Safety First: Securing your password

Monday 10 March 2014

We have all heard the phrase, "Safety First." With bitcoin becoming increasingly relevant and prices beginning to stabilise long term, there is still one thing which could hinder its adoption as a mainstay currency: security.

Bitcoin has the potential to become a household name like PayPal, MoneyGram and even Visa and MasterCard. The glaring difference is that there is no company behind it. For many that is one of bitcoin's attractive features, but companies such as Visa, MasterCard and PayPal have a vested interest in keeping your funds safe and often offer zero-liability fraud protection, whereas bitcoin relies on the user to follow their own safety guidelines. There is no protection against lost or stolen bitcoins, so the individual must take steps now to be ready for the cryptocurrency era. In fact, for most bitcoin software or hardware wallets there is no company to call and no password reset tool.

People today, although interested in security and privacy on the surface, are generally not concerned enough to make significant changes in how they run their online lives. One example is the poor choice of passwords made up only of numbers and letters, which are easily guessed by hacker software. These programs, called "dictionary" or "brute force" tools, quickly recombine common English words and numbers to defeat your password by repeated guessing. The simpler your password, the more quickly a dictionary tool can guess it, often within just a few minutes. A normal home computer running brute-force software can guess a 6-character alphanumeric password in seconds.

In a survey from last year, security software developer "Splashdata" found that the most common passwords used in 2012 included "qwerty", "12345678" and "Password1", phrases that would take milliseconds to guess. However, thanks to the updated password cracker "ocl-Hashcat-plus", even more complex combinations are unlikely to protect targeted data. As of 2011, commercial products are available that claim the ability to test up to 2,800,000,000 passwords per second on a standard desktop computer using a high-end graphics processor. Another sad trend appeared in the same study: people reuse the same password for multiple accounts. While this habit is convenient for the user, it also means that one account breach translates into a multitude of account breaches.
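To put the figures above into perspective, here is a small calculator (an added example, not code from the original article) that takes the quoted rate of 2,800,000,000 guesses per second and works out how long an exhaustive search of a given password length and character-set size would take, alongside the time needed to run through a common-password list. The character-set sizes are an assumption (printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols); the 10,000-entry list size is a constructed sample value.

```python
"""Brute-force cost arithmetic for the rate quoted in the article:
2,800,000,000 guesses per second on one desktop GPU.
Added example; character-set sizes are an assumption (printable ASCII)."""

import math

# Assumed character-set sizes: 95 = 26 lower + 26 upper + 10 digits + 33 symbols
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "full": 95}

GUESSES_PER_SECOND = 2_800_000_000   # rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(length, charset):
    """Number of candidates an exhaustive search must cover."""
    return CHARSETS[charset] ** length


def entropy_bits(length, charset):
    """log2 of the search space: every extra bit doubles the attacker's work."""
    return length * math.log2(CHARSETS[charset])


def seconds_to_exhaust(length, charset, rate=GUESSES_PER_SECOND):
    """Worst case (every candidate tried); the expected time is about half."""
    return search_space(length, charset) / rate


def wordlist_seconds(list_size, rate=GUESSES_PER_SECOND):
    """Time to try every entry of a leaked or common-password list."""
    return list_size / rate


def human_time(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1), ("milliseconds", 1e-3),
             ("microseconds", 1e-6)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return "< 1 microsecond"


def report(cases):
    """One line per (length, charset) pair: entropy and worst-case search time."""
    lines = []
    for length, charset in cases:
        secs = seconds_to_exhaust(length, charset)
        lines.append(f"{length:>2} chars, {charset:<12} "
                     f"{entropy_bits(length, charset):6.1f} bits  {human_time(secs)}")
    return lines


if __name__ == "__main__":
    # Constructed sample: a list of the 10,000 most common passwords
    print(f"10,000-entry common-password list: {human_time(wordlist_seconds(10_000))}")
    for line in report([(6, "alphanumeric"), (8, "alphanumeric"),
                        (8, "full"), (12, "full"), (15, "full")]):
        print(line)
```

Running it reproduces the two claims in the text: a 6-character alphanumeric password falls in well under a minute at that rate, a common-password list is exhausted in microseconds, and a 15-character password drawn from the full printable set is out of reach by many orders of magnitude. Note that these are exhaustive-search figures; a dictionary or rule-based attack against a weak password needs nowhere near the full space.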

If you, like many people, are using the same password and email address for your Gmail, PayPal, online bank account, eBay and your personal blog, you are inviting hackers to help themselves to your private life. Keeping your passwords short and simple, and using only numbers or only letters, makes a hacker's job easier. The simpler your passwords, the more likely you are to have your bank account cleaned out, or in this case... your bitcoin. So, if you are looking to join the bitcoin world, first you need to improve your online security. With the growth of the Internet and the digital age already upon us, we also need to realise that these password crackers keep getting better. Two-factor authentication and the emerging field of authenticators, GPS checks and cell phone alerts step in to ensure the person signing into your account is in fact its owner. But one immediate step you should take is an overhaul of the way you generate passwords.

This short to-do list will start you on the path to online safety:

  • Stop using the same password on multiple accounts. Yes, it is more trouble for you, but one password for many sites creates a single point of failure: if an intruder gains access to one account, he or she has access to all of the user's accounts. Look into companies like LastPass, BugMeNot and KeepSafe. They are password managers that generate long, hard-to-guess passwords for you and store them encrypted on your computer, so you only need to remember one password. That one password, however, is one you cannot afford to forget, since it is the only way to unlock your database.
  • Do not use dictionary words, proper nouns or foreign words. Do not even use words spelled backwards, as password crackers try these too.
  • No personal information or site information. Example: your Google password should not contain the word "google". You may feel your ten-character password "55googleTS" is strong, but cracking software can break it in seconds by treating the word google as a single token, which turns your ten-character password into an easy-to-crack four-character one.
  • Add length, width and depth to your passwords. Probability dictates that the longer a password, the harder it is to crack; 15+ characters is a safer bet than the standard six or eight. Width reminds us to use all the tools at our disposal: uppercase and lowercase letters, numbers and symbols. Depth refers to choosing a password with a challenging meaning, something not easily guessable. One way to get there is to stop thinking of them as passwords and start thinking in terms of phrases. A good password is easy to remember but hard to guess. The purpose of a mnemonic phrase is to allow the creation of a complex password that will not need to be written down. Examples include a phrase spelled phonetically, such as ‘I'maKat!’ (instead of ‘I'm a cat!’), or the first letters of a memorable phrase, such as ‘qbfjold*’ for “quick brown fox jumped over lazy dog.” What may be most effective is to choose a phrase with personal meaning (for easy recollection), take the initials of each word in that phrase, and convert some of those letters into other characters (substituting the number ‘3’ for the letter ‘e’, or ‘&’ for ‘and’, are common examples).
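The four rules above can be turned into a checker that an application or a user can run before accepting a new password. The following is an added example, not code from the original post: it flags reuse, embedded dictionary words (forwards or reversed, after undoing the common character substitutions that cracking rules also undo), site or personal tokens, insufficient length and missing character classes. The mini-dictionary, the substitution map and the sample passwords are all constructed for the demonstration; a real deployment would load a full word list and a breached-password list.

```python
"""Password policy checker for the article's to-do list.
Added example; the word list and substitution map are constructed for the demo."""

import re

# Constructed mini-dictionary; a real check would load a full word list.
DICTIONARY = {"password", "google", "bitcoin", "wallet", "dragon", "monkey",
              "letmein", "welcome", "quick", "brown", "fox"}

# Substitutions that cracking rules routinely undo before matching words.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 15                      # the article's "15+ characters"
REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}


def normalize(password):
    """Lower-case and undo leet substitutions so 'P@ssw0rd' matches 'password'."""
    return password.lower().translate(LEET_MAP)


def dictionary_hits(password, min_len=4):
    """Dictionary words embedded in the password, forwards or reversed."""
    norm = normalize(password)
    candidates = (norm, norm[::-1])
    return [w for w in sorted(DICTIONARY)
            if len(w) >= min_len and any(w in c for c in candidates)]


def width_classes(password):
    """Which of the four character classes the password actually uses."""
    classes = set()
    if re.search(r"[a-z]", password):
        classes.add("lower")
    if re.search(r"[A-Z]", password):
        classes.add("upper")
    if re.search(r"[0-9]", password):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", password):
        classes.add("symbol")
    return classes


def check_password(password, *, site="", personal=(), used_elsewhere=()):
    """Return a list of findings; an empty list means the password passes."""
    findings = []
    if password in used_elsewhere:
        findings.append("reused: this password is already used on another account")
    for word in dictionary_hits(password):
        findings.append(f"dictionary word: '{word}' (or its reverse) is embedded")
    norm = normalize(password)
    for token in [site, *personal]:
        if token and normalize(token) in norm:
            findings.append(f"personal/site info: '{token}' is embedded")
    if len(password) < MIN_LENGTH:
        findings.append(f"too short: {len(password)} characters, need {MIN_LENGTH}+")
    missing = REQUIRED_CLASSES - width_classes(password)
    if missing:
        findings.append("narrow: missing " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # Constructed sample passwords from the article's discussion
    for pw in ["Password1", "55googleTS", "drowssaP1!", "I'maKat!",
               "Qbfj0ld*Qbfj0ld*"]:
        result = check_password(pw, site="google", personal=("1985",))
        print(f"{pw!r}: {result or 'OK'}")
```

The reversed-word check and the substitution map matter because both are standard cracking rules: "drowssaP1!" is rejected as a reversed "password", and "P@ssw0rd" would be rejected too. The last sample, two repetitions of the article's ‘qbfjold*’ initials with one substitution and capitals, is the only one that clears all four rules.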

If you use upper and lower case letters, numbers and symbols, a 15-character password would take a few billion years to crack.

Obviously, passwords are just one small step that we all need to take as we dive into this digital world. User education, good physical security, plugging network holes and installing strong firewalls are other important pieces that we will look at. These give much broader protection and, in the corporate environment, matter more than passwords alone, but in areas where the only control users have is a password, the best thing we can do is be aware of the security risks and keep up our password controls. By starting here, you are teaching yourself the importance of safety first, which is profoundly important in the world of bitcoin.
