Monday, 24 November 2014

Manage Thy Passwords

Let me ask you a personal question: what do your passwords look like?
Online passwords stand between your most sensitive stuff and any would be thief out there, not to mention this world’s dubious governments (pretty much all of them). A good, unique, password is pretty one’s first (and often last) line of defence.
Have a look at what a typical password of mine looks like:

What do you think?
You might be thinking the above is rather hard to remember. You might also be thinking that if I am following my own advice regarding unique passwords, then this password would be just one of many; how the ****  does I do it, then? How do I manage to remember many such complex passwords?

The simple answer is that I don't. I use a password management tool that does all the hard work for me for me. It both creates passwords and stores them for me so I don’t have to remember much. The only password I do need to remember is my master password, the one password that unlocks my password manager for me to use.
I cannot boast using many password management tools or being able to compare them. What I can say, though, is that I have been using 1Password and I am a very happy user of 1Password. Not only does it have the ability to manage my passwords as per the above, it also lets me access them on any Internet connected computer (not that I recommend doing that on any computer), it stores other sensitive information for me (e.g., credit cards), and with the Chrome/Firefox add-ons installed it will even fill my user names and passwords for me. What can be a rather tedious process of logging in, even when one’s password is “password”, becomes a one click operation with 1Password.
The other week 1Password even went the extra mile for me. I discovered that a cloud service I had used and have presumed to have updated my password for did not really change the password. Since 1Password already had my “new” password, I thought that was the end of my use of that particular cloud service; I thought I could never login with my old password again. Then, however, I discovered that 1Password keeps a log of changes: I was able to go back in time and recover the old password.
Obviously, security is of prime concern with that information managed by 1Password. The application encrypts all of its saved data, which makes it safe for cloud storage (or as safe as anything stored on the cloud can be). The only caveat I can add is to do with Android usage: due to Android’s rather lax application sandboxing (a complex term for describing whether one application is able to access another application’s data), I would advise caution; do read this article to learn whether and how these issues apply to you.

Overall, the whole password concept is one of risk management. When weighing up whether to start using a password manager, one needs to weigh up the added benefits of being able to easily use unique and very complex passwords vs. the risk of storing the whole of one’s passwords in a single basket. I can only attest to my success with 1Password; it genuinely made my use of the Internet much more comfortable.

Added on 26/11/2014:
If you are considering the use of password managers and are contemplating which, have a go reading the papers referenced here. They bring forth further considerations to do with the security of these tools. As far as I can tell, 1Password excels in the parameters mentioned there.
I would also like to note that, at least on the Mac version, 1Password brings with it alerts regarding compromised passwords. It warns you when passwords need replacing because their related website has been compromised (and I can attest to 1Password doing a very good job keeping up to date on compromised websites). And it also warns you when you're about to let your password go through over an unencrypted connection (including cases where the page seems encrypted but the part that asks for your password isn't).

1Password image: AgileBits


Thankful Moshe said...

Interesting. I will check it out.
One question: Isn't that master password the weakest link? i.e. if it's cracked than all those fancy passwords are exposed?

Moshe Reuveni said...

I don't know if the master password is always the weakest link, but it certainly is a weakness. The same standards apply, obviously (long, special characters, no dictionary words, nothing that can be retrieved on a Google search, make it hard to guess by expressing lies, etc). The key is that you only need to remember one password.
If you ask me, I would point my finger at cloud storage as the biggest weakness. Surely the NSA has the resources to crack the vault, either directly or indirectly.
Note I have added notes to the post, including references to papers dealing with some potential weaknesses of password managers.