Category Archives: Security

aka infosec

Your passwords are not strong enough

If you’re like most people, you’ve grudgingly started to use complex passwords like “hf7s4hfk23” instead of “1234”. If you’re listening to the security experts, you’ve started using a different password for every site and service. You may even be using a password store such as Password Corral.

And, after doing all that, you may actually feel somewhat secure in your online activities. Unfortunately, you’re not. Advances in password cracking techniques, the availability of powerful graphics hardware that can be used to speed up password cracking, and the failure of many web sites and services to use the latest security techniques make your security online weaker than ever.

Ars Technica has an excellent (although scary) post about the current state of online security and passwords.

The upshot is that you should do all of the things that security experts have been telling us for years: use long (11 or more characters), complex passwords with upper and lower case letters, numbers and punctuation; avoid using dictionary words in passwords; don’t re-use passwords; don’t use ‘stringdigit’ passwords (a string of letters followed by digits, such as “password1984”); and use a password store to help remember all those passwords. Do all of those things, but also ask your service providers to use current security technologies.

For example, if you track your finances with the fictional site myspendingxyz.com, you clearly don’t want that site to use anything but the latest security. Look for a statement regarding security on the web site. If you can’t find one, contact the site operators and ask what they use to ensure the security of user accounts. The list below shows a few of the technologies commonly used and indicates whether those technologies are actually helpful.

  • Password hashing – absolutely required: the site should store a hash of your password, never the password itself
  • Cleartext passwords – utterly insecure; one database leak exposes every account
  • One-way hashing – much safer than any reversible scheme
  • Reversible “hashing” (really reversible encryption) – dangerous, since anyone who obtains the key recovers every password
  • MD5 hashing – ancient, and so fast that graphics hardware can test billions of guesses per second
  • Microsoft NTLM – also fast and unsalted; easy to crack
  • SHA1, SHA2 – stronger as general-purpose hashes than MD5, but just as fast, so still not secure enough to use for passwords on their own
  • bcrypt, scrypt, PBKDF2, and SHA512crypt – current best choices for hashing passwords, because they are deliberately slow and always salted
  • Password salting – mixing a random per-user value into the hash; defeats precomputed tables and stops identical passwords producing identical stored values
  • Password complexity requirements – another good way to improve security
  • Corporate data protection policies – any company that handles user passwords should have policies in place that preclude such dangerous activities as copying password data to a laptop or removable drive
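To make the list above concrete, here is an added example (not code from the original post or from the Ars Technica article) that checks a password against the rules given earlier in the post (11+ characters, mixed case, digits, punctuation, no ‘stringdigit’ pattern) and then contrasts the unsalted MD5 scheme with salted PBKDF2-HMAC-SHA256 using only the Python standard library. The iteration count and the `pbkdf2_sha256$iterations$salt$hash` storage format are assumptions made for the example; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import re
import string

# Assumed parameters for this example (not from the original post):
# PBKDF2-HMAC-SHA256 with a 16-byte random salt per user.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def password_problems(password):
    """Return the rules from the post that PASSWORD breaks (empty list = passes)."""
    problems = []
    if len(password) < 11:
        problems.append("shorter than 11 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # 'stringdigit': a run of letters followed only by digits, e.g. password1984
    if re.fullmatch(r"[A-Za-z]+[0-9]+", password):
        problems.append("stringdigit pattern (letters then digits)")
    return problems


def md5_unsalted(password):
    """The 'ancient' scheme: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None):
    """Slow, salted hash, stored as 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt is drawn unless one is supplied (the fixed-salt form
    exists only so the example is testable deterministically).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_verify(password, stored):
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_hash(scheme, password):
    """Do two users who pick the same password end up with identical stored values?

    True for unsalted MD5 (so one cracked hash unlocks every matching account
    and precomputed tables work); False for the salted scheme.
    """
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    for pw in ["1234", "hf7s4hfk23", "Password1984", "Tr0ub4dor&3xample"]:
        print("%-20s %s" % (pw, password_problems(pw) or "passes the post's rules"))
    print("MD5, two users, same password, identical hashes:",
          same_password_same_hash(md5_unsalted, "hunter2"))
    print("PBKDF2, two users, same password, identical hashes:",
          same_password_same_hash(pbkdf2_store, "hunter2"))
    stored = pbkdf2_store("hunter2")
    print(stored)
    print("verify correct password:", pbkdf2_verify("hunter2", stored))
    print("verify wrong password:  ", pbkdf2_verify("hunter3", stored))
```

The point of `same_password_same_hash` is the one the list makes about salting: with unsalted MD5 every user who chose “hunter2” has the same stored value, so a cracker needs one lookup per unique hash, while with a per-user salt each stored value is different and must be attacked separately, at 200,000 HMAC iterations per guess instead of one.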

Some companies may be reluctant to go into details, and may even suspect your motive. However, they should at least be able to state that they do not use any out of date technologies and have effective data protection policies in place.

Update: A followup article from Ars Technica digs deeper into what makes a secure password, and the use of password manager software. They examine several of these programs in detail.

Firefox version 21 released

Another new version of Firefox was released today. Version 21.0 fixes several security vulnerabilities and other bugs.

As usual, the release notes for version 21 don’t mention the version except in a note about contributors, but the list of fixes seems to be relevant to the new version.

Clicking the ‘complete list of changes’ link on the release notes page now goes to the Firefox bug tracking site, but the list of bugs shown includes issues that were resolved long before version 21 appeared, which is still very confusing.

On a brighter note, the release notes page now includes this entry:
21.0: Security fixes can be found here
Clicking the associated link shows a page titled “Known Vulnerabilities”, which clearly shows the version in which particular security vulnerabilities were fixed.

Update for Adobe Flash

Adobe just announced an update for Flash, version 11.7.700.202. As usual, the update fixes vulnerabilities in Flash that could cause instability or allow remote control of affected computers.

Microsoft, which maintains Flash separately for Internet Explorer 10, released an update for that browser with the latest fixes. The patch is available from Windows Update.

Likewise for Google, which released a corresponding patch for its Chrome browser. Chrome will update itself automatically.

Patch Tuesday for May 2013

This month’s updates include fixes for vulnerabilities in Windows, Internet Explorer, .NET and Office. The bulletin summary has all the technical details, and the Microsoft Security Response Center has a more reader-friendly summary, entitled “Microsoft Customer Protections for May 2013”.

The expected patch for recently-discovered vulnerabilities in Internet Explorer 8 is included in this month’s patches as MS13-038. According to Microsoft, you can install this patch whether or not you previously installed the emergency “Fix-It” released by Microsoft.

Advance notification for May 2013 Patch Tuesday

As usual, Microsoft has issued an advance notification for this month’s Patch Tuesday. The updates will become available on Tuesday, May 14 at about 10am Pacific time.

There are ten bulletins this month, two of them flagged Critical. In total, 34 vulnerabilities in Windows, Office, Internet Explorer, .NET and server software will be addressed.

Update 2013May11: The upcoming patches will include a fix for the Internet Explorer 8 vulnerability recently discovered.