Over the years we have often heard from our clients about their concerns regarding their financial information being on the internet. People have expressed doubts about the security of their investment portals and worried about people getting access to their financial information. Some clients have decided to live without the convenience of online access in order to help keep the information private. I can appreciate their concern, and have no doubt that information that faces the world through any kind of outside portal, such as web site access, can be compromised.
I think there are a few points worth noting, however. If you are concerned enough about your information being exposed that you elect not to have an online access portal, you may not have gained anything. The only real requirement for vulnerability may be the existence of the access itself. If anybody outside an organization can access any of that organization’s files from the internet, there exists some possibility that any data the organization holds could be at risk. My personally declining internet access to my account is not necessarily an added security measure. Breaches at Target and Home Depot and at many other companies have shown that once the invaders are inside the walls, there are lots of opportunities for mischief. With this in mind, there are very few companies in existence today that can be said to be “completely hardened” against intrusion. The world is very networked, whether we like it or not. A truly professional bad guy, who is capable of penetrating a bank’s security system, is not going to be stopped by anything we individually do as consumers.
There are still plenty of “run-of-the-mill” bad guys out there who do things on a smaller scale, and many of the techniques this group of attackers uses can be defended against more readily. If we consider that there is a scale of security, there are some relatively minor steps that can improve our odds of a good outcome very significantly. The most basic is good password security. I am not a security expert, and I am not trying to advocate any particular security protocol, but I want to pause to point something out that might be useful to people who don’t think about it much. I have observed, in conversation with many of our clients, that most people, despite being concerned about their security, still do not take the basic steps to make their passwords hard to crack. I am astonished to find out that people use things like “Myname1234” as a password. There are programs that will scan email traffic for email addresses, and then go to well-known sites and try what is called a “brute-force” attack, where they simply programmatically try password combinations. They will try the email address as a user name, and iterate through billions of password attempts to gain access. Therefore, it is a good idea to use websites that have a lockout provision after a certain number of failed attempts. What makes this problem even worse is that once a site is compromised, sometimes the hacker will get access to the system and sniff out the user name and password files, which may not be encrypted, and then they have potentially millions of user names and passwords to try all over the place.
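To show what the lockout provision mentioned above looks like from the website’s side, here is an added example (mine, not from this post or any particular site): a per-account counter that refuses further logins after five failures within ten minutes and keeps the account locked for fifteen minutes. The thresholds, the account, its password and the stream of guesses are all constructed for the demo.

```python
from collections import defaultdict, deque

# Added example, not from the post. Per-account lockout: after MAX_FAILURES
# failed logins inside WINDOW seconds the account refuses every attempt, right
# or wrong, until LOCKOUT seconds have passed. Constants are constructed.
MAX_FAILURES = 5
WINDOW = 600      # seconds during which failures are counted
LOCKOUT = 900     # seconds the account stays locked


class LoginGuard:
    def __init__(self, check_password):
        self._check = check_password                 # (username, password) -> bool
        self._failures = defaultdict(deque)          # username -> recent failure times
        self._locked_until = {}                      # username -> unlock time

    def attempt(self, username, password, now):
        """Return 'ok', 'bad password' or 'locked' for one login attempt at time `now`."""
        if self._locked_until.get(username, 0) > now:
            return "locked"                          # even a correct guess is refused
        recent = self._failures[username]
        while recent and now - recent[0] > WINDOW:   # forget failures older than the window
            recent.popleft()
        if self._check(username, password):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT
            recent.clear()
            return "locked"
        return "bad password"


def simulate():
    """Constructed guess stream against one account; returns the outcome of each attempt."""
    users = {"Jeffrey.Killian@email.com": "JDog3Ibmfci77"}        # constructed credential
    guard = LoginGuard(lambda u, p: users.get(u) == p)
    guesses = ["Jeff1234", "Myname1234", "password", "jeffrey", "Killian1",
               "JDog3Ibmfci77"]   # the sixth guess is right but arrives while locked
    results = [guard.attempt("Jeffrey.Killian@email.com", g, t)
               for t, g in enumerate(guesses)]
    # The real owner logs in once the lockout has expired
    results.append(guard.attempt("Jeffrey.Killian@email.com", "JDog3Ibmfci77", LOCKOUT + 10))
    return results


if __name__ == "__main__":
    for i, outcome in enumerate(simulate()):
        print(f"attempt {i + 1}: {outcome}")
```

The correct password is rejected while the account is locked, which is what stops a guessing program mid-run. The flip side is that a lockout keyed only on the username lets anyone lock the real owner out by guessing badly on purpose, so sites that offer this keep the lockout temporary and usually rate-limit by source as well.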
The obvious way to protect yourself from an amateur hacking attempt is to have a strong password, and to use different username and password combinations on different sites, so that if one of your combinations is exposed, it does not expose any other site to compromise. Very few people do this. The most common reason? It is a pain. I will be writing a blog about relatively painless software solutions to this, using strong password managers, but for people who don’t want to go that far just yet, I thought I would write a little something about ways to handle this problem using just the most basic low-tech approaches.
The first problem is memorability. Hard passwords (those that are long and contain upper and lower case letters, numbers and symbols) are also hard to remember. If you regularly visit fifty different websites, that is fifty hard-to-remember combinations. The “old-school” way to deal with this is to have a password-protected file on your computer, opened with a single hard password that you need to remember, that holds all of the user name and password combinations. This is clearly not perfect, because there are ways to sniff that out as well. For example, software known as a keystroke logger can get embedded on your computer and record the websites you go to and the keystrokes you enter, and deliver that information to the bad guys. It will also record the password you used to open the file that stores your passwords, so they can be picked up this way as well.

To help prevent this, keep your anti-virus up to date, consider an anti-malware program, and use your computer’s firewall to prevent intrusions. Be careful about using public Wi-Fi, and make sure that your firewall is fairly restrictive. See the guys at your local computer shop about making it as strong as you can. Digging into this is beyond the scope here, but there are plenty of things you can do.

The second key to keeping malicious programs like a keystroke logger off your computer is to be careful about clicking on links in emails. Email addresses are out there and easy to get hold of. A bad guy sends out an email that looks like it came from a safe source, like eBay. These are known as phishing emails. The little link that looks like it will take you to eBay instead loads a program on your computer to do nefarious things, or takes you to a place you didn’t want to go. If you are not sure whether the email is legitimate, it is better to navigate directly to the site in your browser.
It can be hard to tell legit emails from phony ones, but sometimes they look just a little bit off, or ask about something that they shouldn’t have to ask for.
The second problem with the computer file approach to storing passwords is that your entire computer may be stolen, and the bad guys will have all of the time in the world to open the file. You would also then have an access problem yourself. Alternatively, the computer may be damaged, and although you would not be put at risk by this, it would certainly be a pain. If you have a computer-file approach, store a safe back-up copy somewhere secure.
Information security with a little black book
Another low-tech alternative is to keep password hints in a little black book. Losing the book, or spilling your Venti Frappuccino on it and rendering it unreadable, would be inconvenient. So, if you choose this approach, be very careful about your book. I recommend one website per page so you can keep changing the passwords over time. A book organized with alphabetic tabs might be useful. Once in a while photocopy it, or do something similar to keep a backup. Keep the backup someplace safe, even though theft of your hints probably wouldn’t be a huge crisis without the rules you follow to make them work. Of course, you could just write the passwords in the little book, but then anybody who got the book would have your passwords. So, you can strengthen this, and the password-protected file approach, by making your passwords follow a rule, and then only writing down the hint. You can take it one step further by making a kind of “two-factor” process that uses a “master” password and then the password hint from the file or book. We will look at different rules and approaches shortly, but first let’s look at an example.
Imagine you wanted to store a password for Bob’s Antique Car Lovers forum. Your password hint might be “dream car.” You would record your username (or even better a user name hint, if the usernames are flexible on the site) and the password hint. To actually log into the site, you enter your username; we will hypothetically be Jeff Killian, and his username will be Jeffrey.Killian@email.com as an example. Then you consider your password hint and you know your dream car is a 1966 Chevrolet Malibu Chevelle, commonly known as a ’66 Chevelle. So you enter your “master password,” which we will say is hypothetically your nickname and lucky number, or something like that. We will give Jeff the master password “JDog3,” which he puts before every password he enters, and then the site password, “’66Chevelle,” giving us this: “JDog3’66Chevelle,” and he is good to go. That is a fairly hard password, certainly an improvement on “Jeff1234,” although not by any means perfect. It still contains recognizable words, but it is better than where we started.
[Figure 3: 1966 Chevrolet Chevelle SS 396 Convertible. Photo © Steirus | Dreamstime.com]
Another way of hardening passwords would be to use an acrostic. Acrostics are like acronyms. You write a sentence, and then use the first letter of each word to make up the password. Ideally, you would want to include numbers, so pick a sentence with numbers or dates, and render them as straight numbers. If you make the rule consistent, such as always using two-digit years (with the apostrophe), you can make this pretty easy to do. Again, using Jeff’s access to the car forum, he could note that he bought his first car in 1977, and the hint is a question: “When did you buy your first car?” The answer would be “I bought my first car in 1977.” The acrostic password from this is “Ibmfci’77,” and the “I” at the beginning is capitalized, the rest are not, just like in the sentence itself. Each first letter in a properly rendered sentence is translated exactly into the acrostic. The password as entered would be the master + the acrostic: “JDog3Ibmfci’77”. Longer passwords are inherently stronger, so if the site you use can accept really long passwords, you could dispense with the acrostic and just use the sentence, replacing spaces with underscores “_”, and you would have this combination: “JDog3I_bought_my_first_car_in_1977.” Again, the only thing you recorded is the hint. If you are going to use a system for recording these, you might use a shorthand notation next to the password hint indicating either the short-form password answer (acrostic) as an “A” or the long-form password (sentence) as an “S”. That would make the entry look something like this:
Because websites have various password rules and constraints, there are other things you could do to make the password system more variable. For example, you could separate your master password from your site password with a “+” sign on sites that allow symbols, and leave it out on sites that don’t; on those sites, symbols in the rest of the password would be suppressed as well. You would add a symbol notation to your entry to flag the former case. Maybe just a plus sign, or a tilde “~” next to the (S).
What about sites that do not allow symbols? What kind of password would Jeff use? Well…they are lame, but nevertheless, they exist, so perhaps the best you can do is the longest mix of letters and numbers available. Using Jeff’s password hint, with a sentence form, the password would just be “JDog3Iboughtmyfirstcarin1977.” If the web site requires it to be shorter, you switch to the acrostic, and using the acrostic form, it would be “JDog3Ibmfci77” and that is probably about as hard as you can get given the circumstances.
These two methods of password generation have a few advantages if you are not going in the direction of higher-tech solutions like random password generators, biometrics, security tokens and the like. They at least give you a shot at remembering the password, because it can be related to the site and prompted by a memory cue. If the site is a genealogy site, you might choose the date of your parents’ wedding; if it is your online banking address, you could use a bank branch’s physical address as the response to the hint question. For example, if you always work with Sandy at Citizens Bank, you would use “What is Sandy’s address?” as the prompt. You would then (maybe) know that the branch was at 3654 Mercer Street, so the acrostic version of the full password might be “JDog3+3654MS,” and away you go. If you use this type of clue, it is important that your rule is consistent, such as all addresses being just the street portion, spelled out. Of course, if you didn’t know that address off the top of your head, this would be less convenient, but you see the point.
The entry for this wherever you keep your hints might look like this:
(I am using A for acrostic and the tilde (~) to indicate that symbols are acceptable, so there is a “+” between the master password and the site acrostic, and any other symbol would have been included, if there had been any appropriate ones.)
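Pulling together the rules from the last few paragraphs (master prefix, acrostic or sentence form, two-digit years with the apostrophe, the “+” joiner and symbol suppression), here is an added example in Python that is mine, not the post’s: it rebuilds a site password from a hint-book entry plus the answer you carry in your head, so you can see that a consistent rule always produces the same password and that nothing but the hint is ever written down. It assumes a few things the post leaves open: a four-digit number from 1900 to 2099 is treated as a year, the sentence’s closing period is not part of the password, and the book entries use a constructed “|”-separated shorthand with “~” for sites that accept symbols and “-” for sites that refuse them.

```python
import re
from typing import List, NamedTuple

# Added example, not the blog's own code. Writes the post's rules down as code:
#   master prefix + joiner + site part, where the site part is the acrostic (A)
#   or the underscore-joined sentence (S) of your answer to the hint question.
# Assumptions (mine): a four-digit number 1900-2099 is a year, written '77 in
# acrostic form; trailing sentence punctuation is not part of the password.
YEAR_RE = re.compile(r"^(19|20)\d\d$")
PUNCT = ".,!?;:"


def site_part(answer: str, form: str) -> str:
    """Turn the answer to a hint question into the site-specific part of the password."""
    words = [w.strip(PUNCT) for w in answer.split()]
    words = [w for w in words if w]
    if form == "A":                       # acrostic: first letter of each word,
        out = []                          # numbers kept whole, years as '77
        for w in words:
            if w.isdigit():
                out.append("'" + w[-2:] if YEAR_RE.match(w) else w)
            else:
                out.append(w[0])
        return "".join(out)
    if form == "S":                       # sentence: spaces become underscores
        return "_".join(words)
    raise ValueError(f"unknown form {form!r}: expected 'A' or 'S'")


def derive(master: str, answer: str, form: str, symbols_ok: bool,
           joiner: str = "+") -> str:
    """Master password + joiner + site part; symbols are dropped when the site bans them."""
    password = master + joiner + site_part(answer, form)
    if not symbols_ok:
        # Sites that refuse symbols get the longest letters-and-digits string that is left
        password = "".join(ch for ch in password if ch.isalnum())
    return password


class Entry(NamedTuple):
    site: str
    username: str
    hint: str
    form: str          # "A" acrostic or "S" sentence
    symbols_ok: bool   # "~" in the book means the site accepts symbols


def parse_hint_book(text: str) -> List[Entry]:
    """Parse the little-black-book shorthand (constructed format, one site per line)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        site, user, hint, form, flag = [f.strip() for f in line.split("|")]
        entries.append(Entry(site, user, hint, form.upper(), flag == "~"))
    return entries


def password_for(entries: List[Entry], site: str, master: str, answer: str) -> str:
    """Look the site up in the book and rebuild its password from the hint answer."""
    entry = next(e for e in entries if e.site == site)
    return derive(master, answer, entry.form, entry.symbols_ok)


# Constructed sample book: only hint questions are written down, never answers or passwords.
HINT_BOOK = """\
# site | username | hint question | A or S | ~ symbols ok, - symbols banned
Bob's Antique Car Lovers | Jeffrey.Killian@email.com | When did you buy your first car? | A | -
Citizens Bank online     | Jeffrey.Killian@email.com | What is Sandy's address?         | A | ~
Family genealogy site    | jkillian                  | When were Mom and Dad married?   | S | -
"""

if __name__ == "__main__":
    book = parse_hint_book(HINT_BOOK)
    # The answers live only in Jeff's head; these are constructed for the demo.
    answers = {
        "Bob's Antique Car Lovers": "I bought my first car in 1977.",
        "Citizens Bank online": "3654 Mercer Street",
        "Family genealogy site": "Mom and Dad married in June 1958.",
    }
    for e in book:
        print(f"{e.site:26} {e.username:28} -> "
              f"{password_for(book, e.site, 'JDog3', answers[e.site])}")
```

Running it prints Jeff’s password for each of the three sites. Only the hint question is in the book, so the answer has to be something you can reproduce word for word every time, which is why the post stresses phrasing hints so that there is really only one way to answer them.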
Alternatively, you can just ask questions about yourself that you clearly know the answers to, like your high school graduation or your street address growing up. Again, shoot for things you know, and a mix of words and numbers. Couple that with the master password prefix, and it is not too hard. Relate it to the site you are using, if you can, and it will be more memorable to you. The idea with these passwords is that if you can remember basic facts about yourself, and design the password prompts in such a way that a proper sentence answers them and there is really only one way to phrase the answer, you will be OK. It takes a bit of practice, and a set of general rules that you always follow, but once you decide what they are and practice them, it gets easier.
I will be doing a few more posts on this subject, but until then, think about the security basics. Evaluate your own security: how often do you change your passwords? How many websites have the same combination of user name and password? How strong are your passwords? Do you use public Wi-Fi a lot? Does your home network have good security? Do you use a good firewall? Make improvements where you can, and stay tuned for the next three posts in the “low tech password creation” sequence—creating passwords with replacement rules, creating passwords with image mnemonics, and busting out the old-school book code. In the meantime, surf safely!