Gmail flaw shows value of strong passwords
By Becky Waring The disclosure of a back door allowing bad guys to repeatedly guess Gmail passwords should remind us all to protect our accounts with long and strong character strings.
There’s a straightforward way to protect your online accounts — use sign-in phrases that are easy for you to remember but hard for others to guess.
The latest vulnerability affecting Gmail accounts was recently revealed by security researcher Vicente Aguilera Díaz in a posting on the Full Disclosure security list. (Aguilera previously revealed a Gmail flaw known as session-riding, which Google subsequently fixed, as reported by WS contributing editor Scott Spanbauer on April 23 and May 7.)
According to Aguilera’s new security alert, Google allows anyone with a Gmail account to guess another Gmail user’s password 100 times every two hours, or 1,200 times per day. No “captcha” keeps hacker bots from guessing passwords in this way. Worst of all: If a hacker controls, say, 100 Gmail accounts, 120,000 guesses can be made per day. Because Gmail accounts are free, many hackers control far more than 100 accounts, of course.
To its credit, Gmail requires fairly long passwords of 8 characters or more. However, as Aguilera points out, Gmail allows users to create extremely weak passwords such as aaaaaaaa.
A quick survey of my friends and relatives revealed that not one of them uses strong passwords. Most people have no idea how to create them. Yet everyone I asked expressed guilt at using easy-to-crack passwords: pet names, birthdays, and common dictionary words.
Most people’s passwords could be guessed in far fewer than 10,000 attempts. And, despite using weak passwords, the people I interviewed say they rarely change their sign-in strings. (One-third of the people surveyed use the same password for every Web site they sign in to, and the infamous Conficker worm needed to try only 200 common passwords to break into many systems, according to an analysis by the Sophos security firm.)
Here’s the topper: many respondents to my informal survey admitted to keeping an unencrypted file on their systems that lists every password they use!
| UPDATE 2009-09-10: In his Sept. 10, 2009, Top Story, Scott Dunn provides detailed steps for protecting your passwords from keyloggers and other snoopers. |
You may not think the password to your webmail account is valuable. But anyone with access to your account can use it to send spam and ruin your online reputation. More seriously, you may have entered the same password at an online banking site, such as PayPal, or a site where your credit-card number is stored for easy ordering, such as Amazon.
Use tough passwords but make them easy to recall
You can see whether your current passwords — you do use more than one, right? — are rated “strong” by using Microsoft’s online Password Checker. I bet you’ll be unpleasantly surprised by the results.
Figure 1. Test the strength of your passwords by entering them in Microsoft’s Password Checker.
The three keys to strong passwords are length, randomness, and use of different types of characters. Each additional character multiplies the potential combinations a brute-force attack must try.
Random passwords use upper- and lower-case letters, numbers, and symbols. When at least three of these four categories are used, an eight-character password should suffice in most instances. According to the FrontLine security site, such a password would take a century or more to crack by a hacker using a single PC. The eight-character standard is also the minimum the Microsoft Password Checker deems “strong.” Of course, the more characters in your password, the safer you’ll be.
If you wish to create your own password, use a sentence or phrase you can recall easily and then tweak it for each account.
For example, start with the phrase “all good things come to those who wait.” Then take the second letter of each word — or the only letter in the case of single-character words — to yield lohoohha. Then use upper case for every other consonant and substitute numerals or punctuation for certain vowels: loHooHh@.
(Never use any password-creation system you’ve read in a book or on the Web, including the example in the preceding paragraph. The password crackers read these articles, too.)
You can be as creative as you want with your rules. The goal is to produce a random-seeming combination of letters, numbers, and special characters — one generated by a set of rules you can remember and recreate.
Next, add a few characters denoting the site or the account for which the password is required. For example, you could add the first three letters of the site URL to the beginning, middle, or end of your base password, but five letters later in the alphabet, so “ama” for Amazon.com becomes frf.
By this time, you’ll likely have a password that’s at least 8 to 16 characters long and fairly random-looking — strong by any measure. When you need to change a password, keep the same rules and change just the base phrase.
Dos and don’ts to keep your passwords safe
Now that you know how to create strong passwords, follow these ten tips for using and protecting them.
- DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008, Insider Tips column. Although Scott focused on free programs, I really like CallPod’s Keeper, a $15 utility that comes in Windows, Mac, and iPhone versions and allows you to keep all your passwords in sync. Find more information about the program and a download link for the 15-day free-trial version on the vendor’s site.
Figure 2. Callpod’s Keeper password-management utility lets you sync passwords between Windows and Mac PCs and iPhones.
- DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven’t visited in long time. Don’t reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.
- DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward.
No matter how much you may trust your friends or colleagues, you can’t trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.
- DON’T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don’t use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
- DON’T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.
- DON’T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.
- DON’T use the “remember me” or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.
- DON’T enter passwords on a computer you don’t control — such as a friend’s computer — because you don’t know what spyware or keyloggers might be on that machine.
- DON’T access password-protected accounts over open Wi-Fi networks — or any other network you don’t trust — unless the site is secured via https. Use a VPN if you travel a lot. (See Ian “Gizmo” Richards’ Dec. 11, 2008, Best Software column, “Connect safely over open Wi-Fi networks,” for Wi-Fi security tips.)
- DON’T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.
WS contributing editor Becky Waring has worked as a writer and editor for CNET, ZDNet, Technology Review, Upside Magazine, and many other news sources.
By Dennis O’Reilly 
