PassPack: Strong Passwords (times three!)

Suppose an evil person wants to get into your PassPack account. With all the security measures we’ve put in place, the easiest route for Mr. Evil to take would be to simply try and guess your User ID, Pass and Packing Key.

Of course, Mr. Evil, being the nasty person he is, will use every trick in the book to guess your Account information. First he’ll use a computer to make his task faster, and he’ll program that computer to test every word in the dictionary, dates and names. If your password isn’t “strong” enough, he’ll be into your account in a matter of minutes. Scary isn’t it?

No need to panic though, here are a few rules to follow in order to keep Mr. Evil out:

DO Use the entire keyboard: upper and lower case letters, numbers and symbols like these… |\!”�$%&/()=?^�'[]*+@#�����. DO Use something LONG – at least 10 keystrokes. More is better. Avoid “real” words: no names, dates, famous people or any word found in the dictionary. Not even if you write them backwards. Avoid sequences or repeated characters: “12345678,” “222222,” “abcdefg,” or adjacent letters on your keyboard like “qwerty”. Avoid using User IDs or Passwords that you’ve used in other sites.

Do this three times: once for your User Id, once for your Pass and once for your Packing Key. PassPack includes a quality rating bar to help you along.

There IS an easier way…

If you’re wondering, How ON EARTH can anyone remember such a monstrous thing!? Think about it – what uses upper case letters, lower case letters, spaces and punctuation?

A SENTENCE!

Here are some great examples of a Strong Pass (pass-phrases!):

My 3rd grade teacher, Mrs. Naddler, changed my life.

1961: my HUBBY was born!!

$10 is WAY too much for a candy bar.

Creative math: 20+1=300.

Just in case you’re still wondering – YES, you can (and should) use spaces and punctuation. Throw in some numbers and you’re all set. Here is another good article to look at.

Oh… DO NOT use these examples as passwords. [wink]

Technorati Tags: , , , , , ,, , , ,

Advertisements

16 responses to “PassPack: Strong Passwords (times three!)

  1. I really wish they would get rid of the term “password” and call it a “pass phrase” instead. That would be the first step towards getting people in the right frame of mind with regard to access keys.

  2. Hi Keith, I agree … to an extent. We considered using “pass phrase” from the getgo, but people are used to “password” and “pass phrase” seemed to scare them off. For better or for worse, we went with what was most comfortable to the average Joe.

  3. I’d almost consider using “security expression” in the place of “password”.

    It’s the truth, when “password” conjures the thought of a single word used for security.

    I’m all for making people uncomfortable, when it regards their online security. If they were to think about what it meant, and what it protects (especially the poor saps who still use “password” as a security expression, and not realize how easy that is to walk through), then that would be the first step to getting people to make their expressions stronger.

  4. @Xial
    Good points. We’ve recently changed the wording “Password” in our site to just “Pass” … for lack of a friendlier word.

    We don’t want to scare people off with new expressions (that would be just another barrier towards them using something more secure – which is, ultimately, our goal).

    We’ll be building a pass strength testing algorithm into PassPack sign-up in the future release.Done, read here.

    I took a quick look at your site. I see that you support OpenID. You might be interested in this discussion going on here:
    http://tinyurl.com/yrjvgo

  5. markandeyulu

    it is better all known words in any language are barred to be accepted as a password. then pass phrases will come into being in full.

  6. @markandeyulu

    That would be an option, sure. Generally, password generators produce these types of non-word passwords – just that many people find that they are hard to remember.

    Of course, that wouldn’t be a problem if they just used a password manager… maybe something fabulously fun and easy like PassPack. :)

  7. Another easy way to create a strong password is to take a quotation that you can easily remember and use the first letters and punctuation.

    Thus, “Alas, poor Yorick! I knew him, Horatio.” becomes A,pY!IkhH.

    Bill

  8. @digitalzen
    That’s good when pass phrases aren’t supported. But use a pass phrase instead of a password wherever possible. They are much stronger, not only for the length, but also because they use spaces, punctuation and upper and lower case letters.

    But when you have the option of using a pass phrase (like in the PassPack login) then you can go ahead and use “Alas, poor Yorick! I knew him, Horatio.”

    Thanks for chipping in. Cheers,
    Tara

  9. jojomonkey

    thanks for sharing password information, but seriously an online password manager is nuts!

  10. @jojomonkey
    :) Yes, that’s often the first reaction to online password managers. Most people change thiner mind once they understand how it works:

    http://tinyurl.com/2cvd8k

    Not even PassPack can read your passwords, because we don’t have the key to unlock the encrypted pack (that never leaves your browser). So it’s really an online/offline hybrid. Only previously encrytpted data ever gets sent to the server.

    Let me know if you have any questions. I’ll be happy to answer.

    Cheers,
    Tara

  11. quadrabyte

    This is a great idea. Thanks for providing it. Thanks, also, for making the sign-up so friendly. I’m a computer person but most of the people you need to reach are not. You have clearly put some thought into ways to make the whole thing much less scary.
    Terrific that you offer this at no charge. I like supporting efforts like this but I couldn’t find where to sign up for the paid service (or what it provides). Let me know how I can help and I’m there.

  12. @quadrabyte
    Thanks, I’m glad you find sign up friendly… I’m a little torn lately wondering if it’s getting too complicated. So good to hear that you like it.

    Our paid version, isn’t ready yet, but no worries, we’ll let everyone know when it is.

    The first package out will simply add more storage space. Lots of folks are at the limit and we need to be able to get them an upgrade option as soon as possible.

    Here’s more on the storage limits.

    Thanks!
    Tara

  13. I personally knows some Evil systems which has An EVIL software to steal passwords. I am talking about key-loggers, that steals key board activities, so it will nice to see an online keyboard to enter data with mouse clicking. :)

    hope u could understand the severeness of this key-logger thing.

    Thank you in advance.

  14. @sajidalimudassar
    Unfortunately on-screen keyboards do not entirely remove the risk posed by keyloggers. Most of them can not only capture keyboard strokes, but also grab things from the clipboard (if you copy/paste your password) and even track mouseclicks and take screenshots.

    We do offer disposable logins, though. You use it once, and it never works again. So even if it gets recorded by a keylogger – it’s useless.

    Here’s more info on Disposable Logins.

    Cheers!
    Tara

  15. Found you on Lifehacker. I’m a webworker who’s also forced to travel a lot, and I’d been reduced to storing my passwords in a Google spreadsheet.

    Passpack has made me so happy. Thanks.

  16. Hello Ketone,
    Good to have you aboard. Since you travel a lot, make sure you check out the Disposable Logins.

    Cheers – Tara

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s