Jaime's Online Password Security Blog

Unusual Password Limitation

Jaime — Mon, 17 May 2010 18:48:56 +0000

Today I came across a limitation on my complex password.

I have a 14-character password with upper, lower, numeric and spacial characters that I attempted to use in a program this morning. This program is essentially a GUI for another program which takes an XML file as input.

The underlying application attempted to interpret my password, which was enclosed in “double quotes”. See, my password has the special character % followed by a lower case letter (which I am representing by the character _ in this post). So, the program determined that the %_ must be a variable and would not proceed because I didn’t provide a value for the variable!!

So, from this, I have a new lesson: Understand the limitations of the application(s) using your password.

Before going to change my password, I determined how big an impact both keeping and changing the password would be.

There are three systematically different front-ends which operate over the same back-end in slightly different ways.
Only one of these has the deficiency/limitation
Only a subset of the limited application is impacted
I can use the other front-end tools to minimize the impact of the limitation

I therefore concluded that I can keep my current password without severely impacting the job at hand.

This post was written to explain that as great as a password may appear, there is always the potential for it to not work as anticipated in all situations. Take time when creating your passwords and evaluate the need to change them when you come to a road-block!

Mobile blog post!

Jaime — Tue, 11 May 2010 19:09:47 +0000

Today I decided to walk away from my desk with nothing but my sunglasses and my Motorola Cliq XT. So, what can I do remotely?
Well, I can blog because I downloaded the wordpress app for Android and setup “Jaime’s Online Password Security Blog”. I elected to save my WordPress credentials on my phone because I have other security measures in place to prevent unauthorized use. I also am using 3G not a public wifi hotspot, so my vulnerability level is no different on WordPress than it would be on anything else I choose to do on my phone.
Along with security we must also balance risk… I am also willing to have my twitter profiles @ssjaime and @OnlinePwordSec on my phone. I use those accounts often enough to feel comfortable putting them out there on the 3G network.
This blog post was a bit of an experiment too… I wanted to see how it would be received!

Hope you enjoyed and please comment.

Plaintext Passwords

Jaime — Tue, 06 Apr 2010 19:33:02 +0000

What’s worse than forgetting your password?

I say it is resetting your password with a nice strong complex one using one of those Forgot Password” tools on the website and then receiving an email confirmation that contains your password in plaintext!

Here are my recommendations on how to avoid this problem:

Don’t forget your passwords! (but if that’s going to happen, perhaps the other ideas below will suit you better)
Use a password manager, so you always have your passwords available. There are many different programs/apps/websites available to facilitate this. I will delve into the different kinds in an upcoming post
Make note of the site which sent you the confirmation email and challenge their practice! Send them an email, make them aware that you do not approve of their practice.
Determine if this site is something that you need for business or personal reasons. If it’s only something you want, look around and see if there are other options which have higher password security policies.
Don’t make the same mistake twice!

It’s time we take our online security into our own hands. Please let me know the sites with those nasty emails with plaintext passwords! I will create a listing and place it in the Reference section.

Anagram Your Passwords!

Jaime — Thu, 25 Mar 2010 21:54:44 +0000

Remember those puzzles that require you to rearrange letters to make words and phrases? They take a sequence of letters like alarepirctl and you manipulate them to become the word caterpillar. Why not take that game, give yourself a few rules and create your passwords in the same way?

How to do it:

Take an 8-character minimum word or phrase as your seed word
Use a numeric replacement (such as those listed under common replacements) or add a number
Use a special character replacement or add a special character
Capitalize at least one letter
Create a character mapping schema (as in example below)
- 8 – character password
  - 1 –> 3 –> 4 –> 7 –> 6 –>5 –> 2 –> 8 –> 1
- 9-character password
  - 4 –> 2 –> 3 –> 7 –> 9 –> 1 –> 8 –> 6 –> 5 –> 4
- 10-character password
  - 1 –> 3 –> 5 –> 7 –> 9 –> 1 and 10 –> 8 –> 6 –> 4 –> 2 –> 10

Example #1: 8-character word with simple substitution

pavement
pav3m3nt
p@v3m3nt
p@V3m3nt
tmpV3n3@

Example #2: 10-character word with simple substitution

remarkable
remarkab1e
rem@rk@b1e
reM@rk@b1e
1@rkMbre@r

Example #3: 8-character word with additional characters

keyboard
keyboard5
keyboard5^
keyboArd5^
5^kdyAobre

These passwords are relatively easy to remember and the character mapping is something that can be safely stored on your computer!

As always, do not use the passwords generated in this or any other post as your password. Also, do not use the exact mappings listed above!

Expiring Passwords

Jaime — Fri, 19 Mar 2010 16:22:47 +0000

Can you answer with “in the last 3 months” to any of these?

When was the last time you changed your password for …

your primary email account?
your bank account?
Facebook?
eBay?
iTunes?
WordPress?

If the answer is:

6 – Congratulations, you are on top of your passwords!
4 or 5 – You are well on your way to keeping yourself secure online!
3 or fewer – Time to make a serious change to your online habits!

For those of you in the 3 or fewer category, my biggest recommendation to you is start the practice of forcing your passwords into expiration. Keep changing them! It is one of the easiest ways to protect yourself online. Even if you don’t use the strongest passwords, frequently changing your passwords helps to keep your credentials off the “bad guy lists” by making the values on their lists obsolete!

A few more recommendations:

Use password management software (I will be posting links to products and reviews on the Reference page soon)
Spread out your password expiration dates. This way you are only changing one or two passwords at a time, rather than 20 or more.
When trying to remember new passwords, break them down into manageable portions and test yourself frequently until you’ve mastered them!
Vary where you get your password inspiration! Sometimes take it from your surroundings (like the cherry blossom outside your window) or take it from the news, or a phrase on a tv show, an item on a menu or food in your refrigerator. Use a random password generator sometimes too!

Make today the day you expire 2 old and outdated passwords!

Refresh them with new, strong passwords!

Password Tip #4 – Self-imposed limitations

Jaime — Mon, 15 Mar 2010 05:32:09 +0000

I was going to make this a video blog, unfortunately I do not have any sponsors yet and cannot afford to buy the ad-on to allow for video! If you or anyone else you know is interested in sponsoring this blog, please leave me a comment and I’ll start the process!

I had my 13-month old daughter on my lap the other day as I was trying to enter a password and realized that I had to do the whole thing with my left hand! I hold her in my right arm and am not able to reach the keyboard with my right hand otherwise, she presses keys on the keyboard!

Imposing limitations decreases the overall complexity of a password by reducing the available pool of characters used. It is therefore highly recommended to add length to your password! My rule of thumb is to increase password length by one character every 4 elements removed from the available pool.

How to create your password:

Identify your limitation
Determine number of elements removed from available pool
Calculate password minimum length
Utilize one of the password creation schemes previously described, or your own favorite
Manipulate the password to fit with your limitation

Example #1

Not typing capital letters or symbols which lie to the right a specific column (such as 7-u-j-m) on the keyboard
18 elements removed (*()_+IOP{}|KL:”<>?)
Minimum password length is 8 (default) + 4 (18/4 no remainder) = 12 characters
ssP!0Nnkge (from this post)
ssp#!QzNnkge (changed the P to p# and the 0 to Qz)

Example #2

Not typing vowels as capital letters
5 elements removed (AEIOU)
Minimum password length is 8 (default) + 1 (5/4 no remainder) = 9 characters
ChCl#Ate5 (from this post)
ChCl#^ate5 (changed the A to ^a)

Example #3

Not typing the symbols which lie on the top row of the keyboard
16 elements removed (~`!@#$%^&*()_+-=)
Minimum password length is 8 (default) + 4 (16/4) = 12 characters
ChCl#Ate5 (from this post)
CC{l}Ate5 (replaced the # with } and placed an { before the preceding letter, added < and > around the second letter)

As always, do not use ssp#!QzNnkge, ChCl#^ate5 or CC{l}Ate5 or any other example from this blog as your password!

Machine-generated passwords

Jaime — Sun, 07 Mar 2010 20:24:09 +0000

There are many websites and programs that can generate a password of any length and complexity. Here are some of the pros and cons for adopting these passwords for day-to-day use.

Pros

Uniqueness - the site/product is generating the passwords on-the-fly
Strength – common words and replacements do not exist in these types of passwords
Ease of Creation – minimal effort is needed to create these passwords
Usage – when used in conjunction with a top-notch storage/retrieval method, they are as easy to use as a human-generated password
Complexity and length – easy to create longer passwords using a larger character set

Cons

Recall – these passwords are generally more difficult to remember
Typing - due to the larger character set, more of the keystrokes are unnatural and do not flow, which may cause more errors
Usage – when not used in conjunction with a top-notch storage/retrieval method, they are cumbersome to use and maintain

While these aren’t complete lists, and the pros appear to outweigh the cons, you need to think about how often, when and where you enter your passwords to determine whether machine-generated passwords make sense for you.

Personally, I would rather have some element of the password be comfortable, as in the password generation methods I’ve described in prior posts. I believe machine-generated passwords are better suited for system passwords in the business world! Machine-generated passwords are also better suited as temporary and one-time-use passwords when provided to a customer/user by a website or product!

Please let me know your thoughts on why machine-generated passwords are good or bad!

Using a Seed Word to Generate Category Passwords

Jaime — Wed, 03 Mar 2010 17:16:00 +0000

I highly recommend organizing your online accounts into categories. (If you need a refresher, here’s my original post.)

For sites which fall into categories 8 – 11, it is okay for your passwords to be similar to one another. However, they should each have at least 3 unique characters and be no shorter than 8 characters long. It is only for websites in these categories that I would advocate using the method outlined below.

This method uses a number mapping schema. The complexity comes from adding the elements of the mapping schema into your seed word. The mapping schema is something that can be repeated over and over simply by changing your seed word. There are two mapping schemas, one that has 5 elements and one that has 10 elements. Here are samples of each:

5 maps: Two numbers and one special character
- 1 and % and 3
- 2 and & and 4
- 5 and ! and 8
- 6 and # and 0
- 7 and ? and 9
10 maps: One number and two special characters
- 1 and # and %
- 2 and ^ and &
- 3 and ? and !
- 4 and * and +
- 5 and $ and _
- 6 and ~ and )
- 7 and ( and >
- 8 and < and @
- 9 and = and -
- 0 and / and |

How to construct your passwords:

Start with a 5 character word as your seed.
Capitalize the third letter.
For each password within your category perform the following:
1. Insert the first element of your map between the second and third letters of your seed.
2. Insert the second element of your map between the third and fourth letters of your seed.
3. Insert the third element of your map following the fifth letter of your seed.
For your next set of passwords, choose a new seed word and repeat the process.

Now when you use these passwords, you need to recall your seed word and use your mapping, which can more easily be stored on your computer without compromising your passwords.

Example

trunk
trUnk
Generations
- Pass #1: tr1Unk, tr1U%nk, tr1U%nk3
- Pass #2: tr2Unk, tr2U&nk, tr2U
- Pass #3: tr5Unk, tr5U!nk, tr5U!nk8
- Pass #4: tr6Unk, tr6U#nk, tr6U#nk0
- Pass #5: tr7Unk, tr7U?nk, tr7U?nk9
Next set of passwords
1. phone
2. phOne
3. Generations
  - Pass #1: ph1One, ph1O%ne, ph1O%ne3
  - Pass #2: ph2One, ph2O&ne, ph2O
  - Pass #3: ph5One, ph5O!ne, ph5O!ne8
  - Pass #4: ph6One, ph6O#ne, ph6O#ne0
  - Pass #5: ph7One, ph7O?ne, ph7O?ne9

Be sure to make this password generation method, or any other method work for you. Perhaps you would rather create a schema that uses one capital letter, one number and one symbol and simply add those characters to your seed word in specific positions, thats OK. Or, there are only 6 or 7 special characters you feel comfortable using, create a mapping with only those characters!

As always, do not use the passwords generated in this or any other post as your password. Also, do not use the exact mappings listed above!

Password Tip #3 – Type-ability

Jaime — Fri, 26 Feb 2010 16:02:10 +0000

The best passwords are those that you can recall from memory and those that you can type easily. Combining the two is not always easy, but I believe it is worth taking a few extra minutes to make sure that a password is type-able!

While the sample password ssP!0Nnkge from this post, might be easy to recall from memory, is it easy to type?

Do you stumble on the back and forth with the shift key or typing characters from opposite ends of the keyboard? These are some of the drawbacks of strong passwords — the unnatural movement on the keyboard.

Here are some common password keying problems and their solutions, without compromising strength.

Difficulty typing numerals or special characters?
- Place them together and at the same place in all your passwords. This could be at the beginning or as the second and third characters of your password. Be consistent with placement, it will make the process easier.
Frequent typos when typing with either the left or right hand?
- Choose special characters or numerals typed with your dominant hand.
Repetitive reversing of keystrokes.
- Swap them in your password.
Automatic use of the shift key on a certain character, no matter which case you “wanted” it to be.
- Make that letter upper case, for all your passwords.
Special characters make you stumble.
- Remove them from the body of your password, put one at the front and one at the back.

Remember, it is okay to look at the keyboard when typing your password!

Practice typing your password in a text-editor on your local computer until you feel comfortable that your hands are going to be able to key it right, at least most of the time. Once you feel comfortable with your password, close the text-editor and do not save the document!

It is vital to minimize password mis-typing and I hope that some of these tips will help you succeed in creating and using strong passwords.

Converting two common words into a strong password

Jaime — Tue, 23 Feb 2010 15:58:53 +0000

Sometimes making a word or phrase into your password does not seem to add strength to it. Here is another approach, where the idea is to use some of the more common replacement techniques for strengthening passwords and a randomizing effect. So, like my prior post on creating a strong password, I will begin with the rules and then follow it with several examples.

Start with two dictionary or common terms, the total length should be between 9 and 12 characters
Capitalize the second letter in the first word and the third letter in the second word
Replace one letter in the first word with a number (ideas can be found on the common replacements page)
Replace one letter in the other word with a symbol (ideas can be found on the common replacements page)
Weave the two words together, starting with the longer word and alternating the letters

Now when you use the password, you just need to remember the two short words and the changes you made to them!

Example #1

sponge sink
sPonge siNk
sP0nge siNk
sP0nge s!Nk
ssP!0Nnkge

Example #2 (Note: I replaced both e’s in coffee to make it easier to remember)

coffee rain
cOffee raIn
cOff33 raIn
cOff33 r@In
crO@fIfn33

Example #3 (Note, the starting words are names which are capitalized)

Phoebe Nancy
PHoebe NaNcy
PH0ebe NaNcy
PH0ebe N@Ncy
PNH@0Necbye

Example #4 (Note, the second word is the longer word)

drink Robert
dRink RoBert
dR1nk RoBert
dR1nk RoBe^t
RdoRB1en^kt

As always, do not use ssP!0Nnkge, crO@fIfn33, PNH@0Necbye, RdoRB1en^kt or any other example from this blog as your password.