Another year has come to pass. With everyone making lists around this time of year it’s important not to forget a very important list that many people take for granted. If you read the post title you already know what I’m talking about, passwords. These days more and more of our lives are spent on line and we rely heavily on passwords to confirm our identities. Everything from your twitter account to your bank account requires a password and if you’re not practicing good password security you could be in serious trouble. The three main aspects of a good password policy are as follows:
- Change your passwords often
- Never use the same password in more than one location
- Use complex passwords
Let’s break these down and address them individually.
1. Change your passwords often
What does this mean? It seems simple enough but what does “often” really mean? If you look at the Microsoft Live service they have an optional checkbox that would require you to change you password every 72 days. Some IT departments require you to change your password every 2 months. Some people have been using the same password for 10 years and don’t see any need to change. You may be wondering why this is important in the first place. If you’re following rule 2 you may be wondering why you need to change your password at all. Should someone figure out your password for a particular site it won’t effect anything else so what’s the big deal?
The reasons are two-fold. On the one hand just because a service was compromised doesn’t mean your password was… right away. Most places store your password in a cryptographic hash so that if their database is ever compromised the attacker still won’t have be able to log into your account and make changes. Hash functions are one way by design but they are still vulnerable to a number of attacks. Most commonly these are brute force and so-called “rainbow table” attacks. The attacker can load all the hashes into a program that will try every word in the dictionary, or every word found on wikipedia, or any number of permutations and amalgamations thereof. So the database may have been compromised in May of last year but it took until now before they were able to crack the password and gain access to your site. On the other, the attacker may have access to your account but not do anything to let you know it. Perhaps they gained access to your e-mail account but don’t send out any e-mails or change your settings they just use it to send password resets forms from your bank for example. I tend to think 2 months or even 3 is a little paranoid but 6 is is a pretty good balance. At the least I would suggest changing passwords once a year.
2. Never use the same password in more than one location
This may seems obvious, but it’s amazing how many people pick one password and decide to use it for everything. Or maybe they have a handful that they switch between. The reason this is so important is because the reality is security breaches happen. Just look at the news this past year. A giant company like Sony faced millions of dollars in damages when the playstation network was compromised. If you were using the same password to log in and play your video games that you do to manage your bank just think about the consequences. You may be saying that there’s just too many sites now that you need to remember passwords for. I agree! There’s no way I could remember a unique password for every website and services I use. That’s why I use a password management solution which I’ll discuss in more detail at the end of this article. Even if you don’t use a robust password management solution there are tricks you can use to set unique passwords per site and still have them memorable. Let’s say your default password is “pass”. Highly secure, I know. One way you can create a unique password for facebook for example would be to use “fbook:pass” as your password. You can see I didn’t just use “facebookpass” or something like that. You don’t want to have a predictable method so that if someone gets your facebook password they can then figure out your hotmail password is “hotmailpas.” Exploring that concept our hotmail password might be “hotm-pass”.
3. Use complex passwords
This particular pillar of the password trinity has been under recent debate. Some security experts believe too much emphasis has been placed on “complex”. Complex has generally been defined as “a minimum of 8 characters including numbers an letters.” Some sources will also add a distinction between upper and lower case letters, and/or include special characters (i.e., $*@&). The real test of a passwords security is called its entropy. The debate can best be illustrated in this xkcd comic
So basically using “JKL@!*FJ$” for a password would be technically less secure than “turkeymexicopassword”. Of course I use the word technically with some qualifier. The entropy may be higher, but many brute force scripts have several options when dealing with wordlists. They can mangle the words or combine words so it could still be faster to crack. I personally like to go as crazy as possible. I stick with a minimum of 20 characters including upper and lowercase letters, numbers and special characters. Of course, there’s no way I could remember all that which leads me into the last part of our discussion today:
Password management solutions
There’s several out there: KeePass, LastPass, PassPack and 1Password to name a few. You’ll notice I didn’t mention your browsers built in “remember password” feature. There are myriad security issues associated with using those “features” that I don’t have time to go into. Suffice it to say, don’t ever use them. The obvious advantage of using a password management program is being able to set secure passwords for every site without having to worry about remembering anything. All of the options mentioned store the passwords in a cyrptographic vault that is unlocked with a master password so you still have to remember at least one password. It’s very important to make this as secure and memorable as possible. The last thing you want to do is finally set up all your sites to uses these fantastically complex passwords only to forget your password or resort to writing it on a post-it note stuck to your monitor completely defeating the point. These solutions also have built in password generators that you can set to provide a random password of a specific length based on different options (Upper/lower letters, numbers, etc).
Here at Pro Web Marketing we use PassPack to manage our passwords largely because they make it easy to share the passwords without clients which is one of its main features. At home I personally use KeePass which is supported on all platforms (Windows, Mac, Linux, iOS and Android) plus it’s open source. One of the perks of using KeePass is that it’s been around for awhile now and has just about everything you could want. You can organize your passwords into folders (Website, e-mail, etc.). The password generator has very specific options differentiating special characters further because some sites will let you use special characters just not spaces. It lets you set an expiration date, website URL and offers a section for notes. One of the things I’ve come across is that websites intentionally limit your passwords. My bank, of all places, has a 16 character limit on passwords so I keep that in the notes section to remind me when I update my passwords.
Keepass also has some nice features that work under the hood. You can set a “global hotkey” (default is ctrl+alt+a on windows) which allows you to set a custom hotkey that will automatically enter your login credentials on sites for you. It uses the title bar of the window and compares that against the title of the entry, because that doesn’t always work there’s also browser plugins to help you get the right match. If you still can’t manage to get it working for whatever reason you can pull up the keepass client, find the entry and hit “ctrl+v” just like you normally would to paste and it will automatically fill in the details in whatever window is directly behind it. By default the auto-type feature uses the pattern Username <tab> password, but suppose you need username <enter> password or username <tab><tab>password? Fear not you can set a custom auto-type in the notes section! Let’s say none of the above will work for some reason, as a last resort you can always open the client, highlight the entry you want and use the icons at the top to copy your username or password to the clipboard. The nice thing about that is even if you do use this feature the clipboard will be automatically cleared in 10seconds so you don’t accidentally paste your password in the IM with your friend. One last feature of keepass I’d like to highlight is that when you update a password it automatically creates a backup of the old password for you which can be a real life saver.
There you have it, with a fresh new year ahead of us you should really think about either switching to a password manager or updating the passwords in yours.