Take Control of Your Passwords

By Joe Kissell

Review By: Victoria L. Herring

This is a review of the new e-book, “Take Control of Your Passwords” byJoe Kissell (available in various versions). It is the usual Take Control book, in that it starts with a table of contents which links to the actual content pages as appropriate; then you can move quickly through a basic description of how the book is organized. All of this is familiar to readers of other Take Control materials. The author, Joe Kissel, is well-versed in Mac computers and programs and has written numerous Take Control books for those of us who need help working with our Macs.

His basic point regarding passwords is that you have to have a password strategy which will protect against any and all attacks: for a few, use separate passwords you can memorize and for others use a password manager in order to not have to memorize every password you use.

Joe starts with a summary discussion in the “Passwords Quick Start” area of the book. Each subdivision links to a part of the book which deals with the full topic. For instance, there is a whole section devoted to explaining what is wrong with passwords and what is wrong with the ways people use them. Joe’s explanation of the problem is frightening, when you really think about it. Given normal human behavior, to want convenience rather than difficulty, and to reuse passwords regardless of where they are being reused, it’s amazing more people aren’t having problems.

Once he explains all of the problems with passwords, the way people use them, and what you have to fear from someone getting them, then he discusses his password strategy. Basically, you need to decide which are the most important passwords (which must be the most secure possible), usually a few places where you need to use a totally secure password that you know by heart. Then you need to use an application to create and remember or enter random passwords. This is called a “password manager” and there are several excellent ones on the market, several which are reviewed in the ebook, including one which he highly touts [and, which I use].

Joe also spends some time trying to help you figure out which passwords need to be cleaned up and made more secure and suggests how to do that in a fashion which will not drive you crazy. He also discusses some of the future ideas through which greater security can be gained, such as biometrics and the like.

One of the best parts of the e-book, however, is the real-world advice for someone, perhaps yourself, a friend or a relative, who just doesn’t want to have a rigorous password strategy. In the real world, many people would rather have convenience than total security. Most people figure that they won’t be the object of a hacker’s desire to steal passwords. Unfortunately, losing your e-mail through the loss of your cell phone, tablet or laptop or someone’s having access to it in some way can result in hacker’s gaining access to any number of your important accounts. So, it does help to have some sort of security methodology created.

As Joe points out, “if you use the same password for other sites and services, the hacker can gain access just as easily to your other accounts and wreck all kinds of havoc, up to and including ‘stealing’ your identity.” Although he notes that is a worst-case scenario, it does happen and given all of the places where you have to use passwords, there is plenty of margin for error. Joe points out that the passwords which are simplest for you you to use, are the simplest to discover and you should avoid those at all costs. For instance, the use of a word from the dictionary or some other easy to remember string is just asking for trouble.

One point that Joe makes which must be repeated is the caution against reusing passwords. As he says, it ”is a terrible, terrible idea. Just. Don’t. Ever. Do. It.” The problem is that if your password for one site or service somehow is guessed or stolen and you used it elsewhere, whoever has the password can try to gain access to those other places. And, you can’t count on every website or other provider protecting your password from being stolen. If anything has taught us, the last several years have shown that even reputable, allegedly secure corporations have been hacked or lost unencrypted laptops with all of your data on them.

In addition to warning us about reusing passwords, in Take Control of Your Passwords, author Joe Kissell also points out that there are numerous passwords being used which really do no one any good, other than hackers. For instance, people actually do use the word “password” to provide security; obviously, it does not. There are a number of links in his e-book to various articles or websites that show some of the worst passwords being used. It’s amazing what some people use for passwords even though what they’re trying to do is protect their most sensitive data. Using a bad password doesn’t do anything for security.

Part of the problem is the development of modern, fast computers. In the old days, a burglar would have to work hard, over time, to break a lock or to penetrate a defense. Nowadays, they can get past most passwords which might be used by people. For instance, as of late last year passwords with nine characters which have the suggested elements [upper and lower case letters, digits, symbols] can be cracked in 5 1/2 hours! This is what is called a brute- force attack and can happen either by gaining actual access to the computer or getting the contents offline to hack.

Joe goes into some detail talking about other kinds of threats which would cause your passwords to be stolen: guessing, theft, hacking and sniffing, and social engineering. This last threat to your security comes through “phishing” e-mails. You think you’re getting an e-mail from PayPal, Amazon, your bank or the FBI. Usually, you don’t expect to get something, but every now and then the timing is right and you expect an e-mail and the link you just received. Once you click on the links inside an e-mail or in some fashion provide your real password, you’ve given up any security that password provides. And if it’s a password that covers more than one site, all those sites can be affected. [My personal rule is never to click on links in email or to first view the raw source to ascertain if it's really my friend's email and suggested item to click upon].

Joe’s e-book also discusses the types of tricks people try to use in order to come up with a unique but easily remembered password. He also criticizes the idea of using the two-part username and password as outmoded and not really providing any security. As usual, he provides citations and links to articles along these lines.

Having scared his readers to death, Joe then talks about password security and how a good password is created. Obviously, a good password is something which is used rather than not. But good passwords suffer also from the very real problem of them being easy to crack. There are 2 problems with making a password, guessability and memorability. You carry all these passwords around in your brain, having trouble remembering what password goes to what, and that’s part of the reason for reusing passwords.

What I found to be the most interesting part of the e-book was the part on“All about Entropy”. The idea of entropy with passwords is that in order for a password to be harder to guess, it has to have a higher entropy or complexity. Therefore, randomness and complexity are required of good passwords, in order to prevent cracking software from breaking the password. Of course, that also creates problems for remembering them.

A password’s entropy is made up of several factors: its length, its character set, and its randomness. Obviously, if you only use four characters then a password won’t take long to crack. [In fact, you can set the password lock on your iPhone to more than 4 characters, which I suggest you do]. But, if you have 7, 12, 16 or more characters to choose from, there are many million possible choices. Making a password longer increases its entropy.

Character sets are another way of providing providing entropy. Rather than limiting passwords to only numbers or only letters, if both cases of letters are used plus numbers and various punctuation characters for a short, 5 character password, you then have over 70 possibilities per character which increases the possibilities to 2 billion. Of course, a computer can crack 2 billion passwords in less thana second, but at least you would prevent most hackers from an easy task or buy yourself time.

The last factor in establishing entropy is randomness. If one uses a random password it will be much more secure. Of course, the randomness comes from the lack of a pattern in the word or words, but password cracking software can recognize all sorts of patterns.

An interesting website to check out your password’s entropy is at a free online tool called “zxcvbn” and which can be found at http://DL.dropbox.com/u/209/zxcvbn/test/index.html.Testing your password there is helpful to get a sense of how much time it would take to crack. But it is particularly helpful because it point out areas of weakness which could be cured. Joe recommends using passwords with a higher entropy such as 75 bits, but most of mine still end up in the high 30s or lower 40s, so I have some work to do.

The next section of the book has to do with why even a great password isn’t enough because of the fact that if you lose it, everything it is linked to can be opened. Here, Joe goes into security questions and reset procedures of various websites. His basic position is that whenever you have to answer a security question you have to give a lie because if you provide your truthful answer, it will be too easy to guess. Website security questions and answers are notoriously easy to find in publicly available sources and any hacker can guess them or reset your password. That was vividly demonstrated in the very sad story of a computer geek who worked at Wired, of all places, who had his whole life virtually [and actually] destroyed because a hacker was able to get one password and take over his online world.

This article is required reading for those who might otherwise think this whole topic is silly:http://www.wired.com/gadgetlab/ 2012/11/ff-mat-honan-password- hacker/all/.

Finally, after all of this discussion of why one needs good passwords and how to have a good password while staying sane, Joe comes up with hisPassword Strategy. This is a 3 point strategy: figure out which passwords you must memorize, create strong but memorable passwords for just those few items, and use a password manager for everything else.

He suggests the types of passwords one should have which are as secure as you can make them and which you can memorize. These are “VIP” passwords; you should make up your own VIP password list of the ones which will be as secure as possible but can be remembered by you without any problem.

Once you’ve identified your VIP items then you need to create strong but memorable passwords, knowing that you need entropy. He suggests making a password either by a random method (making a long pronounceable password using the password manager), or by using at least 32 lowercase words in a manner so that you can remember the collection of words easily enough. These 4, 5 or 6 VIP passwords must be memorized. Once that's done, you want to create all your other passwords using a password manager. There are several password managers that he discusses in great detail as well as why they are or are not good to use. Joe also has other recommendations for trying to figure out which passwords should go to which places as well as steps to prevent your passwords from being stolen or known.

An additional discussion which goes beyond passwords but also discusses the very real dangers of using open hotspots is his section on wireless networksand how to use them safely plus backing up passwords. There is an excellent discussion of what is an “emergency password plan”. Should anything happen to you, your tough-to-crack password will make places secure against all intrusion. For that reason you need to store these top-secret VIP passwords in your safe deposit box or some other safe place accessible by a trusted loved one or your lawyer or other responsible party, should anything happen to you.

I particularly like his Appendix B: “Help your Uncle with his Passwords”. Obviously, the whole reason for the ebook is to encourage people to have a sound password strategy. However, some people [not the reader, of course, but their family or friends] will balk at going through all the hoops to avoid the ‘hassle’. Of course, if someone nefarious gains entrance to some place where a strong password was needed or steals an identity, then this ‘hassle’ will seem mild in comparison to the real hassle of dealing with stolen money or your identity. But, people are human and if there’s a way to help resistant computer users to practice some sort of “safe computing”, Joe’s trying to provide it. He therefore provides some compromise steps to make your passwords sufficiently complex to thwart hackers but relatively easy to remember.

I’ve started on the process of improving my passwords and this excellent ebook has been a great guide in the process. It’s going to take some time, but better now before the horse gets out of the barn!

The ebook can be found at: http://www.takecontrolbooks.com/