Good Security Practice Guide

This guide covers the best ways to keep your online accounts secure, including:

  • Choosing secure passwords
  • Choosing sensible secret questions and answers
  • Keeping your email secure
  • Storing login details securely


Choosing a secure password

The Basics

Strong passwords are an essential part of an account's security (skip straight to the summary if you aren't interested in the details). Common, short or easy-to-guess passwords are a gift to anyone who's trying to gain access to your account. Common passwords, like "password", are often tried manually at first. The attacker then moves on to specific targeted passwords, such as the name of a relative, important dates etc. This information is easily harvested in social engineering attacks, where an attacker will trawl through things like Facebook to gather names and dates to try.

Other things to think about

Another vector of attack is dictionary cracking (though it's worth noting that you can't really dictionary crack online accounts, it's an important concept to understand when selecting a password). Dictionary cracking works by taking a big list of possible passwords and trying them one by one. These dictionaries aren't limited to proper English words; some of the largest and most comprehensive dictionaries available contain tens of millions of different combinations, including other languages, 1337-ified words (e.g. "t35t" instead of "test"), words with numbers after them (e.g. "password1"), as well as seemingly random key sequences that are convenient to remember (e.g. "zxcvbnm", the bottom line of the keyboard).

If this doesn't work, the only option left to an attacker is to brute-force the password (again, you can't brute force an online account). This involves trying every conceivable combination of letters and numbers: an easy task for a modern computer if your password is short, but consider this example:

If we have a password that only contains any of the 26 lower-case English letters, the number of combinations is equal to 26^n, where "n" is the number of letters in the password. If your password is, say, 4 letters long, that means there are a mere 456,976 combinations - a computationally trivial number of combinations. If, however, you had an 8 letter password, there would be 208,827,064,576 combinations, which would take significantly longer to compute.

The process becomes even more mind-bogglingly difficult if you start introducing both upper-case and lower-case letters into the mix, not to mention numbers and punctuation. In fact, if you selected an 8 character password that potentially used all of these characters (all 97 of them on this keyboard, anyway!) you'd have 7,837,433,594,376,961 combinations - that's 7.8 quadrillion! This would take such an inordinately long amount of time to compute that the hardware the attacker uses would probably have failed long before getting anywhere near the correct password.
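The two checks described above, written as a password self-assessment. This is an added example, not part of the original guide: it flags the dictionary patterns the guide lists and computes the brute-force search space from the character classes used. The wordlist is a tiny constructed sample, and the function names and the 35-symbol pool (chosen so the classes total the guide's 97) are assumptions.

```python
import re
import string

# Constructed mini-wordlist; real cracking dictionaries hold tens of millions of entries.
WORDLIST = {"password", "test", "letmein", "dragon", "monkey"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Common "1337" substitutions mapped back to the letters they stand for.
DELEET = str.maketrans("013457@$", "oleastas")
# Pool size per class; 35 symbols is an assumption so the total matches the guide's 97.
CLASS_SIZES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26), (string.digits, 10)]
SYMBOL_POOL = 35


def dictionary_findings(password):
    """Reasons a dictionary attack would reach this password without brute force."""
    findings = []
    lowered = password.lower()
    stem = re.sub(r"\d+$", "", lowered)  # "password1" -> "password"
    if lowered in WORDLIST:
        findings.append("dictionary word")
    elif stem in WORDLIST:
        findings.append("dictionary word plus digits")
    elif lowered.translate(DELEET) in WORDLIST or stem.translate(DELEET) in WORDLIST:
        findings.append("1337-ified dictionary word")
    if len(lowered) >= 4 and any(lowered in r or lowered in r[::-1] for r in KEYBOARD_ROWS):
        findings.append("keyboard sequence")
    return findings


def keyspace(alphabet, length):
    """Number of candidates a brute-force search must cover: alphabet ** length."""
    return alphabet ** length


def pool_size(password):
    """Size of the character pool implied by the classes the password uses."""
    size = sum(n for chars, n in CLASS_SIZES if any(c in chars for c in password))
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += SYMBOL_POOL
    return size


def assess(password):
    return {"findings": dictionary_findings(password),
            "keyspace": keyspace(pool_size(password), len(password))}


if __name__ == "__main__":
    for candidate in ["t35t", "password1", "zxcvbnm", "kqzvhmtw", "Kq7#vH2!"]:
        print(candidate, assess(candidate))
```

A password with any dictionary finding should be treated as weak regardless of its keyspace figure, because the dictionary is tried before brute force.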

Hashing

For storage purposes, passwords are commonly converted to what is known as a "hash" as a form of encryption. This is especially important in the rare event that a website or user account database gets hacked and the details are stolen. Put simply, hashing is a mathematical procedure designed to create a representation of data in a smaller form. One common method is known as MD5, and an example follows:

Imagine you have the password password123. When this password is hashed using the MD5 algorithm, you get the following output: 482c811da5d5b4bc6d497ffa98491e38. If you were to try again with PassWord123, you get 28d2464b121f120a41f4cd5c496cae2c.

As you can see, the hashes are changed completely just by changing the case of two characters.

What generally happens is that you type your password in, and it gets converted to a hash value as shown above. The hash value then gets compared with the hash value stored in the database; if the two match, you have supplied the correct password and can log in.
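The login check described above, as an added example that is not part of the original guide. It shows the unsalted MD5 flow beside a salted, deliberately slow variant; PBKDF2 is this example's own choice rather than something the guide names, and the function names and round count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def md5_hex(password):
    """Unsalted MD5, as in the guide's example: same input always gives the same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_login(stored_hash, typed_password):
    """The flow described above: hash what was typed, compare with the stored hash."""
    return hmac.compare_digest(md5_hex(typed_password), stored_hash)


def make_record(password):
    """Salted, slow hash: returns the (salt, derived_key) pair a site would store."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def check_record(record, typed_password):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", typed_password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    stored = md5_hex("password123")
    print(stored, md5_login(stored, "password123"), md5_login(stored, "PassWord123"))
    # Two users with the same password: identical MD5 rows, different salted rows.
    alice, bob = make_record("password123"), make_record("password123")
    print(md5_hex("password123") == stored, alice[1] != bob[1])
    print(check_record(alice, "password123"), check_record(bob, "PassWord123"))
```

With unsalted MD5, every account that shares a password shares a stored hash, so one recovered password exposes all of them in a stolen database; the per-user salt removes that link and the round count slows each guess.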

Memorable yet complex passwords

It is highly recommended that you don't use the same password for everything. However, some people find many different unique passwords difficult to remember, so here is a little tip which can help: include the name of the site or service you're using as part of the password.

Ideally, you'd have a long-ish, mixed case alphanumeric password perhaps including symbols e.g. x3WAZ19¬¬20lPpfh£GIUh€**1(){@##//+. Creating a new one for each site would be difficult to remember for a lot of people, so a valid approach may be to come up with two shorter passwords and concatenate them with the name of the site you're using. For example, you might have:

ABCDEF##TSR##XYZ123 (which has the MD5 hash 9aaeada9b9bfb92bfb04ffd5e75ecb39)

ABCDEF##ebay##XYZ123 (which has the MD5 hash 200c4190f2a7eb7549dc499d448b5926)

ABCDEF##hotmail##XYZ123 (which has the MD5 hash c4617803a8949f619555ac832d3e4699)

and so on.

This has two advantages:

1) Easier to remember for you, despite each being unique

2) One site getting hacked means that, in general, you only need to worry about one password as all the hashes for these are wildly different.

Note that these examples are very simple for demonstration purposes, and you should adhere to earlier advice about mixed case, use of numbers and symbols etc.

Summary

The point of this is that, armed with this knowledge, you should now begin to see how easy it is to make a really strong password by not falling for one of these pitfalls. Here are some general tips:

  • Don't be tempted to use a simple password
  • Avoid using real words
  • Avoid using the same password for many different accounts
  • Make your passwords 8 characters or longer
  • Try to make them as random as possible
  • Add punctuation and numbers in where possible


You can try out a new password and see how secure it is by visiting this little site: passwordmeter.com

Secret Questions and Answers

We all forget our passwords sometimes, and answering a secret question is frequently used to allow you to regain access to your account. The trouble, though, is that secret questions are often a big gaping security hole, especially if you aren't very crafty with them.


Secret questions are very susceptible to social engineering attacks. Most people will have, at some point in their life, filled in one of these innocuous looking quizzes that get sent around on Facebook etc. and you'd be surprised how many of the questions on these quizzes are actually, in some form or other, standard secret questions!


If the attacker can guess your secret question they can potentially gain access to your account with minimal effort.


The easiest way to avoid this problem is to simply choose a secret answer that has nothing to do with the question. For example:

If the Secret Question is: "What is your favourite colour?" a possible answer could be "Trafalgar Square" - basically, anything other than a colour.

The only problem with this method is that if you forget your secret answer, you haven't really got a hint as to what it could be... but there are ways around this in the later section, Storing your login details securely.

Keeping your email account secure

You probably wouldn't think it, but your email account is probably the most important online account that you have. If you lose control of your email account, you could potentially lose control of every single online account that you own because the attacker will be able to see what you've signed up for, and possibly find out your login details from confirmation emails. Even if the emails don't confirm the password, they'll still be able to use the "forgot your password" link, which will reset the password and send an email to the compromised email account. It is therefore absolutely critical that you never lose control of your email account!

Your email account login details should always be unique - never re-use your email account password with any other online account.

Storing your login details securely

One way to make sure that you can remember good, strong passwords, is to write them down; but this defeats the whole point if they're written down on a scrap of paper. It'd be like writing your PIN down and sticking it in your wallet behind your card.


There are many ways that you can solve this problem, though.


Master password: With most programs which store your passwords, you will be prompted for a master password. It is suggested you make this very strong (see good password hints and tips above) as anyone who can guess this gets access to everything.


Fskerit is an encrypted note taker. You can take your notes anywhere and you'll be able to access them on any Windows PC (or even Linux if Wine is installed). The advantage of a note taker over standard password storage applications is that you can store any text you want to keep private in it, not just website passwords: bank account details, credit card PINs, lists of websites selling engagement rings etc., even a secret diary!


Another good option is to use TrueCrypt to make an encrypted archive that you can store all of your login details, PINs etc. in. You can also store other files in there too, like pictures that you want to keep private, chat logs, or a top secret research project.

Similar to TrueCrypt is FreeOTFE, which has the same basic features as TrueCrypt but also features a file explorer mode for when you do not have admin privileges (schools, universities, internet cafes), where you would simply not be able to access your files with TrueCrypt.

General tips

  • Only use trusted computers (i.e. your own) to access important, high risk online accounts, such as your email, online banking, Facebook etc.
  • Never entrust anyone with your passwords
  • Always make sure your computer is free from viruses and spyware
