simple secure passwords

8/2/2019 Simple Secure Passwords

1/26


2/26

The Mozilla PocketPassword PrimerWhat You Should Know About

Keeping Your Identity SafeOn the Internet

2010 Mozilla

The contents of this publication are available underthe Creative Commons Attribution-Share Alike 3.0

Unported license.


3/26


4/26

Passwords

It's hard to get through a day on the internetwithout encountering dozens of requests for yourusername and password. With more and more ofour work and leisure time spent online, mostpeople find that remembering a unique passwordfor each account they have is an impossible task.

It's made harder when sites have strange rulesabout how you must form your passwords. Somesites prohibit special characters like &, %, #, and @in passwords. Other sites require them. Some siteshave maximum length limits on passwords that areshorter than the minimum length required by other

sites. What is the modern, internet-savvy usersupposed to do?

Certainly not what most of us do now...

Are there little yellow notes stuck to theside of your monitor with usernames and

passwords scribbled on them?

Do you have at least one computer or onlineaccount where the password is "password"?


5/26

Do you use your pet's name as a password,

and tell yourself you're making it moresecure by adding "123" to the end?

Do you have accounts on 387 websites andlog into all of them with one of threefavorite, easy-to-remember passwords?

Did you last change the password for your

bank account shortly after the turn of thecentury? Before?

If you've secretly answered "yes, but..." to any ofthese, don't worry. We won't tell anyone, and inthis guide we'll show you how to create and

manage strong, secure passwords without breakinga sweat. We'll also show you how to memorizeonly one password and still have a uniquepassword for every site you visit.

You'll sleep better at night knowing you're saferfrom identity theft, and with the tricks you'll learn

here you can help your friends and relatives besafer online as well.


6/26

Passwords Are Compromises

Any password is a compromise between a secure(long, random and unique) string of characters andan easy to remember word or phrase. As we needmore and more passwords to get through the day,we all tend to push the compromise in the directionof easy to remember more than we should. A bit

later, we'll show you a technique creatingpasswords that will keep your's memorable withoutmaking them easy to guess. We'll also show youways to let your computer manage all yourpasswords so you don't have to remember them.

Threats to Your Passwords

The threats to your passwords fall into three majorcategories:

Social Engineering: The more an identity thiefknows about you, the less secure passwordsassociated with your everyday life become. Don't

assume that the names of your children, pets orfriends make secure passwords. They aren't.Similarly, if you keep passwords written down in a"secret place", anyone watching your day-to-dayactivity will quickly learn where they're hidden.


7/26

Brute Force Attacks: If your passwords are

insecure, an identity thief needs little more thanyour username to mount an attack against youraccounts. Cracking software that uses lists ofdictionary words in combination with commonpassword configuration information quickly opensaccounts with passwords such as "Jennifer3" and

"Bobcat123". A security audit of a universitycomputer system found that 20% of the accountscould be accessed using only a list of the 20 mostpopular female names followed by a single numericdigit.

Breaching Insecure Systems: If the

administrators of a website use poor securitypractices, such as storing passwords unencrypted,identity thieves that manage to breach systemsecurity can steal the entire list of passwords andusernames. Tht's a huge security problem for you ifyou've used the same password on other sites,

particularly ones with access to your bank accountor other sensitive information.


8/26

The lessons are clear:

Use as secure a password as possible

Change your passwords periodically

Try not to reuse passwords between sites

If that last rule is impossible to follow, then be

sure that sites holding sensitive information don'tuse shared passwords.

What Not To Use In Your Password

There are some things you should not use whenyou're creating a password. All of the following are

chosen as passwords so frequently that passwordcracking software has been developed to takeadvantage of their inherent weaknesses:

Your name, or the name of your spouse,parent, child, or pet

The name of a friend (real or imaginary),your boss or a coworker

The name of popular fantasy characters orwords like "wizard", "guru", "gandalf", etc.


9/26

The name of the operating system you're

using, or the hostname of your computerYour phone number, license plate number orany part of your social security number

Birth dates or other easily obtainedinformation about you, your family or yourfriends

A proper noun (the name of a particularperson, place or thing)

A dictionary word, either English or foreign

Passwords of all the same letter

Simple patterns on the keyboard, like"qwerty"

Any of the above followed or prepended bya single digit or a sequence of ordered digits(like 123)

Any of the above spelled backwards


10/26

An I n t e r n e t u se r n a me d N e r o ,An I n t e r n et u se r n a me d N e r o ,

S e t h i s o n - l i n e b a n k p as s wo r d t o " H er o ",S e t h i s o n - l i ne b a nk p a s sw o rd t o " H er o ",

Af t e r l u n c h he c a me b a c k ,Af t e r l u n c h he c a me b a c k ,

T o a p a sswo r d a t t ac k ,T o a p a sswo r d a t t ac k ,

An d a b a n k a c c o un t b a l a nc e o f z e r o .An d a b a n k a c c o un t b a l a nc e o f z e r o .

...and one more thing to remember. You shouldnever use a password that has been used as anexample in an article about how to create goodpasswords. That includes this guide. Once apassword has been published, it's no longer useful.

If this seems like we've eliminated any passwordthat has a prayer of being memorable, don't worry!

We'll show you how to avoid all of those pitfalls.


11/26

Choosing a secure password

Good passwords have a fairly simple set ofproperties:

They have both upper and lower case letters

They have digits and/or punctuationcharacters as well as letters

They are easy to remember, so they do nothave to be written down

They are at least seven or eight characterslong, but the longer the better.

They can be typed quickly, so someone else

cannot easily look over your shoulder

So the puzzle before us is to create a passwordwith all of the good properties without having anyof the bad properties.


12/26

Passwords from a Passphrase

You can create a memorable, secure passwordstarting with a simple phrase. We call these"passphrases". For example, let's use a quote fromOgden Nash:

"Happiness is having a scratch for every itch."

If we use the first letter of each word, andsubstitute 4 for "for", we get:

Hihas4eiHihas4ei

This is a reasonably strong password but we canimprove it a bit by adding some special characters:

#Hihas4ei:#Hihas4ei:

Associating Web Sites

We can use our new password on several differentwebsites by adding a suffix with a mnemonic link

to a particular site. Let's use the first letter and thenext two consonants in the site name.


13/26

Just to add a bit more randomness we'll alternate

upper-case and lower case, and if the firstcharacter in the site name is a vowel we'll start withupper-case. To mix things up a bit more we'll usethe same rule to decide whether to add the sitemnemonic to the left side or the right side.

#Hihas4ei:AmZ#Hihas4ei:AmZ for Amazon

bGz#Hihas4ei:bGz#Hihas4ei: for Bugzilla

#Hihas4ei:YtB#Hihas4ei:YtB for YouTube

dRm#Hihas4ei:dRm#Hihas4ei: for Drumbeat

While this technique lets us reuse the phrase-generated part of the password on a number ofdifferent websites, it would still be a bad idea touse it on a site like a bank account which containshigh-value information. Sites like that deserve theirown password selection phrase, perhaps somethinglike the old English proverb:

"A penny saved is a penny earned."

So for our bank, this would give us a passwordsimilar to:

bNk#Apsiape:bNk#Apsiape:


14/26

This password lacks numeric characters because

our phrase contains neither numbers nor the words"to" or "for". We could strengthen it a bit by addinga rule to put in a digit or two if none are providedby the phrase:

bNk#8Apsiape2:bNk#8Apsiape2:

But even without doing that our rule based systemgives us strong, easy to remember passwords thatare unique to each website.

The Power of Rules

Notice that by using a simple set of rules, we're

able to construct a longer than average passwordtht's still easy to remember. Here are the rules weused:

Choose a memorable phrase and use thefirst letter of each word.

Add special characters (we chose # and : ).Use the first character of the website nameand the next two consonants in the name asa site identifier.


15/26

If the website name starts with a vowel,

capitalize the first and third characters andadd it to the right side of our password.

If the website name starts with a consonant,capitalize the second letter and add it to theleft side of our password.

If there are no numbers in the password add

a digit or two. (we chose to add them at thebeginning and end of our phrase).

Memorizing Your Passphrase

You will find that passphrases are more memorablethan simple passwords. However, if you have

trouble remembering the passphrase you can resortto an old-fashoned memorization trick fromelementary school. Take a piece of paper and writedown your passphrase 10 times in a row. Realpaper and pen work better than typing, but anyform of repetition will help. Just be sure to dispose

of the paper securely.


16/26

Changing Your Passwords

If you work for an organization that requires youto change your password periodically, you shouldconsider changing all of your passwords at thattime as well. You don't have to visit all your sites,just choose a new secret phrase and as you visiteach site make the change.

If nobody requires periodic changes, you shouldconsider changing your password at least twice ayear. A convenient way to remember to change isto pick a new secret phrase when you set yourclocks when the time changes in the spring andautumn.


17/26


18/26

Password Recovery Questions

Many websites use a "secret question and answer"to allow you to reset or recover your password.These are often implemented in less than a securemanner. The security problem exists when the siterequires you to select from a limited set ofquestions. Choosing a question such as "In what

city were you born?" presents an obvious securityhole. Knowing where you were born gives anyoneaccess to your password. If the site doesn't let youwrite your own question, and many don't, you'rebetter off tricking the system into being secure.Here's how:

Select a passphrase create a password youwill use for password recovery.

No matter which "secret question" youselect, use your new password as the"secret answer".


19/26

The answer doesn't make sense in the context of

the question, but the password recovery systemdoesn't know this. It only checks that the answeryou give when you ask to recover or reset yourpassword matches the answer you supplied whenou set up the account. This trick will ensure thateven a website that chooses insecure "secretquestions" won't compromise the security of youraccount.

Passwords in Email

Emailing passwords is always a bad idea. Mostemail systems transmit the body of the message inplain text, and so an identity theif could look inside

messages addressed to you. This means that if awebsite "recovered" your password and emailed itto you, you should consider that passwordcompromised and change it immediately.


20/26

Managing Your Passwords

Even with tricks like using phrases to generatepasswords, remembering passwords for dozens ofsites can be a bit taxing. There are software toolsthat will manage your passwords for you. There areonline services and stand alone programs that willsave your passwords, and you can ask most

modern web browsers to remember passwords.But you should choose your password managementsoftware carefully and only use a program orservice that you're sure you can trust with yourmost sensitive information.

The Firefox browser from Mozilla, the most trusted

name on the Internet, has secure, world-classpassword management. When you enter ausername and password into a website, Firefoxasks if you want to remember that password. Ifyou answer yes, Firefox stores the password inyour user profile. You can (and should) turn on

Firefox's Master Password feature to ensure thatyour saved passwords are securely encrypted.


21/26

Combining Firefox's Master Password with Firefox

Sync lets you manage all your passwords on all themachines you use securely and effortlessly. Best ofall, if you use the password manager, the FirefoxMaster Password is the only password you'll everhave to remember yourself.

The Firefox Master Password

To keep the passwords you save in Firefox'spassword manager secure, you should turn on theMaster Password. If you haven't already set aMaster Password, it's easy to do.

Before you start, carefully choose a phrase to

create your Master Password. Since the MasterPassword is used to secure all of your otherpasswords, a long phrase would be advisable.


22/26

In Firefox for Windows:

From the Tools menu select Options.

Click on the Security icon and check the"Use a master password" checkbox.

The Master Password dialog box willappear.

Enter your Master Password into the "Enternew password:" and "Re-enter Password:"text boxes and hit the OK button.

in Firefox for MacOS:

From the Firefox menu select Preferences.

Click on the Security icon and check the"Use a master password" checkbox.

The Master Password dialog box willappear.

Enter your Master Password into the "Enter

new password:" and "Re-enter Password:"text boxes and hit the OK button.


23/26

Many people prefer to have Firefox ask for the

Master Password only once at the beginning ofeach session. There is a Firefox Add-on calledStartupMaster that enables this behavior. To addStartupMaster to Firefox, pick Add-ons from theTools menu, click on Get Add-ons, and then typeStartupMaster into the search box.

All Your Passwords On All YourComputers

Firefox Sync can ensure that all your passwords aresaved on all the computers you use. Tell Firefox toremember a password on your desktop computer athome, Firefox Sync will make that password

available to Firefox on your notebook computer,and any other computer (or mobile device) onwhich you use Firefox.

Firefox Sync not only synchronizes yourpasswords, but also your bookmarks, browsing

history, preferences, and tabs across all of yourbrowsers.


24/26

One thing that Firefox does not sync across all of

your computers is your Master Password, so besure to set that up on each machine when youconfigure Firefox Sync.

Firefox Sync is built into Firefox 4, and is availableas an add-on for Firefox 3.5 and later. To addFirefox Sync to Firefox, pick Add-ons from the

Tools menu, click on Get Add-ons, and then typeFirefox Sync into the search box.

When you set up Firefox Sync, it will ask for apassword and pass phrase. You can safely use yourMaster Password and the phrase you used to

create it here.

When you have Firefox Sync installed on all yourmachines it will ensure that passwords youremember on one machine are available on all of themachines on which you run Firefox. That includesSmartphones and mobile devices running Firefox

Mobile and Firefox Sync, so you can carry all yourpasswords with you all the time.


25/26

Become a Password Security Ninja

Faithfully using the tips and techniques in thisguide will put you in the top 10% of all internetusers when it comes to password securityawareness.

Use your newfound power wisely and help spread

the word by showing your friends and family howthey can be safer online by using more securepasswords.


26/26

ColophonThe ebook versions of this publication wereprepared using the Sigil open source editor forebooks. Learn more about Sigil athttp://code.google.com/p/sigil.

Characters from Le Geektionnerd are remixed from

the Wikimedia Commons under the CreativeCommons Attribution-Share Alike 3.0 Unportedlicense.

Tim Buckley's CTRL+ALT+DEL cartoon is remixedfrom the Wikimedia Commons under the CreativeCommons Attribution-Share Alike 3.0 Unported

license.

The contents of this publication are available under

the Creative Commons Attribution-Share Alike 3.0Unported license.

simple secure passwords

Documents