Stolen passwords? Not to worry. Advice about passwords.

The recent theft of a billion user names and passwords by Russian hackers is nothing to worry about as long as you understand a few simple facts and rules.

KNX News Radio Los Angeles (CBS) would have you believe pundits who sell password generator software and other nonsense. KNX is either misreporting or missing the story. They should instead be interviewing qualified representatives at Bank of America, VISA, ETrade and other financial institutions to ask them if passwords can be stolen. The answer is that passwords cannot be stolen because those institutions do not store them.

Sites such as your bank or stock brokerage do not, I repeat, do not, store your password. So no one can steal your password from your bank. What is stored is an encrypted value that is based on your password. That encrypted value could be stolen but, by itself, is useless for logging in. In other words, there is no file at your bank or other reputable financial institution that contains your password so there is nothing to steal.

How, then, is it possible for you to login using your password? The answer is that logging in works by encrypting your password and comparing the result to the stored encrypted value. If they match you get to login, if not your login attempt fails.

The beauty of this scheme, used in UNIX systems since 1969, is that the process is not reversible. Someone could publish the encrypted value on a bill board and that would still not help a hacker login. Only you know your password. The hacker would still have to effectively guess your password in order to get logged in by your bank site.

Don’t store your password on your computer nor in one of those stupid password “vaults” or password generators. Instead, memorize your password. It’s OK to write it down on a piece of paper you tuck away some place.

You should pick a good password that is easy for you to remember but hard to guess. Make it at least 8 or 10 characters long and be something that is not words in a dictionary. One trick I use is to think of a sentence then use the first letter of each word of the sentence as my password. For example “Only you know your password. Don’t store it in a file” would become: oykypdsiiaf. That password is actually fairly easy to type. The phrases I use make my passwords (I have a few) even easier to type. I use phrases about people and things I like so my phrases are almost like rhymes and easy to remember. Mine have more than 10 characters. I usually include a special character (such as a colon or asterisk) although some web sites stupidly refuse to allow special characters.

For sites that are not important (most sites) use a different password than your main passwords you use for important sites. It’s OK to use the same password for all the unimportant sites. I only have about three or four passwords, about three really secure ones (longish, hard to guess) and just one that is shorter and easy to remember that I use for ALL of the sites I just don’t care about that much if someone were to get in.

I hardly ever change my passwords since they are secure to begin with. But when and if I do, I just modify say the first three words of the phrase so it’s easy for me to remember the new password, it being similar to the old one.

There does remain a couple of things to know about as to how hackers can manage to steal passwords and how you can remain confident that you are secure.

One way hackers can steal passwords is by setting up a man-in-the-middle attack that is able to intercept communication between you and your bank. Thankfully, modern protocols use SSL (the same “S”, for “Secure”, as in the little “HTTPS://” prefix you sometimes see in your browser address bar). As long as you communicate with reputable institutions, all login communication is done using SSL which has been engineered to thwart man-in-the-middle attacks. If you ever see a message from your browser that warns you that the Security Certificate of the site you are logging to has not been authenticated, that means you should not connect to that site.

There is also the thorny issue of keystroke snooping. If a hacker can manage to take control of your computer or of the server into which you are logging in (or think you are logging in) at a level where your keystrokes can be recorded, then Houston we have a problem. Such deep attacks are rare but possible. The best way to feel confident one has not been attacked at that level is to keep your computers and devices updated with the latest security updates for your OS and only do important financial transactions with reputable web sites. Personally, I don’t use Norton or McAfee crap. Those things just waste CPU in my view. Instead, I keep my systems up-to-date, I use good passwords as outlined above, and I store important information on reputable sites.

As for LifeLock, see: Amazon not-so-good reviews about LifeLock

Cheers,
Dennis Allard
Santa Monica
August 6, 2014