It’s pretty common knowledge that many people are not as cautious as they should be when it comes to password security. Some of the practices I’ve come across are as follows:
By using one password across many sites, if your account password becomes compromised (either through a keylogger, or through a breach in the site you’re connecting to), hackers may ultimately gain access to your other accounts. An example of this would be using the same password on your blog, your facebook account, your bank account, and your gmail account – one breach is all it takes to make your private information accessible to prying eyes.
The reason why people use easily cracked / derived passwords is simple: they’re easier to remember. If you look at the concept of Miller’s Number, it becomes clear that there are limits to cognition. It’s the reason why telephone numbers (at least traditionally) are seven digits long, and it’s the reason why, when designing a taxonomy (yay Knowledge Management) proper navigational designs are limited to seven high level facets (with a deviation of two).
The best solution I’ve found is LastPass, a cloud service that both creates and stores secure passwords. The benefit is that you can get beyond the limits of human cognition, opening up the ability to use passwords that are, for example, 15 characters long, mixing upper and lower case letters, numbers and special characters. These types of passwords exponentially increase the difficulty of guessing your password with an algorithm (reference: Password Recovery Speeds from Lockdown).
LastPass provides both a web interface to access your passwords securely, and browser plug-ins for most major browsers and operating systems (sorry, no Opera support as of yet). All you need to remember is a “master password”, and you can access the sites LastPass is storing your login credentials for without actually knowing the specific site password (I don’t actually know my gmail password, for example).
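To make the “exponentially increase the difficulty” point concrete, here is an added example (my own illustration, not LastPass code) that computes the keyspace and entropy of a password from the character classes it uses, estimates brute-force time at an assumed guessing rate, and generates a random password of a chosen length with the `secrets` module. The character classes and the guesses-per-second figure are assumptions for illustration.

```python
import math
import secrets
import string

# Assumed character classes a generated password draws from (illustration only).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
}
FULL_ALPHABET = "".join(CLASSES.values())  # 94 characters


def alphabet_size(password: str) -> int:
    """Size of the union of character classes that the password actually uses.

    A lowercase-only password is drawn from 26 symbols; one that mixes all four
    classes is drawn from 94, which is what makes each extra character cost more.
    """
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet)


def brute_force_seconds(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace on average."""
    return keyspace(length, alphabet) / 2 / guesses_per_second


def generate_password(length: int = 15) -> str:
    """Generate a password uniformly from the full 94-character alphabet (CSPRNG)."""
    return "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second for an offline attack (illustration)
    for pw in ("letmein", generate_password(15)):
        n = alphabet_size(pw)
        print(f"{pw!r}: alphabet={n}, bits={entropy_bits(len(pw), n):.1f}, "
              f"expected crack time={brute_force_seconds(len(pw), n, rate):.3g} s")
```

A 7-character lowercase password has about 33 bits of entropy, while a 15-character password over all four classes has about 98 bits; at the same guessing rate the second one takes roughly 2^65 times longer, which is the gap the post is describing.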
Now, you might be wary about using a cloud based service to store your passwords. Further, you might be worried about using one password, and creating one vector for gaining access to all your online sites.
You can rest easy:
1) LastPass does not have access to your passwords directly – they are only accessible based on a hash of your master password, which only you know. If you lose your master password, you lose access to your online accounts. Your password itself is *not* transmitted over the web – the only thing that is sent to LastPass is the hash of your password. More information on this can be found in their FAQ.
2) The trick here is to choose a relatively complex master password, which you change periodically. Since your password is never actually transmitted over the web, the main thing is to keep your master password safe: use a combination of letters and numbers (upper and lower case, symbols, etc.), and go above and beyond the seven-character limit.
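The “only a hash leaves your machine” design in points 1 and 2 is easier to trust once you see the shape of it. The following added example (my own illustration of the general pattern, not LastPass’s actual implementation, whose iteration counts and salts are not described on this page) derives a vault key locally from the master password with PBKDF2, derives a separate login hash from that key to send to the server, and has the server store only a further salted hash of what it receives. The `FakeServer` class, the email-as-salt choice and the iteration counts are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # assumed client-side PBKDF2 cost (illustration)
SERVER_ITERATIONS = 10_000   # assumed server-side re-hash cost (illustration)


def derive_vault_key(master_password: str, email: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Key that encrypts the vault; computed on the client and never sent anywhere.

    The account email is used as the salt so two users with the same master
    password still get different keys (an assumption of this illustration).
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more PBKDF2 round over the vault key; this is the only value sent to the server.

    Because it is a one-way function of the key, the server cannot recover the key
    (and so cannot decrypt the vault) from what it stores.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class FakeServer:
    """Stand-in for the service: stores a salted hash of the login hash, nothing else."""

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        self._accounts[email] = (salt, stored)

    def authenticate(self, email: str, login_hash: bytes) -> bool:
        if email not in self._accounts:
            return False
        salt, stored = self._accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        return hmac.compare_digest(stored, candidate)  # constant-time comparison


def client_register(server: FakeServer, email: str, master_password: str) -> bytes:
    """Client enrolment: derive the key locally, send only the login hash."""
    key = derive_vault_key(master_password, email)
    server.register(email, derive_login_hash(key, master_password))
    return key


def client_login(server: FakeServer, email: str, master_password: str) -> tuple[bytes, bool]:
    """Client login: returns the locally derived vault key and whether the server accepted us."""
    key = derive_vault_key(master_password, email)
    return key, server.authenticate(email, derive_login_hash(key, master_password))


if __name__ == "__main__":
    srv = FakeServer()
    client_register(srv, "user@example.com", "correct horse battery staple")
    _, ok = client_login(srv, "user@example.com", "correct horse battery staple")
    _, bad = client_login(srv, "user@example.com", "wrong password")
    print("correct master password accepted:", ok)
    print("wrong master password accepted:", bad)
```

The consequence the post mentions follows directly: if the master password is lost, neither the client nor the server holds anything from which the vault key can be recomputed.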
All in all I’m really enjoying this service – it’s admittedly a bit strange to not actually *know* my account passwords, but this definitely seems like a step in the right direction, getting around short passwords by accepting the limitations of cognition.
If you’d like more information on choosing strong passwords:
My friend over at OutDPS.com has a pretty good write-up on an alternative to LastPass, provided by the opensource KeePass, which does not use cloud storage, for those concerned:
Until next time,
Header image provided by: Simon Lieschke – Secure Password of the week