FAQ: Password Management.

“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” ~ Clifford Stoll

How do you manage all the passwords for computers?  I’m sure most of you are familiar with the problem; at work most of us need 4-5 different passwords.  In addition to that, there are passwords for your bank account(s), your credit cards,  your utility accounts, cable, online gaming services, subscription web sites to name a few.  I’m guessing the average socially active person and who works has over 20 passwords that they need to be able to remember at any computer.

The selection of passwords is further complicated because login requirements are sometimes mutually exclusive; some sites require special characters in passwords, others don’t support them, some require a password to be 8 characters or less, others 9 or more.

How can we manage our passwords. The requirements are:

  • manage multiple sets of passwords
  • no requirement to memorize all passwords
  • universally assessable to me
  • meets medium-high security requirements
  • shareable so my wife has access as needed

image

Picture from one of Geekdom’s favorite cartoons: xkcd.com

Possible solutions include:

Writing everything down in my password notebook. Conventional wisdom suggests that this is not a safe way to track passwords, but some of these people also designed current borderline-unusable password systems. Certainly my house gets burgled less frequently (currently never) than major websites and services who lose huge plaintext credential sets. (I currently write mine down using a code so that casual observers won’t know the password.)

  • Pros: easy to manage, simple to set up, little or no memorization needed, available to my wife and adult son.
  • Cons: dubious from security standpoint, vulnerable to loss by fire for example, which is when you’ll most likely need it, only accessible from one location.

Some kind of online or phone password manager.  That’s like giving your passwords to someone to hold, someone you don’t know, and who says they’ll encrypt and protect them.

  • Pros: minimal memorization, accessible from almost anywhere
  • Cons: when hacked, others can get my passwords

Here is what a friend of mine at work wrote. If I get his permission, I’ll add his name to this post. And I hope to try this out this weekend. It looks very promising.

image

I use LastPass because it is so easy and secure.  Useful for more than just passwords.

Disclaimer: LastPass is not approved for <work>  internal use; but then nothing is at this point.  However that doesn’t affect me because LastPass won’t work on Linux anyway, and we only use one password for almost everything.  So I just have to remember two passwords- Lastpass, and my <work> password.

This will be a long post.  So here’s the super short version:

Go download LastPass, and use a different randomly generated password for every site.  If you do not, eventually someone will get your passwords, and it may or may not screw you over very badly.

Now here’s the nontechnical version:

LastPass is a password management system.  You set a master password, which you remember and do not share or use for anything else, and then have it autogenerate, autosave, and autofill your passwords no matter where you are.  You’ll never have to change it, and LastPass will take care of remembering all of the rest.

So with that said, here’s the downsides of it:

  1. If someone mugs you (or sneaks in) and takes control of your computer physically, they will have access to most things.  This is true with any other password system though on sites you are logged into(email, facebook, etc)
  2. A keylogger can still get your password.  LastPass does offer a click-to-type system to stop this, and other password systems are vulnerable to this too.

Now, here’s the upsides:

  1. It auto-enters passwords for you on websites like firefox or chrome password managers.
  2. It protects you from incompetent companies and the hackers that exploit them.
  3. It automatically syncs between different computers, backs up online automatically, and is far more secure than any browser password manager.
  4. It protects you from malicious sites that otherwise might get your password(either through trickery or just dishonest sites).
  5. It protects you from malicious employees at otherwise trustworthy companies.
  6. It handles the weird password requirements of some sites – less than 8 characters, more than 10 characters, must have number, must have capitalized character, must have a symbol, etc.
  7. It protects you from simple key loggers that might attempt to get your Facebook, email, or banking passwords.
  8. It stops you from forgetting passwords you rarely use.

And more.

There’s basically 4 different ways to manage passwords:

  1. Use the same password everywhere.  While easy to remember, if you get hacked everything is gone.  Emails are used as security, and once yours is hacked, everything will go.
  2. Write down passwords somewhere and use different ones.  This is more secure than the last step, but if someone finds your password file or paper, you’re gone.  It also takes more time to enter the passwords, at least if they are secure passwords.
  3. Different levels of passwords for ‘secure’ sites and other sites.  This is what I did for the longest time.  However it has recently gone out of control.  I had to maintain 11 different passwords that were used in various places- work, email, banking, old passwords that I didn’t use anymore(but still needed to know occasionally).  Also if your low-level password gets cracked(likely), every other site you’ve used that on is now exposed.  If your email password gets cracked, (almost) everything is gone.  And different sites having different requirements on passwords is ANNOYING.
  4. Use a password manager.  This is the best choice(almost always).  There are a number of password managers out there, the best are LastPass and 1Password, LastPass being my favorite because it syncs to everything.

So now, let me explain the technical theory behind this, and why LastPass is while other methods are not secure.  This isn’t necessary to read unless you are interested in the technology.

Site security

First, how password security works.  Suppose you go to some random site with a forum and want to sign up/post on it, although the concepts are the same on even large sites.

When you type in a password and click send, if you are not using https (the little lock in most browsers), your password is transmitted across the network as it is.  Anyone who intercepts your data has your password.  But while that isn’t that hard, it isn’t that common either.

So then the site receives your password.  Even if they have the https lock, they get your real, raw password.  Now a dishonest or stupid site will take your password and just store it in their database for later confirmation.  If they ever get hacked(and they will if they are this dumb), your password is open for the hackers to use(or the malicious site owner).

Hashing

Most sites do not do that, though.  They do something called hashing your passwords.  What this means is that they take your password, “MyPassword7” and turn it into a hash, in this case “e1d0c43e61eebf0212f058d6cfe2b28e”.  They save this, and then to confirm your password next time, they compare the hash.  Hashes cannot be reversed- Like adding two numbers together, there are many possible ways to get to a hash(2+2=4, 1+3=4, 0+4=4 for example), and thus it cannot be undone.  So if a hacker or malicious employee cracks the site, all they get is “e1d0c43e61eebf0212f058d6cfe2b28e” which isn’t useful.

Hackers are not stupid though.  They may not be able to undo the calculations that went into your password, but they can do something else.  They have found that they can take a potential password, “aaaa”, hash it, and check to see if it matches the hash they are looking for.  And then they take and STORE that hash in a database, and if they ever get that hash again, they have the password.  And better than that, computers can hash millions of passwords per second, and store all of the results.

Password Length

This is why 5 character passwords are useless.  A hacker can try every password from ‘aaaaa’ to ‘zzzzz’ in seconds on just one computer, and store all of the results.  And hackers have thousands of computers that have been working at this for YEARS.  You can confirm that that this password can be reversed by putting the above hash into this site:

Warning- don’t enter your password: http://hashcrack.com/  (Note… NEVER put your real password into that site or any hash site to test it.  They will save the hash!!!)

So how do you counter this?  With a long password that no hacker has ever tried before, and they have tried every word and many combinations of words in the dictionary.  At this point, any password under 10 characters has probably been cracked if the site doesn’t use proper security(I’ll get to that), and any password under 8 characters can be cracked even if they do.  In 10 years, those numbers will likely be 12 and 10, and in 50 years maybe 14 and 12.

More secure sites

Now sites get hacked all the time, and malicious employees try to steal data—even big companies that should have good security like Sony get hacked. Once hacked, hackers will run automated systems on the millions of passwords they get to find any that are weak – and they find many- and auto login to their email accounts.

“Secure” sites like banks generally have an additional way they keep passwords safe- The salt.  Take our original password, “MyPassword7”.  Instead of just hashing that, suppose the bank site added “_banksalt3” to your password, making it “MyPassword7_banksalt3”, and then hash it.  This does not inherently make the password more secure, but what it does do is make the password hash to an entirely different value, “19d8359d10fd1f07de18d4562d109914”.  Hackers can still use the same process to reverse this, but 1. They need to know the salt, which is not hard, and 2. Their entire hash database they have been building for years is worthless.  Part 2 is where the security comes in.  They have to start from scratch, trying “aaaa_banksalt3” through “zzzz_banksalt3” all over again.  This makes a shorter password more secure.

LastPass Security

So now I’ve covered how passwords work and how hackers exploit them.  How does this tie in with LastPass?  Great question, WhoEverIsReadingThis!  LastPass stores your passwords encrypted.  Encryption, unlike hashing, can be reversed, but you have to know the encryption key.  What encryption key does LastPass use?  Why, your master password of course(with a salt)!  Without your master password, no one, including yourself and LastPass themselves, can get your passwords.  Now they have a few ways to work around this, but they are all sound from a security perspective and have the same result- If you forget your master password and other password recovery methods fail, no one, including lastpass, can restore your passwords.

In addition, no employees at LastPass can ever see your passwords.  LastPass moves around the encrypted data that contains your passwords to your computers and phone to keep them in sync, and even offers a web interface, but cannot decrypt your passwords without the master, which they do not store.

So now you want to be secure.  What’s the best reasonable way?

  1. Use LastPass.  For each site/system you want to use, have it auto generate a 14-16 digit random [a-z, A-Z, 0-9] password.  Set it to auto fill passwords for you. It’s not hard to do it manually either.
  2. Use a 13-16 digit password as your master password.  Make sure it is not in any dictionary(or combination of correctly-spelled words), not the name of your favorite band or girlfriend’s last name, etc.
  3. Set the service (or the site) to auto log you out after a reasonable amount of time on sites you care about.
  4. On email, banking, and really important sites, check the “require master” box on those passwords.  LastPass won’t give them up without you confirming the master password.
  5. On any computers you don’t trust like a friend’s or a public library computers, use the “click-keyboard” entry system.  Type a few characters, click one, type a few more, click another, type the rest.  This makes it impossible for a key logger routine to get your master password.

Now for the ridiculously paranoid, do steps 3, 4, and 5 on every single site.  You’ll never get hacked. As a side bonus, you’ll also never get anything done.

Final word of advice for parents with kids (or people with friends), the kids may at some point, need to use some of your passwords for one thing or another.  Do not give them the master password; simply create a new (free!) LastPass account for them with their own password. Then add the things you want to give them access to to their account manually.  Start them off on the secure foot, and make sure they can’t get into your credit cards when they get older to boot!

Advertisements

About Gandalfe

Just an itinerant saxophonist trying to find life between the changes. I have retired from the Corps of Engineers and Microsoft. I am an admin on the Woodwind Forum, run the Microsoft Jumpin' Jive Orchestra, and enjoy time with family and friends.
This entry was posted in Computers and Internet, FAQ, Guides, Security and tagged , , , . Bookmark the permalink.

3 Responses to FAQ: Password Management.

  1. bpimentel says:

    LastPass provide packages for a variety of Linux distributions. I use it with absolutely no problems.

  2. Grace says:

    Hello! I could have sworn I’ve visited this blog before but after looking at many of the posts I realized it’s
    new to me. Nonetheless, I’m definitely pleased I discovered it and I’ll be book-marking it and checking back frequently!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s