Basic Security 3: Sort Out Your Passwords

Once your software is all updated, the next thing to do is to sort out your passwords. You probably use the same password on more than one site, and your passwords are probably not strong enough.

There are a lot of websites that have user accounts, and they are not all as secure as they might be. If a website gets compromised, an attacker can get hold of their database of user names and passwords. The passwords should be hashed and salted — I will explain this process in a future post, but it means that neither the attacker nor the website itself can see your actual password. However, the website may not be following proper security guidelines, and might store your actual password. And if you use a common password, the attacker can find it even if it’s been properly hashed and salted.

What Makes a Good Password?

Here is a list of 1,000 commonly used passwords. Search that list for any of your passwords, and immediately change anything that’s on the list. Anything that’s widely used is definitely a very bad password.

Short passwords are vulnerable to an attacker just trying every possible password. Suppose your password is all lowercase letters, but you’ve made it properly random, and it’s something like “alzqoa”. There are just over 309 million possible passwords containing six lowercase letters (or six uppercase letters). That sounds like a big number, but an attacker might be able to try 1,000 possible passwords per second, which means it would take on average around 150,000 seconds or less than two days to crack your password.

Now, if you mix it up and include a mixture of uppercase and lowercase, something like “aLZqOa”, things get better. There are nearly 20 billion such passwords, and it would on average take 114 days to crack at 1,000 attempts per second. That’s still not ideal.

So add digits and punctuation characters as well, maybe “aLZ7[a”. If we add 10 digits and 30 punctuation characters into the mix, we have over 600 billion passwords and about five years average time to crack. Which is probably good enough for now, if your password is genuinely random (I’ll talk about randomness in a future post).

But technology keeps getting faster. If an attacker gets hold of a websites database of hashed passwords, and they used a fast hash function like MD5, they may be able to make 10 billion attempts per second. And in a couple of years, that may be a trillion attempts per second. And that password that would take five years to crack and seemed safe now takes less than a second.

Of course, websites should stop an attacker from trying different passwords for the same user 1,000 times per second, and they should use a slow and computationally expensive hashing algorithm on their passwords, but you have no good way of telling which websites have competent security and which do not. So it’s safest to assume that none of them do.

I therefore recommend that your passwords should contain lowercase letters, uppercase letters, digits and punctuation, and that they should be at least 12 characters long. They should also be reasonably random (“P@ssw0rdP@ssw0rd” satisfies the other requirements, but is a terrible password). And you should use a different password for every website. For passwords that you need to type frequently (especially on a phone keyboard) into software that’s securely designed, a shorter length may be OK, but certainly no fewer than 8 characters.

There’s obviously no way anyone can remember a different long random password for every website. So you need a way to not do that, while still having good passwords. There are two ways to do this.

Password Managers

The first is to use a password manager program. I do this — I use 1Password on my Macs, iPhone and iPad, and have access to all of my passwords all the time. Other good choices include LastPass and KeePass. As well as storing passwords for you, they will generate strong random passwords using criteria that you choose.

(Do not under any circumstances store your passwords in an unencrypted file on your computer, since if an attacker manages to get access to your computer they will then have all of your passwords. I personally would not entrust my passwords to anything that’s not designed as a password store, so I wouldn’t put them in (for example) an encrypted Word document, Excel spreadsheet, or Zip file, but if you must do that then it’s much better than an unencrypted file.)

All three of the programs mentioned above have versions for Windows, OS X, iOS and Android. 1Password costs a few tens of dollars, LastPass is free but charges for premium features, and KeePass is open source software that anyone can download and install freely.

You need to be able to trust a password manager program both to store your passwords safely in a way that doesn’t allow them to be accessed, and not to put in any deliberate backdoors that give the software company access to your passwords. For that reason, I’d recommend sticking with a big and well-established company (or widely used open-source software like KeePass).

You also need to decide whether or not to allow your passwords to sync over the Internet, which is an option for all of the programs I mention above. I do; I sync my passwords between my 1Password installations using DropBox, as I trust both DropBox’s security and 1Password’s encryption, and both of them would have to be breached at once for my passwords to be exposed.

I should mention here that LastPass suffered a security breach in June 2015. Some user data was revealed, but no user password databases were exposed, and their proper use of security best practices reduced much of the impact. They handled the whole thing pretty well, and it wouldn’t put me off using LastPass as a password manager.

When using a password manager, you obviously have to remember the password that you use to access the password manager itself, and it has to be a strong one. I suggest using initial letters of a phrase that has meaning only to you (not a literary quotation), and replacing some letters with digits or punctuation. For example, “KeePass keeps all my passwords safe at all times” could become “KPk@mp5aat”, which is reasonably good.

If you’re using a password manager, your passwords can be even longer, since you’re not remembering or typing them anyway. I have 1Password set to randomly generate 16-character passwords containing three digits and three punctuation characters.

Some websites are badly programmed, as we have already discussed, and they can break password managers in two different ways. First, they may have inadequate rules for their passwords that don’t allow your strong randomly generated password, either because they have a very short maximum password length or because they disallow some (or all) punctuation characters in passwords. There’s no good excuse for either of these, but if you come across them you’ll have to change your password recipe until you get something that you can use.

Second, some websites have the deeply misguided view that it’s more secure if your users can’t paste their passwords into the login screen, and they prevent you from doing this. Their idea is that they don’t want you storing your password on your computer, which is reasonable if it’s not in an encrypted password manager program, but they can’t tell whether or not it is. So they make you use a short and non-random password that you can type easily and remember, which is very bad for their security. If you come across a website like this, I suggest complaining — they might listen to their users if enough of them complain.

Password Schemes

If you don’t want to use a password manager, the alternative is to have a single strong password that you remember, and a way to customise it for each website. At its simplest, but making the last two letters of the password the same as the first two letters of the website name is very much better than nothing.

Use a similar scheme to that suggested above for your master password. “I do not want to use a Password! Manager! program” might become “Idnw2uaP!M!p”, which is a pretty decent password that you should be able to remember (but obviously, don’t use this specific password). Then your Twitter password would be “Idnw2uaP!MAptw“, your Facebook password would be “Idnw2uaP!M!pfa“, and so on. The occasional duplication between websites that happen to start with the same two letters doesn’t matter much.

Of course, if anyone does get hold of one of your passwords and they’re read this blog post, they can then reverse-engineer your scheme and easily deduce your passwords for other websites. But that chances of that happening are very small, partly because they’re good passwords that are less likely to be discoverable and partly because nearly all password attacks will be entirely automated and no one will every actually look at your password. If you’re worried about it, you can disguise what you’re doing by mixing the letters up more. But I can’t describe a way to do it in a public article, since the bad guys can read this as well — you’ll have to invent your own way to do it.

Change All Your Passwords

Having either installed a password manager or come up with a good master password and scheme for varying it, you now need to change the passwords on all of your websites. I suggest doing the most critical ones right now — your email, online file storage, financial websites, social media and so on. For other websites, every time you log into a website with a weak password, change it there and then.

Basic Security 2: Update Other Software

Once your operating system is up-to-date, you should also update any other software that interacts with the Internet or Internet content. This includes:

  • Your web browser(s)
  • Your email client
  • Web browser plugins such as Flash and Acrobat

Your web browser and email client may be part of your operating system, and get updates along with it. If your browser is Chrome, it includes its own version of Flash, and “sandboxes” it to reduce (but not eliminate) the risk that a vulnerability will provide access to your machine.

As with the operating system, I’m not going to provide detailed steps for updating every program out there. Search for “update Firefox”, “update Flash plugin” and so on, and find those instructions.

The biggest risk, and the one that you should prioritise, is the FLash plugin for your web browser, which has historically had a lot of vulnerabilities. This is of course not an issue if you’re on iOS, where Flash is not available.

Basic Security 1: Keep Your Operating System Updated

This is the first in a series of posts on things that everyone should be doing to improve their security. These are the things that are so important that there’s no real room for debate about whether they’re worth doing or not in your situation — just do them.

The single most important thing you can do to improve your security is to keep your operating system (OS) updated. New vulnerabilities are being found all the time that can compromise your data, or let an attacker take complete control of your machine, and software suppliers are usually pretty quick at issuing fixes for these vulnerabilities (except for Android devices). But the fixes will do you no good unless you install them, or even better allow them to be installed automatically. We’ll talk about upgrading standalone web browsers, email clients and other critical software in a future post.

Many people are nervous about applying software updates because it feels like a security risk to do so. It’s true that you should be careful what software you allow to run on your machine, and you should be cautious if a window suddenly pops up saying “Run this to upgrade your software”, but it’s far far safer to keep your software upgraded than it is to not do so. Just make sure that you download the update from the software company’s website or using the operating system’s built-in update facility, and don’t do it while you’re on a public wifi network.

Check your OS version

The first step with your operating system is to make sure that it’s new enough that the supplier is still supporting it with security patches. If not, then you need to upgrade right now to a supported version. If your hardware is too old to run a newer version, then I’m afraid it’s junk, at least if it’s a computer. You need new hardware. If it’s a computer, it will be at least five years old, and probably older, so you’ll have had your money’s worth out of it. If it’s a smart phone or tablet, those are newer devices with shorter lifespans, and you may have to live with a faster upgrade cycle. But their operating systems tend to be more secure, and you may be able to get by for a while on an older version. I’ll attempt to tell you below when that’s not the case.

So, you need to determine what version of the operating system you’re currently running on any device you have that creates or accesses your personal information — that will generally be any computer, smartphone or tablet that you own. If you don’t know what version of your operating system you have, search online for “check Windows version” (or OS X, or iOS, or Android, or whatever your operating system is, and follow the link.

Windows XP (and earlier versions such as Windows 2000, Windows 98 and Windows 95) is no longer supported. “Extended support” for Windows Vista (which includes security fixes) expires on April 11 2017, so if you’re a Vista user, you will need to have upgraded by that date. Windows 7 and higher are all good until at least 2020. Windows 10 has just been released, and is a free upgrade for users of Windows 7, 8 or 8.1, but not Vista or XP. However, note that the free upgrade will only be available for a year from the launch date.

Apple do not publish support expiry dates like Microsoft do, but they are currently supporting OS X 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite) and the forthcoming 10.11 (El Capitan). If you’re still using 10.8, it’s likely that support will end soon, and you should be thinking about upgrading. Almost any Mac that runs 10.8 will also run all newer versions up to and including 10.11. Apple’s OS upgrades are generally free.

iOS 8 is the only iOS version still supported, and it won’t run on the iPhone 4 or older, the first generation iPad, or the 4th generation or older of the iPod Touch. The forthcoming iOS 9 should run on anything that will run iOS 8. iOS is secure enough that you may be able to get away with running an unsupported version for a while, but keep an eye on announcements of critical vulnerabilities if you do so.

Android is much less standardised than iOS, and phone manufacturers are not always good about providing upgrades for phones that are no longer sold. Only Android versions 4.4 (“KitKat”) and 5.0 (“Lollipop”) or newer are still supported. With the announcement of the Stagefright vulnerability, you have a difficult choice to make if you’re on an Android version between 2.2 and 5.1 (especially if it’s before 4.1) and you can’t get a fix from your handset manufacturer.

Check for OS updates

Having worked out what version of your operating system you have, it’s time to check for updates. It’s worth doing so even if it’s no longer supported, or if you plan to upgrade to a newer version, since it will improve your security more quickly and may make the upgrade process go more smoothly.

If you don’t know how to check for updates, search online for “update Windows Vista” or “update Android 4.1” or whatever the name and version of your operating system are. Then follow the instructions that you find. You may find that you’re updating some other software as well, besides the OS, and that’s fine — there are very few situations in which updating your software will reduce your security. I would advise enabling automatic updates to make sure that you stay updated in future — pretty well all modern operating systems have that feature.

Keep An Eye On It

Security is a process, not a check-list that you can complete once and be finished with it. You should periodically check that your OS is remaining up-to-date, and is still supported by the supplier. At the current product lifecycles, you should be looking to update your version of Windows at least every five years, OS X every two years, and iOS or Android every year. That’s it for operating systems. Next time, we’ll look at the other software running on your computer, tablet or phone.