How to Use Better and Stronger Passwords for Yourself and Your Patrons
by Jessamyn West
While many of us will never be the victim of identity theft or credit card fraud, these occurrences are becoming more commonplace. While not entirely avoidable (even by people who do not interact or shop online), our exposure can be reduced by taking a few steps to make ourselves safer. I’m still living in a part of the country where people are learning to create their first passwords or are purchasing their first items online. Context-lacking, oogy boogy, “You are never truly safe!” messages do not help people make practical and personal choices about risk assessment versus convenience. You are never truly safe in the bathroom either, but we still manage to take showers and floss. It’s all about balance and trying to find the sweet spot that works for you personally. There is no right answer that will work for all people; there are, however, better techniques.
Why Now More Than Ever?
Recent high-profile hacks have made it clear that the “hope it won’t happen to you” approach to password security is not a winning strategy. We need to learn to balance security, privacy, and common sense. I’m no paragon of virtue here. I have been known to have my password hint be something similar to “password is W0mb@ts” for sites I didn’t care about, security-wise. Since the Adobe hack in October 2013, where not just password data but also password hints were compromised, this dopey cheat needs to be retired. There is also a cascading effect. If you use logins and passwords in multiple places and more than one of these places is compromised, people could triangulate this information to gain more access than you’d think they’d have.
Creating a Secure Password
Most people pick truly terrible passwords. This is one of the reasons that websites have evolved to force people into choosing better passwords. Every time you are grumpy because you are forced to create a password that has to have one uppercase letter and one special character, remember that the most popular password revealed in the Adobe hack was 123456, and the third most popular one was password. I do some work for Open Library. We loan out thousands of books a day using Adobe’s digital rights management (DRM) scheme. All our users have Adobe passwords. If you use Adobe Digital Editions for your lending, your users do too.
Here are general rules of thumb for good password creation:
- Have a flexible approach that will allow you to create memorable passwords for sites that may have multiple different or conflicting constraints.
- Do not use dictionary words in any language, “runs” of numbers or letters (12345, 112211, and QWERTY), backward words, or words with @ instead of a (m@pl35yrup).
- Avoid using anything that’s super linkable to you (pets or kids’ names or birthdates especially).
- Do not use the name of the product or website you are creating a password for (No. 9 on the Adobe list of most popular passwords was photoshop).
- Change your passwords regularly. Since many websites will require you to do this, have a method for creating alternate passwords that you can also remember.
One of my additional guidelines is that I have unique and more secure passwords for anything that has money or private personal information (health, Social Security number, and email) linked to it. I use Adobe products, but the password I used for that site bears no resemblance to passwords to anything I care about.
Socially Engineered Hacking
When Mat Honan, senior writer for WIRED, was hacked in a high-profile manner and had his hard drive remotely wiped, hackers used social engineering—manipulating people to gain access or information—to get Amazon and Apple to reveal small pieces of information that the hackers combined to gain access to his accounts and ultimately his computer. They didn’t even need to know his password; they just needed to know how to remotely reset it using the procedures the big websites used. Honan had a number of accounts that were all linked together. He had not made recent backups and was a high-profile, and therefore attractive, target.
There is a Wikipedia article about me. People can look up my mother’s maiden name and make a pretty good guess at the name of my first school and other personal information about me. Sites that have security questions that rely on “answers only you would know” sometimes only offer simplistic, guessable, or overly vague questions. If you have the option to write a question yourself, take full advantage of this. Otherwise, consider using an “answer” that is not factual but is one that you can remember. An example from an article espousing this idea is:
Question: What’s your husband’s mother’s name?
Answer: banana bread
Of course, this example is only as good as your memory for whatever nonsense answer you picked, and you have to either be very consistent or write things down.
Speaking of writing things down, it’s usually looked upon as the cardinal sin of password security. As someone who has spent a lot of time trying to help people recover passwords that they don’t even recall creating much less remember—turning a 30-minute tech support problem into a 90-minute one—I advocate for the sensible writing down of information. Many of the older people I work with keep a small book where they write down the website address and a password hint for it. Usually, this can at least get them started. Having a list of passwords at your desk at work is a large security risk. Keeping a hint to your password in a book you keep on you is a lower risk and often one worth taking for people who are otherwise bewildered by passwords.
Extra Security—Password Vaults, Two-Step Authentication
For many people, the idea of a password or passphrase vault is useful. In this scenario, you have one super secure password or passphrase that you use and keep a secure list of your passwords within the locked vault. Many software programs that offer this functionality (1Password, LastPass, and KeePass) also allow you to autofill webpages on your computer, tablet, or phone with saved passwords. They can also generate secure passwords that meet each site’s requirements. Often, people who use these tools don’t even know their passwords; they are simply automatically input for them. Of course, this process is only as secure as your vault of passwords, so if you forget your passphrase or it gets compromised, it’s a much larger problem than one guessed password would be.
Google, Apple, eBay, and other sites offer two-step authentication as a login option. I use this for my Gmail account. On my home computers and other computers I consider “safe,” I log in as usual. When I log in someplace where I haven’t logged in before, Google prompts me for a code that I can get from an app on my phone. Alternatively, if I don’t have my phone, I have a printed list of emergency passwords I can use. Sites or applications that require Google authentication—instant message chatting with a non-Google Talk client for example—require a one-time password that Google generates for you. For things that you’d like to keep really secure and can deal with a bit of extra hassle, this is a good option.
Creating a (More) Secure Environment
If you have an OPAC, your users have passwords. Are you concerned with password security? You can take simple steps to make password hacking attempts significantly more complicated by adding a time delay between sign-in attempts. This can be further enhanced by adding a penalty after a number of incorrect login attempts.
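The delay-plus-penalty idea, as an added example that is not part of the original article or of any particular OPAC: each failed attempt forces a short wait, and once an account passes a failure threshold the wait grows (doubling, up to a cap). The `check_credentials` callback and the injectable clock are assumptions made so the throttle can sit in front of whatever login routine the catalog already has.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account sign-in throttling: a fixed delay after every failure plus a
    growing lockout penalty once too many consecutive failures pile up."""

    def __init__(self, base_delay=2.0, max_failures=5, penalty=60.0,
                 max_penalty=3600.0, clock=time.monotonic):
        self.base_delay = base_delay      # seconds to wait after any failed attempt
        self.max_failures = max_failures  # consecutive failures before the penalty applies
        self.penalty = penalty            # lockout length, doubled for each further failure
        self.max_penalty = max_penalty    # cap so a flood of failures cannot lock an account forever
        self.clock = clock                # injectable so tests do not have to sleep
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.blocked_until = defaultdict(float)  # account -> clock time when attempts resume

    def retry_after(self, account):
        """Seconds the caller must still wait, or 0.0 if an attempt is allowed now."""
        return max(0.0, self.blocked_until[account] - self.clock())

    def attempt(self, account, password, check_credentials):
        """Return (ok, retry_after). The password is only checked when the account is
        not throttled, so each extra guess costs waiting time rather than being free."""
        wait = self.retry_after(account)
        if wait > 0:
            return False, wait
        if check_credentials(account, password):
            # Success clears the failure history for this account.
            self.failures.pop(account, None)
            self.blocked_until.pop(account, None)
            return True, 0.0
        self.failures[account] += 1
        n = self.failures[account]
        delay = self.base_delay
        if n >= self.max_failures:
            delay = min(self.penalty * 2 ** (n - self.max_failures), self.max_penalty)
        self.blocked_until[account] = self.clock() + delay
        return False, delay
```

Counting failures per account (rather than per client address) means a remote guesser cannot evade the penalty by switching addresses; pairing it with a per-address limit is the usual next step.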