Now that I’ve scared your pants off, you’re probably wondering how in the world you’re going to manage all of those passwords for all of your various surfing needs. In this post, I’m going to discuss several options for managing strong passwords. I’ll also discuss the approach I’m planning to take, now that I know better.
Most of us tend to reuse the same password all over the place. But, if you’ve read my previous posts – especially the one that talked about how a cracker can use your personal email address password to gain access to other web accounts – you now realize that this is not a very secure strategy.
But, security may not always be your highest priority. Convenience might rank higher in some cases. If that describes you, then just allow me to point out a few things you may not have considered:
Corporate domain account passwords should be unique.
To reuse this password elsewhere would put corporate data at risk, potentially including any customer or employee PII that you can access. Disclosure of this information could have seriously negative ramifications for the company – and your job.
Personal email account passwords should be unique.
Sharing these passwords puts your entire Internet-hosted life at risk.
Financial account passwords should be unique.
No sense taking the risk that someone smart enough to break into Bank of America can also access your 401(k), credit union accounts, and home equity line.
Any account where you post content should be unique.
Do you review products on Amazon.com? Do you use Facebook or Twitter? Do you comment on videos at Hulu? If so, those posts are all a part of your online persona. If a prospective employer or significant other were to Google you and read those posts, would they want to hire or date you? Would you want to give some random cracker the ability to post in your name? I didn’t think so.
Not much. And, that’s my point. You need to use unique passwords just about everywhere.
A significantly stronger approach is to make up a unique pass-phrase for each site. But, how can you remember them all? It’s actually easier than you might think. Instead of trying to remember all of the passwords for all your sites, come up with a formula for creating unique passwords, and remember the formula. Here are a few to get you thinking:
I love Facebook
Adding the web site name to a short password significantly strengthens the password, and makes it unique to the site. This pass-phrase, which contains 15 characters, including upper case letters, lower case letters and spaces, is extremely strong against brute force attacks. Though, it seems like it would be a whole lot less strong against a dictionary attack or a random guess.
Facts About Crime
This pass-phrase was created using the first three letters of the website name: FACebook. It contains 17 characters, including upper and lower case letters and spaces, which makes it even stronger against brute force attacks than the previous password. This pass-phrase also seems stronger against a dictionary attack.
4 the <3 of Facebook
Using “text” shortcuts, like “4” instead of “for” and “<3” instead of “heart” or “love”, significantly increases the strength of a pass-phrase against brute force attacks because it introduces numbers and symbols. Though, as with the first pass-phrase, this one seems a bit easy to guess.
Can you see the pattern here? This is Facebook spelled out using this pattern: Upper, Lower, Number, Symbol, separated with periods. Replace the “c” with a 3, since it’s the third letter. Replace the “k” with an underscore – the eleventh symbol on the keyboard. Granted, this would be incredibly slow to type. But, it’s probably also the most secure against dictionary attacks. (The third password is actually stronger against brute force attacks due to its length.)
There is one caveat here, though. Finding a single formula that works across all the different web sites out there is probably not possible. So, you may need multiple different formulas. And, then you’re back to where you started.
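To make the brute-force versus dictionary comparison above concrete, here is an added estimator (my own example, not code from the original post) that scores the three sample pass-phrases two ways: the search space an exhaustive attacker faces (alphabet size raised to the length, expressed in bits), and a rough phrase-guessing model in which an attacker already knows the site name and tries common words first. The character-class sizes, the small list of “common” words and the 20,000-word vocabulary are assumptions I chose for illustration; the ordering they produce is what the post argues, not a precise measurement.

```python
import math
import string

# Character classes an exhaustive attacker must cover once a password is
# known to use them. Class sizes assume a US keyboard (constructed values).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "space": ({" "}, 1),
    "symbol": (set(string.punctuation), 32),
}

# Constructed list of words and "text" shortcuts a phrase-guessing attacker
# would try first; the size of this list sets their cost in bits.
COMMON = {"i", "love", "the", "of", "for", "4", "<3", "my", "a", "and", "to", "about"}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, (chars, _) in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password):
    """Size of the smallest class-based alphabet that contains every character."""
    return sum(CLASSES[name][1] for name in classes_used(password))


def brute_force_bits(password):
    """log2 of the exhaustive search space: alphabet_size ** length."""
    return len(password) * math.log2(alphabet_size(password))


def phrase_bits(password, site, vocabulary=20000):
    """Cost, in bits, for an attacker who guesses whole words and already knows
    the site name: the site name costs nothing, a common word costs log2(|COMMON|),
    and any other word costs log2(vocabulary). Assumed model, not a standard."""
    bits = 0.0
    for token in password.split():
        word = token.lower()
        if word == site.lower():
            continue  # one guess: the attacker knows which site this is
        bits += math.log2(len(COMMON)) if word in COMMON else math.log2(vocabulary)
    return bits


def compare(passwords, site):
    """Return {password: (brute_force_bits, phrase_bits)} for a list of candidates."""
    return {p: (round(brute_force_bits(p), 1), round(phrase_bits(p, site), 1)) for p in passwords}


if __name__ == "__main__":
    samples = ["I love Facebook", "Facts About Crime", "4 the <3 of Facebook"]
    for pw, (bf, ph) in compare(samples, "Facebook").items():
        print(f"{pw!r:26} brute-force {bf:6.1f} bits   phrase-guess {ph:5.1f} bits")
```

Run as a script, it shows that “4 the <3 of Facebook” wins on brute force (five character classes and 20 characters) while “Facts About Crime” is the only one of the three that costs a phrase-guessing attacker anything, because two of its words are neither the site name nor on the short common-word list.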
Password Vaults (or Password Managers)
Don’t think you can remember all those passwords? Why bother when a password vault can remember your passwords for you? Password vaults are nothing more than encrypted databases for your passwords. In order to access the passwords in the vault, you need to enter a master password – to unlock the vault. Some even offer mobile or web-based solutions, so you can always access your passwords, wherever you are.
The key things to consider with password vaults are:
How strong is the encryption used to protect the vault?
You’ll want to make sure that the passwords are encrypted using an industry standard encryption algorithm.
How strong is your master password for the vault?
Remember to create a strong pass-phrase for opening your vault. It’s got the keys to your online kingdom in it, after all.
Can I access the vault when I’m away from my computer?
Some vault programs let you take your vault with you when you hit the road – either on your cell phone or via the web.
Personally, I use a password vault called 1Password, both at home and at work. I store my vault in my Dropbox, so it is automatically synced to all of my computers. Plus, because I can access my Dropbox from the web, and because 1Password builds a web interface into the vault itself, I can access my passwords from just about any web-connected device. There’s even an iPhone app (which I don’t use yet).
I’m less familiar with other vault software. But, a quick Google search for “password manager” turned up several, including LastPass, which I’ve heard good things about.
One final note on password managers: Many of them come with strong password generators. Before using them, make sure that their algorithms are “cryptographically random”. Otherwise, a generator seeded from something predictable can only produce a small, reproducible set of passwords, and an attacker who knows the generator can simply enumerate that set – a dictionary attack targeted at that specific generator.
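As an added example of the point above (my own code, not from any password manager), the generator below draws every character from the operating system’s cryptographically secure source via Python’s `secrets` module and reports how many bits of entropy a password of a given length carries. The second function shows why the ordinary `random` module is the wrong tool: seeded the same way, it produces the same “random” password every time, so its output space is only as large as the set of seeds. The 94-character alphabet and the 20-character default are assumptions for illustration.

```python
import math
import random
import secrets
import string

# Constructed alphabet: letters, digits and the printable ASCII symbols (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Build a password from independent draws of secrets.choice, which is backed
    by the OS CSPRNG. Nothing about the result can be reproduced from a clock
    value or a small seed, so each character adds log2(len(alphabet)) bits."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generator_bits(length, alphabet=ALPHABET):
    """Entropy of a generate_password() output: log2(len(alphabet) ** length)."""
    return length * math.log2(len(alphabet))


def seeded_generator_is_deterministic(seed, length=20, alphabet=ALPHABET):
    """Demonstrate the weakness the post warns about: random.Random is a
    deterministic PRNG, so two generators given the same seed emit the same
    password. A generator built this way has at most one distinct password per
    possible seed, no matter how long the password is."""
    first = random.Random(seed)
    second = random.Random(seed)
    a = "".join(first.choice(alphabet) for _ in range(length))
    b = "".join(second.choice(alphabet) for _ in range(length))
    return a == b


if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw}  ({generator_bits(len(pw)):.1f} bits)")
    print("seeded PRNG reproduces its output:", seeded_generator_is_deterministic(12345))
```

A quick sanity check when evaluating a vault’s generator is the second point: if the same inputs ever yield the same password, or if the tool is documented as using a language’s general-purpose `random` facility rather than its cryptographic one, the passwords it produces are weaker than their length suggests.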
Once I discovered how weak my personal passwords were, I went on a quest to inform myself. These posts are my way of remembering everything I learned. I hope you find them useful, as well.