Why Your Password Repertoire Isn't Cutting It

Posted by Phil on January 04, 2014

We've all been there at least once or twice: a friend or person we follow on Twitter, Facebook or Snapchat sends us a cryptic or oddly-worded message with a shortened link, the tell-tale sign of an account that has been taken over. The message about the importance of password security is generally well known to almost anyone using a computer these days: mix upper-case and lower-case characters, use some numbers, even throw in some "special" (i.e. punctuation or functional) characters if you're feeling enthusiastic.

While most of us (and I say "most" with all due optimism) adhere to these rules reasonably consistently, it's still remarkably common to hear about people who are using the same passwords across a whole bunch of services. Social networks are the most likely to see password reuse but we have web mail, online banking, shopping sites... how many times have you used the same password in multiple locations because, hey - you've picked a secure password and you can't be expected to remember a different one for every single site, right? Well the good news is you're right: you can't be expected to remember a different password for every single site and service you register with. The bad news is that the more times you reuse the same password (or small set of passwords), the greater your exposure if one of these services is compromised.

Many sites require your email address as a user name, and chances are you use a common user name across all those sites as well. What information would you expose across several sites if one of these services was broken into? Email addresses would be pretty typical, but what about credit card information? Phone numbers? Snapchat recently downplayed a fairly significant breach on New Year's Day that exposed its users' user names and phone numbers:

We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

That's nice. By the way, those counter-measures didn't work.

On Password Managers

The reason I'm looking at this is that while we're all in the throes of resolving to lose weight, exercise more, be nice to our neighbours and whatever else, a quick and easy resolution for 2014 should be to start using a password manager. There are loads out there to choose from but they generally all do the same thing: let you define long, randomly-generated secure passwords that you don't have to remember but can easily be retrieved and applied at any time.

A password manager is a lightweight piece of software that you install on your computer or as a browser plug-in (or both). You supply it a master password (for the love of god, make it a good one; "Password1" is not cutting it) as the metaphorical key to the front door and it handles the rest: storing credentials for websites, other installed software and anything else you care to keep locked away and private. A good password manager will allow you to specify the user name, generate a password for you (with constraints and requirements you can set), the URL or software to apply this credential to, and perhaps allow for notes, auditing and so forth. The trick is that these days we also have a lot of interconnected devices and we need to have our passwords available wherever we are, so the password manager needs to overcome that problem as well.
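To make the "generate a password for you, with constraints you set" part concrete, here is an added example of what that generator looks like under the hood. It is not code from the post or from any of the products named below; the character classes, the 20-character default and the special-character set are my own assumptions. It uses Python's secrets module (a cryptographically secure source, unlike random) and guarantees at least one character from each enabled class so that sites with "must contain a digit" rules accept the result. The entropy helper shows why a manager-generated password beats anything you would memorise: 20 characters from a 76-symbol alphabet is roughly 125 bits.

```python
import math
import secrets
import string

# Character classes a manager typically lets the user toggle.
# Assumption: the special-character set below is an arbitrary, broadly accepted subset.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!#$%&*+-=?@^_~",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "special")


def generate_password(length=20, classes=DEFAULT_CLASSES):
    """Return a random password of `length` characters drawn from the enabled
    classes, with at least one character from every enabled class."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    # One guaranteed character per class so site composition rules pass.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    # Fill the rest uniformly from the whole alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Fisher-Yates shuffle with the CSPRNG so the guaranteed characters are not
    # predictably at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies(password, classes=DEFAULT_CLASSES):
    """True if the password uses only the enabled classes and contains at
    least one character from each of them (the constraint the generator promises)."""
    alphabet = "".join(CLASSES[c] for c in classes)
    only_allowed = all(ch in alphabet for ch in password)
    each_present = all(any(ch in CLASSES[c] for ch in password) for c in classes)
    return only_allowed and each_present


def entropy_bits(length, classes=DEFAULT_CLASSES):
    """Upper bound on the search space, in bits, for a uniformly random password
    of `length` characters over the enabled classes."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, satisfies(pw), round(entropy_bits(len(pw)), 1))
```

The entropy figure is only an upper bound for a uniformly generated password; a human-chosen password of the same length is far weaker because attackers do not search the space uniformly.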

Are password managers generally secure? Well, the short answer is, "they're probably a lot more secure than the system you're using right now". If that doesn't help much, then consider that they all generally use high-end encryption algorithms (such as AES or Twofish) that are hard to crack and would take considerable computer processing power to attack. For what it's worth (especially given recent news regarding the NSA and online security generally), the NSA considers the AES algorithm to be of a high enough standard for classified government material. Password managers are very efficient once you become accustomed to using them regularly and in all probability increase your productivity by not having you search around for passwords you may have stored in other locations.
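One detail worth seeing is how the master password relates to that encryption: the manager never stores the master password itself. It runs it through a salted, deliberately slow key-derivation function to obtain the key that actually encrypts the database, and keeps a small verifier so it can tell a wrong master password from a corrupt file. The added example below (mine, not the post's and not any named product's implementation) shows that step with Python's standard library: PBKDF2-HMAC-SHA256 derives an encryption key and a separate MAC key, the header stores only salt, iteration count and verifier, and unlock returns the encryption key only when the verifier matches. The iteration count, the 16-byte salt and the verifier label are assumptions for illustration; the standard library has no AES, so the actual encryption of the vault with the returned key is not shown.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a real manager tunes this to its threat model and hardware;
# the value here keeps the example fast while still being deliberately slow.
ITERATIONS = 100_000
VERIFIER_LABEL = b"vault-verifier"  # assumption: fixed label the MAC key is checked against


def _derive_keys(master_password: str, salt: bytes, iterations: int):
    """Derive 64 bytes from the master password and split into an encryption
    key and a MAC key, so the verifier never reveals the encryption key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def create_vault_header(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Build the metadata stored alongside the encrypted database.
    Note what is absent: the master password and the encryption key."""
    salt = os.urandom(16)  # fresh random salt per vault
    _enc_key, mac_key = _derive_keys(master_password, salt, iterations)
    verifier = hmac.new(mac_key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock_vault(header: dict, master_password: str) -> Optional[bytes]:
    """Re-derive the keys from the supplied master password and return the
    encryption key if the verifier matches, else None. compare_digest avoids
    leaking which bytes of the verifier matched through timing."""
    enc_key, mac_key = _derive_keys(master_password, header["salt"], header["iterations"])
    expected = hmac.new(mac_key, VERIFIER_LABEL, "sha256").digest()
    if not hmac.compare_digest(expected, header["verifier"]):
        return None
    return enc_key


if __name__ == "__main__":
    # Constructed sample master password for the demonstration.
    header = create_vault_header("correct horse battery staple")
    print("wrong password unlocks:", unlock_vault(header, "Password1") is not None)
    print("right password unlocks:", unlock_vault(header, "correct horse battery staple") is not None)
```

The design point is that everything in the header may be read by whoever obtains the vault file; the only thing standing between them and the data is the cost of PBKDF2 multiplied by the guessability of the master password, which is exactly why "Password1" is not cutting it.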

Password Managers

Here are three password managers that I have unscientifically listed through the power of Twitter.

  • Keepass: Strong security, multiple user keys, portable. An open source product (i.e. completely free) that provides exceptionally thorough coverage of most users' needs. Allows detailed categorisation of passwords / companies / services and offers a search feature. Free.
  • Lastpass: Out-of-the-box cloud sync, browser integration, multifactor authentication. A highly-regarded, polished product that offers loads of options and good support. $12.99 p.a.
  • 1Password: As above. I particularly like their PR bit about "A priceless utility for only $34.99". $34.99 one-off payment.

What about the trusty old paper-based notebook? Is there anything really wrong with writing all your information down there? Well, for a start, most banks actively discourage you from writing your online banking passwords down; see, for example, ANZ's "Banking Safely Online" page. The key message appears on a different page but should not be understated:

Liability for unauthorised transactions will be determined under the relevant Terms and Conditions for the electronic banking service you are using.

Let's read that again: "If we've told you what you should do to protect yourself and you've been a muppet and done exactly the opposite, we might hold you accountable". In other words, if you write your passwords down [in a notebook or whatever], the bank reserves the right to determine liability under the terms and conditions you are contractually bound to. In fact, ANZ's Conditions Of Use [of mobile / internet banking] explicitly state the bank will not reimburse any losses. So go ahead and write those passwords in a notebook, but you better keep that thing in a safe with guard dogs and a moat of ravenous, man-eating sharks, otherwise if you drop it, forget it or generally leave it lying around...

In Summary

At a minimum, I'd recommend you install either Keepass (Windows users), KeepassX (*nix users) or iCloud Keychain (Mac users) and, in the case of the first two, store your password database on Dropbox or SkyDrive so that you can access it anywhere you want. Give it a decent shot! Don't just give up and fall back to your previous habits after a few weeks; this is something you want to stick at and become second nature with. It's incredibly easy once you've conquered the (negligible) learning curve. Go through your most commonly-used services like Facebook, Twitter, online banking, etc. and change the passwords to something the password manager generates for you. These get saved to your password manager and all you need to do to log in each time is find the relevant entry and click "auto-type".

I'm always keen to talk to people on this subject so drop me a line or tweet me. Alternatively, there's loads of further reading on Troy Hunt's site, with this post particularly relevant: http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html

Hope this helps.