Today we use hundreds of websites on a daily or weekly basis. Many of these require us to create and login with a password. Over time managing all of your identities is a serious challenge. I have decided to give an initial look at the problems and some solutions that you are likely already using to help in this regard.
Problem with Passwords
We’re Human
People use simple passwords that are common words, names, or are patterns of keys such as ‘qwerty’ or ‘asdfasdf’ because they are easier to remember. Many people also use a small number of passwords to login to hundreds of websites that they visit each day. I would also guess that many people use the save password feature with their browser in order to save from typing their passwords in each time they visit a site that requires it. Anyone can walk up to your computer and login to any website for which you have a saved password. So we use simple passwords, and reuse them, and store them in our browsers. How can we prevent ourselves from this inherently insecure behavior?
How secure is your password? Find out.
More Secure Yet Memorable Passwords with an Algorithm
In order to create better passwords you need to both make it less guessable, and also unique per application or website. Others have discussed a simple idea that can help with both ideas. The first thing to do is create your base password. It is smart to have this base password also be fairly hard to guess by adding in numbers and special characters. After you have your base password you need to come up with a simple method for creating a unique password for the given application or website. For example you might use the first 4 letters of the application or website name. So for ebay.com I might use a base password of ‘Steve#12’ and add the first 4 letters to the beginning of my base password: ‘ebaySteve#12’.
Generating Secure Passwords
(credit: http://dilbert.com/strips/comic/2004-12-05/)
If you want to make sure that your password is as secure as possible you need to make sure that it has an adequate length, has all types of characters from lower case, upper case, numbers, and special characters, and finally it needs to be randomly generated. If you use a management tool or form filling plugin there is likely a password generator in their tool set. This password generation website might also come in handy. The main reason people aren’t as likely to use these types of passwords is that you really can’t remember more than a few of these in your head, and thus they really should be used for financial accounts, your main email accounts, and as the master password to unlock your stored passwords (either within the browser, or using a management tool).
Trust No One (TNO)
Common sense would tell us to never trust a password with anyone else. Yet we freely give out our email password so that this new web service can check to see if any of our friends also using the service. This is where Facebook Connect, Twitter xAuth, Google OAuth, Windows Live, and OpenID/OAuth can help to allow that service you want to use to access your information without giving out your password. Keep this idea of trusting no one in your mind while you think about managing your online presence in a secure and safe manner.
Before we move on, please note that just because you don’t give a website your password doesn’t mean that they don’t have access to all your information. Let’s say you login to TwitPic and Twitter presents an option to Allow or Deny this website from accessing your account. Well this is good because they don’t have your password and therefore TwitPic can’t impersonate you and login to Twitter to change your email address. However, TwitPic now has full access to your account and can do anything that twitter’s API allows them to access. Just because you didn’t give out your password does not mean that you should allow any website you visit to authenticate you through one of these services (Twitter, Facebook Connect, Google Profile, etc). Also you might want to checkout your connections that you have allowed to access your account.
Check Twitter Connected Applications
Extended Security with The Second Factor
In order to help prove that you are actually who you say you are, a second factor of authentication can be used. This second factor should be something you have to carry with you in the form of a dongle, cell phone, or written password grid.
RSA’s website states, “RSA SecurID ® two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator)âproviding a much more reliable level of user authentication than reusable passwords.”
In order to use a second factor you login as normal, and then you will be presented with a question asking for the other factor which is usually a set of digits or simple PIN or word. You either press a button on the dongle or token generator, or read from your cell phone via SMS message, or otherwise find using the system you have chosen for your second factor. The use of something you have is very important in the banking industry, accessing a company VPN, or for other higher priority information and access. Unfortunately there’s no real great 2-factor solution for all websites, as some of them cost money (Verisign, SecureID), and other’s only work at specific websites (PayPal, Ebay)
Verisign’s VIP – Used to be free openID provider after purchasing the dongle, but it looks like it’s now meant more for the enterprise.
RSA’s SecureID – Mostly used in the enterprise for accessing company resources.
PayPal’s Security Key – useful to login to PayPal and Ebay securely.
Perfect Paper Passwords – usually custom implemented for your company’s intranet for example, but LastPass.com is setup to use it, and possibly others.
YubiKey – generic USB device that behaves like a keyboard and spits out random 2nd-factor passwords – in conjunction with a web service) or a static password – which is added to a password you type in – less secure, but creates a very secure single password, and you only have to remember part of that password.
Password Management
One you have devised a strategy to generate unique passwords, you might consider having a way to manage and store them all without having to remember them all in your head. This is where a password manager can help you out by letting you create and memorize one very secure password that unlocks all the other passwords you have saved in your digital password manager. There are a handful of options, and I’m sure a quick search would present a plethora of other options, but I’ll cover three of them here.
(credit: http://dilbert.com/strips/comic/1996-02-10/)
If you use Firefox or Opera you can specify a master password which you will enter every time you open the browser that encrypts all your saved passwords. Do not use a browser’s store password feature for any sensitive accounts unless you unlock that store with a password that you enter every time you launch the browser. This is definitely a good tool for not having to remember all your passwords, it only works for that browser on that computer.
Just remember to be conscious of the fact that now there’s only one password to protect all of your other passwords. It might be a good idea to store your financial accounts or sensitive email accounts separately, or maybe to not store them at all, and when you can use 2-factor authentication.
KeePass
This is where a password management tool can help by remembering the passwords for each site for the user. This allows the user to create a strong unique password for each site that requires it without having to remember all of these impossible to remember passwords. I decided to start using KeePass as my password management tool of choice, and it still is very good option, and highly secure if you use a strong master password. The KeePass tool can be run from a thumbdrive, which does allow for it to be portable, and the database file can be shared across multiple computers using a synchronization utility like Dropbox. For a long time this program has been a key part of my software utility belt – that is until I found LastPass, which I instantly fell in love with and immediately began storing all my passwords with them, after a careful look at their technology. There are other similar solutions – such as 1Password – but I haven’t used them and can’t really speak on their behalf.
LastPass
LastPass is a online password management tool that stores all your passwords on their servers which allows access to them from any computer or device that allows javascript in the browser. That might sounds like a horrible idea, but they have implemented a Zero-Knowledge (TNO) system which prevents them from being able to decrypt your passwords, and having full deniability if the government were to come knocking at their door as even if they wanted to they have no means to give them your encrypted data. I still use KeyPass where it doesn’t make sense to store passwords off-premise – most notably at work.
A Look Under LastPass’ Hood
Steve Gibson recently discussed the details how LastPass security is implemented on his podcast Security Now episode 256 and confirmed my belief that this really is a safe, secure, and brilliant solution. The system works securely by using a 256-bit AES key to encrypt and hash all the passwords locally on the client machine before sending across HTTPS/SSL to the LastPass servers effectively providing a fully Trust-No-One (TNO) solution that can be used from any browser that supports javascript, or through plugins, or mobile applications.
Final Thoughts
Remember that with security there is an inverse relation to convenience. In general, the greater the security the less convenient and the more convenient the less secure. Try and secure at least your main email account (the one that “forgot my password” emails are sent to) and your other sensitive accounts such as your bank, work VPN account, and think about using the algorithmic approach to generating a password for each of the websites you visit. Hopefully I’ve convinced you to at least view your passwords in a more serious light.
I’d love to hear and comments on how you manage your online accounts, or if you have any security issues related to this post.
</steve>
Other References: