Feb 06, 2013

Password Security Tips and Best Practices

As our workforce grows increasingly mobile, it's more important than ever to make sure you secure your passwords to keep the data you access on your laptop, your cell phone, or anywhere else, safe and sound. Rapid7 Community Manager Patrick Hellen shares some password security tips to help you keep your accounts uncompromised.

Video Transcript

Hi, welcome back to Whiteboard Wednesday. I'm Patrick Hellen. I'm the community manager here at Rapid7. This week, we're talking about Password Hygiene. Many of you might have seen that just this week, on last Friday actually, Twitter released a notification that over 250,000 people's passwords had been leaked due to some sort of hack. They're not exactly releasing more information on that yet. But we thought this was a timely time to go out and actually say, "Hey, here's what password hygiene means to us. Here's what it theoretically should mean to you."

First thing, I'm going to give you a stat - and by stat I'm being very, very, very loose with it - roughly around 40% of people who use mobile devices have no passwords on them. So if you have a cellphone and you don't have a lock on it, you don't have a password itself, a PIN or one of those cool pattern locks, time. Right? Time to click it on.

Let's go right down the list. We've got five points. Number one, length and complexity, so for those of you out here who remember the LinkedIn breach, where millions upon millions of passwords were released, the problem with that is that a lot of them ended up being things like, LinkedInPassword1, or LinkedIn1234, which as easy as that might be to remember, is definitely not good from a password security standpoint.

Let's assume that having a harder password just makes it so you're more likely to not get hacked. If people want to get in there they're going to get in there. But let's assume for now. So, for length and complexity what we're saying is, use something that's not necessarily a dictionary word. If you've got something that's very strange and very random, please do that. Celtic things like Klingon, if you're so inclined, those things are not found in the dictionary. So it's much easier for them to be used in your own password, if you can remember them, and much harder for a password cracker to destroy it, because it doesn't have an actual easy way of referencing it.

As far as the complexity is concerned, using characters like as if Q*bert is swearing at you right here, using these types of characters, including the interrobang - best character ever - using stuff like that actually allows you to be in a position of more complexity than the average. Because not only does a password cracker or someone actually actively trying to break in have to go through all the normal dictionary words. They have to then go through all the variations of those dictionary words with things like the E replaced by a three, etc. I will say that one of the best pieces of advice for a mobile device, which I've heard lately, is that if you use your password on your mobile device including some of these special characters - or perhaps a foreign word with an accent or tilde on it - it's almost impossible for people to guess it.

Number two, do not repeat your passwords. I have definitely been guilty of this in the past, where I have one very, very easy to remember password, where it gets to the point that it's almost muscle memory to type it in. In those cases, if you use it on multiple sites, hey, who's going to actually get to it? Probably not a big deal.

The problem is that if you remember the Wired article that just came out not too long ago, Matt Honan, one of the writers for Wired, actually had someone successfully hack into almost all of his accounts by being able to get to his Gmail. Since all of his passwords were routed through his Gmail, he was able to actually gain access to everything - Twitter, Apple, etc.

So, if you're repeating passwords, it makes it that much easier for someone to, if they do hack a password on, let's say, LinkedIn, they can then get to your Gmail, and then your Twitter. Then various other things, including things like your bank. So make sure you're not repeating these passwords.

Number three, password services. I'm putting an asterisk next to this one, because you don't necessarily have to do this. Usually these are paid services. But for a lot of people it's a much easier way to go about it. I know that in my day job, since I have to log into a multitude of different accounts, be it Twitter, be it the community site itself that I run, etc., it would be great to have one of these services where I remember one incredibly - remember, look at that - long and complex password that allows me to actually access multiple simple passwords. These are all already previously hashed. So, somewhere the actual encryption itself allows you to use pretty much whatever you want. Since they actually have to hack LastPass or 1Password in order to get to your details, hey, for now you're safe. We'll keep our eyes peeled to see if those guys actually end up going down at some point.

Number four for us is security questions. This one is a little weird. Now, for those of you out here who remember your security questions for your bank, or whatever it might be, you have things like, "Hey, what was the name of your childhood pet?" Right? We're going to use the example of Snickerz, with a Z because that's the best way to actually spell Snickerz, the cat. Or, what was the team mascot of your high school? Something like, let's use the Patriots in this case.

If you answer a security question in a way that someone can actually reference it, or search for it, things like mother's maiden name, things like your paternal grandfather's name, all that information is typically available, because Google is insidious. It has tendrils everywhere. So if you have your mascot of your high school football team as your security question, someone can figure that out.

So, the latest solution or suggestion for that is, hey, if they're asking you who your mascot was, put your first pet's name. If they're asking who your first pet's name was, put your high school mascot. Switch it up. A little harder to remember, you have to actually remember which things you were answering in the wrong way. But if you have a way to remember it, or something funny from a high school experience, or Snickerz with a Z, for instance, that makes it that much easier and it makes it much harder for others.

Number five, really - we're just repeating the same thing - make sure to set these types of things. Make sure to go out there and put passwords in every device that you have. If you're using Wi-Fi, and you have something awesome as your Wi-Fi name, like Doogie Browser MD, for instance, and you don't have a password on it, I'm going to definitely take a look at it, because that's a hilarious name. Whoever would come up with that name is a genius, and I'm going to absolutely take a look. So if you've got something, if you've got data on it, if you've got personal data on it, make sure to lock it down, and make sure to follow these quick steps. Because you don't want to be the one that it's easy to break into, because as we all know, if someone's determined they're going to get in. Right? It's just a matter of time. But if you're harder to get in than the guy next door, they're just going to skip you.

Thanks very much, and we'll see you next week.
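As an added illustration of the "length and complexity" point in the video (this is example code, not Rapid7's or the speaker's), a small Python policy check that does what the transcript describes a cracker doing in reverse: it undoes the letter-for-digit substitutions a rule set tries, strips the "1234"/"!" padding, and then rejects anything that is still a dictionary word or two words glued together. The wordlist is a constructed stub; a real deployment would load a full dictionary plus leaked-password lists.

```python
import string

# Constructed stub wordlist for the demo; the transcript's point is that a
# cracker tries every dictionary word, so a real check needs the full list.
DICTIONARY = {"password", "linkedin", "snickers", "patriots", "welcome", "twitter"}

# Substitutions a cracker's mangling rules try ("E replaced by a three"), so
# the checker undoes them before looking the word up.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
TRAILING = string.digits + string.punctuation  # the "1234" / "!" padding


def normalize(password: str) -> str:
    """Lower-case, drop trailing digit/punctuation padding, undo leet spellings."""
    return password.lower().rstrip(TRAILING).translate(LEET)


def is_dictionary_based(password: str) -> bool:
    """True if the core is a wordlist entry or two entries concatenated (LinkedInPassword)."""
    core = normalize(password)
    if core in DICTIONARY:
        return True
    return any(core.startswith(w) and core[len(w):] in DICTIONARY for w in DICTIONARY)


def char_classes(password: str) -> set:
    """ASCII lower/upper/digit/symbol plus non-ASCII (accents, tildes, the interrobang)."""
    classes = set()
    for c in password:
        if not c.isascii():
            classes.add("non-ascii")
        elif c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password: str, min_len: int = 12) -> list:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if len(char_classes(password)) < 3:
        problems.append("too few character classes")
    if is_dictionary_based(password):
        problems.append("dictionary-based")
    return problems
```

Running `check_password` on the LinkedIn-breach style passwords from the video flags them as dictionary-based, while a Klingon phrase or an accented passphrase with an interrobang passes.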
