A smart thing to do with your email and passwords

I use 3 different email accounts.  My hotmail account is for most things.  I use a gmail account for project work, and another account used strictly for financial institutions and ecommerce sites.  When I get an email in my hotmail account that says it’s from a financial institution, I know it’s a phishing scam. I am going to open up a new account for financial institutions, because I am careful and cautious.  I am going to test using the new Brave Browser strictly for financial institutions and ecommerce notifications.  In any event, I am not going to use the same browser to surf, for Facebook, for reading BBC America, The New York Times, The Boston Globe, Google News and (ugh) The Boston Herald.  You get the picture, right?  Separate things, use LONG and STRONG passwords and dual factor authentication, and whatever other security steps are offered, whenever possible.  Do not reuse passwords for sensitive accounts. If you have sensitive notes, like passwords, do not store them in a file called passwords.  Do create a file called passwords or whatever and put some fake accounts and passwords in it.  That’s called a honey pot, so hopefully if you get hacked, the thieves will at least be slowed down while they check out the accounts in this file.  Use something that encrypts the file.  Create another file in a location that has a lot of files, name it something innocuous, and use that for your sensitive notes.

Long and Strong Suggestions

Long is better than short, MUCH, much better; look up entropy in passwords. At least 8 characters (12 is better).  (Don’t get upset if a site like your library only lets you use 4).

See : https://xkcd.com/936/

Use a mix of upper and lower case letters, numbers and special characters.  Do not use anything in the dictionary or that looks like a date. Do not repeat characters.

How you remember this crap is an art.  One example of how I built a set of passwords a while ago was the routes that I drive, i.e. 93 (to) 3 (to) 6 (to) 28 to go to Martha’s Vineyard, along with some personal acronyms.  Personal acronyms (passphrases) can be anything: the initials of the main characters in your favorite TV show, the first letters of your top 5 favorite meals, the first letters of an obscure quote you like, the ingredients in your favorite recipe.  Anything.  It may be personally identifiable with you, but it will be easier for you to remember, and that’s a good thing.   But if you’re known for being a fisherman, don’t use simple fishing lines (yuck). The idea is to use a phrase you can remember easily as the key to typing your passphrase (i.e. password).

Here are another guy’s ideas to follow on character substitution:

http://blog.napc.com/password-performance-that-isn-t-a-compromise

From : https://en.wikipedia.org/wiki/Password_strength#Human-generated_passwords

A better requirement would be to require a password NOT to contain any word in an online dictionary, or list of names, or any license plate pattern from any state (in the US) or country (as in the EU). In fact if patterned choices are required, humans are likely to use them in predictable ways, such as capitalizing a letter, adding one or two numbers, and a special character. If the numbers and special character are added in predictable ways, say at the beginning and end of the password, they could even lower password strength compared to an all-letter, randomly selected, password of the same length.

Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past) and biographical information (e.g., ID numbers, ancestors’ names or dates).

The closer to random you get, the better.  That being said, do not drive yourself crazy with the rules.  If it is longer than 8, has nothing in the dictionary, avoids the first-and-last-letter trap, does not use sequences; but has a character repeated, THAT’S A LOT BETTER THAN WHAT YOU PROBABLY USED IN THE PAST.
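To make the rules above concrete, here is an added checker (my example, not from the original post) that flags which of them a candidate password breaks: length under 8, missing character classes, dictionary words (including behind the usual @/0/3/$ substitutions), date-like digits, sequences, repeated characters, and the first-and-last-letter trap. The word list is a tiny constructed stand-in for a real dictionary, and "repeat" is read as the same character twice in a row.

```python
import re
import string

# Constructed stand-in for the "online dictionary" the post talks about; a real
# check would load a large cracking word list instead of these six words.
SMALL_DICTIONARY = {"password", "summer", "fishing", "boston", "welcome", "marimba"}

# Undo common substitutions so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"})


def contains_dictionary_word(pw: str) -> bool:
    """True if any dictionary word of 4+ letters appears, even behind leet substitutions."""
    normalized = pw.translate(LEET).lower()
    return any(word in normalized for word in SMALL_DICTIONARY if len(word) >= 4)


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (abc, 321, ...)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def looks_like_date(pw: str) -> bool:
    """A 19xx/20xx year or a 6-8 digit run is treated as a date (assumption: that is what a cracker tries first)."""
    return re.search(r"(19|20)\d{2}|\d{6,8}", pw) is not None


def check_password(pw: str) -> list:
    """Return the post's rules that `pw` breaks, in order; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
        problems.append("missing one of: lower, upper, digit, special")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if looks_like_date(pw):
        problems.append("looks like a date")
    if has_sequence(pw):
        problems.append("contains a letter/number sequence")
    if any(pw[i] == pw[i + 1] for i in range(len(pw) - 1)):
        problems.append("repeats a character")
    # First-and-last-letter trap: every digit/special is stuck on one of the ends.
    if len(pw) >= 3 and pw[1:-1].isalpha() and not pw.isalpha():
        problems.append("numbers/specials only at the beginning or end")
    return problems
```

A route-style passphrase such as `Rt93>Rt3>6>28Mv` passes every check, while `Summer2017!` fails three of them despite satisfying the usual "one upper, one digit, one special" policy.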

Here are some more suggestions on how to use some kind of character substitution and rules for your passphrases as personal acronyms to incorporate the rules for uppercase, lowercase, numbers and special characters :

At least 1 from
   : [ ] { } < >.

Example: type an o as <> or  [} or {} or  [], c is { or [ or ( , d is : 

At least 1 from
   ~ ! @ # $ % ^ & * ( ) _ - + =

Type number as some kind of combination + - from top of keyboard
Type @ for 2 or @ for  (2 -1)  etc

At least one number
   5 is 5 is 5

At least one capital letter
   i CAPITALIZE the second "component or acronym" in my pass phrase

Balance out frequently used letters with infrequently used ones
Frequency of Alphabetic Characters in the Dictionary
    s is Z, E is Q, a is x

And Roll Your Own that are easy to remember
    g is gee,  M is $,   p is +

You can use a picture on a website, an obscure reference on your Facebook profile or a post, or a written, obscured cheat sheet as a reminder for rules and passphrases when you are away from your encrypted list of passwords and rules.

If your passphrases are too short, string a couple together, along with the numbers of the nearest highway, or the highway you hate the most etc.

More examples of quotes to use as passphrases.

You can use signs or directions or whatever:

Only you can prevent fascist liars in 2017. 
Two Steps to Save a Life
Danger Construction Area
Quality Assurance Inspection Station
the african xylophone is called A marimba
I need to paint that room

http://www.lifestalker.com/four-word-quotes/

Long and Strong Analysis:

NIST Special Publication 800-63 of June 2004 suggests the following scheme to roughly estimate the entropy of human-generated passwords:

The entropy of the first character is four bits;
The entropy of each of the next seven characters is two bits per character;
The ninth through the twentieth characters have 1.5 bits of entropy per character;
Characters 21 and above have one bit of entropy per character.
A “bonus” of six bits is added if both upper case letters and non-alphabetic characters are used.
A “bonus” of six bits is added for passwords of length 1 through 19 characters following an extensive dictionary check to ensure the password is not contained within a large dictionary.
Passwords of 20 characters or more do not receive this bonus because it is assumed they are pass-phrases consisting of multiple dictionary words.

by way of
https://web.archive.org/web/20040712152833/http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf

The NIST research that prompted these guidelines is outdated; however, you can get a general idea of how what you think of as random is not really random, and that long is better.
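The 2004 NIST scheme above, coded up as an added example (mine, not from the post or from NIST) so you can see the "long beats strong" point in numbers. Whether the dictionary check passed is supplied by the caller, since the scheme itself does not define the dictionary.

```python
def nist_entropy_bits(password: str, in_dictionary: bool = False) -> float:
    """Rough entropy estimate for a user-chosen password per NIST SP 800-63 (2004), Appendix A.

    in_dictionary: result of the "extensive dictionary check" the scheme assumes;
    True means the check failed, so the 6-bit dictionary bonus is withheld.
    """
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0                                  # first character: 4 bits
    bits += 2.0 * min(n - 1, 7)                 # characters 2..8: 2 bits each
    bits += 1.5 * max(min(n - 8, 12), 0)        # characters 9..20: 1.5 bits each
    bits += 1.0 * max(n - 20, 0)                # characters 21+: 1 bit each
    has_upper = any(c.isupper() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)  # digits, symbols, spaces
    if has_upper and has_non_alpha:
        bits += 6.0                             # composition bonus
    if 1 <= n <= 19 and not in_dictionary:
        bits += 6.0                             # dictionary bonus, short passwords only
    return bits


def compare(candidates: dict) -> list:
    """Rank {password: in_dictionary} pairs from weakest to strongest estimate."""
    scored = [(nist_entropy_bits(pw, d), pw) for pw, d in candidates.items()]
    return sorted(scored)


if __name__ == "__main__":
    # Constructed candidates: a classic "strong" 9-character password versus long passphrases.
    samples = {
        "password": True,                                   # 18 bits
        "Passw0rd!": True,                                  # 25.5 bits (would be 31.5 if the dictionary check missed it)
        "correcthorsebatterystaple": False,                 # 41 bits, no bonuses at all
        "the african xylophone is called A marimba": False, # 63 bits
    }
    for bits, pw in compare(samples):
        print(f"{bits:5.1f} bits  {pw}")
```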

Here is another password scheme to consider; however, it puts trust in external entities.  If a knowledgeable insider exploits one of these entities, then everyone is screwed.

http://www.bennish.net/blog/2013/12/my-personal-password-policy/

I can’t wait to use a biometric like a fingerprint, or a key fob like the one PayPal uses.

Another thing to keep in mind: the security guys are really, really bright.  There is a lot riding on them getting things right; but they are a contentious lot, and with their caveats come a whole shit load of theoretical possibilities.  The greater risk in the computer environment is called social engineering:

(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Never, ever, let anyone you do not trust access your computers!  Microsoft is not calling people and telling them about errors.  The IRS will first skin you alive, in the courts, before they ever call you.  People fall for this every day.  Phishing scams are a topic for another day.
