On Sunday, it came to light that Gawker had experienced a long-term break-in that leaked the usernames and passwords of commenters on Gawker and its related sites like Kotaku, Gizmodo, and Lifehacker. Now we know that a lot of people use “123456” and “password” as their password.
Why should you care? You may not care about a Gawker account, but if you use the same username and password for that as for, say, your Amazon account, you could be in for a world of trouble. That’s why you should use a password manager.
Ideally you should use a different password on every site. Each of those passwords should contain 12 or more randomly-generated characters and include uppercase characters, lowercase characters, numbers, and special symbols. Now: try remembering all of those. Fun, huh?
That’s where a password manager comes in. You pick one strong password to encrypt all of your other passwords and let the manager generate random passwords and remember them for you. Ideally the password manager integrates with your browser so it can automatically fill in your username and passwords once you’ve opened your encrypted password database.
If you want a solid free option, try the unfortunately-named KeePass. It saves your passwords to a local database that you can put on a thumb drive, and it has a Firefox plugin that automatically fills in login forms for you. If you’d prefer something more user-friendly, try LastPass. It’s web-based, which is a little worry-making, but given how they’ve set things up, I’m comfortable using them for web passwords to services other than my email or bank sites. Pick a password manager, install it, and select a primary password for your manager. It needs to be a strong one, one that’s hard to remember, so consider writing it down and putting it in your wallet. As security expert Bruce Schneier has long been pointing out, we know how to secure bits of paper.
Ironically enough, Lifehacker has a good beginning and intermediate guide to using LastPass. They’ve also got a tutorial on using KeePass, if that’s what you’ve chosen instead.
Once you’ve installed your password manager, you should upgrade your “123456” passwords to something much stronger. LastPass and KeePass will both generate random passwords for you to use. It’s time-consuming and annoying, but it’s worth it. Use a password with a length of 14 to 16 — hey, the password manager is remembering it for you, so you might as well use something long and hard to crack — and use every symbol possible.
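If you want to see what “random, 14 to 16 characters, every symbol class” actually means in code, here is an added example (mine, not from the post or from KeePass/LastPass) that draws passwords from the OS CSPRNG, re-draws until every class is present, and computes the entropy so you can compare a 16-character all-class password with an 8-character lowercase one:

```python
import math
import secrets
import string

# The four character classes the post asks for.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 symbols


def has_every_class(password: str) -> bool:
    """True when the password contains at least one char from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Draw `length` chars with secrets (CSPRNG, not random.choice) and
    re-draw until every class is present, so no class is ever missing."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_every_class(candidate):
            return candidate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, has_every_class(pw))
    # About 105 bits for 16 chars over 94 symbols, versus about 38 bits
    # for an 8-character lowercase-only password.
    print(round(entropy_bits(len(ALPHABET), 16), 1),
          round(entropy_bits(26, 8), 1))
```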
Update: The LastPass blog has a tutorial on replacing old, sad passwords with shiny new ones.
For either KeePass or LastPass, are these “single machine” implementations?
For instance, I could totally see using something like this for my home machine. But, like right now, I’m posting from my work box.
Can I use the same password manager from both locations (and without compromising security)?
You can, with caveats. LastPass stores your database on their servers, so you can use it across multiple computers. Your passwords are only decrypted locally on whatever machine you’re on, and their db that contains your db is encrypted as well, but I’m still leery of putting any credit card info in there. LastPass will also let you use two-factor authorization, such as their Grid authentication method or, if you pay $12 a year, YubiKey or Sesame.
For KeePass, you can either put your password database on a USB thumb drive and carry that around (since it’s stored locally), or you can synchronize it across multiple computers using DropBox.
I’m using a randomly-chosen master password that’s 15 characters long. I figure that plus the encryption methods that LastPass and KeePass use will be fine for now.
I already know that my employer would never allow anything like that. But for personal use, it may be a valid option.
I don’t use it for any work passwords at all.
You know, I hate end of the year stuff. Year in review (really, Ke$ha did that?… wait, why am I watching this again?….), resolution to lose weight, etc.
And now you’ve gone and talked about end of life preparations and password renewals and stuff I actually need to DO every year. And you’re useful and helpful.
I have very mixed feelings about this now. (but already using LastPass)
A lot of times I talk a better game than I play. I’m working hard this year to actually do the end-of-year life maintenance that I’ve been talking about, including this password manager stuff.
Password managers are problematic for me. I like the idea of them, and if there were a standard, and all browsers adhered to it, it might be feasible. They work fine for home/work computer/laptops, but smart phones are more difficult, particularly the iPhone. It doesn’t allow anything like browser extensions, so even if it had a password manager app, I’d have to close Safari, fire it up, decrypt the password I want, copy to the clipboard, go back to Safari, and paste it (making sure to copy something else afterwards so as not to leave the password on the clipboard). Even if I were willing to put up with all of that, if I want to use my buddy’s phone to check my email, I can’t, because my password is a randomly generated string of characters I’ve likely never even seen before. And if I want to use any other computer, the password manager must have web access (in which case I wouldn’t trust it for anything finance-related, and let’s hope their servers never go down), or I gotta remember to carry my thumb drive with me. I just don’t find it safe not to know what my passwords are.
I’m very pro password generation schemes. All you need to remember is two things: one very strong password (which is hard at first, but it doesn’t take long), and an algorithm for salting it with something related to the website/service you’re logging in to (but not too obvious, so that if your password gets lost, someone doesn’t see “fuA@#SE34%^2paypal”). Once the system is set up, the algorithm is committed to memory, your password generator (and manager) is your brain.
I was using your password generation scheme, but having the same strong password or pieces of password across sites bothered me. One of the reasons I went with LastPass was that its iPhone app includes a built-in browser for sites where I need to log in and care enough about it.
It’s definitely a trade-off. I’ve come down on the side of not knowing what my passwords are because my brain is becoming a major limitation in my ability to create and manage large numbers of very strong passwords.
In a pinch, though, you can usually get a password reset via email. For stuff like banking, you have other avenues for authentication.
I’m working on getting my throwaway password limited in use, with an idea to phase it out altogether. Then I can post it on the Internet and explain its origins. [I’ve used it for *15* years and have no evidence that it’s been cracked, which just tells me that I’m not a target.]
It is a trade-off for sure, but if your scheme is good enough, there aren’t shared blocks, and even if there are, the non-shared blocks are complicated enough that it won’t matter.
The ultimate password generation algorithm is one that can’t be deciphered simply by having two or more known passwords. Which, unfortunately, requires you to recode the salt by using something you can a) do in your head or b) at the very least, compute using a JS bookmarklet. Consider:
base: “pa$$word”
salt: “granades”
SHA-1 of salt: BF281916E61020ABFA903246A467068746B04B37
base mashed up with pos 1, 3, 5, 7, 9, 11, 13, 15 of SHA: pBa2$1$1wEo1r2dA
By only hashing half of it, you’re left with a password that still uses the full upper/lower/number/symbol char set, and is twice as long as the simple 8-char base. Plus, I can generate that manually on any machine, and I have to trust no one but the website it’s used for.
Even if a hacker had two of such passwords and compared them, and took out the common letters, they are left with B211E12A, which, attempting a reverse lookup using any hashing scheme, won’t come back with anything meaningful, so there’s basically no way to figure out how I came up with it.
I do realize that using a hashing function means it’s only slightly less trouble than a password manager, but I’m still trying to come up with an algorithm that good that can still be done in one’s head.
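The hash-and-interleave scheme laid out above, written out as an added example (mine, not the commenter’s code): the base “pa$$word”, the digest string and the odd positions 1 through 15 are the ones given in the comment, and `derive_password` recomputes the site hash with hashlib, so it assumes the quoted digest really is SHA-1 of “granades”; `site_specific_part` reproduces the “strip the common letters” step, which leaves only hex digits of a hash of a public name.

```python
import hashlib

# Values as they appear in the comment above.
EXAMPLE_BASE = "pa$$word"
EXAMPLE_SITE = "granades"
EXAMPLE_DIGEST = "BF281916E61020ABFA903246A467068746B04B37"
POSITIONS = (1, 3, 5, 7, 9, 11, 13, 15)  # 1-based positions in the digest


def interleave(base: str, digest: str) -> str:
    """After each base character insert the digest char at the next odd
    position, so an 8-char base becomes a 16-char password."""
    if len(base) != len(POSITIONS):
        raise ValueError("the scheme as described assumes an 8-character base")
    out = []
    for ch, pos in zip(base, POSITIONS):
        out.append(ch)
        out.append(digest[pos - 1])
    return "".join(out)


def derive_password(base: str, site: str) -> str:
    """Full scheme: SHA-1 the site name, upper-case the hex, interleave."""
    digest = hashlib.sha1(site.encode("utf-8")).hexdigest().upper()
    return interleave(base, digest)


def site_specific_part(password: str) -> str:
    """What is left once the shared base is removed from two such passwords:
    the eight inserted characters. They are always hex digits (16 symbols),
    so this part carries at most 32 bits and depends only on the site name."""
    return password[1::2]


if __name__ == "__main__":
    pw = interleave(EXAMPLE_BASE, EXAMPLE_DIGEST)
    print(pw, site_specific_part(pw))  # pBa2$1$1wEo1r2dA B211E12A
```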
At that point I think you’re better off using something like PasswordCard or generating a two- or three-character code for each letter and using a passphrase per site. The latter is what I’ve done for my banking passwords, and it works well but is a pain in the ass to do each and every time. For me a password manager is easy enough to use that I will use it.
For the Linux users that use the GNOME desktop, there is a very good password manager built-in that you probably didn’t know you were already using. It handles your wireless authentication keys, SSH keys, passwords, and more. There is a Firefox add-on to integrate it as well (although I haven’t yet tried it).
That PasswordCard thing looks like more trouble than it’s worth. I’d have to remember a separate color/symbol for every website? Ugh.
I’m concerned about Jim’s comment relating to smart phone integration…
I’ve gotten where I extensively use my Droid X’s built-in e-mail interface rather than any actual webmail site. However, to get the Droid X to sync up with Yahoo, Gmail, UAH, and whatever else, I had to manually enter each site’s password.
If I want KeePass to randomly generate a 15-character, strong password for these sites, is there some way to see what that password is, at least once, so that I can enter it into my phone?
Alternately, can I manually generate passwords for certain sites where I *have* to know the actual password (at least for a short time before I allow myself to forget it and just use the manager)?
Jim: Huh, that seems no more onerous to me than having to remember a passphrase that gets hashed and used as a salt for every website.
Tombstone: I believe KeePass will both let you see what the password you’ve stored is (though not by default!) and will let you store hand-generated passwords.
See, this is something that I think *should* be fulfilled (on the Mac) by the Keychain Manager and Safari’s Auto-fill. And for many places that I would use a throwaway, it works fine and remembers my password for me. However, the places where I *want* it to really step up, like my bank password, it stubbornly refuses to keep track of it because the bank asked it to.
Plus, it would be *great* if my keychain would sync to my iPhone and auto-fill pieces in there, but no…
The fact that Keychain pays attention to “autocomplete=off” settings makes it far less useful than it should be. There are workarounds for desktop-based Safari, if you want to go that route.
Yes, you should definitely start using a password manager. I use, for example, Sticky Password. I know LastPass too, but they store your passwords online, which I do not like.
Well, you were right. It was time-consuming and annoying, but I now have just about everything switched over to a KeePass-generated password.
Because of KeePass 2.x’s requirement for a .Net install, I just ended up using the 1.x version (which has no such need). Unfortunately, that means that your nifty Firefox plugin that fills in user/pass fields for me won’t work.
Considering how often it was getting where I’d forget the user/pass to something I rarely used (like my work timesheet login), it’s honestly an even trade off, even without the plugin.
“Huh, that seems no more onerous to me than having to remember a passphrase that gets hashed and used as a salt for every website.”
Then you misunderstood. You don’t have to remember a passphrase for every website. The passphrase is the domain name. You only have to remember two things: your strong password, and the method of hashing/salting your password. PasswordCard requires remembering a different symbol/color combination for every website, which is no more convenient than a password that differs by two random characters on every site.
So, um, one of the >100 places where I’d used the password that Gawker had? An admin-level account on this WP install. It’s, um, changed.
Since you talk about LastPass and such services…thought you would want to know about the site vulnerability on the site that exposed user data. To be fair, LastPass was SUPREMELY prompt about fixing and very transparent about the issue, which is always a plus in security. (do you even allow links in your comments?) http://www.eweek.com/c/a/Security/LastPass-Password-Service-Patches-CrossSite-Scripting-Flaw-177050/
Thanks, Duchess. I definitely have concerns about having passwords with LastPass, but I’ve decided the convenience is worth entrusting them with website passwords that I’m less concerned about, like forum passwords. I’m also pleased to see the company respond quickly to vulnerabilities. My financial passwords aren’t in LastPass, though.