Did you know...
...that a hacker trying to crack your password using a typical desktop PC can test up to 10 million passwords per second? If you are using an 8 character password that contains just letters (all caps or all smalls), your password would be compromised in less than 6 hours. You can keep the same hacker busy for over 8 months by using mixed case letters and numbers. By choosing a 15 character password using just letters, that same hacker would be busy for 50,000 years!

It is too tempting to write down those passwords. It is also tempting to use the same password, or a "one-off" password for multiple accounts. If someone captures one, they have access to multiple accounts. We now have so many and who can remember them all - especially now that they need to be really long and difficult.

One way to create and remember a very strong password: PASSWORD PHRASE

1.Users are encouraged to think of a phrase consisting of at least eight to ten words. Example: "All Good Things Come to Those Who wait"

2.Take the first letter from each of these words, using mixed case here and there, and make a password. Substitute numbers and/or punctuation for letters where appropriate, or add them on. Example: "AgtC2tww@"

3.Voila! Instant good password, and the user generally has no problem remember the it because they chose the phrase.

But how do you remember the password phrases for the 10 or more web-based accounts many people have?

Here is a BETTER way:       RoboForms Program

Is It Better Not To Password Protect Your Login Account?

Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password. The default for Windows XP is to only allow logging into an account if:

1. you enter the correct password - if a password is required

2. you click on the login name at the keyboard - if a password is not required. This excludes any remote logging in; you need to physically be at the keyboard and click on the account name to login. Therefore, having no password but being physically present at the keyboard thwarts hackers trying to remotely log into your account.

If you choose not to have a password for an account, you will not be able to use the RUNAS feature - which can be helpful for a LUA being able to load a program with Administrator credentials to run some of those older applications not truly yet Windows 32 compatible. So keep this in mind when using a LUA account.  

Additionally, portable Laptop and notebook computers should always require a password to log into an account for their vulnerability of being grabbed when out traveling in public.

This default setting - that XP does not allow remote logging into an account without a password - does not extend to GUEST accounts nor to DOMAIN corporate network type accounts. Therefore, if Guest account is enabled, someone could try to guess that Guest account password over the network and if successful, gain access. Same for any account on the corporate domain network. Thus, GUEST accounts are disabled by default installation in XP SP2 for safety.

Corporate network domain accounts must therefore have a password and must have a STRONG password. And since brute force "dictionary" type password cracking tools can eventually figure out any password, if you change the password frequently, it makes the brute force attempt much less successful as it must start all over and it doesn't know it needs to.  

Super Tough Alt-Keys!

Finally, adding an Alt-character from the numeric keypad in your password string makes it about impossible to crack using the commonly used password cracking tools as they don't check those extended characters! Just using one extended character, like ALT-5, adds tremendous security. I created a new test account, logged into it and went into Control Panel, User Accounts, and changed my password to a new one containing several ALT-Characters and it does work. Although, for some reason, ALT-4 kept kicking me out of the password change screen. So a few alt-keys are used by Windows as hotkeys in their screens at times it seems.

Laptops usually do not have the Numeric Keypad so the only way to use passwords with extended characters is to attach a keyboard to the Laptop. But this does make it more inconvenient for anyone who steals your laptop and tries passwords.

Probably, password crack tools check the more obvious first, real words, combination words, commonly used passwords, then add uppercase, then numbers, then symbols. My guess is the more symbols and oddly placed uppercase and the longer the password string you use, the longer the crack tool takes. Most crackers give up after some time and move onto another account - seeking the low hanging fruit. So the tougher the password, the more likely no one ever be able to crack it. Alt-character makes it the toughest.

But for home computers, using Windows XP, not having a password means the most security over the internet because someone must physically be at your keyboard to click on the account name to login. Of course, once you have physically logged in, any malicious program that can load up will already be able to access your system. Then, the use of LUA restricted account permissions is the next best security strategy to limit the threat of unauthorized access!

“Blank Password Restriction

To protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can only be used to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network, or for any other logon activity except at the main physical console logon screen. For example, you cannot use the secondary logon service (RunAs) to start a program as a local user with a blank password.

Assigning a password to a local account removes the restriction that prevents logging on over a network. It also permits that account to access any resources it is authorized to access, even over a network connection.

Caution: If your computer is not in a physically secured location, it is recommended that you assign passwords to all local user accounts. Failure to do so allows anyone with physical access to the computer to log on using an account that does not have a password. This is especially important for portable computers, which should always have strong passwords on all local user accounts.”  

source link

In summary, my recommendations:

1. Home computer: don’t use passwords on any accounts (admin or LUA) unless you have family member who wants to install software or make configuration changes without your approval.

2. Office computer at work: use password

3. Portable computer: use password

4. College Dorm computer: don’t use password and read the following

It is wise to configure your college student’s computer with a BIOS startup password and a screensaver lockout password to keep any meddlesome passersby out. Put a little padlock on the case to prevent someone from opening up the computer to disable the BIOS startup password.

Setting Up A BIOS Password

If you have not set up a password on your BIOS, anyone with physical access to your system can boot up from a floppy disk or CD-ROM and then make changes to your system or access data files that are not encrypted. In order to prevent unauthorized access to your system, use a BIOS password.

All PCs system boards have a chip programmed with software called the BIOS (Basic Input/Output System), which sets the boot process for the computer. Most BIOS programs offer a security option that lets the user set a password. Without entering the password, the computer cannot boot into the operating system.

To enable the password through the BIOS, access the BIOS menu screen at system startup by pressing a specific key or combination of keys - before the operating system (Windows) logo appears. Refer to the documentation for your PC for instructions, but typically, you’ll see something similar to Press F1 For Configuration/Setup. (It is usually an F_ key.) The System Security option is usually listed on the first screen. Scroll down until you find it. Press ENTER, and in the System Security box, use your Down-arrow key to select Power-On Password. You’ll be prompted to enter the new password twice. If you already have a password, you can change it or delete it here, too. After you enter your new password, save your changes and exit the BIOS Menu.

Be aware that anyone can bypass this BIOS password by opening the case of your computer and disabling or resetting the BIOS. On some system boards it is as easy as pulling out the lithium battery for a minute to wipe out the BIOS information to restore the default setup. Some system boards have a jumper or switch that will do the same to reset the BIOS settings and erase the password. If you forget your BIOS password, it is important to know this backup information. If you can physically lock your case from being opened, this adds additional security.

In the BIOS menu you may also set the boot devices on your system. In an ideal world, you want your system to only boot from the hard disk. Unfortunately, many BIOS systems don't allow this, and you can only choose the order. If this is the case, select the Hard Disk to be the first option. That prevents someone from booting up with a diskette or CD to bypass our operating system security. It also keeps you from booting up on a diskette or CD that contains a virus, a problem because your hard drive and operating system are bypassed that load up your antivirus protection shield.

In the event of a system failure, you may need to go back into the BIOS menu settings and change the boot order to allow booting up first from a diskette or CD to run the operating system restore program.  

Recommendation: For your student’s computer in a college dorm, set up a BIOS password, make the hard drive the first in the boot order, put a little padlock on the case cover and lock the computer down to the desk using a cable lock:

Strong Passwords

The role that passwords play in securing an organization's network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to your organization. The Microsoft® Windows Server 2003 family has a new feature that checks the complexity of the password for the Administrator account during setup of the operating system. If the password is blank or does not meet complexity requirements, the Windows Setup dialog box appears, warning you of the dangers of not using a strong password for the Administrator account. If you leave this password blank, you will not be able to access this account over the network.

Weak passwords provide attackers with easy access to your computers and network, while strong passwords are considerably harder to crack, even with the password-cracking software that is available today. Password-cracking tools continue to improve, and the computers that are used to crack passwords are more powerful than ever. Password-cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and brute-force automated attacks that try every possible combination of characters. Given enough time, the automated method can crack any password. However, strong passwords are much harder to crack than weak passwords. A secure computer has strong passwords for all user accounts.  

A weak password:

• Is no password at all.  [This rule no longer applies to Home computers using Windows XP! Don't use passwords for your login accounts on a multi-user home computer. Remote access is then not allowed when there is no authentication password used. Hackers cannot guess the password since there is none.]

• Contains your user name, real name, or company name. 

• Contains a complete dictionary word. For example, Password is a weak password.

A strong password:

• Is at least seven characters long.

• Does not contain your user name, real name, or company name.

• Does not contain a complete dictionary word.

• Is significantly different from previous passwords. Passwords that increment (Password1, Password2,  etc.) are not strong.

• Contains characters from each of the following four groups:  

An example of a strong password is J*p2leO4>F.

A password can meet most of the criteria of a strong password but still be rather weak. For example, Hello2U! is a relatively weak password even though it meets most of the criteria for a strong password and also meets the complexity requirements of password policy. H!elZl2o is a strong password because the dictionary word is interspersed with symbols, numbers, and other letters. It is important to educate users about the benefits of using strong passwords and to teach them how to create passwords that are actually strong.

You can create passwords that contain characters from the extended ASCII character set. Using extended ASCII characters increases the number of characters that you can choose when you create a password. As a result, it might take more time for password-cracking software to crack passwords that contain these extended ASCII characters than it does to crack other passwords. Before using extended ASCII characters in your password, test them thoroughly to make sure that passwords containing extended ASCII characters are compatible with the applications that your organization uses. Be especially cautious about using extended ASCII characters in passwords if your organization uses several different operating systems. Windows passwords can be up to 127 characters long. However, if you are on a network that also has computers running Windows 95 or Windows 98, consider using passwords that are not longer than 14 characters. Windows 95 and Windows 98 support passwords of up to 14 characters. If your password is longer, you might not be able to log on to your network from those computers.

Examples of passwords that contain characters from the extended ASCII character set are kUµ!¶0o and Wf©$0k#»g¤5ªrd.

The following snapshot below is of a banking web site and shows very poor judgement in the statement:

           "(Examples of valid Passcodes are: Baseball, Smith100, jonesPHD)"

Those are exactly what NOT to use for your passwords. NEVER use a common dictionary word or your name in your password.

I called them up and asked about this and the help desk person explained they are just showing how you use upper and lower case in your password to make it tough. NO EXCUSE! Don't give a poor example like this!!!

One in three workers jot down passwords: study  Tue Oct 17, 2006 4:43pm ET

source

NEW YORK (Reuters) - One in three people write down computer passwords, undermining their security, and companies should look to more advanced methods, including biometrics, to ensure their systems are safe, a new study shows.

A study released on Tuesday by global research firms Nucleus Research and KnowledgeStorm found companies' attempts to tighten IT security by regularly changing passwords and making them more complex by adding numbers as well as letters had no impact on security.

Staff still had a tendency to jot down passwords either on a piece of paper or in a text file on a PC or mobile device.

"This is really a lot like mom and dad buying a great new security system for the house and junior leaving the combination under the door mat," David O'Connell, senior analyst at Nucleus Research, told Reuters.

The study, which surveyed 325 U.S. employees, found that a single sign-on system is just as effective as more complex schemes and that user education on the importance of proper password protection did not deter employees from their lax habits.

"Passwords are high maintenance. People forget them, people lose them, they have to be reset. Resending passwords is time intensive and costly. It takes up time at a help desk," said O'Connell. The report suggested companies look instead to biometrics, such as voice recognition devices or thumbprint scanners, or cognitive biometrics, the latest security system that learns characteristics about you while you tell a story in the form of multiple choice answers.

"It's these higher order techniques that companies need to shift to in order to get away from passwords," said O'Connell.

If you shop, pay bills or bank online and have many accounts and passwords to keep try to remember, where is a safe place to keep this gold mine for hackers? Not left lying around on your hard drive! The passwords in Microsoft Excel and Word files can be broken and so are not sufficient enough to be used for securing confidential information. Anyone can upload various types of files requiring passwords, including MS Office files, to this web site and for a $39 fee have them unlocked online: http://www.decryptum.com.  

My Recommendation - Use ROBOFORM utility to securely and conveniently store and enter encrypted passwords into your web forms. It also provides encrypted and password-protected notes for other information you need convenient access to but must protect. RoboForm Pro 6.0 - free and $30 for unlimited Pro         BEST SOLUTION I HAVE USED!!!

This internet privacy product simplifies the process of filling out online forms by storing multiple user identities, including name, address, phone number, and other important information required by the user; it also securely stores confidential data such as passwords, bank accounts, and credit card numbers. Key features include: 

• Auto-fills and auto-saves passwords

• Logs users into an online account with just one click

• Protects passwords and other personal information with strong encryption

• Can generate hard-to-guess passwords (and remembers them for the user

• Organizes logins, bookmarks, credit cards, bank accounts and address books - keep all data securely in one location

• Take it with you - automatically login to sites from any computer without installing or typing (prevents keystroke logging software from acquiring confidential passwords or credit card numbers)

• Online shopping, job searches, sweepstakes - RoboForm fills registration and checkout forms instantly

• Encrypted NOTES feature allows you to store important key information securely

• Print out your entire login account and passwords and store in a safe for backup purposes.

• You can copy the passcard encrypted files (one for each login account site) to another media for safe keeping and even copy to additional home PCs to duplicate your account management.
  

My RoboForm evaluation...

This program stores the link, login and password for the web sites I use that need me to log in: Verizon, Discovercard, my bank, anything.

The data is stored in HASH encrypted data so no one can open it up and learn all my passwords.

After learning how it works, it is easy and quick to enter a new "PASSCARD" for another web site login form and supply my login name and the password.

After I ran the program and it copied the files and set me up it apparently placed itself in my Startup programs and also installed a toolbar in my internet explorer browser. So now, I boot up and RoboForm toolbar automatically appears, ready to use, in my browser. I select it and pick any of my web sites from it's pick list and it will open my site, enter my data in the form and submit it automatically. BINGO!!!!!!!   Not only is this VERY CONVENIENT - but the login/password info is entered by RoboForm via an encrypted transmission, so no keylogger trojan program lurking nearby can capture my keystrokes when I enter my financial web site forms.

Now, I do have to enter my MASTER PASSWORD the first time I use RoboForm in a bootup session. From then on, I just click on the toolbar and select the site and get logged in without entering any passwords. Here is what the browser toolbar navigation looks like:

You can see I have registered two web site forms so far, "PMA205 Web Site" and "Versiontracker."

RoboForm also loads into the Windows System Tray so you can also click on the icon to navigate to open upon your web site this way, too.

Now, about entering that MASTER PASSWORD to use RoboForm the first time in a session. The idea of a keylogger capturing THAT master password as I typed scared me. But then I learned that there is the option to pull open a keypad to then use my mouse to select my keys and I believe they are entered via encryption. I need to verify this, but that means I will never have to use the keyboard to key in any passwords - the individual site form passwords or the RoboForm Master password!

Here is a snapshot of the encrypted keypad feature to enter my MASTER PASSWORD:

I was able to use the shift key shown above to enter symbols which I like my passwords to contain, and uppercase characters, too. It works easily.

Lastly, this program lets me print out my entire login-password site lists for backup in case my program database corrupts or hard disk failure. Here is a sample of my test: (I blocked out my passwords)

Each web site login form gets recorded a little differently it appears. I am not sure why Versiontracker.com site has a password field and a "wantpassword" field, but I entered the password into both fields when I initially set that one up and it works fine. In my tests, it worked on public web site as well as on an intranet web site behind our firewall that uses https encryption.

Now, there is second free version of this program called RoboForm2Go.

This one is made for installing and using from a thumbstick. I copy RoboForm2Go program onto my thumbstick and run it. It now allows me to insert the stick into my USB port on an XP and with an autorun.inf it automatically loads the program into memory, add a taskbar icon and adds a toolbar icon to my IE browser. This install process worked fine on my LUA limited account on XP. It does copy several files to my profile area on my C drive but does not need admin rights to do what it does, even when adding toolbar to my browser. My ZoneAlarm firewall did detect a program change and asked me to permit it.

After inserting my thumbstick, I can open my IE browser, click on the RoboForm Toolbar, select LOGIN and select one of several web sites that I have a login form, such as my credit card. After selecting it, RoboForm2Go asks me to enter my MASTER PASSWORD which they provide a keypad on the screen with which I can use my mouse to click in my password using encrypted transmission pad. RoboForm then AUTOMATICALLY opens that web site, fills in my form with account name and password and submits it. VOILA., I am logged into my secure financial site. I have not needed to enter any keystrokes that a hidden keylogger trojan could capture. I can now browse to any financial site I need to and not have to enter any password during this session. RoboForm stores "PASSCARD" encrypted files for each site on my thumbstick. I can use the stick on other computers and without installing anything, load the program and go to any of my secure login type sites!!!!!

I can back up the files, print out my password login account list for backup. Very nice. Free version works fine.  The $30 purchased version allows multiple profile accounts like family members on multiple login accounts. You can store more than 10 accounts on the purchased version. You can use the portable and the non-portable version, on multiple computers, with multiple user accounts - with the $30 version. A terrific deal!

Other password management solutions I have tried and do not find as helpful as RoboForms, but include here for your awareness:

KeePass – ver 1.04 Jan 2006 - extremely secure account management database freeware that uses very secure AES 256 encryption and master password. You can copy the individual account name or password to the clipboard and paste into your password field of the site or program – and the activity is performed with an encrypted session key. Prevents capture from keyloggers or other intercept techniques. Here is what it looks like:

All databases are encrypted using the Advanced Encryption Standard (AES) and the Twofish algorithms to encrypt its password databases. Both ciphers are regarded as very secure by the cryptography community. Banks are using these algorithms. KeePass always encrypts the whole database, i.e. not only your passwords. Your usernames, notes, even the entry times and UUIDs, etc. are encrypted, too.

While KeePass is running, your passwords are encrypted using a 'session key' (randomly generated at startup). This means, that even if you would dump the whole KeePass process memory to disk, you couldn't find the passwords (at least not in plain text). Note that this only applies to the passwords field, not to the usernames, etc. because of speed reasons. When you want to copy a password to the clipboard for example, KeePass first decrypts the password field using the session key, copies it to the clipboard and immediately re-encrypts it using the session key. Here, ARC4 is used as encryption algorithm, the session key has a fixed size of 12 bytes.

KeePass securely erases all security-critical memory when it's not needed any more, i.e. it overwrites those memory areas with random data before zeroing and releasing it (this applies to all security-critical memory, not only the passwords field).

You can export the database to a text file and store that or import into an Excel spreadsheet to view and print out and store in a fire safe for safekeeping – just in case the database gets lost or corrupted!

To avoid typing in the master password, another approach - use a fingerprint scan:  

Sony Micro Vault flash memory stick with fingerprint scanner

$70 at Buy.com 2/06 source

Review: http://www.pcmag.com/article2/0,1895,1604872,00.asp

Below is the 256mb flash stick I bought to contain all my login / passwords. It records the login fields at a web site and has a convenient drop-down toolbar in IE to open a site and transfer in your password via encryption so no keyloggers can capture your keystrokes as you log in.

It has it's drawbacks, though, as you must install software to use it and it doesn't play well with limited access multi-user accounts without Admin rights. So I pretty much use it on one dedicated computer at home to use for any online purchases and financial transactions. I cannot roam on any other PC as easily as first thought.

They have a 512mb model available now:

http://www.sony.net/Products/Media/Microvault/usm-fl.html

Review: The Micro Vault is a USB 2.0 flash drive with a built-in 128-by-128-pixel Authentic fingerprint sensor. The Micro Vault software uses your fingerprint to provide security in five ways: as ID/password auto-login, secure partitioning of the key's flash memory, file and directory encryption, a screen-saver lock ability, and access to Internet Explorer favorites stored on the flash drive.

When you first install the software, you are asked for a password and prompted to "register" your fingers. The Micro Vault uses the password as an alternative access method, should the fingerprint sensor malfunction or be disconnected. The password gives full access to the Micro Vault's features, so be certain to choose a long, complex one.

Probably the most compelling feature of the device is the ability to use it for ID/password auto-logins in Internet Explorer. To store your ID and password for a Web site, you go to the site, type in your information, and click on the Micro Vault icon in IE's toolbar. An option lets you save your ID and password. On subsequent visits to that site, the Micro Vault's fingerprint dialog box will pop up. Once you are verified, the device populates the ID and password fields for you using a secure, encrypted transmission and you are now into the password-protected site. This provides convenience for all your accounts and passwords, and avoids keying in passwords which could be captured by keylogger devices or Trojans.

You can also configure the Micro Vault to provide fingerprint protection to your screen saver as well as secure access to Internet Explorer favorites that you've stored on the Flash drive. If remembering passwords is the bane of your existence, the Sony Micro Vault with fingerprint access will simplify your life.

Tip: To create the accounts and passwords in this or other password managers, you could edit the database on a thumbdrive using an old standalone computer that you never put on a network or the internet. A password protected Excel spreadsheet can be used to track your accounts, but Excel passwords can be cracked without too much difficulty. A password manager is a great convenience with great security but ideally, you must protect the keying of information from any possible keyboard logging Trojans or snooping software.