 different passwords, and you don't want to write them all down. Perhaps a tradeoff is the way to go.

    Password Security Zones


    You can probably divide your logins into a few distinct areas. We'll look at three example "password security zones" to see what they might be used for.

    If each zone has its own password, we can limit the number of passwords we need to remember, and maintain higher levels of security for important things, and lower levels of security for the less important things. It's a good compromise between having a separate password for each account, and the same password for everything.

    High Security Zone


    Your most important services live here. These will be services that could cause financial loss or major problems if they were compromised. You need to think "What is the worst case scenario if someone got into this account?". In this zone, you'll want a strong password (see below), and I wouldn't recommend saving the password in your browser. You also shouldn't write the password down anywhere - you need to memorise it. Depending on the account, this might be the one time its worth having different passwords for each account - or at least variations.

    If the provider offers it, use a Security Token. These add complexity, but ensure nobody will be logging into the account without physical access to the token.

    When accessing the account, make sure you're using a trusted computer. If you think the computer might have a virus or malware of any kind, don't log in. Malware can be used to harvest account details - so using an untrusted computer is like shouting your ATM PIN out loud as you enter it into the machine while a group of suspicious looking characters watch.

    Accounts in this zone might include:

    • Online banking

    • Share trading

    • PayPal


    Medium Security Zone


    This is where your day to day accounts belong. Again, you have to consider the worst case scenario. These services probably have some personal data, but nothing you couldn't get out of a phone book or by doing some basic investigation. There probably won't be enough here to cause you any serious trouble if someone maliciously gets into the account, but it would still be a problem for you. You might log into these accounts from any old computer, but you'd want to log out of the site afterwards.

    Accounts in this zone might include:

    • Email

    • Apple ID

    • Shopping sites with saved shipping/contact details

    • Facebook

    • eBay


    Low Security Zone


    Low security accounts are the ones that don't contain anything of any value. The consequence of losing the account is minimal. These are the accounts where you wouldn't even bother logging out, and would let your browser save the password. You'd use them on any computer without much concern, and probably wouldn't care if someone watched you type in the password.

    • Forum site accounts (except MacTalk, of course)

    • Digg/Reddit/YouTube accounts

    • Throwaway email accounts

    • Miscellaneous sites that force registration


    Creating Strong Passwords


    Things you'll want to avoid in a password:

    • Any dictionary word

    • Any variation on a dictionary word (including substituting numbers for letters)

    • Patterns of characters (for example, alphabetic patterns "a1b2c3d4e5" or key placement patterns like "qazwsxedc")

    • Names, places, birthdays and ages

    • Usernames or part of the username

    • Repeating characters




    That rules out most basic passwords - so what next? Phrases. The trick here is to come up with a meaningful phrase, then cut it down to a jumble of characters that can form a password. The logic behind this method is that a meaningful phrase is easier to remember than a random jumble of letters. Let's try some examples:

    Phrase: Seinfeld is the greatest show ever made
    Password: sitgsem

    The problem here is the password is all lower case letters, and is only 7 characters in length. It's a pretty lousy password, and the Mac's built in Password Assistant tool agrees (see right).



    Let's add some numbers and punctuation, and a capital letter. The more randomness of characters we can add, the less predictable a password will be.

    Password: Sitgs3m.

    On paper, this password is pretty meaningless. For the owner (and anyone that knows the phrase we based it on), it's meaningful. The Mac's Password Assistant tool tells us this is considerably better.

    Let's try something more secure still by simply making the original phrase longer. Longer passwords take more time to crack - since each additional character could be any one of

    Phrase: I am the very model of a modern major general
    Password: 1atvmoamMG!

    These passwords aren't perfect, but they're certainly a good compromise. They're at least 8 characters, mean something only to the person that created them, and contain a mix of uppercase, lowercase, numbers, and punctuation.

    Variations


    Even with a strong password, you'll sometimes find a site that doesn't allow you to use certain characters, or might insist on having two capital letters. This is where things start to get messy. Generally, an 8 character password like above will be fine for the majority of sites - but if you have to satisfy another password requirement, a variation on the existing password might help you out.

    Variations allow you to stick to the same password (which you remember) and add something extra just to satisfy the password complexity requirement.

    For example, a site that requires at least two capital letters, or a 10 character password:

    Password: SItgs3m.
    Password: Sitgs3m.01

    Checking Your Password


    Unsure how strong your password is? Mac OS has a built in tool for generating and checking password strength (as seen in the examples above). You can access it a number of ways, but the easiest way is to open Keychain Access (found in /Applications/Utilities/), and select File -> New Password Item. Next to the Password field, click the key icon. The Password Assistant window will appear. Enter your current password to see an indication of its strength, or generate a random password using the popup menus and length slider.

    Storing Your Password


    With all these passwords and variations, you're probably tempted to start writing them down. Before you do this, consider creating an encrypted disk image of text files instead.

    This might seem like a bad idea, but if you do things right, it should be reasonably safe. The disk image should have a High Security Zone password, and be kept on a trusted computer. Create a text file for each account, and add any account details. Don't store the password, but rather a reference to it and any modification you've made.

    For example, a text file with your eBay password might contain:

    eBay Username: billsmith
    Password: medium + EB

    As long as you remember your medium security zone password, you can figure out what this means. If you forget to unmount the disk image, or someone manages to get a copy of the file, its fairly useless unless they know the password the hint was based on.

    Again, this is a compromise - but if it comes down to writing your account details on a series of Post-It notes, or having them in an organised secure disk image, I'd consider it a win for security.

    Further Reading


    Wikipedia - Password

    Wikipedia - Password cracking

    LockDown - Password Recovery Speeds
  • Dropdown

  • New Forum Posts

    avolve

    How important is getting an iPad with more storage?

    I had a 16GB iPad 1, and found it limiting. I now have a 64GB mini and never come close to filling it up (really like the size). A 32GB might be a happy

    avolve Today, 01:55 PM Go to last post
    MrJesseRoss

    mResell Australia's first second-hand Mac retailer?

    LOL no wonder they joined up then stopped replying. Buy refurbished computers in great condition from Apple - mResell.com.au

    Macworld trying

    MrJesseRoss Today, 01:49 PM Go to last post
    CrypticSquared

    Will Applecare fix my 5S Screen?

    I started with an iPhone 4s for 24 months and am now using an iPhone 5s. I used one otterbox commuter case on the 4s and dropped it a ton of times with

    CrypticSquared Today, 12:39 PM Go to last post
    Oldmacs

    Will Applecare fix my 5S Screen?

    Applecare + wasn't it? I recall it was released with the 4S but never came here? I tell you I'd buy it... having smashed my iPad twice, paying $279 both

    Oldmacs Today, 11:55 AM Go to last post
    Oldmacs

    How important is getting an iPad with more storage?

    I keep a lot of photos on my iPad.. i have an iPad 2 in 64 GB and I've got about 10 GB free to sync music on and off. I don't use iCloud to save space

    Oldmacs Today, 11:47 AM Go to last post
    Jinkst

    How important is getting an iPad with more storage?

    I had a 64GB iPad which I would find myself putting extra media and apps on that I would just never use for the sake of it. Once iCloud came about I downgraded

    Jinkst Today, 11:31 AM Go to last post
    The_Hawk

    Will Applecare fix my 5S Screen?

    Wasn't there some deal (at least in the states) which covered physical damage under AppleCare? Essentially covering the cost of the screen as an incentive

    The_Hawk Today, 11:02 AM Go to last post
    The_Hawk

    How important is getting an iPad with more storage?

    Video. For me it's video. Loading more and more eats up space quicker than a quick thing doing quick stuff.

    I found that I was always pushing

    The_Hawk Today, 11:00 AM Go to last post
    Oldmacs

    Will Applecare fix my 5S Screen?

    Apple can be nice and make exceptions but I wouldn't count on it

    Oldmacs Today, 09:31 AM Go to last post
    Geoff3DMN

    How important is getting an iPad with more storage?

    I don't find that the iPad mini is less useful for me than the full size iPad (we have both) with the sole exception of magazines, the text is too small

    Geoff3DMN Today, 09:12 AM Go to last post