Hardening Passwords

A couple of months ago my Network Solutions account was compromised in that my username and password were changed without my knowledge. I have a sneaking suspicion that event may have been a preemptive strike against my move away from Network Solutions web hosting to Media Temple — if you can’t get into your NetSol account you cannot change the DNS pointers — but I have no proof of that suspicion other than a modulating paranoia and the uncomfortable knowledge there’s no such thing as a coincidence.

I was able to work around that lockout, and I moved my DNS pointers to the Media Temple servers; all my sites are currently hosted with (mt). Lately I have heard too many stories from friends that their blogs have been defaced and that other places previously thought “secure” had been broken into.

The most likely way those break-ins happen is a compromised password: one guessed by a human or brute-forced by a computer. Microsoft has some good advice on how to create a strong password. Here’s my quick method for creating a hardened password in seconds:

1. Take a favorite quirky phrase you can’t seem to get out of your head (“Yes, her dog eats marble rye.”) and take the first letter of each word and preserve any capitalization: “Yhdemr” to create the first part of your hardened password.

2. To create the second half of your hardened password, take a street address you will never forget, keep the house number whole and the first letter of each word, and preserve any capitalization: “6321 Carlton Avenue” becomes “6321CA”.

3. Create the hardened password by joining the results of steps 1 and 2, and you have a good, new, harder-to-crack password: “Yhdemr6321CA” — that password is a dead example; I don’t use it, and now neither should you.

That will get you started! You can also throw in a few special symbols like “/” or “-” or something else if you want to make it even tougher to break. If you have a weak password right now that uses your pet’s name, a word found in the dictionary, a bible verse, or your birthday, or if it is less than eight characters in length:

CHANGE YOUR PASSWORD NOW AND THEN CHANGE IT AGAIN IN SIX WEEKS AND THEN CHANGE IT AGAIN IN SIX WEEKS AND THEN CHANGE IT AGAIN…!
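Steps 1 to 3 above, together with the optional special symbol and the weak-password list that follow them, as an added Python example (not code from the original post). The function names, the tiny constructed word list and the sample inputs are my own assumptions; the post’s dead example password appears only to confirm that the procedure reproduces it.

```python
import re

# Constructed stand-in for a real dictionary word list (a deployment would load
# a full list); the entries here exist only to exercise the check.
SAMPLE_WORDLIST = {"password", "banana", "dog", "bananadog", "fluffy", "letmein"}


def phrase_initials(phrase: str) -> str:
    """Step 1: the first letter of each word, capitalization preserved."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", phrase)
    return "".join(w[0] for w in words)


def address_part(address: str) -> str:
    """Step 2: keep each number whole and take the first letter of each word,
    capitalization preserved."""
    pieces = []
    for token in address.split():
        if token[0].isdigit():
            pieces.append("".join(ch for ch in token if ch.isdigit()))
        else:
            pieces.append(token[0])
    return "".join(pieces)


def harden(phrase: str, address: str, separator: str = "") -> str:
    """Step 3: join the two halves; `separator` is the optional special
    symbol the post suggests for extra toughness."""
    return phrase_initials(phrase) + separator + address_part(address)


def weakness_reasons(password: str, personal_facts=(), wordlist=SAMPLE_WORDLIST) -> list:
    """Screen a candidate against the weak patterns the post lists: a pet's
    name or other personal fact, a dictionary word, a birthday (all digits),
    or fewer than eight characters. Returns an empty list when none apply."""
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than eight characters")
    if lowered in wordlist:
        reasons.append("dictionary word")
    if password.isdigit():
        reasons.append("all digits, like a birthday")
    for fact in personal_facts:
        if fact.lower() in lowered:
            reasons.append(f"contains personal fact {fact!r}")
    return reasons


if __name__ == "__main__":
    # The post's own worked example, used only to confirm the procedure.
    pw = harden("Yes, her dog eats marble rye.", "6321 Carlton Avenue")
    print(pw, weakness_reasons(pw, personal_facts=("Carlton",)))
    # A pet's name fails three of the post's tests at once.
    print("fluffy", weakness_reasons("fluffy", personal_facts=("Fluffy",)))
```

The screen is deliberately a coarse filter, not a strength meter: it only names the specific habits the post warns against, so a password that passes it is merely free of those habits, not proven strong.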

After my Network Solutions problem I changed and super-hardened all my passwords to make sure I had a better base level of protection everywhere. Remember your online life on the web is especially vulnerable to weak password choices.

An online bank account or a domain registrar or a website or blog login screen are all publicly exposed to attackers 24/7 and, unlike the lock on the front door of your home, a thousand computers can try to crack your code all at once and they don’t even have to stand in line to break you.

19 comments

  • Mostly I still use this completely random password I got for my email in college and for some reason it stuck with me. I probably should however find something new.
    Is it possible to hack into password protected things? My boyfriend’s ex claims she’s hacked into things I’ve kept password protected but then again if she did I would expect her to have more of a fit of things she found. Who knows. She claimed she would sue me several times but nothing ever happened.

  • Hi Robin!
    Yes, please change your passwords and change them often! Everything that requires a password should have a unique password of its own.
    Yes, you can rather easily hack password protected stuff. There are even computer programs you can point to a URL and they will run thousands and thousands of dictionary words and other phrases to see if your password can be broken. That happens a lot and it happens every day!
    The power of cracking a password is not telling anyone about it — secretly having access to a place that is not yours without the owner’s knowledge offers the most fun — that’s why all owners need to keep a keen eye peeled for subtle changes they are certain they did not make because that is the first sign you’ve been cracked.
    A regular hardened password protection and changing scheme goes a long way to pushing away bad intent.

  • I received an email “phishing” for my password information on a popular payment service. I realized there was something wrong because it was sent to one of my email addresses that that service doesn’t have. My spam box has also received “urgent alerts” from a credit card company requesting immediate action by logging into the “phishing” hole. Of course, I knew it was fake because I didn’t have that brand of credit card.
    I always try to use different passwords for different services.
    I always think that it would be too easy for someone to get access to one service, then have the keys to the kingdom.
    There are always stories about computers going missing from offices (a “big-three” credit bureau lost a computer with consumer info not too long ago), people buying information from employees, accidentally falling prey to a “phisher,” trojan horses logging keystrokes, etc.

  • Right on, Chris!
    Those password stealing schemes are terrible! Unfortunately, a lot of people fall for them even though they are complete scams.
    The key to a good password scheme is to change your password on an irregular basis — at least every six weeks as I screamed above — :) just to keep the bad folks confused and off their game.
    I remember reading the news reports about computers and personal information disappearing and that is frightening. I wonder how many identity threats never get reported on the evening news.
    I know ID theft is a growing business and the latest scheme for the bad folks is to watch the birth records in the newspaper and get a Social Security number in the name of the newborn before the parents can do it and then use that new Social Security number for fraud. Before that baby can even walk the Social Security number is blacklisted and a newborn’s identity has already been stolen.

  • I keep a password for two weeks and then I change them all. Safety is in changing.

  • That is a good scheme, tajuki, and one that few people follow. If you are always changing, your password can never be pinned down, and if it is pinned down the illicit access doesn’t last for long.

  • I work that way. I use a combination of numbers and switched-case letters. Number sequences are hard to crack. Letters that make words are easy. Numbers are random.

  • Can you give us an example of an old password you used to use and then tell us why and how you created it?

  • I replace it with “w3ep0oy7u”, which looks hard, but the characters all make a “v” pattern on the keyboard. I move the pattern to mix it up every time. Sometimes I make a “v”, sometimes an “arrow”, sometimes an “m”, and I move it all over the keyboard so no pattern can be predicted. I remember the pattern on the keyboard, not the password.

  • Excellent, tajuki! Your “pattern on the keyboard” as a password is innovative and outstanding and it makes the task of using a password a game of pattern recognition instead of stringing together lots of letters and numbers that have no coherence of origin to them. You can even turn on CAPS to make your patterns even denser at times. Your routine works well and I thank you for sharing!

  • Yes, it’s a topic from 2005, yet it’s on Google’s front page for password hardening. So:
    Most things do not need strong passwords. As has been pointed out before, BananaDog would take over ten million attempts from a dictionary combo attack, which is pretty unlikely, even for a bank account, much less your forum account on Tom’s Hardware.
    Basically, strong passwords for your bank/PayPal and any other money thing are fine, but most things don’t need it.

    • Since most of our social networking lives include some sort of credit card information — from Gmail to the Sony online network to Facebook and so on — hardening passwords is a much better protection scheme for privacy than using something simple and guessable.

  • Your blog here is well done, congrats!

    I am here because my web based email contact list was recently hijacked in order to send spam to my 200+ friends (maybe ex-friends by now). (I am still unclear on whether or not my password was a requirement to pull this theft off or if there was a way that the intruder got my contact list from the provider’s server.)

    My thoughts for today are that I understand the need for a strong, non-dictionary password. I guess I’m not fully certain of the efficacy of changing my passwords every so often. I’m a non-business, retired home user. With so many accounts… on-line stores, retail stores, libraries etc, it would be difficult to change these every 6-10 weeks, let alone remember them. I guess I’m thinking that a machine attack could just as easily come up with my password the day after I changed it.

    Maybe I’m trying to say that strong and as secret as possible passwords are most important and that changing passwords every so often is helpful too… but a lot of work.

    Thanks for offering a place for such comments!

    • I think it’s all about making yourself a less likely target. Hardening a password immediately separates you from 99% of the other people on the internet — and so there are other “more fruitful” targets for exploitation than you. As well, many people use a single password for everything. That gives the bad guys one key that unlocks a multiplicity of accounts.