BSU

Security_Smart_Fall2017_Bridgewater

Issue link: http://bsuit.uberflip.com/i/896173

Contents of this Issue

Navigation

Page 0 of 3

SAFEGUARDING YOUR SECURITY AND PRIVACY AT WORK AND AT HOME NEWSLETTER FALL 2017 FALL 2017 SECURITY SMART 1 W HETHER YOU'RE ON email or social media, online bank- ing or gaming, any site that stores your data still depends on strong passwords to keep miscreants out. By now, most people know the ba- sics—don't use "password," and don't re- peat the same password across different accounts. But a lot of standard password advice really needs some additional con- text to be helpful. Here are some ubiqui- tous password myths, clarified. Myth 1: Passwords need to have mixed cases, numbers and special characters. Truth: Yes, but that's not enough to guarantee maximum security. For ex- ample, "letmein" is no good, but "Pass- w0rD" isn't really any better. Creating passwords based on dictionary words is a bad idea, and even substituting some of the letters for numbers or symbols isn't helpful. Password crackers know to include words like "vuln3rabl3" or "trustno1" in their lookup tables. To be fair, using mixed cases, num- bers and special characters does make a password much stronger than lowercase letters alone. Consider that a computer might take two days to crack an eight- character password that is all lowercase, but a large botnet will take only 1.8 seconds. Mixing cases helps slow down the cracking, and throwing in a special symbol or two bumps up the number of combinations. But all the mixed cases, numbers and special characters won't do any good if the string isn't actually random, as in "1q2w3e4r." Password crackers can look at the keyboard to find potential patterns, too. Myth 2: A good password must be extremely long. Truth: Longer is definitely better, but 10 to 12 characters can be adequate. Shorter passwords take far less time to crack. On a strong botnet, an eight-character pass- word that uses mixed cases and numbers will take just 31 minutes to figure out; increasing the password to 10 characters will take that same botnet 83 days. If the concern is that someone will break into a database and steal pass- words, then extremely long and complex passwords are definitely the way to go. But usually the issue is password reuse and phishing, and if attackers have already Inside 4 Common Password Myths intercepted the actual password, it doesn't matter if it's eight characters or 50. They just copy and paste, and they're in. Myth 3: Never write down passwords. Truth: The issue is more about where you keep it once written. Don't jot down "My new 401K password for Fidelity" on a sticky note and put it on your desk, cau- tions Chet Wisniewski, a security expert with antivirus company Sophos, "but writing down a new, long, complex pass- word while you burn it into your memory and keeping it in your wallet or purse for a week until you get that muscle memory of typing it isn't really a problem." He also writes down important passwords and stores them in a safe deposit box so that his family can "unlock our lives" in case of an emergency. Myth 4: Periodically changing pass- words improves security. Truth: This strategy might just make it more likely that you'll select weak passwords you find easier to remember. Frequent password changes make sense if the primary concern is that passwords might be leaked or exposed, and if there is proof that your passwords were ex- posed, a password reset is a good idea. But changing passwords just because an arbitrary number of days have passed? Not really necessary. For more information on staying safe online here at BSU or at home, contact security@bridgew.edu.

Articles in this issue

Links on this page

Archives of this issue

view archives of BSU - Security_Smart_Fall2017_Bridgewater