Monday, August 22, 2011

On Passwords

Multiple people have recently asked for information about how to create, use, and protect passwords.  We all have them, but - oddly - no one teaches us anything useful about them.  Some of us figure these things out, but most people never do.  And if you don't think about it, it is very easy to get into real trouble.

My goal is to help you avoid having your accounts hacked and your identity stolen.  There is a lot of information here, I know, but the topic is important.  Please read on.

First, the obligatory disclaimer:  I am not a security expert, and would never claim to be one, though I have spent enough time in high tech to be able to discuss this issue in some depth.  Hopefully I can make it clearer to you, but the subject is much deeper than even I know.  If you are interested there is a lot more to learn.  It's also important to note that even if you follow all of the best practices you can still have a password stolen or cracked. Sorry, but that's the truth.

Please consider this entire piece my opinion only, and note that your mileage may vary.

Begin At The Beginning:

The first problem with passwords is their very name: "password".  Many people think a "password" has to be a word because that's what it says.  Nope.  And, in fact, a single word - any single word - is just about the least secure thing you can use for a password. To explain why, and eventually get to how to create and protect good passwords, I will cover the following things:
  • How Passwords Work - A short overview of how a simple password system actually works.
  • How Passwords Are Compromised - How the bad guys get them without much work, without even having to guess or decrypt them, and how to protect yourself from at least some of those issues.
  • How Passwords Are Cracked - How a password is actually figured out "the hard way".
  • How To Create Good Passwords - What makes one strong and another weak.  How to create good ones reliably.
  • How To Manage Too Many Passwords - How do you remember 50 different passwords?
  • Other Thoughts on Passwords - Some other things to note in the world of passwords and security.
  • In Summary - A very quick recap.
Here we go...

How Passwords Work:

On any well designed system, passwords are stored in a text file or database table that contains your login name and an encrypted version of your password, among other things.  Here's a made up example table with those two fields separated by a colon.

bob:7y+kj8hs
jeff:IY67kH_1
jeffa:9jHg=ih1
mary:khy8ue4_
susan:iop74rf3

Part of a password system involves some complicated program code to encrypt passwords.  An encryption routine takes a string as input and returns a different string as output, with the intent that the output string cannot easily be associated with the input string.  In the example, we can see that jeff's encrypted password is "IY67kH_1".

I won't bother with the math behind encryption, mostly because it is way beyond me.  Suffice it to say that it is very, very complicated, and there are many ways it can be done.  The goals, though, are easy to understand:
  • No one should be able to look at an encrypted string and find out what the original string was.  Even with a super computer capable of doing math very quickly and knowing the code used for the encryption, the problem - going backwards from the encrypted string to the original password - should take hundreds of years.  Incidentally, this is why you can't just get someone to look up and tell you your password on a well designed system.  It's encrypted in such a way that no one can practically reverse it.
  • The encrypted output needs to be in some standard format.  The simple example above has the output string limited to 8 characters, and allows both alphanumeric and a few special characters.
With that background, here's how a very simple password system works.  First, the system looks in its table for the user name.  If it doesn't find it, it emits an error of some kind (usually saying it's an "invalid user") and lets the user try again.  If it finds the user, it takes the password that was entered, encrypts it, and compares the result with the encrypted password that user has in the table.  If they match, the user is logged in.  If they don't match, an error is emitted saying something like "bad user name or password", and the user gets to try again.

As an example, we'll use my made up login - "jeff" - and the corresponding made up (and very poor) password "obvious".

If I enter "julie" and "bad_password", I get "invalid user" because there is no user named "julie" in the password table.  Note that the system didn't even both doing anything with the password I entered because there was no matching user.

If I enter "jeff" and "bad_password", I get an "invalid user or password" error message.  The system isn't sure if I entered the wrong user name or the wrong password.  (It is true that I entered a valid user name, but I might have entered the wrong one.  Perhaps I meant to enter "jeffa" and didn't type the final 'a' in the user name.)

if I enter "jeff" and "obvious" the user name matches a valid name, and the password, once encrypted to "IY67kH_1" matches the entry in the table, so I am allowed into the system.

Note that you cannot enter the encrypted string as your password.  If I enter "IY67kH_1" as my password when I log in, that string will be encrypted to something else, and the result won't match, so my login attempt will fail.

That's it, a very simplified version of how a password system works.  There are many wrinkles, or course: how to create a new user and their password, how to change a password, and various ways to make passwords more secure, among others, but the core of the system is there.  Your password gets encrypted into a string that can be safely stored in the system, and that string is compared with the encrypted version of the password you enter when you want to log in.  Most importantly, no one can read or see your actual password.

How Passwords Are Compromised:

The first and biggest risk most of us suffer from is making our unencrypted passwords readily available to the bad guys.  Hopefully a lot of this is just review, but the following are some of the common errors people make when dealing with passwords
  • We give our passwords to the wrong people.
  • We let others see us enter our passwords.
  • We write our passwords down.
  • Even worse, we send our passwords to others in email.
  • We use insecure computers where malware has been installed.
  • We respond to phishing attacks.
  • We enter our passwords into insecure systems or use insecure protocols to send our passwords to systems.
  • We use the same password for many systems.
These are all common sense things, but they turn out to be ways that passwords are regularly stolen by people who aren't above doing bad things with them.  Note that none of these cases talk about what your password actually is.  Though there are important issues related to password selection, the first thing you have to do is develop good "password hygiene".

The most important, and yet simplest rule of password management is never, ever, tell your password to someone you don't trust, 100%.  Period.  Can you count on that person to keep it a secret, and not let it out?  Even accidentally?  Probably not.  Even for a friend or a spouse the chances of letting it slip are high, particularly given the above list of issues. The best way to protect yourself is to keep all your passwords private all the time.

This isn't always obvious, though.  An example: someone calls from your phone company, claiming they are doing some system maintenance on your account and asking for the password you use to get into their online system.  Do not give it to them.  They should not need it.  Ever.  If for some reason you are inclined to believe them, hang up, call the company yourself, and ask someone in customer service about it.  If you make the call - to the company's 800 number - and the new person you talk to says the request is legitimate - and they do need the password - it is safer.  It's still stupid, but safer.  After all, you are about to tell your password to another human, who could easily write it down and do bad things with it later.  Any well designed system should never require a user to divulge a password to a human, particularly via some non-secure route, like over the phone.

Note that you cannot just ask the original caller for a phone number to verify things.  They could give you a number for a collaborator who will tell you exactly what they want you to hear.  Get the phone number for yourself - from the company web site, perhaps - and call that.  Only when you initiate the call to a known good phone number and are told that the request is legitimate should you consider complying.  And even then you should ask to speak to a manager and tell them that their systems are poorly designed and they should not be requiring their customers to give their passwords to strangers over the phone.

Assuming you are keeping your passwords to yourself, the next step is to avoid having others see you enter them.

When you go to the ATM you look over your shoulder before entering your PIN, right?  That's the idea, but you have to think about it all the time.  When you enter a password into your smart phone - even just to unlock it - while standing in the terminal at an airport, how many people just saw you enter that number?  And if your phone is stolen 10 minutes later, they have access to everything on it, right?  If you're in the library using a computer and someone watches you login, that account is compromised.  Your boss watches over your shoulder as you login at work... compromised.  And so on.

Those who are paranoid about these things might seem crazy.  That ATM on the street in town is risky because someone standing at a window 3 floors up across the street with a pair of binoculars and a good digital camera can read the account number off your ATM card as you put it into the machine, and see your PIN as you enter it.  Yes, really.

You have to be certain that when you enter your password - for any system - no one sees you do so.  While that sounds simple, most people don't think about it much, and the results are all around us.

Next: do you write your passwords down?  You might have dozens of them, for various sites at work and on the Internet.  Can you remember them all?  Of course not, so you write them down.  And where is that paper with the passwords save?  Under your keyboard?  In the pencil drawer of your desk at work?  Taped to your monitor?  Any passwords that are written down are, by definition, already compromised.  If you have to write them down, at least put them someplace no one can see through your windows or passing by your office door, and where they won't ever be looked for, even by a determined thief with time to kill.  But, in truth, a written password is a compromised password, and you should never write them down if you can avoid it.  There will be more on how to manage large numbers of passwords later on.

By extension, sometimes people or systems put passwords in email.  The problems with that are much, much worse than just telling the recipient the password, or writing it down.  Unless you do something special - which most people never figure out - email isn't encrypted, and it can be routed through many different computers between you and the recipient.  It can be copied, left on disks along the way, and read by various people with access to those computers along the route.  Any password in an email should be assumed to be compromised.  If you encounter an online system that sends your password out in email, first change it immediately, then send the site a note complaining about it.  Better yet, cancel your account with the site and tell them why you did so.

An exception to passwords in email is if you are resetting a forgotten password.  The site may send you a new password in email in this case.  When they do, login IMMEDIATELY and change that password to something new that was never in an email.  There are limited options in a password recovery setting, and emailing out a new password - often one that will expire quickly or that can only be used once - is acceptable, but you must follow through and change it quickly to reduce the risk that someone will get into your account with that new password before you do.

Assuming you're careful about all of those risks, then you must consider the computers you are using.

Computer viruses, key loggers, and other malware are a significant threat, and probably account for the bulk of compromised passwords.  These risks are more severe for any computer running Windows simply because there are so many of them in the world.  Some argue that Windows itself has more security holes for various reasons, and so is inherently unsafe.  My opinion is that was demonstrably true years ago, but it may be changing for the better lately.  Still, if you want access to a lot of passwords you go where they are, right?  That's Windows.  Macs are starting to get attacked as well, though, so don't rest on your laurels if you're a Mac user.  And other operating systems will eventually have the same problem if they don't already, so use caution.

As a rule, don't do anything critical on a public computer, or one whose status you don't know.  Library computers are handy, but do you know they are up to date, virus scanned, and free of malware?  Probably not, so don't do your banking there. Always exit and restart the web browser completely before using it on a public computer, and check to see that the operating system and anti-virus software are up to date as well.  If you can't tell it is up to date, I wouldn't enter any passwords - or do anything personally identifiable - while using that computer.

On your own computers you should always keep the operating system up to date and install patches as they come out, since they fix vulnerabilities that can make your machine open to viruses, key loggers, and other malware.

A key logger is a program that runs in the background and stores all of your key strokes, sending them off to someone else when something interesting happens.  If it sees a request from your web browser to a bank, stores the next 500 key strokes you enter along with the URL it saw, and sends it all to the bad guys, your bank account could be empty in the morning.

To avoid this, always run a good anti-virus program.  These can help reduce the risk that you are compromised, though they cannot completely eliminate it.  New viruses - ones not yet recognized by anti-virus software - are always popping up, so while they are a good defense, they are not perfect.  Still, they are a requirement.

Keeping your software up to date is critical.  Anyone still running IE6 or Windows XP is in serious jeopardy of having their identity stolen.  Old versions of any browser or operating system have similar issues, though.  If you are running Windows, consider running any browser other than Internet Explorer.  For a long time IE was the most used browser out there, and therefore the biggest target.  Security problems were often found in IE as a result of that market dominant role.  There are security problems in FireFox, Chrome and Opera as well, but they are different, generally less commonly encountered, and less likely to be taken advantage of.  Install one of those other browsers, keep it up to date, and use it for anything critical - like online banking - at least.  In my opinion, IE has improved, but not enough that I would trust it yet.

Another layer of protection comes from practicing "safe software".  That's an old term for being careful about how you handle data and move it between computers.  If you get an attachment in an email, don't open or run it, even if it comes from someone you know.  The sender might have an infected computer that sent you that email without his knowledge, and it could easily contain a virus.  If it is important that you view or run it, save it to disk, scan it with your up to date anti-virus software, and only proceed if it is clean.  (Some anti-virus software scans email attachments as they arrive, which is great, but caution is always best.)  If you are given a disk or thumb drive, scan all files on it for viruses too, before running or opening any one of them, for the same reason.  In fact, if you move a thumb drive or disk from a computer you don't trust to one you do, scan it for viruses before running or opening anything.  There are viruses that travel via thumb drives, for example, and can hide on the drive without affecting the files on it.

This may seem like overkill, but the number of infected computers is huge, and the number of security holes in any operating system or program is high.  You have to be as careful as possible to avoid infecting your computer with something that will give your passwords - and your identity - to someone else.  As a bonus it helps avoid viruses that do damage to your computer and files, so it is good practice in any case.

And while we're talking about these things, be extra careful about email.  Never "click through" an email to get to a website and login, even if you think it looks OK.  This is particularly critical for banking related sites.  The specific attack is called "phishing", and it is deceptively simple.

The bad guy sends you (and 10 million other people) an email that looks like it comes from your bank.  The return address is your bank, all the usual graphics are there, and so on.  You click on a link in the email and wind up at a web page that looks just like your bank's login page, so you enter your name and password.  What happens next doesn't matter, though, because you've just given your login details to the bad guys.  The email was a fake, and the web site didn't really belong to your bank.  You can bet they will be getting into your account quickly, though, and taking all the money they can get from you.  Or they might wait six months and hack you then, when you've totally forgotten about this incident.

To avoid this, do not click on links in an email, or at least don't login from pages your get to by clicking on links in email.  Bring up a browser window and enter the URL for your bank manually, then login and do whatever the email said you need to.  If you have any concerns about the validity of the email call the company in question on the phone - using a known number you got from someplace other than the email you're not sure of - and ask about it.

Sadly, there are other ways passwords are compromised, and some are harder for the average user to notice.

Some programs don't encrypt passwords when they go over the Internet.  Such systems are nearly as bad as putting your password in an email.  And if you use such a system on a wifi network you're totally hosed.  Reading packets on a wired network is pretty simple, and snooping other users on an open wifi network isn't hard either.  In short, know where your passwords are going, and be sure you are using HTTPS or other secure protocols to send them over the network.  Your browser will show you a lock icon if it is sure the site you are connecting to is using HTTPS.  If it isn't secure, be careful about entering your login and password.

Sadly, some sites use HTTP - an insecure protocol - for the login page, but use HTTPS to send the user name and password.  Thus, the page you appear to enter the login data into isn't shown to be secure by your browser, but the connection made to send the data to the server actually is secure.  I generally find these sites have a second login page that is fully delivered in HTTPS, and thus easier to recognize as secure.  Look for a link labelled "login" or something similar on the non-secure main page and see what you find when you click on that.  Complain to sites that don't obviously use HTTPS for their login page, so they will fix things to be more obviously secure.

Finally, in the realm of things that weaken your security, don't use the same password for multiple accounts.  If you do, and it gets compromised, you have a major problem.  If the login and password you used for your yahoo email account can get the bad guys into your bank, or the account you have to manage your airline rewards program, well, you brought the trouble upon yourself.  Using different passwords is critical.  Yes, it is a problem to manage and remember all those passwords, but it is a critical step to keep your data - and identity - secure.

Security of any type begins by keeping your important login information safe.  How paranoid you want to be is up to you, but the risks described here have gotten people in trouble - in real life - for years.  How many spam emails have you gotten from someone you know?  The password for some email account they have was compromised - probably in a way described above - and was used to send that spam.  It happens all the time, and sending spam is probably the least bad of the things that might happen as a result.

Even if you're careful about who you share your passwords with, the computers you work on, and so on, an account can still get stolen.  At this point we're talking about passwords themselves and how they get cracked, which is a whole different kettle of fish.

How Passwords Get Cracked:

A cracked password is one that someone figures out in some technical way, possibly by reversing the encryption, or (more likely) by guessing likely passwords until they find one that works.

In general it isn't the NSA (or some similar foreign government agency with a zillion dollars and lots of time) who wants into your account.  Instead it's some kid in the Ukraine who wants to empty your bank account, or some "friend" who wants to ruin your day.  These people have no budget to speak of, and won't bother to wait 250 years for a computer program to reverse your password.  So they go after the simple stuff and hope to get lucky.  It turns out there are lots of simple things they can do to get into your accounts, and your choices can make things easier or harder for them.

Some of these methods won't look easy to you, but they are actually pretty simple.  In many cases you can get programs to do these things for free - or very little money - in the darker corners of the Internet, and the good guys use very similar tools to check the security if networks, computers, and passwords all the time.  Also note that some are used in combination, but for simplicity I describe them individually.

The first approach is to try obvious passwords.  Many studies report that lots of people use really simple passwords, which means the hacker can try a few dozen passwords and often find a way in.  Some examples of bad passwords include: "abcdef", "password", "qwerty", "12345678", and so on.  It turns out that any simple thing for you to type or remember is just as simple for someone else to guess.  In any given system a large percentage of accounts are vulnerable to this sort of attack.  If 20% of gmail users have really obvious passwords, the only real problem is figuring out which of those gmail accounts the bad guys want to break into, right?

Another thing they can try is a dictionary attack.  It is easy to get a list of words - a dictionary - and try them all.  The bad guys try logging in with your user name and each word in the dictionary as the password until it works.  The chances of success are high because so many people use real words as their passwords.   Near the top of this article I said that any single, real word is a weak password.  Now you know why.   It can take a while to break in if they are logging in from a remote computer, but they don't do it by hand.  Instead they use a computer program to do it.  This kind of attack is disturbingly simple and effective.

There are tricks to make a dictionary style attack work faster.  If the bad guy can get the list of user names and encrypted passwords, for example, then he can look for weak passwords much more quickly.  An insider can get that data for him, a security bug might expose the data, or a poorly secured computer system might make the password table available to an earlier attack.  Once they have the table, they simply encrypt an entire dictionary once and compare the results with all the encrypted passwords in the table.  Any matches they find become hacked accounts because they know both the login name and the original password. I am simplifying a lot, but this does happen.

If someone wants to get into your account specifically, and not just any account on a system, they can try things related to you in particular.  If they know your birthday or anniversary, the names of your spouse, children, and pets, the kind of car you drive, and things like that, those turn out to be likely passwords.  Trying a bunch of them may get them into your account because so many people use things related to themselves as passwords.  Also, many of those things are regularly used as answers to security questions, which are asked when you forget your password and want to reset it.  More on that later, but if the bad guy can get the system he's hacking to reset your password to something new, he's gotten in (or kept you out), so keeping personally identifying information private is always a good idea.

If someone is really serious they might try calling you and claiming to be from the company whose site they are interested in, and ask you for your password directly, as part of some security check.  If you fall for it, you might give them the password yourself.  Or they might claim to be doing a survey and ask for the number of people who live with you, their genders and first names.  Now they have additional passwords to try.  They might call your friends and associates at work and ask questions about you, again leading to possible passwords.  They could also call your system administrator at work, pretend to be you, and ask that the password be reset, at which time they can get into your computer because they are told (or even pick) the new password.  This is called a social attack, and while it isn't common to do this to get into someone's Facebook account, it is often used to get into more important systems.  Corporate or government espionage can happen this way, as can people trying to get data from the police or other organizations with information that isn't publicly available.  Celebrities suffer these sorts of attacks as well.

To avoid most of these issues, the best defense is a good, strong, password, one that you've told no one else, that isn't associated with you in any way, and which is hard for a computer to figure out.  Any particular system may impose limits on your password choices, but the basic ways in which you can create strong passwords are pretty simple.

How To Create Good Passwords:

The best passwords are hard for computer programs to guess or figure out, but easy for humans to remember.  That leads to some obvious choices in password selection.  The longer the string, the harder it will be for a computer to reverse the encryption process, for example, so longer passwords are better.  Non-words are always better than using a single word, but multiple words is good, particularly if they are unrelated.  Using special characters, numbers, and mixing case makes the password that much harder to guess - or reverse - too.

The system you are working with may impose limits, though, many of which are particularly stupid.  Maximum length limits are a problem; older systems often limit passwords to 8 characters, for example.  Some systems won't allow spaces or non-alphanumeric characters in passwords, or perhaps just a few special characters are possible.  These sorts of systems are making your life less secure, so consider just how much you need to use them at all and avoid them if you can.  Where you have to use them, though, you have to work within their rules.

If the system has no length or character limits of any significance, you can create long passwords by using multiple real words strung together:  "zebra goldfish piano golf".  While that is just four real words, all in lower case, that phrase of 25 characters is not in any dictionary, so it isn't subject to a dictionary attack, and it isn't associated with me in any way, so it cannot be guessed from my personal information.  In addition, even though it uses only lower case letters, it's long enough that reversing the encryption on it will be very hard.  This technique - stringing together a few normal words that you can easily remember - is a powerful one, and it is recommended if the system you are using supports it.  Note that you should not use words related to the system in question, either; "password for yahoo mail" is a poor choice for your yahoo mail account.   Also note that the spaces are optional: "PeanutSystemFlagCthulhu" is a perfectly good password.

If the system you're using requires shorter passwords, the best technique I have encountered is to use the first letters of a phrase, often with some substitutions or case changes.  For example, if I remember the phrase: "This is my password.  It should be longer."  I can use the first letters to create my password: "TimpIsbl".  If I want to I can substitute something like a number 1 for an i, and perhaps a $ for an s, creating: "T1mpI$bl".  These kinds of passwords work well on systems with limitations on length and/or characters allowed.  They are not easily guessed, provided the phrase is well chosen and unrelated to you in any way, and can contain as much character diversity as whatever system you're using allows.  Pick a phrase that you will remember easily, make a couple of substitutions in it, and you're done.

Whatever you do, don't use a single, real word as a password, and don't use anything easily associated with yourself, your family, your history, or the system or company the password is related to.

Here are some other things to avoid while creating passwords:

Managing multiple passwords is a challenge, so some people use passwords that are related in some way to help remember things.  This can work, but can also introduce risks, so be careful.  If all of my multi-word passwords are of the same form:

        password 4 email
        password 4 bank
        password 4 shopping

they are much less secure.  If one gets compromised, the bad guys might start guessing at the other passwords I use with some success.  Thus, patterns in your passwords should be avoided.

Some systems require you to change your password regularly.  In my opinion this is a really poor choice on the part of the system administrators, but it does happen.  Many people using these systems can't remember their passwords since they change so often, so they do one of a few things to help remember them.  Often they write them down somewhere, resulting in a list of passwords that they just add to as they change, and making their password available to anyone finding the list.  Alternately they may use change some part of the password each time but leave the rest the same.  This can result in much less secure passwords, commonly involving dates:

        MayPassword
        JunePassword
        JulyPassword

and so on for a system requiring monthly changes.  These sorts of passwords are less secure than a good password that is unrelated in any way to the user (even if that password changes much less often) and they regularly get written down too.

Telling your system administrators that password rotation is a bad idea will probably get you nowhere, though, so be a good citizen and pick a new, good, password each time, preferably using one of the methods given above, and read on to learn a bit more about how to manage large numbers of passwords.

How To Manage Too Many Passwords:

I don't know about you, but I am lucky to be able to remember the number of my own cell phone, so a huge list of passwords is a real problem.  And in this day and age that huge list is all too real. Keeping them straight is a significant challenge, one that I am not certain we have resolved just yet.

Still, there are at least a couple of approaches for this sort of thing.

The first is to avoid passwords entirely whenever possible.  If an online shopping site gives you the choice, don't create an account with them.  Yes, it means you'll have to enter your data every time you come back, but you also won't have to remember another password.  An added benefit is that they may not keep any permanently stored data about you, which means there is less chance of having your data compromised if their servers get hacked.

The alternative is to create a throw-away login every time you use a site, and never come back to it.  You can use a random string as your password and not remember it at all.  If they need an email address, remember that many email systems let you add a dash and additional characters to your email address, so you can give them something unique, and later filter out all email from that site if they start sending you spam.  For example, if your email address is foobar@gmail.com, you can tell a website that your email address is foobar-xyz@gmail.com.  Then, after your business with the site is finished, you can add a filter in gmail to get rid of anything sent to foobar-xyz@gmail.com.

If you really want to sever the connection between you and the site, though, create a whole new email address with any of the free email systems, use it for one or a few transactions or sites, and then delete it.

And while you're thinking about this, you don't have to give most sites on the Internet real data about you.  They want your birthday?  Tell them you were born on January 1, 1902 and are thus well over 100 years old.  How will they know it isn't true?  Remember that any personal data you let out is something that can be used against you, to hack any less than perfect passwords, or as part of a concerted identity theft effort.  If there isn't a good reason for the site to have that data, don't give them anything real.

But even using those tactics we still have too many logins and passwords to remember.  The list is long: banks, shopping sites we use a lot, places we pay bills to, information sources, and so on, not to mention the inevitable systems at work.  In these cases you cannot create a new account each time, and thus an alternative is needed, and that alternative is called password management software.

Password management software gives you a way to store all your passwords in a safe, encrypted format.  You get at them using a master password, and then once that system is running you can copy your user names and passwords and paste them into the login pages of websites you use.  When you exit your password management system it locks up your list of passwords in an encrypted format that, in theory, only you can get at.

The security of all password management software requires that your computers are up to date and virus free.  Anything that can run at will on your computer and/or log your keystrokes means you have no security, so always, ALWAYS, patch your computers and keep your virus scanner up to date.

There are at least 2 kinds of password management software:
  • It may be installed on your computer
  • It may be a service you use over the Internet
Software installed on your computer means that no one other than those with access to your machine has any chance of getting your passwords, so it is potentially safer.  On the other hand, you can't get to your passwords from multiple computers, so if you use more than one it may be less useful.  Do an Internet search for "password manager" to find programs available that do this sort of job.  Compare them for features and read reviews before making a choice.

An online password manager does the same job as one you install on your local computer, but it is a service provided by a company, and it requires an Internet connection to use.  That may seem like a drawback, but remember that if you need passwords you're probably online already, so it generally doesn't matter.  Online services of this type let you access your passwords from more than one computer - you just need to remember your master password to get in - but your data is stored on their servers, not your local machine.  I suggest looking for services where all encryption is done on your local computer before any data is sent to the servers.  That makes the data more secure, but it usually means that the service provider cannot recover your data if you forget your master password.  A search for "online password manager" will find these services.  Again, compare carefully before making a choice.

Both locally installed and online password managers let you save user names, passwords, URLs, and often other data associated with each login you're storing.  They have user interfaces that let you copy a password without displaying it, making it impossible for someone looking over your shoulder to see what your passwords are.  Many have tools to generate new, strong, random passwords for you, so that you can create unique passwords for each site you use.  Some have the ability to automatically log you in to sites as well.  Once you store the URL and the needed login data, you can get the tool to bring up a new browser window automatically logged in to the site of your choice, usually with just one mouse click.

Password management tools are important if you have to manage many different accounts, but they all suffer from the same weakness: the master password.  If that password gets compromised, all the passwords you have stored in the service or software are at risk.  For that reason it is critical that you treat that master password with care, and that it is as strong as you can possibly make it.  Never, under any circumstances, share it with anyone, and don't write it down.

I'm not going to recommend a password manager program.  Doing so is beyond the scope of this document, and individual requirements vary substantially, but there are quite a few choices available.

Other Thoughts On Passwords:

Many online systems make use of so called "security questions" as part of a password reset system.  Basically they let you select one or more questions and tell them what answer to expect when they know who you are, and then later - if you forget your password - they ask you one or more of those questions and will do the reset if you provide the expected answer(s).  The problem with these systems is that they are inherently weak as most users deal with them.  Maybe you're given a choice of the following questions:
  • What is your mother's maiden name?
  • What was the name of your first pet?
  • Where were you born?
  • The last 4 digits of your social security number
And you give them answers like:
  • Marx
  • Groucho
  • Tuskaloosa
  • 1234
The problem, of course, is that none of that data is secure in the modern world, and yet each one of those answers is, effectively, a password, and should be treated like one.  Of course that data is easy to remember, but by this point in your life how many people know where you were born, or the answers to any of those other questions?  If you're like most of us the answer is a lot of people know these sorts of things, and many of the rest of those answers can be searched for on the Internet for little or no money.

For some reason it seems like almost every company I deal with uses the last 4 digits of my SSN to confirm my identity, and with genealogical web sites abounding, mother's maiden names are common knowledge.  In fact, the answers to most of the usual security questions are a very simple social attack away from being compromised, if they aren't already commonly known or easily searchable.

What to do?  Treat those questions just like they ask for a password, not as a request for specific data.  The computer will never know that your mother's maiden name isn't really "Cg6y_t@$fg", but the bad guys won't know that was what you answered that question with either.  Of course, now you have yet another password to remember, and this one is going to get even less use than the regular password you use to get into the site, but if you're using a password management system which lets you take notes, you can log the security questions and your chosen - nonsense - answers there, for lookup when you need them for some reason.

This may seem like a lot of effort, but it is easy to disrupt people's lives - and sometimes steal their money or identity - using password recovery systems.  Don't treat them lightly.

Another place where we get lazy - and risk compromise - is by letting our web browsers store passwords for us.  This is very convenient, of course, and at times it is just fine.  If your browser remembers your password for the local newspaper, perhaps, and it gets compromised, someone can read articles and maybe post comments as if they were you.  Not necessarily a big deal.  Things get worse, though, if your browser remembers your amazon.com password.  Now a thief can login and order things using the credit card numbers you have saved there, possibly costing you real money and time.  And if your banking passwords are stored in your browser, well, you might just as well leave your keys in the car and the engine running all the time.

Browser based password storage is fine for sites with essentially no risk as a result of a stolen computer.  But if there is anything important on a web site, don't ever let any browser store the password for you.  You have to remember it yourself, or use your password management system to keep track of it.  Anything else is asking for trouble.

And, of course, never use browser stored passwords on a shared or public computer.

ATM PINs are among the worst possible passwords in existence.  If they're limited to 4 digits there are only 10,000 possible PINs, which is way too tiny a set.  Sadly, though, ATM networks often don't deal with longer PINs.  I encountered this once, years ago, while travelling overseas.  My ATM card worked just fine in the US with my longer PIN, but was useless in ATMs where I was.  I only figured this out once I was over there, of course, and I had to go into banks to get cash.  Hopefully the banks will get a handle on this, but always be extremely careful with your ATM card.  Once lost it is a high speed route to an empty bank account.

In Summary:
  • Create good, strong passwords using the initial letters of a phrase or several unrelated words strung together.  In either case additional security comes with some character substitutions into upper case, numbers and special characters.  Be sure your selected phrase or words aren't related to you or the system in question too.
  • Never share your passwords with anyone, deliberately or otherwise.
  • Never use the same password for multiple sites.
  • Consider using password management software if you have too many passwords to remember.
Welcome to the modern world.  Ain't it fun?

Update 9/26/11: my friend David Clunie posted a blog post about this video, that discusses some of what I talk about above.  Thanks David!

2 comments:

  1. I read the whole thing! Gotta go change a few pass words! Craig uses a random pass word generator but I can't remember the strings unless I write them down.

    youve given me something to think about.

    ReplyDelete
  2. Thank you, Merikay. That post is so long I am afraid few will get through it, but I hope the couple of folks that actually requested it will. :)

    Cheers!

    ReplyDelete

All comments made on this blog are moderated by the blog's author, and he's a bit busy, so it may take a bit of time for him to approve your comment. Please be patient. He will get to it. Thank you!