& today’s question is…password policy

IT peeps rarely get time off duty; social situations often become Q&A sessions. Recently – and this is a good thing – the most common question has been some variant of “What’s the most important thing I can do to keep myself safe online?” I say this is a good thing because for far too long I’ve seen eyes roll when I’m evangelising my own version of (comparatively OTT) security, followed by “Yes, but…” My previous postings on this subject include my claiming a New World Record. Adopting a sensible, secure & easily used password policy will protect your ass.

As a flat, one-off piece of advice, I tell people to sort out their password policy by creating a strong base password & modifying it per website. This gives you an industry-standard password solution, and it’s not as hard as you might think.

The base is a password consisting of 2 words that mean something to you (favourite car/food/sport/whatever), with at least 1 capital & one letter swapped out for a number. Intersperse them with some keyboard entropy (*&^%$ symbols) & finish with the first two or three letters of the name of the site you’re logging into. That’s a simple yet powerful way to develop unique passwords per site.

Example – an imaginary Westside bogan could use his favourite car (Holden) & food (Pies), interspersed with dollar signs, for $Holden$$Pie5$fac on Facebook and $Holden$$Pie5$ins on Instagram. How secure is that password? A single PC would take around 93 trillion years to crack either version. My theoretical bogan is password safe – for the time being. That’s a quality password policy right there, explained quick & simple. I suggest you adopt it.

To give yourself a nasty fright as to how effective your current password policy (or lack of one) is, use the following services:

How strong is your password? Check your passwords at Howsecureismypassword.net; the response is an accurate estimate of the time it would take a single PC to crack your password. Don’t get carried away with your success – it’s trivial to rent almost unlimited processing power for any length of time from Amazon. Ten thousand processors is an easy transaction, so consider dividing your result by at least 10,000.

Has your password been compromised? When a website stores your password, it’s run through a hashing function & the resulting hash is what sits in the website database. The hashing happens every time you log in – it’s not your password that’s checked, it’s the hash. If somebody else – any one of the billions of Internet users – has used the same password as you, then the stored hash is identical. Check your password on the checker at haveibeenpwnd.com.
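Added example (not from the original post or from the haveibeenpwned project): this shows how the two points above fit together in code. A password hashed the same way always gives the same hash, which is exactly what a breached-password checker relies on; the Pwned Passwords range lookup works by sending only the first five hex characters of the SHA-1 and matching the rest locally, so the password itself never leaves your machine. The range service here is a constructed in-memory stand-in (real API responses are not fetched), and the salted variant at the end is added to show the one caveat: a site that salts per user does not produce identical stored hashes for identical passwords.

```python
import hashlib
import hmac

# Constructed stand-in for the Pwned Passwords "range" service. The real API
# answers a 5-hex-char SHA-1 prefix with every matching "SUFFIX:COUNT" line.
# These lines are made up for the example, except that 5BAA6 + 1E4C9B93F3F0...
# really is SHA-1("password").
FAKE_RANGE_SERVICE = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "3D0FA4C6B3F3B0A3C4E2C1B1D1F1A1B1C1D:1",
    ]),
}

def sha1_hex(password: str) -> str:
    """Hash the way the breach corpus is indexed: SHA-1, upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str) -> tuple[str, str]:
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_response: str) -> int:
    """Parse a SUFFIX:COUNT body and return the count for our suffix (0 if absent)."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def times_seen_in_breaches(password: str, service=FAKE_RANGE_SERVICE) -> int:
    """k-anonymity lookup: fetch the range for the prefix, match the suffix locally."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range(suffix, service.get(prefix, ""))

def stored_hash_unsalted(password: str) -> str:
    """Site storing a bare hash: two users with the same password share one hash."""
    return sha1_hex(password)

def stored_hash_salted(password: str, salt: bytes) -> str:
    """Per-user salt: the same password gives different stored values per user."""
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    for pw in ("password", "$Holden$$Pie5$fac"):
        print(pw, "seen", times_seen_in_breaches(pw), "times in the sample corpus")
```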

Has any of my email/password combinations ever been compromised? Same website, different service. Enter your email address to see if any site you’ve ever logged in to has been compromised. haveibeenpwnd.com

Those are 3 great free services that should help enhance your security awareness.

For far more qualified advice than my own, head to Troy Hunt’s blog – he created haveibeenpwnd – if you’re a Twitter user, click to follow him

But if you do nothing else, please – for your own sake – take my password advice.
