Is your Password Safe?
|
Jeska Linden
Administrator
Join date: 26 Jul 2004
Posts: 2,388
|
01-16-2009 11:11
Copied from the Second Life Blog: http://blog.secondlife.com/2009/01/16/is-your-password-safe/
Blog Text:
It's officially time to do a reality check on all of your passwords.
Did you see the chaos when high-profile Twitter accounts were recently hijacked and used to send out messages in the names of those folks? How embarrassing.
Creating a Great Password
So, how many of us are using passwords from the list of 500 worst passwords?
Now that you know that "password" isn't a good choice, here are a few tips for creating a password worth using.
* No real words = important. As you saw on the list of 500 worst passwords, most of them are real words, which can be cracked by fraudsters with very little effort. Avoid real words that can be found in a dictionary (in any language) or any proper nouns.
* Long passwords = essential. The fewer the characters, the easier it is to compromise. Choose a memorable password that's at least 8 characters long. To make it even stronger, make it a "pass phrase" instead of a password. "brownfox" is borderline. "thequickbrownfox" is better.
* Mixed case = good. This adds another level of difficulty for fraudsters to guess your password. Try changing "thequickbrownfox" to "TheQuickBroWnFox."
* Misspelled = better. While your English teacher wouldn't approve, misspelling your passwords is a great way to add complexity: "ThuhQueekBroWnFoxE."
* Added numerals and symbols = best. You could mix some numbers in there like "ThuhQueekBr0WnF0x3" or - even better - use the first and/or last letter of each word, mixed with numbers. For example, the full phrase: "The quick brown fox jumped over the lazy dogs" becomes "TQbF70TLd$."
Keep it Secret!
Now that you've got a worthy password, be sure to keep it safe.
* Don't use the same password for everything. If someone happens to crack your code, you could suffer serious compromises across all accounts.
* Avoid typing your password on shared computers. Keyloggers and other programs can allow others to harvest typed data from any computer to which they have access. So, consider your environment when logging in to anything from Internet cafes, libraries, or other shared computers.
* Don't save your password anywhere. Most of us know better than to write it on a Post-it and stick it anywhere near the computer, but some of us may save passwords on sites or in files on networked computers - which isn't safe.
* Change it from time to time. The better the password, the longer you can keep it - but that doesn't mean it should stay static forever. Set yourself a reminder to update your passwords on a regular basis. If it's been a while since you changed your Second Life password, you can do so here.
* Don't share your password. Do not give your password to anyone. This means friends, family, loved ones or Linden employees. Pets too, you never know.
Learn More
Below are a few other sources online to help increase your password protection and general password safety knowledge.
* Secure password management tools: http://en.wikipedia.org/wiki/Password_manager
* Microsoft Password checker: http://www.microsoft.com/protect/yourself/password/checker.mspx
* Very technical, but interesting article on password strength: http://en.wikipedia.org/wiki/Password_strength
* Tips for making tough "shocking nonsense" passwords: http://www.linux.com/articles/28057
* Good overall reference: http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/
* Other tips for strong, memorable passwords: http://www.microsoft.com/protect/yourself/password/create.mspx
(please note: The "blank password" option should NOT be used for Second Life.)
_____________________
"The opportunity to participate in the creation of a new world is really a rare one, and so I hope you cherish it." - Mitch Kapor on Second Life at the 2006 SLCC
|
Jeska Linden
Administrator
Join date: 26 Jul 2004
Posts: 2,388
|
01-16-2009 11:13
Feel free to post your thoughts, comments, feedback on the blog post here!
|
Lindal Kidd
Dances With Noobs
Join date: 26 Jun 2007
Posts: 8,371
|
01-16-2009 11:17
A reminder about password security is always good.
But...I just have to ask. Is there anything, er, "special" that prompted this blog entry? Anything we residents should know about?
_____________________
It's still My World and My Imagination! So there. Lindal Kidd
|
Jeska Linden
Administrator
Join date: 26 Jul 2004
Posts: 2,388
|
01-16-2009 11:19
From: Lindal Kidd
A reminder about password security is always good. But...I just have to ask. Is there anything, er, "special" that prompted this blog entry? Anything we residents should know about?

Nothing "special", we were reflecting on the recent exploit at Twitter and thought it was a good time for a reminder! More info on the Twitter incident at the official Twitter blog:
http://blog.twitter.com/2009/01/gone-phishing.html
http://blog.twitter.com/2009/01/monday-morning-madness.html
|
Imnotgoing Sideways
Can't outlaw cute! =^-^=
Join date: 17 Nov 2007
Posts: 4,694
|
01-16-2009 11:39
I've always relied on random password generator applications. I wrote one myself in Visual Basic after leaving school out of sheer boredom and I still use it to this day. My basic configuration is: mixed case, letters, numbers, 9 characters long. They're a bear to memorize for up to 2 weeks... But, after that second week things are okay if I use it often enough. I think I hold on to a password for up to 6 months and change it by then if I'm not too lazy. (^_^)y
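
An added example, not the poster's Visual Basic program: a generator for the configuration described above (mixed case, letters, numbers, 9 characters), written in Python. Using the standard `secrets` module as the randomness source is an assumption, since the post does not say how its tool picks characters; `entropy_bits` reports the size of the resulting search space.

```python
import math
import secrets
import string

# Configuration taken from the post: mixed case, letters, numbers, 9 characters.
ALPHABET = string.ascii_letters + string.digits  # 26 + 26 + 10 = 62 symbols
LENGTH = 9


def generate_password(length=LENGTH):
    """Return a random password drawn from ALPHABET using the OS CSPRNG.

    secrets.choice() is used instead of random.choice() because the
    `random` module is a predictable PRNG and is not meant for secrets.
    Candidates are redrawn until they contain a lowercase letter, an
    uppercase letter and a digit, so the result always matches the
    "mixed case, letters, numbers" configuration.
    """
    if length < 3:
        raise ValueError("need at least 3 characters to cover all classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def entropy_bits(length=LENGTH, alphabet_size=len(ALPHABET)):
    """Upper bound, in bits, on the entropy of `length` uniform characters.

    The class requirement in generate_password() rejects a small share of
    candidates, so the true figure is marginally below this bound.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password())
    print(f"{entropy_bits():.1f} bits for {LENGTH} characters from {len(ALPHABET)} symbols")
```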
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
01-16-2009 11:40
But don't forget to keep it memorable! You don't want to go through the password reset process more often than you have to.  I get mine tattooed on the inside of my eyelid. That way I won't forget it.
|
Imnotgoing Sideways
Can't outlaw cute! =^-^=
Join date: 17 Nov 2007
Posts: 4,694
|
01-16-2009 11:52
From: Argent Stonecutter
But don't forget to keep it memorable! You don't want to go through the password reset process more often than you have to. I get mine tattooed on the inside of my eyelid. That way I won't forget it.

Heh... With my method, I'm often trapped with a forgotten password. (>_<  It's kinda why this account exists. I had a main from May 2007... But I totally forgot the password once I put together a computer that would run SL... So out of frustration I started messing with the sign up page. I'm sure you can imagine the mood I was in when I made this name. (=_=)y
|
Kalderi Tomsen
Nomad Extraordinaire!
Join date: 10 May 2007
Posts: 888
|
01-16-2009 12:07
Another idea a total geek friend taught me is to take a phrase that you can remember easily and then make your password the initials of that phrase.
So if you pick a phrase like "Top of the mornin' to ya!" you could make your password "Totmty" - not exactly an easy one to guess, but then if you change the "o" to a zero you make it even better - "T0tmty".
Of course, it would be better for you to pick a longer phrase, so that the password result is longer, but I hope you get the idea. The advantage is that it's VERY easy to remember FOR YOU and difficult for the hackers to pick up on.
_____________________
Kalderi, General Manager, Hosoi Ichiba and Hosoi Design
- - - Hosoi Ichiba - High Quality Classically-styled Asian buildings, furniture and home decorations in an old-fashioned Japanese market garden on Japan Kanto. http://hosoi-ichiba.blogspot.com/
Hosoi Design - High Quality prefabs and furnishings, plus commercial buildings.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
01-16-2009 12:10
fsasyaoffbfutcann,cil... oh noes, try again fsasyaoffbfotcann,cil,adttptamace! Rats fsasyaoffbfotcann,cil,adttptaFace! Yes!
|
Lyla Tunwarm
Registered User
Join date: 10 Jul 2008
Posts: 179
|
01-16-2009 12:19
Don't use the same username and password for every site you go to. If one of them gets hacked they now have access to all your accounts. This is mostly pointed to people that use 3rd party forums and websites related to SL as those sites are generally not well protected.
|
Linda Brynner
Premium Member
Join date: 9 Jan 2007
Posts: 187
|
01-16-2009 12:22
From: Kalderi Tomsen
Another idea a total geek friend taught me is to take a phrase that you can remember easily and then make your password the initials of that phrase.
So if you pick a phrase like "Top of the mornin' to ya!" you could make your password "Totmty" - not exactly an easy one to guess, but then if you change the "o" to a zero you make it even better - "T0tmty".
Of course, it would be better for you to pick a longer phrase, so that the password result is longer, but I hope you get the idea. The advantage is that it's VERY easy to remember FOR YOU and difficult for the hackers to pick up on.

Thanks for that tip Kalderi!!! I know a real funny one now...
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
01-16-2009 12:23
SL security would be better, also, if you separated the account and avatar names... so for example instead of logging in as "Argent Stonecutter", I'd log in as "Argent007" or something that isn't actually published... and then picked my "Argent Stonecutter" alt from a pulldown.
* Something else for attackers to have to guess.
* Better account management.
* Fewer name-password combinations for users to remember.
|
Jeska Linden
Administrator
Join date: 26 Jul 2004
Posts: 2,388
|
01-16-2009 13:01
From: Argent Stonecutter
I get mine tattooed on the inside of my eyelid. That way I won't forget it.

Seems a bit extreme, although at least you know where it is.
|
Allegria Kanto
Trailing clouds of glory
Join date: 28 Nov 2007
Posts: 1,004
|
01-16-2009 13:20
I use fairly strong passwords (8 character, no real words and a mix of letters and numbers), and as an extra precaution, have an alt who is the keeper of the Lindens. There is no payment info on file for Allegria, and the alt who is the keeper of the Lindens never gets to log onto the unsecure forums.
_____________________
Let us pray that we ourselves cease to be the cause of suffering to each other. -- Thich Nhat Hahn
|
Kate Sakai
Registered User
Join date: 14 Feb 2007
Posts: 3
|
Take a page from Blizzard
01-16-2009 13:24
I would like to see the ability to use something like Blizzard's authenticator to safeguard our SL accounts.
I know it isn't foolproof, but it might be a step in the right direction.
|
Ciaran Laval
Mostly Harmless
Join date: 11 Mar 2007
Posts: 7,951
|
01-16-2009 13:26
From: Argent Stonecutter
SL security would be better, also, if you separated the account and avatar names... so for example instead of logging in as "Argent Stonecutter", I'd log in as "Argent007" or something that isn't actually published... and then picked my "Argent Stonecutter" alt from a pulldown.
* Something else for attackers to have to guess.
* Better account management.
* Fewer name-password combinations for users to remember.

Agreed, this is how WoW and Eve Online do it. You're encouraged not to have your avatar name the same as your login name.
|
Sedary Raymaker
Registered User
Join date: 11 Mar 2007
Posts: 59
|
01-16-2009 14:23
I have an alt account that could use a better password, now that it actually handles money, but I'm afraid to change it. My roommate changed her password on the SL website a few months ago, went to bed, and woke up a few hours later unable to log in. After fighting with customer service all day, she found out that her account had been compromised, the USD$500 she had on the account cashed out *somewhere*, and the account canceled "by the account owner", which is why she couldn't log in. She hadn't even used the new password yet. So I have to wonder what sort of safeguards LL has, since SSL doesn't seem to be enough.
|
Soap Clawtooth
Registered User
Join date: 13 Feb 2008
Posts: 200
|
Special Characters
01-16-2009 14:28
Don't forget that special characters work for passwords too, such characters as ⁄™‹›fifl‡°·‚—±Œ„‰ÂÊÁËËÈÈ∏ÅÍÎÏÌÓÔÒÛÙÇ◊ıˆ˜ and so on and so forth. This makes for a much stronger password to break. Also consider Chinese characters.
|
Kornscope Komachi
Transitional human
Join date: 30 Aug 2006
Posts: 1,041
|
01-16-2009 14:33
Seeing as there have been no compromises (we would be told), I shall leave mine as it is.
_____________________
SCOPE Homes, Bangu
|
Madame Maracas
Not who you think I am...
Join date: 7 Jun 2004
Posts: 1,953
|
01-16-2009 15:09
Usually I grab some random object in the house, take the ISBN number down and do a letter number cypher replacement for some of the numbers. Completely random.
_____________________
RadioRadio - http://radioradiosl.com
M 6 Hobbes Abattoir T 7 Sezmra Svorag W 4 Brian Mason W 6 Moira Stern W 8 Nala Galatea Th 6 Chet Neurocam F 6 Vertigo Paris F 9 Madame Maracas S 5 Madame Maracas S 8 TriNala Su 6 Trinity Serpentine http://madamemaracas.wordpress.com - Madame Maracas Blaaagh
Plurk - http://www.plurk.com/user/MadameMaracas
|
Alexandra Rucker
Metamorph
Join date: 19 Jul 2006
Posts: 71
|
01-16-2009 22:27
If you REALLY want to talk about secure passwords, how about expanding the password field to allow for more characters IN the password?
I bumped into that limit and had to shorten mine in order to fit. Not a good way to keep it "secure"...
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
01-16-2009 22:42
I would never be able to remember my passwords if I tried to follow rules like these.
_____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them.
I can be found on the web by searching for "SuezanneC Baskerville", or go to
http://www.google.com/profiles/suezanne
-
http://lindenlab.tribe.net/ created on 11/19/03.
Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan
-
|
Oryx Tempel
Registered User
Join date: 8 Nov 2006
Posts: 7,663
|
01-16-2009 23:30
From: SuezanneC Baskerville
I would never be able to remember my passwords if I tried to follow rules like these.

Yet another gem from Suzanne.
|
Very Keynes
LSL is a Virus
Join date: 6 May 2006
Posts: 484
|
01-17-2009 01:57
From: Jeska Linden
Don't share your password. Do not give your password to anyone. This means friends, family, loved ones or Linden employees. *Pets* too, you never know.

Lovely Girls that they are, I still wouldn't share my password with my Pets
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
01-17-2009 02:35
From: Oryx Tempel
Yet another gem from Suzanne.

Several SL accounts, multiple bank accounts, landline phone account, daughter's cellphone account, Hipihi, Novoking, uWorld, Vivaty, JustLeapIn, 3DXplorer, ActiveWorlds, Planet Casmo, Mashable, Cnet, Wordpress.com, Blogger.com. Roblox, .... I can't even remember all the places I would need to remember passwords for. I'm supposed to remember a unique string like "s8Xam8aQzaq91" for each of these accounts, not written down anywhere? If I tried to use mnemonic devices for each of them like the initials of phrases, I wouldn't be able to remember the phrases, and if I could, I wouldn't remember which one went with each account.

The way my memory works now, when I look a number up in the phone book, I can't remember it long enough to dial it all at one time. I have to look back at the page several times during the process. I have to put my finger on the page where the number is or I'll forget where on the page the number was. It's not how I'd like my memory to be, and it's not how it used to be, but that's how it is now.

Suezanne, by the way, has an "e" after the "u". I wouldn't think you'd find that hard to remember and type accurately considering it's in the passage you quoted.
|