Security: Implementing A Secure And Usable Internet Password Scheme

Being an information security consultant I am often asked how to balance the
need for online passwords that are both hard to guess and easy to remember.
There are a number of solutions out there for dealing with the problem, but
the system that I’m about to outline below is an elegant hybrid of
simplicity and security. It works for me, and I think it can work for you as
well.

The Problem

The main issue we’re all grappling with is the number and complexity of the
passwords we need to remember. Ideally, we would never share a password
between any two sites. They would all be different and at the same time
highly complex. Unfortunately, this doesn’t mesh well with reality. The
human brain just isn’t up to the task.

Simplification Through Classification

The way we get around this limitation is to classify our online accounts
according to risk. In other words, we’re going to determine how important
each of our accounts are, and then put them into one of three (3) groups.
For the purposes of this article we’ll use the military classifications.

  1. Top Secret

  2. Secret

  3. Confidential

Next we’ll simply group your Internet account types into each of these
categories:

  • Top Secret: Banking, brokerages, financially or identity-oriented
    sites. Think about your social security number and other sensitive
    personal data. Any accounts of this nature you want to protect with your
    strongest layer of security.

  • Secret: Personal email, blogging sites, important forums, etc.
    These are your main accounts that you use on a day-to-day basis. They
    aren’t ultra-sensitive, but they are a huge part of your life and need to
    be secure.

  • Confidential: Product forums, mailing lists, etc. These are your
    low-risk accounts, meaning that if one were to be compromised it would
    be annoying but not a major problem. We’re still going to have
    relatively strong passwords here, but they’re going to be simple in
    comparison to the two higher levels.

Designing Our Password Schemes

Ok, now that you have your accounts grouped properly it’s time to design our
three password systems. We’ll start with the Top Secret:

Level 1 — Top Secret:

For this level we’re going to use a combination of upper-case, lower-case,
numbers, and special characters. We’re also going to make the password at
least 12 characters in length. You will be writing these passwords down on a
card in your wallet or purse, so it doesn’t matter if you can’t remember the
password at first. After you use it a few times it’ll become second nature
regardless of how complex it is. Try something like this:

5PF.c9a8>12!

It looks pretty scary, but you’d be surprised how easy it is to remember
once you type it a few times over a number of days. The point is that it’s
not going to be guessed, and it’s not going to be tied to another
account. If you absolutely have to, you can use a sentence algorithm to
build the password, like so:

My Online Bank Password Is Not Simple To Guess At All, Julie.

M0bP1n5tGAAJ.

Regardless of the scheme you use to create your passwords, you want them to
be a) pseudo-random/highly complex, b) over 10 characters in length, and c)
absolutely unique. In short, we don’t want someone with your
brokerage account password to be able to log into your bank with the same
credentials.
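The two Level 1 approaches above, written out as code so the three requirements can be checked mechanically. This is an added example, not code from the original post: the substitution table (O, I and S swapped for the digits the post uses), the rule of keeping the sentence's own capitalization and trailing punctuation, and the random generator are assumptions made here. Because it keeps the sentence's capitalization, the sentence-derived result differs from the post's hand-made version in letter case only, and the check then reports that it lacks lower-case characters, which is exactly what the post fixed by hand.

```python
# Added example (not from the original post): Level 1 password derivation
# from a memorable sentence, plus a check against the post's three rules
# (complex, over 10 characters, unique). Substitution table and sentence
# handling are assumptions made for this illustration.
import secrets
import string
from typing import Dict, Iterable

# Assumed table: letters the post swaps for look-alike digits.
SUBSTITUTIONS = {"O": "0", "I": "1", "S": "5"}


def sentence_to_password(sentence: str) -> str:
    """First character of every word, with the substitution table applied.
    Keeps each word's own capitalization and any trailing punctuation mark
    as the special character."""
    chars = []
    for word in sentence.split():
        first = word[0]
        chars.append(SUBSTITUTIONS.get(first.upper(), first))
    if sentence and sentence[-1] in string.punctuation:
        chars.append(sentence[-1])
    return "".join(chars)


def random_level1(length: int = 12) -> str:
    """Pseudo-random Level 1 password (the '5PF.c9a8>12!' style), drawn
    with the secrets module and rejected until every class is present."""
    classes = [
        string.ascii_uppercase,
        string.ascii_lowercase,
        string.digits,
        string.punctuation,
    ]
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def meets_level1(password: str, existing: Iterable[str] = ()) -> Dict[str, bool]:
    """Check the post's Level 1 rules: all four character classes,
    at least 12 characters, and not already used on another account
    (pass the passwords already on your card as `existing`)."""
    return {
        "length": len(password) >= 12,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
        "unique": password not in set(existing),
    }


if __name__ == "__main__":
    derived = sentence_to_password(
        "My Online Bank Password Is Not Simple To Guess At All, Julie."
    )
    print(derived, meets_level1(derived))
    generated = random_level1()
    print(generated, meets_level1(generated, existing={derived}))
```

The `existing` argument is the practical part of the uniqueness rule: feed it the passwords already on the card, and the check refuses a candidate that would tie two Level 1 accounts together.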

Level 2 — Secret:

With the secret level accounts we’re going to introduce an aspect of
simplicity/usability. We’ll do this by creating an algorithm for creating
and varying passwords for various sites while still maintaining the
appearance of randomness within each individual password.

So let’s build your Level-2 (Secret) algorithm; we’ll use a Gmail account as
a template:

[This is just a sample algorithm; you should make your own.]
  1. First two letters + last letter of the account: GML

  2. Add the three letters up and subtract your birthday: G (7) + M (13) +
     L (12) = 32; 32 – 15 (if you were born on the 15th) = 17. Result: GML17

  3. Add the two digits of that number to create a third number:
     17 → 1 + 7 = 8. Result: GML178

  4. Add a word for length. Use character substitution for complexity if you
     want: GML178H0lid4y

  5. Add special characters: !GML178H0lid4y#

  6. Scramble as desired: !H0lid4y#GML178#

You now have a very solid password for your Gmail account. But it gets much
better than that. You’re using the same algorithm for all your level 2
accounts. So do the same for your Hotmail account and you’ll end up with:

!H0lid4y#HOL358#

Level 3 — Confidential:

For our lowest security level (3) we’re going to use an algorithm of the
same kind as the secret level (2), but built from different inputs and much
simpler. Remember, these are your unimportant accounts; you wouldn’t want
them to be compromised, of course, but if they were then it wouldn’t be that
big of a deal.

Let’s make a level 3 algorithm for a site called cars.com:

  1. Last letter then first letter of the site (cars): SC

  2. A word to be used for all your low level accounts. Add a single
     character of number substitution (i to 1): SCPubl1c

  3. Use a special character: SCPubl1c$

  4. Scramble as desired: $Publ1cSC
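The Level 2 and Level 3 steps above written out as code, so that the per-site behaviour of each algorithm can be inspected. This is an added example, not code from the original post. The post leaves the "scramble" step free-form; the fixed layouts used here (symbol, word, symbol, site part, symbol for Level 2; symbol, word, site part for Level 3) are assumptions chosen to reproduce the post's Gmail and cars.com results. Applying all six Level 2 steps to Hotmail with a 15th birthday gives HOL202 rather than the post's HOL358 (H 8 + O 15 + L 12 = 35, 35 – 15 = 20, 2 + 0 = 2; HOL358 is what you get if step 2's subtraction is skipped), so the test below asserts on the algorithm as written.

```python
# Added example (not from the original post): the Level 2 (Secret) and
# Level 3 (Confidential) derivation steps as functions. The scramble layouts
# are assumptions that reproduce the post's worked results.
import string


def letter_value(ch: str) -> int:
    """A=1 ... Z=26, the numbering used in the post's step 2."""
    if not ch.isalpha():
        raise ValueError(f"expected a letter, got {ch!r}")
    return string.ascii_uppercase.index(ch.upper()) + 1


def level2_password(account: str, birthday: int, word: str = "H0lid4y") -> str:
    """Steps 1-6 for a Secret (level 2) account name such as 'gmail'."""
    # Step 1: first two letters plus the last letter, upper-cased.
    letters = (account[:2] + account[-1]).upper()
    # Step 2: sum the letter positions and subtract the day of birth.
    n = sum(letter_value(c) for c in letters) - birthday
    # Step 3: add the digits of that number to make a third number
    # (abs() keeps this defined if a short sum minus a late birthday goes negative).
    digit_sum = sum(int(d) for d in str(abs(n)))
    site_part = f"{letters}{n}{digit_sum}"
    # Steps 4-6: word for length, special characters, fixed scramble (assumed layout).
    return f"!{word}#{site_part}#"


def level3_password(site: str, word: str = "Publ1c") -> str:
    """Steps 1-4 for a Confidential (level 3) site name such as 'cars'."""
    # Step 1: last letter then first letter of the site name.
    letters = (site[-1] + site[0]).upper()
    # Steps 2-4: shared word with its one substitution, a special character,
    # and a fixed scramble that moves the symbol to the front (assumed layout).
    return f"${word}{letters}"


def differing_positions(a: str, b: str) -> int:
    """How many character positions differ between two same-length passwords.
    Used to see how much of a level 2 password is actually site-specific."""
    if len(a) != len(b):
        raise ValueError("passwords differ in length")
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    gmail = level2_password("gmail", 15)
    hotmail = level2_password("hotmail", 15)
    print(gmail, hotmail, differing_positions(gmail, hotmail))
    print(level3_password("cars"))
```

Running it shows that the Gmail and Hotmail passwords differ in only five of sixteen positions; everything else is the shared word and symbols. That is the trade-off the post is making: the scheme's resistance to someone who holds one Level 2 password rests on the algorithm itself staying secret, which is why the guidelines in the conclusion say to memorize the algorithm, never write it down, and change it regularly.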

Again, you now have a decent password that’s not easy to guess and will give
a bit of difficulty if someone gets one and tries to guess others. Of
course, if they get one of these level 3 passwords and try to break your
Secret (2) or Top Secret (1) passwords, they’ll be unsuccessful.

Conclusion

Using this system can increase both security and usability when working with
multiple accounts online. Here are a few additional guidelines about this
technique and passwords in general:

  • Vary your algorithm for level 2 and 3 accounts regularly (I recommend at
    least once a year).

  • Memorize your algorithm and write down your passwords on a card
    in your wallet. Don’t write down the algorithm itself. Just seeing a
    password created with it should jar your memory.

  • For an extra layer of security you can consider leaving out or modifying
    a crucial part of the passwords you write down. This way, even someone
    with the card will not be able to use it. Be warned that if you forget
    what you changed, however, you’ll be very upset.

  • Change your level 1 passwords often as well. With the strength that
    we’re using in this article I’d advocate once every 6 months.

  • Many also use what’s effectively a level 4 account, i.e. a throw-away
    password that is used for accounts even lower in importance than level
    3. Usually this is a static password. Just be sure to be very selective
    about where you use such a password, and make it as complex and long as
    possible while retaining its benefit of simplicity.

  • An encrypted database is another option for managing passwords. I
    advocate this method over that one due to issues with losing or damaging
    the portable storage that the DB is stored on, in addition to not being
    comfortable with using such a system on a foreign computer (where
    necessarily you open ALL of your passwords to the system being used).
    It’s really a matter of personal preference, however, as both systems
    have their strengths and weaknesses.

I hope this has been useful. For any questions or comments, please feel free
to contact me directly.