Computers in Libraries, Vol. 34 No. 2, March 2014
PRACTICAL TECHNOLOGY
How to Use Better and Stronger Passwords for Yourself and Your Patrons
by Jessamyn West

While many of us will never be the victim of identity theft or credit card fraud, these occurrences are becoming more commonplace. While not entirely avoidable (even by people who do not interact or shop online), our exposure can be reduced by taking a few steps to make ourselves safer. I’m still living in a part of the country where people are learning to create their first passwords or are purchasing their first items online. Context-lacking, oogy boogy, “You are never truly safe!” messages do not help people make practical and personal choices about risk assessment versus convenience. You are never truly safe in the bathroom either, but we still manage to take showers and floss. It’s all about balance and trying to find the sweet spot that works for you personally. There is no right answer that will work for all people; there are, however, better techniques.

Why Now More Than Ever?

Recent high-profile hacks have made it clear that the “hope it won’t happen to you” approach to password security is not a winning strategy. We need to learn to balance security, privacy, and common sense. I’m no paragon of virtue here. I have been known to have my password hint be something similar to “password is W0mb@ts” for sites I didn’t care about, security-wise. Since the Adobe hack in October 2013, where not just password data but also password hints were compromised, this dopey cheat needs to be retired. There is also a cascading effect. If you use logins and passwords in multiple places and more than one of these places is compromised, people could triangulate this information to gain more access than you’d think they’d have.

Creating a Secure Password

Most people pick truly terrible passwords. This is one of the reasons that websites have evolved to force people into choosing better passwords. Every time you are grumpy because you are forced to create a password that has to have one uppercase letter and one special character, remember that the most popular password revealed in the Adobe hack was 123456, and the third most popular one was password. I do some work for Open Library. We loan out thousands of books a day using Adobe’s digital rights management (DRM) scheme. All our users have Adobe passwords. If you use Adobe Digital Editions for your lending, your users do too.

Here are general rules of thumb for good password creation:

  • Have a flexible approach that will allow you to create memorable passwords for sites that may have multiple different or conflicting constraints.
  • Do not use dictionary words in any language, “runs” of numbers or letters (12345, 112211, and QWERTY), backward words, or words with @ instead of a (m@pl35yrup).
  • Avoid using anything that’s super linkable to you (pets or kids’ names or birthdates especially).
  • Do not use the name of the product or website you are creating a password for (No. 9 on the Adobe list of most popular passwords was photoshop).
  • Change your passwords regularly. Since many websites will require you to do this, have a method for having alternate passwords that you can both create and remember.

One of my additional guidelines is that I have unique and more secure passwords for anything that has money or private personal information (health, Social Security number, and email) linked to it. I use Adobe products, but the password I used for that site bears no resemblance to passwords to anything I care about.

Socially Engineered Hacking

When Mat Honan, senior writer for WIRED, was hacked in a high-profile manner and had his hard drive remotely wiped, hackers used social engineering—manipulating people to gain access or information—to get Amazon and Apple to reveal small pieces of information that the hackers combined to gain access to his accounts and ultimately his computer. They didn’t even need to know his password; they just needed to know how to remotely reset it using the procedures the big websites used. Honan had a number of accounts that were all linked together. He had not made recent backups and was a high-profile, and therefore attractive, target.

There is a Wikipedia article about me. People can look up my mother’s maiden name and make a pretty good guess at the name of my first school and other personal information about me. Sites that have security questions that rely on “answers only you would know” sometimes only offer simplistic, guessable, or overly vague questions. If you have the option to write a question yourself, take full advantage of this. Otherwise, consider using an “answer” that is not factual but is one that you can remember. An example from an article espousing this idea is:

Question: What’s your husband’s mother’s name?

Answer: banana bread

Of course, this example is only as good as your memory for whatever nonsense answer you picked, and you have to either be very consistent or write things down.

Speaking of writing things down, it’s usually looked upon as the cardinal sin of password security. As someone who has spent a lot of time trying to help people recover passwords that they don’t even recall creating much less remember—turning a 30-minute tech support problem into a 90-minute one—I advocate for the sensible writing down of information. Many of the older people I work with keep a small book where they write down the website address and a password hint for it. Usually, this can at least get them started. Having a list of passwords at your desk at work is a large security risk. Keeping a hint to your password in a book you keep on you is a lower risk and often one worth taking for people who are otherwise bewildered by passwords.

Extra Security—Password Vaults, Two-Step Authentication

For many people, the idea of a password or passphrase vault is useful. In this scenario, you have one super secure password or passphrase that locks the vault, and you keep a secure list of your other passwords within it. Many software programs that offer this functionality (1Password, LastPass, and KeePass) can also autofill webpages on your computer, tablet, or phone with saved passwords. They can also generate secure passwords that meet each site’s requirements. Often, people who use these tools don’t even know their passwords; they are simply input automatically for them. Of course, this process is only as secure as your vault of passwords, so if you forget your passphrase or it gets compromised, it’s a much larger problem than one guessed password would be.

Google, Apple, eBay, and other sites offer two-step authentication as a login option. I use this for my Gmail account. On my home computers and other computers I consider “safe,” I log in as usual. When I log in someplace where I haven’t logged in before, Google prompts me for a code that I can get from an app on my phone. Alternatively, if I don’t have my phone, I have a printed list of emergency passwords I can use. Sites or applications that require Google authentication (instant-message chatting with a non-Google Talk client, for example) require a one-time password that Google generates for you. For things that you’d like to keep really secure and can deal with a bit of extra hassle, this is a good option.

Creating a (More) Secure Environment

If you have an OPAC, your users have passwords. Are you concerned with password security? You can make password-guessing attempts significantly harder by taking a simple step: add a time delay between sign-in attempts. This can be strengthened further by imposing a penalty after a number of incorrect login attempts.

This chart from Thomas Baekdal illustrates how even a simple password can become more secure on a system with delays used as part of the login process.
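As an added example (not code from the article or from Baekdal), here is a per-account sign-in throttle of the kind described above: a fixed delay between attempts plus a lockout after a run of failures, with a simulation that counts how many wrong guesses per day the policy lets through, which is the effect the chart illustrates. The policy values (5-second delay, 5 failures, 15-minute lockout) and the "patron" account name are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

@dataclass
class LoginThrottle:
    """Per-account throttle: a minimum delay between sign-in attempts, plus a
    longer lockout once consecutive failures reach a threshold (assumed values)."""
    delay: float = 5.0          # seconds that must pass between two attempts
    max_failures: int = 5       # consecutive failures that trigger the penalty
    penalty: float = 900.0      # lockout in seconds once the threshold is hit
    _failures: Dict[str, int] = field(default_factory=dict)
    _last: Dict[str, float] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def wait_time(self, user: str, now: float) -> float:
        """Seconds until `user` may try again; 0.0 means an attempt is allowed."""
        earliest = max(self._locked_until.get(user, 0.0),
                       self._last.get(user, -self.delay) + self.delay)
        return max(0.0, earliest - now)

    def attempt(self, user: str, now: float,
                verify: Callable[[], bool]) -> Tuple[bool, float]:
        """Run one sign-in attempt. `verify` performs the real credential check
        and is only called when the throttle allows it. Returns (accepted, wait)."""
        wait = self.wait_time(user, now)
        if wait > 0:
            return False, wait                  # refused before any check runs
        self._last[user] = now
        if verify():
            self._failures.pop(user, None)      # success clears the failure run
            return True, 0.0
        count = self._failures.get(user, 0) + 1
        if count >= self.max_failures:
            self._locked_until[user] = now + self.penalty
            count = 0                           # the lockout itself is the penalty
        self._failures[user] = count
        return False, self.wait_time(user, now)

def attempts_per_window(throttle: LoginThrottle, window: float) -> int:
    """Simulate nonstop wrong guesses against one constructed account and count
    how many the policy lets through within `window` seconds."""
    now, count = 0.0, 0
    while now < window:
        _, wait = throttle.attempt("patron", now, lambda: False)
        if wait <= 0:
            raise ValueError("no delay configured: attempts are unbounded")
        count += 1
        now += wait
    return count
```

With the assumed values, one account can receive 470 wrong guesses in a day; with the delay alone and no lockout it is 17,280, and with neither the number is limited only by server speed.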

Similarly, give some thought to what sort of passwords your website requires and what restrictions you place on password creation. Can people reset their own passwords? Are the passwords for your OPAC initially something such as the last four digits of your patrons’ phone numbers? Are they stored in plain text on your server? Do you require your users to reset their passwords regularly? Do you require new passwords to be different from their current or past passwords? What can you do to make the password situation more secure?

With your public access computers, are your browsers set to save stored passwords? Do you wipe the cookies and caches on a regular basis? If a person walks away from a computing session without logging out, will the session reset or can someone sit down right after him and pick up where he left off? Do you prompt users to log out from what they are working on?

We have many different types of patrons, from the very security-minded Wi-Fi users to the novice password creators getting their first email addresses. We should not only be encouraging good password choices for our patrons, but also modeling them with whatever login schemes we require.

RESOURCES

Scan Your Permissions
mypermissions.org

Socially Engineering Passwords
lifehacker.com/5932501

Analysis of the Adobe Hack
j.mp/1iCoomj

Was My Adobe Account Hacked?
lastpass.com/adobe

“Using Snapchat to Compromise Users”
diyevil.com/using-snapchat-to-compromise-users

“The Top 50 Woeful Passwords Exposed by the Adobe Security Breach”
j.mp/1dJktjS

“Lie to Yourself for Better Security”
j.mp/1dykF5j

“How Apple and Amazon Security Flaws Led to My Epic Hacking”
j.mp/1lzcFoj

“Passphrase Vaulting”
j.mp/19XrSdY

“The Usability of Passwords” by Thomas Baekdal
j.mp/1exf1yS

United States Computer Emergency Readiness Team—Securing Your Browser
us-cert.gov/publications/securing-your-web-browser


Jessamyn West is director of operations at MetaFilter.com and is support staff at Open Library. Her blog is librarian.net.