Wednesday, January 21, 2015

Passwords.... Passwords Everywhere

The online world has grown so incredibly much over the past 20 years that it's mind-boggling. I remember when all I had to remember was a handful of passwords. Of course, back then BBSes were still in existence and the internet was an amazing playground just waiting to be explored, getting bigger every day.

Today the number of passwords you need to remember is astronomical. Because of that, password security is something people get extremely lax about. You hear jokes about people using 'password' as their password, or things like '123456', 'secret', or some other easy-to-remember word, phrase or date. In fact, an annual survey of the worst passwords of the year gets published. I hate to say it, but it's ignorance of password security that causes people's accounts to get hacked so easily. Now and again I get an email from a friend with a link in it, or directing me to "check this out". It's usually something out of character for that person. I am extremely skeptical and security-minded, so I tend to be wary of things. I will inform the person, and usually they confirm that their account was accessed illegally and that they just changed their password.

One of the biggest complaints I hear is "Sure, I can create harder passwords, but how will I remember them?". I can completely sympathize with that thought, but these days there are applications to assist you with that. There are password managers you can use to store your passwords in so you don't have to remember all of them. You just need to ensure that the password used to open that application is secure and that you remember it. That is what I would like to talk about in this post, because there are far too many easily brute-forced passwords out there. All a person would need is a really detailed set of dictionary files to work from and they could successfully get into one or more accounts on a system.

There are generally two types of applications: desktop-based and browser-based. The application you choose is up to you, but I recommend trying a couple out, finding one you like, and sticking with it.

One of the more popular applications is LastPass. LastPass runs as an extension to your browser and is available for all three major OSes (Linux, Windows and Mac) and all major browsers (Opera, Chrome, Firefox, Safari and *cough* *cough* IE). I use LastPass (almost) exclusively and love it! As you surf to a new site and log in (or create a login), LastPass will offer to create an entry for the site in its database (if it doesn't already have one). If there is an entry, it compares it to see if the login has changed (and offers to update the entry if it has). LastPass is quite handy, and because of it I have my browser's own option to save passwords turned off. Of course, that is something you shouldn't do anyway. One really handy feature in LastPass (and in other software as well) is the option to generate secure passwords. LastPass will generate one, and if you click the button to accept it, it will populate the form field(s) and then save a generic entry for that site. So handy! Oh, and LastPass is FREE!

If you are on a Mac, 1Password is comparable to LastPass. The main difference is that 1Password costs about $35, but it is well worth the money. It has a browser extension just like LastPass, but also has the added nicety of being its own application on the Mac. This allows you to store more than just website passwords. Maybe you have some company secrets you don't want getting out, or a list of combinations to your safes (mind you, I am being totally hypothetical here). Either way, you have options.

Moving on, another popular application is KeePass. This is a standalone application by default, but it does have plugins you can install to give it more functionality, such as browser integration.

One thing all of these applications have in common, though, is that the data itself is encrypted. That way nobody can just access your stored information without proper access. For all of these applications you need to supply a password to use them (which you set up after you initially install them). Some applications (like KeePass) have the added benefit of allowing you to specify a key (an ssh key, for example) for added security. This key would need to be present and the correct password also entered, providing a form of 2-factor authentication. This is nice because the key would not have to reside on the machine. You could store the key and database file(s) on a thumb drive (for instance), and keep them with you at all times.
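To make the "password plus key file" idea concrete, here is an added illustration (my own demo code, not KeePass's algorithm or file format): both factors are hashed into one composite key, the result is stretched with PBKDF2 so offline guessing is slow, and the vault only opens when the integrity tag verifies, which it does not if either factor is wrong or the key file is simply missing. The password, key file bytes and stored secret are all constructed for the demo, and the HMAC-based keystream stands in for the AES or ChaCha20 a real manager would use.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added demo, not KeePass code: every value below is constructed for illustration.

def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Fold both factors into one 32-byte secret.  Each factor is hashed on its
    own, then the hashes are hashed together, so a wrong or missing key file
    yields a different key even when the password is right."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()

def stretch(key: bytes, salt: bytes, rounds: int = 50_000) -> bytes:
    """Make offline guessing slow: each candidate costs `rounds` PBKDF2 iterations."""
    return hashlib.pbkdf2_hmac("sha256", key, salt, rounds, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream so the demo needs no third-party
    # library; a real password manager uses AES or ChaCha20 here.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]

def lock(password: str, key_file: Optional[bytes], secret: bytes) -> dict:
    """Encrypt-then-MAC `secret` under the stretched composite key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k = stretch(composite_key(password, key_file), salt)
    enc_key, mac_key = k[:32], k[32:]
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unlock(password: str, key_file: Optional[bytes], vault: dict) -> Optional[bytes]:
    """Return the secret, or None when either factor is wrong (tag check fails)."""
    k = stretch(composite_key(password, key_file), vault["salt"])
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, vault["salt"] + vault["nonce"] + vault["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    ks = _keystream(enc_key, vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], ks))

if __name__ == "__main__":
    key_file = os.urandom(64)  # constructed: the file that would live on the thumb drive
    vault = lock("correct horse battery", key_file, b"bank login: demo-secret")
    print(unlock("correct horse battery", key_file, vault))  # the secret
    print(unlock("correct horse battery", None, vault))      # None: key file missing
    print(unlock("wrong password", key_file, vault))         # None: wrong password
```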

Another option for keeping things a bit more available, if you have a Dropbox account or a similar service, is to store your databases in your Dropbox account and access them when you need to. Dropbox's site claims that your data, no matter what you store, is stored with AES-256 encryption. Even though the database files that go along with the KeePass application are already encrypted, the extra layer of encryption certainly doesn't hurt.

All in all, my recommendation is to try something out and see if you like it. If not, move on to the next one. Examine the features and see what is important to you from a security standpoint. I personally use a combination of LastPass for my internet logins, 1Password on my work laptop (company provided) and KeePass on my home laptop.

Feel free to Google "password managers" and explore what is out there. It is always better to be safe than sorry. Password security is no joke. What's nice is that these applications make the task of having harder, more difficult-to-crack passwords a bit more palatable, especially when they are doing the storing and remembering of logins for you.