Changing Passwords in a Post-Heartbleed Bug World

From a home security standpoint, the main gatekeeper is the house key. It’s small, portable and fairly adept at keeping out most would-be thieves. But the key does have a few things going against it: it can easily be stolen, lost or replicated; a talented lock picker can bypass it; and even the key won’t be enough to keep out a determined crook with a sledgehammer. But still, we use them.

And so, much like the key, on the digital side of the security fence passwords are used to protect our valuable information. A series of numbers, letters and symbols that, we hope, make it all but impossible for would-be thieves to crack. But much like the key, there are still many workarounds to be had—the most common of which is also the most basic: guessing. And guessing isn’t difficult, either—the most commonly used passwords from breaches in 2013 were “123456,” “password,” and “12345678,” respectively.

With this dilemma in mind, how do you keep a crook from correctly guessing your password? This question is especially pertinent in the wake of Heartbleed, which is now pushing users to reset their passwords across numerous sites after a patch has been applied. There are a few basic rules you can follow to craft a strong password, and with World Password Day, an annual event for creating awareness around the importance of passwords, nearing on May 7th, now’s the time to put those rules into practice. Below are some easy steps to crafting a strong password:

1) Avoid using words that can be found in the dictionary

The first rule of creating a strong password is to avoid using common words, especially ones that can be found in a dictionary. The same applies to words in foreign languages and words augmented with simple numbers such as ‘Pa55w0rd.’ Use letters, abbreviations, and symbols all you like—but steer clear of actual words.

2) Don’t make it personal

Freely giving out personal information online is a bad idea. Using that personal information as the basis for your passwords should also be avoided. Sure, passwords can be hard to remember, but using a pet’s name, birthday, favorite color or other relatable information for your password gives hackers an easy way to guess your password: You.

3) Mix it up, and make it lengthy

A password is only as good as its length and complexity. This means that it should incorporate upper and lower case letters, numbers and symbols, and should be a minimum of eight characters long.

Alternatively, you could use what’s called a “passphrase.” A passphrase differs from a password by being longer, easily memorable and sometimes consisting of dictionary words. Passphrases generally use a combination of dictionary words, making them easy to memorize, but also hard to guess. A series of random words, like “catfolderspaceshuttle” augmented with numbers and symbols, is best. A word of warning, though: common idioms and phrases like “icameisawiconquered,” make for a weak passphrase and do little to make you secure.
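To make rules 1 to 3 concrete, here is an added Python example (not code from the original post or from McAfee) that checks a password against constructed sample lists, normalizes substitutions like “Pa55w0rd” back to the dictionary word, flags well-known phrases, and compares the search space of a random-word passphrase with that of a single idiom. The word lists, phrase list and leetspeak map are assumptions made for the example.

```python
import math
import re
import secrets

# Constructed sample lists for illustration; a real checker would load a full
# dictionary, a breach-derived password list and a list of well-known phrases.
COMMON_PASSWORDS = {"123456", "password", "12345678"}  # the 2013 top three from the article
DICTIONARY = {"password", "welcome", "sunshine", "dragon"}
KNOWN_PHRASES = {"icameisawiconquered", "tobeornottobe"}
WORDLIST = ["cat", "folder", "space", "shuttle", "lamp", "river", "pencil", "orbit"]
# Assumed leetspeak map so 'Pa55w0rd' normalizes back to 'password'.
LEET = str.maketrans("0134578@$", "oleastbas")


def normalize(pw):
    """Lower-case and undo simple digit/symbol-for-letter substitutions."""
    return pw.lower().translate(LEET)


def check_password(pw):
    """Return the article's rule 1-3 violations for a password (empty list = passes)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("one of the most common passwords")
    if normalize(pw) in DICTIONARY:
        problems.append("dictionary word, even with substitutions like Pa55w0rd")
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if not all(classes):
        problems.append("missing upper, lower, digit or symbol")
    return problems


def is_known_phrase(phrase):
    """Idioms like 'I came, I saw, I conquered' collapse to one guess for an attacker."""
    return re.sub(r"[^a-z]", "", phrase.lower()) in KNOWN_PHRASES


def search_space_bits(num_words, wordlist_size):
    """Bits of entropy for num_words words drawn uniformly from wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def make_passphrase(num_words=4, wordlist=WORDLIST):
    """Random-word passphrase built with a CSPRNG (secrets), not random.choice."""
    return "".join(secrets.choice(wordlist) for _ in range(num_words))
```

Four words drawn at random from a 7,776-word list give roughly 52 bits of search space, while an idiom taken from a list of a thousand well-known phrases gives about 10.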

4) Use unique, or layered, passwords

In an ideal world, you would create a unique password for every website you visit. But that’s impractical in reality. A more practical solution is to use a two-tiered password system where you use one password for low-security websites, and a complex password for high-risk websites.

5) Use tools to help

Finally, if there’s one thing you need to know, it’s this: in today’s increasingly online world you need to rely on tools to help keep you safe. Like the key, passwords can help reduce the chance of theft, but to properly secure your online life, you need to augment these codes with something more.

There are two options that can help further enhance your online security—the equivalent of adding a deadbolt to your virtual door. The first is two-factor authentication. Two-factor authentication is a security technique that requires both something you know (like a password) and something that only you would possess (like a mobile phone). Modern executions of two-factor authentication will typically have you submit your cell phone number. The service will then send a code for you to plug in after you enter your password to verify that you are, in fact, you.

The second option is to use a password manager. Password managers have a few advantages going for them: they can easily remember all of your passwords, they can easily generate complex passwords to suit your needs and they can automatically log you in to your favorite services. That last point may seem like more of a vulnerability than a benefit, but in reality it’s an advantage against malicious software that may record your keystrokes or capture screenshots of your login details. For these reasons, we include a password manager in our comprehensive security solution, McAfee LiveSafe™ service.

Making a strong password isn’t hard, but practicing safe browsing can be. Take the time to take stock of your passwords and your password habits. And, of course, stay on top of the latest consumer and mobile security threats by following @McAfeeConsumer on Twitter and liking us on Facebook.

Gary Davis
