Thursday, January 21, 2010

Change the combination on your luggage

After Dark Helmet extorts the code needed to suck out the atmosphere and learns it is 1-2-3-4-5, he declares, "That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!" A few minutes later Mel Brooks is in the scene:

Well, folks, there are a lot of people who need to change the combination on their luggage. Or, less metaphorically, there are a lot of people who need to change their password management practices.

A good password is hard to remember

Because of spectacularly bad security practices at RockYou.com (the site stored its users' passwords in plaintext), 32 million passwords have been made public. There's a detailed report (PDF) by Imperva and a summary article at net-security.org.

What we know is that the number of distinct good passwords a person can remember can be counted on our fingers (maybe on the fingers of one hand). Good passwords are hard to remember. This means that people will either

  1. Use bad, easy to remember passwords
  2. Use the same password (or predictable variants of the same password) from site to site
  3. Some combination of the two

This makes passwords very easy to compromise. If one site gets compromised (as RockYou did) and your banking password is predictable from your RockYou password, then gaining access to your bank account isn't hard: an attacker doesn't need to guess from scratch, only to try a few hundred cheap variations of the password that already leaked.

Password management software is the solution

This problem is not new. Security experts have known for a long time that human psychology is the limit on good passwords. Fortunately there is a solution: password management software. I only have a few minutes to write this post, so I won't go into detail. But for Mac OS X, I strongly recommend 1Password. For everyone else I recommend KeePass. And if you are the kind of person who sticks with the same web browser, then you could get by with the password management built into all modern browsers. Those aren't as good or as flexible as 1Password or KeePass, but they are better than nothing.

With those tools, you only need to remember your master password, and let the software provide strong, distinct passwords for each site you visit. You never need to know what those individual passwords are.
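To make the two halves of the argument concrete, here is a small added example (mine, not code from 1Password, KeePass or the Imperva report). The first half shows how a "different" password that is really a variant of a leaked one falls to a handful of mutation rules; the rule set is a deliberately tiny assumption standing in for the thousands of rules real cracking tools ship. The second half shows what a manager does instead: draw a uniformly random password from a 94-symbol alphabet with a cryptographic generator and compute how much entropy that buys. The passwords `Summer2009!` and `Summer2010!` are constructed for illustration.

```python
import math
import secrets
import string

# Character set a password manager draws from when it fills a new site's
# password field: 52 letters + 10 digits + 32 punctuation marks = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_site_password(length=20, alphabet=ALPHABET):
    """Return a uniformly random password from a CSPRNG (secrets, not random).

    This is what the manager stores for one site; the user never sees or
    remembers it, only the master password that unlocks the store.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(alphabet_size)


def predictable_variants(leaked):
    """Toy model of the mutation rules an attacker applies to a leaked password.

    Given 'Summer2009!' from one breach, these rules produce 'Summer2010!',
    'summer2009!', 'Summer2009!1', 'Summ3r2009!' and so on.  Real cracking
    tools ship thousands of such rules; this handful is an assumption made
    for illustration, not a complete rule set.
    """
    tail = leaked[len(leaked.rstrip(string.punctuation)):]  # trailing punctuation, e.g. '!'
    core = leaked[:len(leaked) - len(tail)]                  # 'Summer2009'
    stem = core.rstrip(string.digits)                         # 'Summer'

    variants = {leaked, leaked.lower(), leaked.upper(),
                leaked.capitalize(), leaked.swapcase()}

    # Re-roll the trailing number: counters 0-99 and plausible years.
    numbers = [str(n) for n in range(100)] + [str(y) for y in range(1990, 2021)]
    for num in numbers:
        variants.add(stem + num)
        variants.add(stem + num + tail)

    # Append the usual suffixes to the whole leaked string.
    for suffix in ("1", "!", "1!", "123", "2010"):
        variants.add(leaked + suffix)

    # Simple leet substitutions.
    leet = str.maketrans("aeios", "43105")
    variants.add(leaked.translate(leet))
    variants.add(core.translate(leet) + tail)
    return variants


def reuse_risk(leaked, candidate):
    """True if `candidate` (say, the bank password) falls out of `leaked`
    after a few hundred guesses, i.e. it is a predictable variant of it."""
    return candidate in predictable_variants(leaked)


if __name__ == "__main__":
    leaked = "Summer2009!"   # constructed: the password that leaked from site A
    bank = "Summer2010!"     # constructed: the "different" password used at the bank
    print(len(predictable_variants(leaked)), "guesses cover the variant space")
    print("bank password predictable from leak:", reuse_risk(leaked, bank))
    fresh = generate_site_password()
    print("manager-generated:", fresh, round(entropy_bits(len(fresh)), 1), "bits")
    print("generated password predictable from leak:", reuse_risk(leaked, fresh))
```

The variant space here is a few hundred strings, so a reused-with-a-twist password costs the attacker well under a second; a 20-character random password from 94 symbols is about 131 bits of entropy, which no amount of rule-based guessing recovers. The point of the manager is that the second kind of password costs you nothing to use because you never have to remember it.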

Update: After finally getting a chance this afternoon to look at the morning newspaper, I see that there is a front page article in the New York Times about this. Unfortunately that article (at least the print version) does not mention password management systems.

Regarding the software I've recommended, I have no vested interest in either KeePass or 1Password or any particular password management system. I am a happy and enthusiastic customer of 1Password and an active participant on their support forums. Like every user of the Internet, I do benefit from others behaving more securely.
