
A few months ago, news and social networking sites warned users of the website RockYou that their accounts and passwords may have been compromised. Security firm Imperva warned that a hacker may have made off with an alarming 32 million accounts from the social gaming website. While a breach of this kind is nothing new, what’s interesting are the results of the security firm’s analysis of the stolen accounts and passwords.
From the data they were able to gather, it seems that a great number of users still use insecure passwords: passwords of six characters or fewer (30% of users), passwords confined to alphanumeric characters (60%), passwords that include names, slang words, or dictionary words, and trivial passwords such as consecutive digits or adjacent keyboard keys (50%). Passwords like these fall quickly to automated brute-force and dictionary attacks designed to guess users’ passwords.
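The categories above map directly onto checks a site can run on its own users’ passwords at registration or in an audit. The following is an added example, not part of the original post: it classifies passwords into those four categories and reports per-category percentages in the same form as the figures quoted above. The wordlist, the four-key run length and the sample passwords are constructed assumptions; a real check would load a full dictionary and name list.

```python
"""Classify passwords into the weak categories named in the RockYou analysis (added example)."""
import re
from typing import Dict, List

# Constructed stand-in for a real dictionary/name/slang list (all entries are 5+ characters).
DICTIONARY_WORDS = {"password", "princess", "rockyou", "iloveyou", "michael", "summer"}

# Rows of a US keyboard; a run along a row in either direction counts as "adjacent keys".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
RUN_LENGTH = 4  # assumption: four adjacent keys (or consecutive digits) make a trivial pattern


def _has_adjacent_run(pw: str) -> bool:
    """True if RUN_LENGTH consecutive characters follow a keyboard row or the digit sequence."""
    low = pw.lower()
    windows = {low[i:i + RUN_LENGTH] for i in range(len(low) - RUN_LENGTH + 1)}
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(w in seq for w in windows):
                return True
    return False


def classify_password(pw: str) -> List[str]:
    """Return the weak-password categories from the post that `pw` falls into; [] if none."""
    flags = []
    if len(pw) <= 6:
        flags.append("short")                 # six characters or fewer
    if pw.isalnum():
        flags.append("alphanumeric-only")     # letters and digits only, no symbols
    if any(word in pw.lower() for word in DICTIONARY_WORDS):
        flags.append("dictionary-word")       # contains a name, slang or dictionary word
    if _has_adjacent_run(pw) or re.search(r"(.)\1{3,}", pw):
        flags.append("trivial-pattern")       # consecutive digits, adjacent keys, repeated chars
    return flags


def summarize(passwords: List[str]) -> Dict[str, float]:
    """Percentage of `passwords` hitting each category, like the figures quoted in the post."""
    counts: Dict[str, int] = {}
    for pw in passwords:
        for flag in classify_password(pw):
            counts[flag] = counts.get(flag, 0) + 1
    return {flag: round(100.0 * c / len(passwords), 1) for flag, c in counts.items()}


# Constructed sample set, not real leaked data.
SAMPLE_PASSWORDS = ["123456", "password", "iloveyou", "qwerty", "michael1",
                    "111111", "Summer2024!", "Mz!4hq#Lw8Tp"]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:14} {classify_password(pw)}")
    print(summarize(SAMPLE_PASSWORDS))
```

Note that appending a year and a symbol to a dictionary word ("Summer2024!") still trips the dictionary check, which is the point of running the checks together rather than relying on length alone.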
The reason these sorts of insecure passwords continue to be used may be simple. It’s just too hard to track all of the online accounts we have, especially as more and more specialized services are introduced and become popular. While in the past users may have only needed to memorize their email and possibly their bank’s password, today they must contend with passwords to access each of their favorite social networking sites, blogs, phones, photos, games, documents, news sites, bank accounts, expense tracking services, stores, books, and dozens of other online services.
The question for many is how we can possibly remember all of these passwords, especially if, as recommended, we use a different, highly secure (and therefore not easily remembered) one at each site. Here are some quick tips to help you recall and easily manage them:
Use desktop password management tools. Several desktop tools can help you manage and safely store your passwords: you install software that keeps your passwords encrypted on your hard drive, and you only need to provide one “master” password to access the rest. Examples of such tools include KeePass, LastPass (free and fee versions are available), 1Password for Macs, and more. These tools give you a feeling of security since your password information is stored solely on your device, but be aware that should that device get lost, stolen, or hacked, you can lose your password information as well as open yourself to attack.
Store your passwords in the Cloud. An alternative is to use password managers that are solely accessible online and are hosted in the Cloud. These work the same way as desktop password managers but with the extra benefit of not having to download and install software on your PC. Another advantage is that they are available on any device or system as long as it is connected to the Internet, and losing your device does not put your passwords at risk. Examples are tools like Clipperz and LastPass. Be warned, though, that these sites can themselves be hacked, as LastPass experienced a few months back.
Use browser plugins. Some tools work as add-ons for your browser, and there are many of them. Some generate passwords on the fly, some store the information on your PC, and others store it in the cloud and sync it to your device. These services offer a compromise between purely desktop-bound password tools and purely online ones. They are, however, often tied to the browser you use.
Trust a single site with your identity. Another alternative is simply entrusting the security of your online identity to a single provider who hopefully has the resources to manage it more securely than you can on your own. These include large sites like Facebook, Google, and Yahoo, which often allow third-party sites to use your identity with your permission. If you don’t trust these sites, you can manage such an online identity on your own through services such as OpenID. This way you only need to secure and manage one password and identity, which you share with other sites as you see fit. The disadvantage, of course, is that not all sites may use or be compatible with these federated identity management systems. You may also have to consider the possibility that these large sites may become compromised themselves.
Managing your passwords can be a pain. Hopefully these tools can help you do so more efficiently and more effectively. Do you have other suggestions? Do you need assistance in setting these up for you or your company? Let us know – we’re happy to help!
