Strong, Random and Unique Passwords – Security over convenience

Posted: September 1, 2014 in Security

Chuck Talking Tech / by Chuck Bienenfeld


This blog post is long overdue. With the almost daily announcements in the media of a company losing our sensitive data, such as the highly publicized Heartbleed vulnerability, the Target and eBay breaches and the multiple StubHub account violations, I felt it was time to start the conversation about the need for strong, random, unique passwords.

Many of these breaches are the result of people using the same password (or one password with minor variations) for every website that requires one. Many times we do this for the convenience of not having to remember many different passwords. The problem with this is that once a hacker has a set of email addresses and passwords, as they got from Target or eBay, they can start hitting social media sites or other popular sites such as StubHub with those IDs and passwords to gain access, and then leverage that information to unlock more sensitive data such as banking or credit cards. It is believed that the iPhone hijacking is a result of this type of breach. A hacker has many emails and passwords and can use an application like Find My Phone to remotely lock a user’s iPhone and send the user a ransom note extorting money to have the phone unlocked. Note, this can only happen on the iPhone if the user does not have a screen lock password, and if you are one of those people let me say, ARE YOU CRAZY.

With all this being said, if you are not using a password manager now is the time to start. Making the change can be easy and inexpensive, in some cases even free. Making this change will also start you on the path to updating all your passwords and making sure they are unique, strong and secure. Let me begin the conversation by explaining what is meant by strong, random, unique, secure passwords. These are passwords that are longer than 16 characters (24 or more should be the goal) and made up of upper and lower case letters, numbers and special characters.

An example being: H2BmA0Vllh;AxXFRy#4Z7m0~kb.

Yes, this would be impossible to remember. Even better, if the website hashes and salts this password, a hacker using the basic hacker dictionary or the information they can get from your social media sites would be hard pressed to crack it. And better yet, if all your passwords were as random and complex as this, a hacker getting one password would not be able to access any of your other sites.
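As an added illustration (not code from this post or from any of the password managers it names), here is a small Python generator and checker for the policy just described: longer than 16 characters, 24 as the goal, and at least one upper case letter, lower case letter, digit and special character. It draws from the operating system's CSPRNG through the `secrets` module, which is what a password manager's generator should be doing under the hood. The special-character set and the entropy estimate are my own assumptions, and the entropy figure is only meaningful for machine-generated passwords, not for a dictionary word with digits bolted on.

```python
import math
import secrets
import string

# The four character classes the post calls for.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumed special set: quotes and backslash left out because some sites reject them.
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def generate_password(length: int = 24) -> str:
    """Return a random password from the OS CSPRNG (secrets) with at least one
    character from each class. 24 is the goal length the post suggests."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Fisher-Yates shuffle driven by secrets, so the guaranteed characters do
    # not sit in predictable positions (random.shuffle is not CSPRNG-backed).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def character_classes(password: str) -> dict:
    """Report which of the four classes appear in the password."""
    return {
        "upper": any(c in UPPER for c in password),
        "lower": any(c in LOWER for c in password),
        "digit": any(c in DIGITS for c in password),
        "special": any(not c.isalnum() for c in password),
    }


def meets_policy(password: str, min_length: int = 16) -> bool:
    """The post's rule: longer than min_length and all four classes present."""
    return len(password) > min_length and all(character_classes(password).values())


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits, assuming every character was chosen
    uniformly from the union of the classes present. Valid for generated
    passwords only; a word plus digits is far weaker than this suggests."""
    classes = character_classes(password)
    pool = ((26 if classes["upper"] else 0) + (26 if classes["lower"] else 0)
            + (10 if classes["digit"] else 0)
            + (len(SPECIAL) if classes["special"] else 0))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, meets_policy(pw), round(entropy_bits(pw), 1))
```

Run stand-alone it prints one fresh 24-character password with its policy result and entropy estimate; `meets_policy` accepts the 26-character example above and rejects something like `password123`.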

I’m sure your first question is how in the world you would remember these strong, random passwords if you were using a unique one for every site you visit that requires a password. Two words: “password manager”. A few of the most popular are LastPass, 1Password and the Apple Keychain. Full disclosure, I have been a LastPass user for about a year now and feel that it is a 4/5 star service. Security expert Steve Gibson from GRC and the TWiT podcast “Security Now” has done a comprehensive evaluation of both LastPass and Apple’s Keychain and feels both are excellent for managing user passwords. I also hear many good things about 1Password from various well respected podcast hosts.

How do these tools help? At a high level, each tool has a browser plugin and/or an application that links the URL being visited to the stored user ID and password for that site. These tools have configuration options to auto-fill the user ID and password as soon as the page loads, or to let the user click on a trigger and select the user ID and password from the password manager. With either configuration option, you are able to use unique, strong and random passwords that you don’t have to remember.

In all honesty I did not change all my passwords as soon as I installed LastPass. One of my early apprehensions was: what if LastPass did not work and I did not know my password to some site such as my bank? So with this in mind I started using the LastPass password generator to change the passwords for some of my less frequently used sites. As I got more comfortable with the auto-complete feature and the iOS application’s copy-password-to-clipboard feature, I started to expand the set of sites that had unique, strong, random passwords. While doing this I was able to overcome my earlier apprehension, as I realized that if something went wrong I could go to a site that was using a LastPass generated password, go through the password reset process, reset the previously auto-generated password to something I could remember, and recover my access to that site.

As time went on I loved the idea that I did not know the password to any of my sites, but that the passwords were all at least 26 characters long and made up of a random mix of upper and lower case letters, numbers and special characters. I also discovered that there were a few sites that would not allow more than 11 characters, or would not allow special characters. When this happens I tend to contact the webmaster and start a conversation around their limitations to see if I can spark an enhancement to their site. Being able to use strong, random, unique passwords is something I feel strongly that everyone should be doing. The bad guys will continue to steal data from those we have entrusted to protect it on our behalf. As much as those companies try to protect our data, there are many holes in the system and very smart and devious people interested in exploiting those holes. Bottom line: it is up to us to protect ourselves using the best technology available.

With all the additional levels of protection provided by using a password manager, there are two additional LastPass features I use with regularity: secure notes and form fills. I am sure these features are included in other password managers as well. First, the secure notes feature allows you to store additional personal or confidential information, such as frequent flyer numbers, that you want in a secure, accessible location. This feature also allows you to upload images of documents that you want to keep secure and have access to at any time.

With the form fill feature it is possible to add as much or as little personal information as you like, to be used when the LastPass browser plugin encounters a form on a website. Website form fields such as name, address, email, phone number and even credit card information can then be filled in automatically with a simple mouse click.

One last feature I found very interesting is the LastPass “Security Check”. When you run the security check, LastPass begins by checking your associated email addresses against known security breaches. As a note, this can also be done via the site Have I Been Pwned?. LastPass lets you know of any sites you have that were vulnerable to the Heartbleed OpenSSL bug so that you can change your password. In addition LastPass presents you with a breakdown of:

  • Number of sites assessed
  • Average password strength
  • Number of vulnerable passwords
  • Number of weak passwords
  • Number of sites that make use of duplicate passwords

LastPass also includes quite a number of other graphs and tables to help you maintain a high level of security when it comes to your passwords.
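To make the breakdown above concrete, here is an added Python example (my own, not LastPass code; the 0-100 scoring rule is a simplification I chose, not LastPass’s) that runs the same kind of audit over a small constructed vault: it counts the sites assessed, averages a strength score, flags passwords that fail the post’s length-and-class rule, and lists sites sharing an identical password. Because the post points out that people reuse “one password with minor variations”, it also groups passwords that differ only in case or punctuation, which an exact-match check would miss. The breach lookup step (Have I Been Pwned) needs a network call and is left out.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Entry:
    site: str
    username: str
    password: str


# Constructed sample vault; none of these are real accounts or passwords.
SAMPLE_VAULT = [
    Entry("bank.example", "chuck", "H2BmA0Vllh;AxXFRy#4Z7m0~kb"),
    Entry("shop.example", "chuck", "Summer2014!"),
    Entry("forum.example", "chuck@example.com", "Summer2014!"),
    Entry("tickets.example", "chuck", "summer2014"),
    Entry("mail.example", "chuck", "x8&Qw2!pL9#vR4zT6mN@"),
]


def _classes(pw: str) -> list:
    """Presence of upper, lower, digit and special characters."""
    return [any(c.isupper() for c in pw), any(c.islower() for c in pw),
            any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]


def strength_score(pw: str) -> int:
    """Assumed 0-100 score: up to 60 points for length (3 per character)
    plus 10 points for each character class present."""
    return min(60, 3 * len(pw)) + 10 * sum(_classes(pw))


def is_weak(pw: str) -> bool:
    """Weak by the post's rule: not longer than 16 characters, or a class missing."""
    return len(pw) <= 16 or not all(_classes(pw))


def _variant_key(pw: str) -> str:
    """Collapse case and punctuation so 'Summer2014!' and 'summer2014' group together."""
    return re.sub(r"[^a-z0-9]", "", pw.lower())


def audit(vault) -> dict:
    """Produce the same style of breakdown the post lists for the Security Check."""
    exact = defaultdict(list)    # password -> sites using exactly that password
    variant = defaultdict(list)  # normalised password -> sites using a variation of it
    for e in vault:
        exact[e.password].append(e.site)
        variant[_variant_key(e.password)].append(e.site)
    duplicate_sites = sorted(s for sites in exact.values() if len(sites) > 1 for s in sites)
    variant_sites = sorted(s for sites in variant.values() if len(sites) > 1 for s in sites)
    scores = [strength_score(e.password) for e in vault]
    return {
        "sites_assessed": len(vault),
        "average_strength": round(sum(scores) / len(scores), 1) if scores else 0.0,
        "weak_sites": sorted(e.site for e in vault if is_weak(e.password)),
        "duplicate_sites": duplicate_sites,
        "variant_sites": variant_sites,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_VAULT).items():
        print(f"{key}: {value}")
```

On the sample vault the exact-match check catches only the two sites sharing `Summer2014!`, while the variation check also pulls in the site using `summer2014`, which is the kind of reuse the post warns about.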

My hope with this post is that I have been able to spark an interest in the use of strong, random and unique passwords and password managers, and that everyone who reads it begins their own investigation into the tools available and takes advantage of the one that best suits their needs. Please provide any comments or additional thoughts around the idea of password managers to help spur additional conversations.

Mentioned technology:
  • LastPass – free app (Mac and PC) and browser plugin, $1/month for mobile app, online vault.
  • Apple Keychain – free and built into Safari, syncs across Apple devices
  • 1Password – $40 (PC and Mac)
  • Internet Explorer, Firefox and Chrome remember-password features

Comments
  2. You should take part in a contest for one of the greatest
    sites on the web. I am going to recommend this website!

  3. Thanks for the good writeup. It in truth was once an amusement account it.
    Glance complicated to more introduced agreeable from you!
    However, how could we be in contact?

  4. A fascinating discussion is definitely worth comment.

    There’s no doubt that you should write more about this subject,
    it may not be a taboo subject but usually people don’t speak about such subjects.
    To the next! Best wishes!!
