In this article I will first talk about some missconceptions as to what is considered a secure password and then about you can leverage different technologies to help you with all your passwords.
In the past few years there has been a sharp increase in websites being hacked and their users passwords/hashes stolen, in parallel we are using online services for almost everything: to pay for your local pizzeria delivery, your electricity bills, access your bank account, connect to your work email, etc.
The common advice is to use different passwords for each site you register to, but most people don’t. It means that hackers can often reuse credentials they obtained on one website to access another.
One way to counter that issue, would be to use some kind of formula so you remember a different password for each site you have registered to. This *could* be the best solution, as remembering a password formula means you do not have to write it down. The problem with this solution is how secure is your formula? How easily could it be reverse engineered? It may not be possible to do it with knowing only one password, but what about 2? or 3? or more? would a pattern start to emerge?
Let’s take an example of a simple password formula, by taking the first letters of an easy to remember sentence tailored to a given site, google.com in this example:
I Love My dog And I Liked Google since 1997
The password would be: ILMdAILGs1997
Pretty good… You could also add some punctuations and numbers.
But if you use the same formula somewhere else, this time for yahoo.com, the password would just have one letter different: ILMdAILYs1997
If you want to make your password “expire” you could change the year at the end of every year. Or add an increasing number or letter every 90 days…
However, a pattern would still to be easily identifiable if you an attacker gets hold of more than one of your password…
Of course, this means someone would need to get your credentials from different sources, Google and Yahoo in this example. But the point is that with the increasing number of websites we subscribe to, we are also increasing the chances that our credentials get stolen and patterns to be discovered.
The passwords need to be different each time and they need to be as random as possible.
Not writing your password down, being a post it or in a file (encrypted or not) but remembering it sounds like the most secure solution. Until you look a bit deeper at all your different passwords are constructed. If you have a solution to remember truly random and unique passwords then please contact me and if not, then read on…
The best way to use unique, random and strong passwords is to save them into a password safe. A software that acts as a safe for sensitive information by storing it into an encrypted database. All your passwords are then protected by a master key/password.
Password safes are not new, in fact one of the most popular has been around since 2002.
But what is new is how you can achieve the following requirements, so you do not compromise on usability:
- Passwords need to be accessible from all your devices
- Passwords need to be backed up securely
- Passwords need to be easy to reset
This is where Cloud storage can help you.
You can use Password Safe from Sourceforge to create your list of encrypted and secured strong passwords, store that secure database onto a cloud storage service such as Dropbox. Then synchronise that Dropbbox folder where your password safe database is on your different computers. You can even install a version of Password Safe on your mobile devices and connect it to your Dropbox account.You should also make local backups regurlarly.
Doing this allows you to have access to and modify your passwords at all time, everywhere.
You do rely however on how secure the implementation of Password Safe is on the different medium you install it and if someone installs a key logger on your computer then you could loose access to all your passwords!
By using a password safe and cloud storage technology you ensure your safe is backed up (dropbox), that all your devices have access to it so you can easily configure your emails, web site access, web application, etc. and that changing a password is not a pain anymore as you don’t need to remember it!
The only password you need to remember is the master password to your safe which you should not reuse anywhere else.