A Brief Word on Password Security
15 years ago
How to stay secure online:
Use a tiered password system.
You don't want to have to remember a unique, high-security password for every website you visit. While doing so is good practice, most people don't want the hassle, so it's important to recognize where you can compromise on your password security, and where you can't.
Lower-Tier websites may include things like livejournal, blogs, FA, various social networking sites. If a website does not contain personally identifiable information or financial information of any kind, then keeping it secure is less of a priority. It's ok to recycle a password on these sites, but keep in mind: passwords should STILL be at least 8 characters, be resistant to a dictionary attack, and include numbers or symbols. This will buy you time should a password database be compromised, and allow you to change your passwords and reclaim any affected accounts.
Mid-Tier websites are anything that contains personally identifiable information or limited financial information. If you have a registered/paid account on any website, or use it to conduct RL business, you should use at least a mid-tier password. Mid-tier passwords should be strong (10+ characters), resistant to dictionary attack, and include numbers or symbols. They should only be recycled on websites where an identical set of information is at risk. For example, if you have two websites that have overlapping data sets at risk (say, both have your full name and email, and one has a phone number, and the other has an address), then the passwords should be different. But if one site is basically just a clone of the other on a different medium, you're not risking much by using the same password.
Top-Tier websites include anything with sensitive data such as exploitable financial information, confidential information, or information that gives access to other accounts. Your email is one of them, because it could be used to gain access to other accounts that have been registered with it, even if it does not itself contain sensitive information. All marketplace accounts like ebay, amazon, paypal, etc. are likewise in this category. All top-tier passwords should be very strong (16+ characters, including both numbers and symbols where possible) and should be unique for every site. These passwords should be changed occasionally, preferably every 3-6 months.
Tips on password management:
If any top-tier sites offer two-factor authentication via security tokens, use them! This is standard for most banks in Europe, though in the US adoption rates are lower. If you're using a security token for your WoW account, it's a clear indication that you need to get back to spending more time in real life.
Keep your backup plans up to date. Ensure email addresses on your various sites are up to date in case a reset is necessary, and hang on to any correspondence or account information you receive, in case you need it later to prove your identity and reclaim an account.
Record your passwords, using an encrypted database on a device requiring physical access such as your desktop PC or a thumb drive, protected with its own top-tier password. Built-in browser password managers that offer a master password and encryption are also safe on desktop computers, but are not recommended on laptops or other mobile PCs. This is also important because if a low- or mid-tier password gets compromised, you can quickly reference your centralized password list to find out which other accounts are affected and change the password on all of them.
Don't use security questions on mid/top tier sites! If a website requires one, enter another unique password of the appropriate tier, unrelated to the question, as the answer, and save that password as a backup. Security questions are a weak link, especially when they're drop-down menu questions whose answer someone other than yourself could know. "What is my mother's maiden name?" is not a secure question! Your mother knows it. Anyone else in your family knows it, and other people can research it. Put ZaRNw0yk7 or something as the answer instead and remember/store what you put.
Any ditchable accounts, temporary accounts, or other accounts that you don't intend to hang on to or remember for a long period of time, such as emails for spam use, forum accounts for forums you never visit, etc. should all have unique passwords, regardless of tier. This is so that if you forget about them, a password breach on one of those sites won't come back to bite you in the ass. For these sites, it is also a good idea to falsify personal information wherever applicable. Your name will be John Smith and you will live at 1234 fake drive, genericville.
Use random passwords for mid/top tier accounts, especially if you're keeping them in your browser. You won't need to remember them, and if you do forget and don't have your usual browser available or your encrypted physical password storage database with you, you can perform a password reset, and use it as an excuse to update/change your password. On mid and low-tier sites, the random password generated by a password reset action may be adequate and entropic enough to keep as your password, rather than changing it again. As a bonus, your browser, and your top-tier protected email, should then have copies of the newly generated password already stored when they send it to you, and you can just look it up later.
Use unique passwords on any websites with a poor history of security, previous leaks, or in general questionable security practices. If the password handling does not seem secure or professional to you, for example, passing a password through a third party at registration, not using https, etc., you should never recycle that password. Good password security is defined as end-to-end encryption to prevent interception, a good one-way hashing algorithm to prevent decoding if the database is leaked, and complete lack of human involvement. If a website is capable of telling you what your password is after you've put it in, it's not secure!
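What "a good one-way hashing algorithm" and "the site can't tell you your password" look like on the server side, as an added example (not code from the post or from any site it mentions). It uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt, a self-describing record format of my own choosing, and the post's password-reset flow from the management tips: the site generates a fresh random password, stores only its hash, and hands the plaintext out once. The user table and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# raise it substantially in production so every guess costs the attacker real CPU time.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"   # record label chosen for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per user, so two users with the same password get different
    records and one precomputed table of digests cannot be reused across the database.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the record and
    compare in constant time. Nothing here can turn the record back into the password."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def reset_password(user_table: dict, username: str) -> str:
    """Password-reset flow from the post: generate a fresh random password, store only its
    hash, and return the plaintext exactly once for delivery to the user's email."""
    new_password = secrets.token_urlsafe(12)   # 16 URL-safe characters drawn from os.urandom
    user_table[username] = hash_password(new_password)
    return new_password


# Constructed mini user table (not real credentials): the site keeps records, never passwords.
USER_TABLE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),   # same password, different salt
}
```

The record stores everything needed to verify a login and nothing that recovers the password, which is why a site that can email you your existing password has, by the post's definition, skipped this step.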
Some good tools for you:
1) Random Password Generator: https://secure.pctools.com/guides/p.....;generate=true
2) Password Strength Checker: http://www.passwordmeter.com/
If a top-tier site as I've defined above does not rate "very strong" on this checker, you should re-think your password!
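The tier rules from the post (8 / 10 / 16 characters, digits or symbols, dictionary resistance) and the two tools above (a random generator and a strength check), as one added example in Python that is not the post's own code or either tool's implementation. The tier mapping, the symbol set, the leet-speak folding and the tiny wordlist are my own assumptions; the wordlist stands in for the large cracking dictionary a real check would load.

```python
import math
import secrets
import string

# Minimum length per tier, taken from the post: low 8, mid 10, top 16.
TIER_MIN_LENGTH = {"low": 8, "mid": 10, "top": 16}

# Symbol set assumed for this example; any printable punctuation would do.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed stand-in for a cracking wordlist.
SAMPLE_WORDLIST = {"password", "letmein", "dragon", "welcome", "qwerty", "sunshine"}


def classify_tier(has_pii: bool, has_financial: bool, unlocks_other_accounts: bool) -> str:
    """Map the post's three tiers onto what a site holds: email and marketplaces are top,
    anything with personal data is mid, everything else is low."""
    if unlocks_other_accounts or has_financial:
        return "top"
    if has_pii:
        return "mid"
    return "low"


def _contains_dictionary_word(password: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """Fold common digit/symbol substitutions so 'p@ssw0rd' still matches 'password'."""
    folded = password.lower().translate(str.maketrans("@0$13!|", "aosieil"))
    return any(word in folded for word in wordlist if len(word) >= 4)


def estimate_entropy_bits(password: str) -> float:
    """Upper bound: each character drawn uniformly from the union of the classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def check_strength(password: str, tier: str) -> dict:
    """Apply the post's rules for the tier and report every violation, not just the first."""
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    problems = []
    if len(password) < TIER_MIN_LENGTH[tier]:
        problems.append(f"shorter than {TIER_MIN_LENGTH[tier]} characters")
    if tier == "top" and not (has_digit and has_symbol):
        problems.append("top tier wants both digits and symbols")
    elif not (has_digit or has_symbol):
        problems.append("needs a digit or a symbol")
    if _contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return {"ok": not problems, "problems": problems,
            "entropy_bits": estimate_entropy_bits(password)}


def generate_password(tier: str) -> str:
    """Random password of the tier's minimum length from the CSPRNG, retried until it
    passes check_strength (a short random string can still miss a digit or symbol)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    length = TIER_MIN_LENGTH[tier]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_strength(candidate, tier)["ok"]:
            return candidate
```

`secrets` rather than `random` matters here: the generator's whole value is that nobody can predict its output, and `random` is not designed for that.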
Example: Take the third and fourth letter of the domain name (which for furaffinity is ra). Then take the last two digits of the serial number of your cell phone (let's say that's 12). Then you can take the first and last letter of the domain name and make them capitals (which is FY) and then take the first two digits of the serial number of your cell phone and capitalize them (let's say it starts with 34, which makes this example #$). Put them all together and you have the password ra12FY#$. If you go to google, the password becomes og12GE#$.
As you can see, your password is always strong, always unique, and easy to remember, since you only have to remember the way to generate the password.
Another good tool is a pattern shift, where you can use words and the like in your passwords, but you shift the keystroke to the left, right, up or down from each letter. For example, a simple left shift of 'bunchies' would become 'vybxguwa', and more complex patterns are always possible (and preferred). Again, you would still want to include numbers and/or symbols. Avoid dates of personal or historical significance.
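The two recipes in the comment above, implemented as an added example that is not the commenter's code: the site formula (ra12FY#$ for furaffinity, og12GE#$ for google) and the QWERTY left shift ('bunchies' to 'vybxguwa'). Assumptions of mine: a US QWERTY layout, letter rows that wrap around at the ends (the comment does not say what happens to 'q' or 'z'), and Shift+digit on a US layout for the "capitalized digits" step. `shifted_candidates` makes the design point explicit from a defender's side: the shift is a fixed one-to-one substitution, so a wordlist of N words yields exactly N shifted candidates and the scheme's strength rests on the secrecy of the rule, which is the weakness the thread goes on to discuss.

```python
# US QWERTY letter rows; the comment's "left shift" replaces each key by its left-hand neighbour.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Digits typed with Shift held on a US layout (3 -> #, 4 -> $, as in the comment's example).
SHIFTED_DIGITS = str.maketrans("1234567890", "!@#$%^&*()")


def _shift_table(offset: int) -> dict:
    """Map each letter to the key `offset` positions along its row (assumption: rows wrap)."""
    table = {}
    for row in QWERTY_ROWS:
        for i, ch in enumerate(row):
            table[ch] = row[(i + offset) % len(row)]
    return table


def keyboard_shift(word: str, offset: int = -1) -> str:
    """Shift every letter along its QWERTY row; offset -1 is the comment's left shift.
    Characters that are not letters on the three rows pass through unchanged."""
    table = _shift_table(offset)
    return "".join(table.get(c, c) for c in word.lower())


def keyboard_unshift(word: str, offset: int = -1) -> str:
    """The shift is a fixed one-to-one substitution, so shifting the other way undoes it."""
    return keyboard_shift(word, -offset)


def shifted_candidates(wordlist, offset: int = -1) -> set:
    """Each dictionary word maps to exactly one shifted string, so the candidate space is
    no larger than the wordlist: the rule adds no strength beyond its own secrecy."""
    return {keyboard_shift(w, offset) for w in wordlist}


def site_formula(domain: str, serial: str) -> str:
    """The comment's worked formula: 3rd+4th domain letters, last two serial digits, first and
    last domain letters capitalised, then the first two serial digits typed with Shift held."""
    return (
        domain[2:4]
        + serial[-2:]
        + domain[0].upper()
        + domain[-1].upper()
        + serial[:2].translate(SHIFTED_DIGITS)
    )


# Constructed wordlist standing in for a cracking dictionary.
SAMPLE_WORDS = ["bunchies", "dragon", "welcome", "sunshine"]
```

Note how much of each formula output is the same across sites (the serial digits and their shifted form): the per-site part is only the four domain letters, which is the property the later replies weigh against a randomly generated password.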
I suggest random passwords with a safe database simply because it eliminates so many potential points of failure, and because it's very easy for someone to carry out, without needing to think too much about it, or struggle to remember. It has the double benefit of being virtually unbreakable, and a streamlined process, by which someone can generate a password, paste it into the form, save it in their browser and/or datavault, and then be done, not needing to deal with it again, recall it, or worry about its security.
The problem with saving your passwords locally is that if your box becomes infected with certain types of malware, that password file will be one of the big targets, often without your knowledge. If one instead uses the formula and types in the password every time, this risk is eliminated and makes it very, very difficult for someone to compromise several accounts, which is necessary in order to break the formula.
Both our approaches are much stronger than the usual "get one password and use it everywhere" approach. The difference in our approaches is the weaknesses inherent in the approach. Your approach fundamentally relies on the security of the password file for the browser, where mine relies on the secrecy of the formula. In both cases, if the weakness is compromised, every password is compromised. The question, then, is which is less likely to be broken. I tend to champion the formula method because I worry that the browsers are constantly discovering and patching new vulnerabilities. However, the reverse argument can be made.
Actually, so long as the password database is encrypted, storing it locally is far SAFER against malware than just typing it in. Malware cannot decrypt the password database of any self-respecting form-filler, so the main avenue of attack for password-stealing infections is keyloggers. If you're not typing your password into the form each time, the keylogger has nothing to go by. That said, if you're infected with that sort of malware, your password-keeping methods are probably the least of your security issues.
As for the form-filler security, Firefox 3+ by default uses 3DES encryption in CBC mode to store your passwords when using a master password. If you use a strong master password for Firefox (top-tier security/unique 16+ characters), it would be extremely difficult for someone to crack your password database (this method of encryption is rated good through 2020). If you don't feel this is secure enough, or doesn't offer enough security against other attack vectors, you can use something like RoboForm or Kaspersky Password Manager for higher-level encryption, better protection against keyloggers and more robust anti-phishing technology. If you run Mac OS X, you can use Camino, or a keychain integration plugin for Firefox, which then hooks into the OS password manager, which is again protected from access without the master password.