Passwords are, so far, the only real security system used to protect the majority of accounts on the web. There are some advantages to this:
- They’re easy to implement
- They’re easy to use
- They make use of the most common input devices
It’s a pretty commonly used design pattern for the problem. There are obvious security holes, and they’ve been talked about by much better-informed people than me. Speaking as a more advanced PC user, password security isn’t something that worries me too much. After all, what’s the worst that can happen? I’m pretty careful when it comes to spending money online: I buy from reputable sellers and don’t use a credit card, just a debit card with strict limits on overdrafts. This card is for my day-to-day purchases, so it never has more than £50 on it. My savings aren’t really much better off, though: you might have to be “me” to get access to them, but I don’t think it would be too difficult to impersonate anyone you wanted. Scary!
Well, you never know how they are storing the passwords these days; the number of times I’ve read that a password has been stored in plain text really worries me. It’s pretty bad web development, but you always have to assume the worst when it comes to security. So my security policy currently consists of:
- Passwords are generated by a script from a master password combined with some other key words describing what the password is for
- Never use the master password itself on any website
- Keep password lengths over 15 characters
- Use both lowercase and uppercase letters as well as numbers and symbols
- Never use the same password in more than one place
So, pretty standard stuff, nothing special there, but I think the length is the most important part. If you’re going to crack a password you’re going to include all characters; that just makes sense these days, but the 15 characters is what makes it take real time to crack. So basically, if you haven’t gotten it yet, my password security policy is all geared towards damage control.
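As an added example (not the author’s own script), here is one way the policy above can be implemented: PBKDF2 stretches the master password, the site key word acts as the salt so every site gets a different password, the construction guarantees all four character classes and a length of at least 15, and a small keyspace helper shows why length matters most. The function names, the sample master password and the site key words are all constructed for this illustration.

```python
import hashlib
import math
import string

# Character classes the policy requires: lower, upper, digits, symbols.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def derive_password(master: str, site: str, length: int = 20, iterations: int = 100_000) -> str:
    """Deterministically derive a per-site password from the master password.
    PBKDF2-HMAC-SHA256 stretches the master password; the site key word is the
    salt, so every site gets its own password. Caveat the post itself makes:
    whoever learns the master password and this script gets every password.
    """
    if length < 15:
        raise ValueError("policy requires at least 15 characters")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), iterations, dklen=2 * length)
    n = int.from_bytes(raw, "big")  # wide integer, so divmod below has negligible bias
    classes = [LOWER, UPPER, DIGITS, SYMBOLS]
    chars = []
    for i in range(length):
        # First four slots take one character from each required class,
        # the remaining slots draw from the full alphabet.
        pool = classes[i] if i < len(classes) else ALPHABET
        n, idx = divmod(n, len(pool))
        chars.append(pool[idx])
    # Deterministic shuffle so the class-guaranteeing characters are not always first.
    order = sorted(range(length), key=lambda i: hashlib.sha256(raw + bytes([i])).digest())
    return "".join(chars[i] for i in order)


def meets_policy(pw: str) -> bool:
    """Check the post's rules: 15+ characters and all four character classes present."""
    return (len(pw) >= 15
            and any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Brute-force search space in bits: each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    master = "constructed master password"  # constructed sample, not a real secret
    for site in ("twitter", "flickr"):      # constructed key words
        pw = derive_password(master, site)
        print(site, pw, meets_policy(pw))
    print("94-char set, 15 long:", round(keyspace_bits(94, 15), 1), "bits")
```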
Taking the hit
So we can assume that any password you create can be broken, and in fact will be broken. Now, unless this is a direct attack on you personally, in which case you’re buggered, you can assume someone is not going to go to the effort of trying to re-break your accounts over and over. This is why I think it’s important to use a different password in each location, because, to butcher the famous line from Without a Paddle, you only need to outrun the other guys. So basically, make yourself a pain in the arse, because as soon as someone gets your Twitter account password they are going to see if it works on your Flickr account or your Facebook account. If it doesn’t, they are just gonna keep your Twitter account and move on to the next password they got hold of. Remember, this is just the way I think about it; I may not be right, but so far it has worked for me. I would be interested to hear how you manage your passwords.
Recovering
Well, obviously, you want to try and recover the account as quickly as possible. Have the service you use reset the password; as long as they haven’t been compromised, your account will be secure now. Next I would devise a new password, perhaps using an alternative script. Chances are, if you’re attacked again on another site, your script has been compromised, in which case so is your master password. I would assume your entire set of passwords is compromised and just start resetting them all. Drastic, yes, but the most sensible course of action.
I’d really be interested to hear other people’s opinions on password security; please post a comment below and let me know!
20 November 2009 at 11:16 am
“and don’t use a credit card. Just a debit card” – This is not necessarily a good thing. Debit cards have less protection from online fraud (not just someone stealing your details, but someone not delivering a product, not as described, etc). Credit cards have full protection, so it is advised to use them online.
– http://www.creditcards.com/credit-card-news/credit-card-privacy-and-protection-1282.php
20 November 2009 at 3:27 pm
Just realised the comment was a bit weirdly worded; I will, in true me fashion, try and explain what I was going on about:
I have found through experience that although you have the security of not having to pay until you read the bill and are protected over $50, people I know that have had credit cards stolen find that it is in fact a lot harder than it sounds to recover. A friend was once declined from getting another credit card because he had details stolen in the past; this wasn’t said, but this was the only blip he had on his credit record. Now personally, as a student with a pretty small credit record, I don’t want to risk a potential mortgage or credit card because of potential insurance risks to the credit card company. I would rather risk losing the money in my debit card, which at the amount I’m talking about is also covered by the bank (when reported within 2 days). It is not advice I would give to anyone else; it’s just my point of view, and this was kind of an opinion piece anyway. I’m no expert when it comes to security.
20 November 2009 at 4:31 pm
Read.
20 November 2009 at 9:23 pm
Thanks Alex, good to know you read it.