I’ve been in enough businesses and watched people enter their passwords to know where the weak point is. Due to most people not knowing how to type properly or just being plain lazy, an all number password seems to be the favorite. I would bet a birthdate or just 12345 are used in most cases. However, just what could your password be used for and how important is it to your daily life?
It’s impossible to use a different password on every website you visit. There are sites that will allow you to login to them with a single strong password and then they will randomly generate passwords for you all over the Internet and allow you to login quickly without really knowing what password was used and when. They’re really good ideas for making sure you don’t have your passwords hacked, but in the case of Lizzy, they sometimes don’t work well. In this post, I’m going to discuss just how important your password is to your business, and some steps you can take to strengthen it up a bit. I’ll also cover briefly a few ways in which people can break your passwords to gain access to your computers and information.
Step One: If you haven’t already, read my blog post about learning to type and take it to heart. It will change your life in less than a month and once tackled, you’ll never know how you did without the skill.
Step Two: Make up a password that is a sentence or phrase. Capitalize a few letters along the way and leave out spaces (mainly because they are too darn hard to keep up with). An example might be “mYn@meIsGlenn”. Generally I wouldn’t suggest having that many capitalized letters because it might get difficult to remember which ones are suppose to be uppercase. But do have at least 1 or 2 capitalized or replace them with a number, like the number “one” for the lowercase “L”.
Don’t use sentences from books, movies or TV shows because they probably already exist in password files that can be used in a dictionary attack, which is nothing more than comparing each password hash you have to a hash generated from the file. They have them in different languages as well if you were thinking you could get around it that way :-). The idea is to make the password easy to remember but impossible for someone else to guess.
Lizzy’s passwords are encrypted with a one way hash and salted. This makes it difficult, if not impossible for someone to reverse engineer the password itself. Which only leaves them the ability to physically guess it.
Just what is a one way hash and why do I care? A one way hash is a method, where upon you entered your password to tell Lizzy what you want to use. But Lizzy knows that storing that password in plain text would allow a hacker to possibly steal the password table and be able to see everyones password. This is exactly what happened at Linked-In a few months back where they stored passwords un-salted. Once they have those passwords, they have free access to the entire system. So to make sure that not even we know your passwords, they are encrypted using an algorithm that can’t be reversed.
But wait just a minute. If we don’t know your passwords, and they aren’t stored inside some database somewhere, then how can you possibly log back in?
In order to see if you typed the correct password, we have to physically encrypt your password again using the same method you used to set it, and compare the end result (called a hash) to what we have stored in our tables. If the encrypted password hashes match, then we have to assume you entered the correct password. Salting is a method of making sure the stored password can’t be guessed using rainbow tables which I’ll describe next.
If you were thinking through the process, then you might be asking, if the only difference between a text password and an encrypted password is the way it looks, then why can’t I take the dictionary we were talking about earlier and encrypt it and store a text file full of already encrypted dictionary words. This is absolutely what is done, and there are hundreds of rainbow tables you can download so that instead of trying to match up words we match up encrypted fields and then determine the password if we find a match, since we build the password hash and know what created it. Salting prevents you from being able to use rainbow tables and forces you to brute force the password.
Brute force is what you want hackers to have to use, since it takes forever to accomplish. The longer your password and the less common it is, the longer it will take them to figure it out.
Now you might say something at this point like, “But I trust my employees”, and my response to you would be, “SO WHAT!”. With Lizzy and any other Internet based system, your entire company data is sitting on the Internet, and while we work hard to keep that data protected, if you or your employees go and create some dumb password like “12345”, we can’t protect you. I don’t believe in forcing you to use passwords you will never remember because it will only causes you to write them down or get upset with us which causes an entirely different set of problems.
Create passwords you can remember, but make them phrases instead of simple words or numbers.
Oh, and one last thing for those that are wondering, “mYn@meIsGlenn” is not my password.