Password Managers

Password Managers

I want to give a shout out to using a password manager. Ye olde days of using junk passwords like “qeadzcwrsfxv1331” and “dadof3g8kids” just isn’t going to cut it in today’s online world, especially now that hackers use computers that can brute force guesses at 8 billion guesses per second. (Those two passwords mentioned were cracked in a matter of minutes)

Strong Passwords

A few years ago, I would have thought that dadof3g8kids would have been just fine. However, with today’s cracking programs like Hashcat, the assault is on. Crackers today have lots of weapons, like dictionary lists, rainbow tables, and more importantly, millions of cracked passwords to make better guesses. People who use their own simple systems like a decent base password and then add something to the front, like adding amzn in front of Jimmy1995!@ for their Amazon password are tempting fate. Worse, if Amazon sends out a notice that a password change is required, what will the new one be? “1-amznJimmy1995!@“? Good luck trying to remember that.

On the front end, most web sites will only allow a few login attempts before a user is locked out. These programs that make billions of guesses per second are not working on the front end. They are attacking the password file that was stolen from a web site (like Linkedn, HomeDepot, Target, RockYou) and then bombard it with guesses. Ars Technica got a hold of a password file that had 16,000 passwords in it, and even though it was hashed with MD5, three experts were able to grab most of the passwords in less than a day. One was able to get 90% of them in less than 24 hours.

My unsolicited advice is to spend a few hours and get setup with a password manager, to take your passwords from “letmein3” to: “2PcaP[Hhxhy8f#wTYQkWRe43Gt8”. With a password manager, you only have to remember your one, master password to open the system, and then it stores, saves, and automatically fills in your long, computer generated, RANDOM passwords into your browser when needed. I don’t know my WP, Gmail, Amazon, Apple, Chase, or Wells Fargo passwords (well, I could look them up in the program) I just know my master password.

Defense

Using a password manager will help defend against three big threats today. 1) Password Reuse across multiple sites, 2) Generating strong passwords, and 3) Keeping passwords safe and organized.

Password reuse is probably the biggest problem people get into with passwords. They use a so-so password when they sign up for an account at CuteKittenVideos.com and then use the same password at Gmail or Amazon. The web admins at the kitten site don’t take security too seriously and only hash (obscure) the passwords with something like MD5 or SHA1, which are outdated algorithms to keep passwords hidden from plain text. When that password file gets stolen, all the cracked passwords get added to the list of known passwords and hackers go to town on other sites using the same credentials. Do yourself a huge favor and never use the same password across any site. You are asking for trouble if you do. A password manager will help with this.

Strong Passwords are hard to remember and even harder for humans to think of. We are creatures that are anything but random and do things like add capitalization to the first letter in a password and add numbers and symbols to the end of our passwords. Or, we add numbers to replace letters and use common words placed together in logical order (so we can remember it). We end up with junk passwords like “n3xtb1gth1ng” or “1368555av” that get cracked in a matter of minutes when data from a site is stolen. A password manager will prevent this, too. Generating a strong password is a breeze when using a manager.

Safe and organized, complicated passwords need to be handled with care. They need to be easily accessible, and synced across our devices. The more seamlessly they are integrated into our daily flow, the more likely they will be used. Strong passwords are useless if they aren’t put to use because they are in a complicated system that doesn’t work. Password managers will solve this.

Recommendation

I like and use 1Password but I know a lot of people like LastPass as well. Those would be my two recommendations as a place to start. Both work cross platform and cross device. Both also have options to access your data if you are away from your phone/computer and need to log into your bank, for example.

Master Password

The achilles heel of a manager would be the master password you select to secure it. If you read nothing else, read THIS on how to make a secure password. I use Diceware because it’s simple, random, easy to remember, and combines the ideas that link talks about. You roll a die five times and get a number, like 21114 which corresponds to a word on the Diceware list as: climb. Do that several times and you’ll have four or five truly random words that can be separated by spaces that make a very secure password that is easy to remember. “climb hull fjord wailful harpoon”. Understanding this stuff is more about math than intuition and increased security comes from adding entropy to your password, not more characters. Adding a fifth word to a four word Diceware password adds much more entropy to a password than a few characters like %$#.

Today’s encryption for protecting passwords in password managers is stunningly good, like AES 128 and AES 256. With a strong master password with AES 256 encryption and all of today’s computing power combined, it would take around 6,000 times the age of the Universe to brute force into your manager. Software wise, you are safe. At this point, if a three letter government agency wants your data, a hammer to your family’s heads is faster and easier, but the point is the encryption, for now, is good. For hackers, it’s much easier to simply ask you for your password than try to brute force attack their way into your system. Don’t fall for phishing scams or leave your password manager unlocked while away from your computer. Certainly don’t click on links from your e-mail account; go to the source website and log in from there.

MFA

I want to put a word out on securing your e-mail, especially with MFA (Multi Factor Authentication). You can read here about Matt Honan’s epic hack where he lost years worth of family pictures and lots of his digital life, all because he didn’t use MFA (he was and is a password manager user). If you secure any password at all with a manager, please do yourself a huge favor and protect your e-mail password. I would argue that it’s almost better to protect your (Gmail) account more than your bank account. Why? Because so many of your online accounts, banks or otherwise, use your e-mail in terrible password recovery methods. If you lose access to your e-mail via hacking, the attacker can reset almost anything else in your digital life, and then you are completely hosed. A strong password is a great step, but combined with MFA it’s even better.

Gmail, and others, offer MFA where you need two things (the multi part) to log in: something you have, and something you know. The something you know is your password. The something you have would be a token with a code on it. This would be on your phone with TOTP protocol, like Google Authenticator, or built into programs like 1Password, or a text message code. You are probably familiar with TOTP because that’s what runs the six digit codes on the little tokens you get from a bank. With MFA enabled on your account, even if someone hacks your password, they don’t have the “something you have” the TOTP code on your phone, or the text message that is sent to your phone. So, when logging in, you are asked for your password and your code and you are ahead of 90% of everyone else in securing your account. In the case of Gmail and probably others, it only asks for your code when you log in from an untrusted computer (you aren’t in Romania today?) or every 30 days. The inconvenience factor is tiny, but the payoffs are huge. MFA truly works and is trusted by banks: think debit card plus pin number. The pin is only 4 digits, but without both the card and the pin, your money is safe. Here is a nice list of sites that use MFA to secure their access.

Tip

Finally, here is a (semi)pro tip on those stupid account security questions. Most of the answers to these questions about you can be found online. Your mother’s maiden name, high school mascot, first child’s name, etc. are terrible questions. With a password manager, the answers to all these questions for me are gibberish. We honeymooned in KDhRJWBbWmvGhoKiXhFY and my first car was a EoRBNemksMUZbckyxpyn. Password managers make this a snap and easily prevents someone from trying a reset based on simple information found on Google. Plus, it saves me trying to remember the inane answer of my favorite restaurant: was it Jimmy’s, jimmies, Jimmy . . . crap, I’m locked out.

Links

For further reading, information, and education:

Passwords under assault

Crackers make minced meat out of your passwords

Password Managers