Sunday, March 6, 2016

Safety First

So.  Passwords.  Are a pain in the butt.  Despite the fact that I completed training as a computer network administrator; despite knowing full well that one is not supposed to use the same password for multiple websites... up until last week I was using the same password almost everywhere.  Including online banking.

I know, I know...  I should be ashamed of myself!

In my defense, at least it was a strong password.  It wasn't secret or 12345678 or my middle name.  It was 8 characters long, not a dictionary word, and easy to remember.  Like, you could easily remember the words to the song "Baa baa black sheep", and turn it into a password like this: Bbbs3bags.  My password was similar.

Fortunately, this is not a sob story about having my checking account hacked.  I was saved from learning my lesson the hard way by the miracle of password management software.  I ran across an online article comparing various apps, and 3 hours' worth of research later I decided to implement one.

A password manager allows you to use a different strong password for every site without having to remember them all.  The app can generate the passwords for you, or you can create them yourself. They are stored in an encrypted database.  When you log into your web browser, you also log into the app, and it fills in your usernames and passwords for you as needed.  You only need to remember one master password, for the password management app.  Mine is 21 characters in length, so it would be almost impossible to crack it by brute force (i.e. trying every possible combination of characters until you find the right one).

The benefit of this is that if any one of your websites is hacked, and the hackers discover your password, they can't use it on any other website.  For example, if my LL Bean online shopping account were revealed, the hackers couldn't then get access to my Facebook page (not that I would care much about that), or my bank account (about which I would care extremely).

The password management software itself is as safe from being hacked as it's possible to be with current technology.  They use a high level of encryption, which means that the above-mentioned brute force method would not be very effective at revealing users' data.  Also, on the off-chance that hackers managed to crack the encryption on one account, they wouldn't automatically have access to the entire database, because it is "salted", which is a jargony way of saying that every customer has their own slightly customized key to the vault.  Unless a determined hacker in possession of a powerful supercomputer (or the network equivalent thereof) were to go after me personally, I should be pretty safe.

I should mention that not all password management providers keep a database of their clients' passwords.  Many of them give you a database that you store locally, on your hard drive. You are responsible for backing it up yourself.  That type of program requires some effort to sync the database between all the locations where you are using it.  Being lazy, I opted for LastPass, which keeps a database "in the cloud" so that my work computer, my home computer, and my smart phone are synchronized automatically, and I don't have to worry about backups.

It was a bit of a pain in the butt to set up.  The installation process was easy.  Adding all my websites and then changing all the passwords to randomly generated character strings was a headache.  In order to assuage the anxiety I felt upon no longer "knowing" all my passwords, I was able to export the database and print it.  If the LastPass servers ever crash, I won't be SOL.  I'm keeping a copy at home in my fireproof safe.  (As soon as I completed the printing process, I deleted all the unencrypted text files from my hard drive immediately, in case you were worried about that.)

Now that the app is fully up and running, I'm feeling pretty good about the software, and much more secure in my online presence.  This is my PSA to you guys to encourage you to do the same.  LastPass, which was my choice, costs $1 per month, but you can also find free and open-source password managers.  Are any of you using password management software already?  If so, which one, and how do you like it?

7 comments:

Jenski said...

That's intense! I struggle to make time to try to organize and back up my photos...

I use a super fancy notebook to record passwords in. If someone broke into my home and stole it, I'd be in trouble, I suppose. A couple of sites I use for work in particular require regular changing, but otherwise I have a mix of approaches to generating passwords I use.

G. B. Miller said...

I use paper at work to write down my passwords (network password gets changed every 45-60 days and payroll password gets changed every 60) and a list on both of my computers for all the websites I use. The work one is a pain in the buttocks since you can't repeat the last seven passwords you use, so trying to come up with a new one has been a serious adventure to say the least.

I've been hacked only once, back when Yahoo suffered a hacking breach a couple of years ago. Fortunately, it was an e-mail that I rarely use.

Father Nature's Corner

Granny Annie said...

I have a book titled MY BRAIN. All passwords are stored there. It started out very neatly done but I got in a hurry often times and now it takes me a lot of time to scan through the fat book if I forget a password. Your way sounds safest but as Jenski said "That's intense!"

DarcKnyt said...

Wow, GREAT analysis. And a great reminder that there are some pretty savvy and dark elements running around out there in the wild. Always best to secure yourself as best you can, and $1 a month doesn't sound too bad at all.

But being a cheapskate, I'll check out the free and open source ones first. :)

Thanks for the tip(s), Spark!

PhilipH said...

Excellent and necessary advice Sparkly.

I use a different password for each site but can remember them all simply by using the first and last letters of each website with a central 'same' set of characters.

For example, if I want to log on to, say, Yahoo my password would start with upper case Y and end with Uppercase O. In between I use, for example, an address or a name with at least four numeric characters.

So, it could be Y89HighSt19O. It could be I use the first two characters of the website and the last two characters instead of just the first and last characters, e.g. YA89HighSt19OO.

Many financial sites, banks etc., usually require just three or four characters of your password, not ALL the characters. In the last example you might be asked for the 1st, 4th, 7th and 10th characters, which would be Y9gt - and thus your full password is never shown and the individual requests usually change randomly.

Lynn said...

I don't, but have thought about it. One of my clients did that and said it works great. Thanks for the tip!

Vanessence7 said...

No, I'm just using password management hardware, which consists of a 3x5 card and a pen. One of these days I'll get with the program!

I've heard only good things about the one you chose. :)