Friday, 1 March 2013

How best to manage passwords

Originally published: 2010-03-17 on my old blog.  Superseded by http://blog.richbeales.net/2012/02/lastpass-or-keepass.html

How do you keep track of them and remain secure online?


This is an issue that everyone with internet access will have come across, although some may have sat down and thought about it more than others.  I'm betting that you have at least half a dozen passwords to remember.

Single password?

Many people use a single password for every site and account they access.  This makes it easy to remember, but it is insecure: if just one of those sites is broken into, the attacker gets your username and password, and the first thing they will do is try that same pair everywhere else, so a single breach potentially exposes not just that site but everything you access online.  Using a separate password for each site is the ideal solution, but few people can remember more than 6 or 7 passwords, and company policies that force a change every 90 days complicate this even further.

Password strength and length


More and more websites are enforcing stricter rules on how long your password must be and whether it needs to contain numbers or special characters; nearly all sites now require at least 6 characters.  The longer a password is, the more difficult it is to guess or crack.  The most common attack isn't a blind brute force of every possible string but a dictionary attack: trying each word from a word list in turn, together with the usual variations people make to them.  Substituting numbers or symbols for letters, as in p455w0rd, doesn't help, because cracking tools apply exactly those substitutions as rules and will reach it a few dozen guesses after "password".  Of course the longer and more complex you make your passwords, the more difficult to remember they become.  Another trap that many people fall into is using personal information as a password, such as a pet's name or favourite singer.  This information can be extracted from you using social engineering, and in many cases, with the likes of Facebook around, you've probably already divulged it online anyway!
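To show why p455w0rd falls so easily, here is a small rule-based dictionary attack, added as an example for this post (it isn't code from the original or from any cracking tool).  It assumes the breached site stored a salted SHA-256 hash of each password (a constructed stand-in for whatever really leaked) and uses a tiny constructed word list; real cracking tools work the same way, with word lists of millions of entries and far more mangling rules.

```python
import hashlib
import itertools

# Constructed word list for the demo; a real attack uses millions of entries.
WORDLIST = ["letmein", "password", "welcome", "dragon", "monkey", "qwerty"]

# Common "leet" substitutions. Cracking tools apply these as mangling rules,
# so p455w0rd is just "password" reached a few dozen guesses later.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

# Common tails people append to satisfy "must contain a digit/symbol" rules.
SUFFIXES = ("", "1", "123", "!")


def hash_password(password, salt):
    """Salted SHA-256, standing in for whatever the breached site stored."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def leet_variants(word):
    """Yield the word with every combination of LEET substitutions applied."""
    options = [(ch,) + tuple(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(wordlist):
    """Yield guesses in the order a cracker would try them: word, then rules."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    yield variant + suffix


def crack(target_hash, salt, wordlist=WORDLIST, limit=1_000_000):
    """Return (password, guesses_made) if found within limit, else (None, guesses_made)."""
    guesses = 0
    for guesses, guess in enumerate(candidates(wordlist), start=1):
        if hash_password(guess, salt) == target_hash:
            return guess, guesses
        if guesses >= limit:
            break
    return None, guesses


if __name__ == "__main__":
    salt = b"constructed-salt"
    for victim in ("p455w0rd", "Dragon123", "correct horse battery staple"):
        found, n = crack(hash_password(victim, salt), salt)
        print(f"{victim!r}: {'cracked' if found else 'not found'} after {n} guesses")
```

With six words and a handful of rules, p455w0rd and Dragon123 both fall in a few hundred guesses, while a long passphrase that isn't built from a single dictionary word survives the whole run.  Length and unpredictability are what count; a symbol swapped into a common word adds almost nothing.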

'Static' or generated passwords?

If you choose to "manage" and store your passwords properly, there are two options.  The first is a password-protected (encrypted) list or database of passwords, so that you only have to remember one password (to unlock the database), which then gives you access to all the others.  Several such programs are freely available on the Internet; two of the best are KeePass and Password Safe.  A further advantage of these tools is a notes field on each entry, useful for things like the memorable information some sites ask for if you ever forget your password.
The second option is software that generates your passwords for you, such as PasswordMaker.  You pick a relatively simple, easy-to-remember master password; the software then combines (hashes) it with the domain name of the site and half a dozen other settings (such as which characters the password may contain and how long it should be) to produce the password for that site.  Because the hash is one-way, someone who learns one generated password can't simply reverse it to get your master password and break into your other accounts.  Be clear about what the security rests on, though: the domain name is public and the settings are usually left at their defaults, so if one generated password leaks, an attacker can guess master passwords offline and check each guess against it.  The master password therefore still has to be strong.
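The following is an added example of a generated-password scheme of this kind, written for this post; it is not PasswordMaker's actual algorithm and the scheme, function names and the sample master password are my own assumptions.  It derives each site's password with PBKDF2-HMAC-SHA256 from the master password, the domain and a per-site counter, and then shows the attacker's side of the caveat above: with the domain known, a leaked site password lets someone test master-password guesses offline.

```python
import hashlib
import string

# Characters the site is assumed to allow; pass a smaller charset for sites
# that forbid symbols.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def derive_password(master, domain, length=16, charset=DEFAULT_CHARSET,
                    counter=1, iterations=100_000):
    """Deterministically derive a site password from the master password.

    Assumed scheme (not PasswordMaker's own): PBKDF2-HMAC-SHA256 keyed with
    the master password, salted with the domain and a per-site counter
    (bump the counter to "rotate" one site's password), then mapped onto
    the allowed charset.
    """
    salt = f"{domain.lower()}:{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    # Treat the 512-bit output as one big integer and peel off base-N digits;
    # with far more bits than needed the bias versus a uniform draw is negligible.
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(charset))
        out.append(charset[idx])
    return "".join(out)


def guess_master(leaked_password, domain, candidate_masters, **settings):
    """The attacker's side: the domain and settings are public, so a leaked
    site password lets them test master-password guesses offline."""
    for guess in candidate_masters:
        if derive_password(guess, domain, **settings) == leaked_password:
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed example master
    print(derive_password(master, "example.com"))
    print(derive_password(master, "example.org"))            # different site
    print(derive_password(master, "example.com", counter=2))  # rotated
```

The iteration count is the only thing slowing the attacker down in guess_master, and it is also what you pay on every legitimate derivation, so it buys time rather than safety; a weak master password is found regardless.  Note too that a site which forces you to change your password means bumping its counter, and that counter is one more thing you have to remember or record.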

A big disadvantage of both approaches is the all-your-eggs-in-one-basket problem - if you lose (or forget) the master password, you've lost everything, and with the generator approach changing the master password changes every generated password along with it.  To get around the first problem, several of the tools mentioned allow you to export your passwords to a text file, which you can then print out and lock away.

Multiple computers 

Now all of these solutions are great if you only ever use a single computer to access your accounts, but most people have two or more, for example a work computer, a home computer and maybe a laptop too.  You then have the hassle of maintaining separate databases, or of trying to keep one database in sync across all of them.

How to get to your password safe in the first place?

Now many of you may have spotted a problem with all of this...  how do you log onto your computer if you don't remember the password (because it's in your password safe and you're not logged in yet!)?

This is a question I don't really have a satisfactory answer to.  One of the solutions would be to write your passwords down on paper, but we've all at one time or another been told this is a bad idea.

Writing your passwords down

Why is it perceived to be such a bad idea to write down your passwords?  Actually, having your passwords written down isn't such a terrible idea if the list is locked away in your house.  A common or garden burglar is unlikely to be interested in your passwords, even if he knew where to find them, and the number of people with access to your house is vastly smaller than the number of people who can get to an internet-connected computer.  The real problem is writing them somewhere exposed, such as a note stuck to the monitor or a slip in your wallet.  As long as the list is kept safe, this method is an ideal back-up to the electronic solutions.

Solutions


Some companies and websites are starting to introduce measures to increase the security of their customers, such as two-factor authentication, single sign-on and one-time passwords.  A one-time password is exactly that: each code is valid for a single login, so a password that is intercepted or looked over your shoulder is useless afterwards.  Two-factor authentication increases security by (typically) requiring something you have (such as a keyfob which generates one-time codes) as well as something you know (your password), so a stolen password on its own is not enough.  Single sign-on is perhaps the best idea, but it requires every company or website to sign up to the same idea/technology.  One of the most promising is OpenID.
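As an added example (not from the original post or from any token vendor), here is the OATH HOTP algorithm from RFC 4226, which keyfobs of this kind commonly implement, together with the server-side check that makes a one-time password actually one-time: a code is accepted at most once, and only if it sits at or a little ahead of the counter the server expects.  The secret is the RFC's own test key, so the codes can be checked against the published test vectors; the verifier class and its look-ahead size are my own illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class HotpVerifier:
    """Server side: tracks the next expected counter for one token and accepts
    each code at most once. The small look-ahead window lets codes the user
    generated but never submitted (pressed the button twice, typo) go by
    without permanently desynchronising the token."""

    def __init__(self, secret, look_ahead=5, digits=6):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, code):
        window = range(self.next_counter, self.next_counter + self.look_ahead + 1)
        for c in window:
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.next_counter = c + 1   # resync, burning this and any earlier code
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test key, not a real token secret
    for i in range(3):
        print(i, hotp(secret, i))
```

Counter 0 of the RFC test key gives 755224; submitting it twice is rejected the second time, and a code from counter 1 is rejected once a later counter has been accepted.  A keyfob that shows a code changing every 30 seconds is running the time-based variant of the same construction, with the current time step in place of the counter.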

To conclude, there's no right answer to this problem, but there are several pitfalls and wrong answers.  Staying safe online requires a little bit of effort, but with passwords giving access to such important information as your online banking, it's worth the effort.  If you've got a solution you use, please share it by adding a comment.