One Ring to Rule Them All: Password Security

Secure password of the week

It’s pretty common knowledge that many people are not as cautious as they should be when it comes to password security. Some of the practices I’ve come across are as follows:

  • Re-using the same password across many sites
  • Using easy-to-remember common words under seven characters


  • By using one password across many sites, if your account password becomes compromised (either through a keylogger or through a breach of the site you’re connecting to), hackers may ultimately gain access to your other accounts. An example of this would be using the same password on your blog, your Facebook account, your bank account and your Gmail account – one breach is all it takes to make your private information accessible to prying eyes.

  • By using short, easy-to-remember passwords (common words or short alphanumeric strings, for instance), your password is far more easily crackable by dictionary / brute-force attacks.

The reason why people use easily cracked or derived passwords is simple: they’re easier to remember. If you look at the concept of Miller’s number, it becomes clear that there are limits to cognition. It’s the reason why telephone numbers (at least traditionally) are seven digits long, and it’s the reason why, when designing a taxonomy (yay Knowledge Management), proper navigational designs are limited to seven high-level facets (plus or minus two).

The best solution I’ve found is LastPass, a cloud service that both generates and stores secure passwords. The benefit is that you can get beyond the limits of human cognition, opening the ability to use passwords that are, for example, 15 characters long, in upper and lower case, using numbers, letters and special characters. Passwords of this type exponentially increase the difficulty of guessing your password with an algorithm (reference: Password Recovery Speeds from Lockdown).
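As an added illustration of the keyspace argument above (example code written for this post, not code from the original article or from LastPass), the following Python estimates how many guesses an attacker who tries a word list first and then falls back to exhaustive search would need, and converts that to time at an assumed guess rate. The guess rate, the word-list size and the sample passwords are constructed assumptions, not Lockdown’s measured figures.

```python
import math
import string

# Assumed figures, constructed for illustration: a brute-force guess rate
# (see the Lockdown "Password Recovery Speeds" table for measured values)
# and the size of a typical attacker word list.
GUESSES_PER_SECOND = 1_000_000_000
DICTIONARY_SIZE = 1_000_000

# Constructed stand-in for the attacker's word list.
COMMON_WORDS = {"password", "letmein", "monkey", "dragon", "welcome"}

# Character classes an exhaustive search has to cover, with their sizes.
CHAR_CLASSES = (
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
)


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))


def guesses_needed(password: str, wordlist=COMMON_WORDS) -> int:
    """Worst-case guesses for an attacker who tries the word list first and
    then exhaustively searches the classes the password uses (size ** length).
    A dictionary word costs at most DICTIONARY_SIZE guesses however long it is."""
    if password.lower() in wordlist:
        return DICTIONARY_SIZE
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str, wordlist=COMMON_WORDS) -> float:
    """Guess count expressed in bits, the usual way of stating password strength."""
    return math.log2(guesses_needed(password, wordlist))


def years_to_crack(password: str, rate=GUESSES_PER_SECOND, wordlist=COMMON_WORDS) -> float:
    """Worst-case search time in years at the assumed guess rate."""
    return guesses_needed(password, wordlist) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # A common word, a 7-letter random lowercase string, and a 15-character
    # mixed-class string: the three cases discussed in the post.
    for pw in ("monkey", "qzjxvbk", "Tr4vel-Light!9X"):
        print(f"{pw:16} {entropy_bits(pw):6.1f} bits  ~{years_to_crack(pw):.3g} years")
```

The 15-character mixed-class example needs about 94^15 guesses, roughly 10^20 times more than the seven-letter lowercase one; a dictionary word, however long, is bounded by the word-list size instead.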

LastPass provides both a web interface to access your passwords securely and browser plug-ins for most major browsers and operating systems (sorry, no Opera support as of yet). All you need to remember is a “master password”, and you can access the sites LastPass is storing your login credentials for without actually knowing the specific site password (I don’t actually know my Gmail password, for example).

Now, you might be wary about using a cloud-based service to store your passwords. Further, you might be worried about using one password, and thereby creating a single vector for gaining access to all your online sites.

You can rest easy:

1) LastPass does not have access to your passwords directly – they are only accessible based on a hash of your master password, which only you know. If you lose your master password, you lose access to your online accounts. Your password itself is *not* transmitted over the web – the only thing sent to LastPass is the hash of your password. More information on this can be found in their FAQ.

2) The trick here is to choose a relatively complex master password, which you periodically change. Since your password is never actually transmitted over the web, what remains is to maintain your master password, use a combination of letters and numbers (upper and lower case, symbols, etc.), and go above and beyond the seven-character limit.

All in all, I’m really enjoying this service – it’s admittedly a bit strange to not actually *know* my account passwords, but this definitely seems like a step in the right direction: getting around short passwords by accepting the limitations of cognition.

If you’d like more information on choosing strong passwords:

Microsoft Security – Strong Passwords

Wikipedia: Password Strength

GRC Ultra High Security Password Generator

My friend over at OutDPS.com has a pretty good write-up on an alternative to LastPass, the open-source KeePass, which does not use cloud storage, for those concerned:

OutDPS: Account Security!

KeePass

Until next time,

Syd

Header image provided by: Simon Lieschke – Secure Password of the week


Author: sylint

I'm a business analyst, working in Information Management and Information Technology. Technically, I'm a librarian, though I prefer to think of myself as professionally varied.
