With Heartbleed, the term that’s been coined for the OpenSSL vulnerability, it’s time for people to look at how they create, maintain, and remember the ever-growing number of passwords they use to sign into their online services. It’s always funny to read the yearly list of most commonly used passwords. If you’re one of the many who use “123456” or “password” as your password, then you should keep reading.
Because of the nature of the Heartbleed vulnerability, web site administrators actually don’t know what information was compromised. But because the encryption keys can be stolen, it means any data that was secured using SSL or TLS (the main tunneling encryption for secure web sites) may be accessed by hackers. Just to be safe, you should change your password for all the sites that require authentication – especially those that store your financial or medical information.
When you’re updating your password, here are some tips on making sure you’re making it hard to crack. Hackers around the world will always try the most common passwords, so don’t fall into the trap of using common words, names of pets or loved ones, or anything else that could be somehow acquired easily and used against you.
While some web sites enforce some kind of password complexity, many do not. Regardless, you should always create a password that consists of uppercase and lowercase letters, numbers, and throwing in a few symbols like $, %, !, that you can find above the numbers of your keyboard, will help deter hackers. Also, make your passwords at least 8 characters or longer – each additional character you use increases the search space for hackers significantly. If you just count the letters of the alphabet (upper and lowercase), 10 digits, and 32 easy-to-create symbols (those commonly on keyboards), then you have 52 + 10 + 32 = 94 possible combinations per password character. A 6-character password would have almost 690 billion combinations*. By adding two more characters for an 8-character password, you’d increase it to almost 6 quadrillion possibilities. So, while computing power is increasing every year according to Moore’s Law, just adding a few more characters to your password will keep you safer. Note that many IT administrators and security officers advocate 12 or more character passwords. Really, the longer the better.
While you’re trying to come up with long passwords, make sure you’re not using dictionary words, or words that have any relationship to your own information (your address, birth date, names of children or pets, etc.) Sprinkling symbols throughout, substituting a “3” for “e,” and other tricks to increase the overall complexity of your password will help.
Also, do you need a different password for each site you visit? If you reuse the same password on multiple sites, one site that gets compromised can put your other sites at risk too. But with lots of usernames and passwords, it could be hard to remember which password goes with which site. A password manager might help – especially if it is accessible through something you always have close to you, such as your mobile device. It also doesn’t hurt to change your password regularly.
It’s not just users who should try to ensure passwords are handled well. A good web site will also lock out an account if it detects too many unsuccessful login attempts. Or, it may require a user to enter the letters of a captcha image. It may even require two factor authentication, which might be an RSA key fob or an SMS message to your phone.
In any case, Heartbleed is a good reason to update your passwords on your various online sites. Better to be safe than sorry!
*For you mathematicians out there, you know that this is not quite correct because of certain password requirements, such as the need for at least one character to be a symbol (non-alphanumeric). The total number of combinations is actually a bit lower (again, depends on the number of symbols and other impositions), and it could be an interesting exercise to determine the total password combinations of a site based on its requirements.