Security News

<< Next Post - Previous Post >>

A story about Password: The Wrong Formula

In this article I will first talk about some misconceptions regarding what is considered a secure password and then about how you can leverage different technologies to help protect your different credentials.

In the past few years there has been a sharp increase in websites being hacked and their users’ passwords/hashes stolen, in parallel we are using online services for almost everything: to pay for your local pizzeria delivery or your electricity bill, access your bank account, connect to your work email, etc.

The common advice is to use different passwords for each site you register to, but most people don’t. It means that hackers can often reuse credentials they obtained on one website to access another.

One way to counter that risk would be to use some kind of formula so you remember a different password for each site you have registered to. This *could* be the best solution, as remembering a password formula means you do not have to write it down. However, the question is how secure your formula really is? How easily could it be reverse engineered? It may not be possible for an attacker to do it with knowing only one password, but what about 2? or 3? or more? would a pattern start to emerge?

Let’s take an example of a simple password formula, by taking the first letters of an easy to remember sentence tailored to a given site, www.google.com in this example:

I Love My dog And I Like Google since 1997

The password would be: ILMdAILGs1997

At first, this looks pretty good… especially if you start adding punctuations and special characters.

But if you use the same formula somewhere else, this time for www.yahoo.com, the password would just have one different letter: ILMdAILYs1997

Even if you were to make your password “expire” by changing the last number on a regular basis, I.e. each January, a pattern would still to be easily identifiable if an attacker gets hold of several of your passwords…

Of course, this means someone would need to get your credentials from different sources, Google and Yahoo in this example. But the point is that with the increasing number of websites we subscribe to, we are also increasing the chances that our credentials get stolen and patterns get discovered.

Passwords need to be unique to each system they are used on and they need to be as random as possible.

Not writing your password down but remembering it feels like the most secure solution. Until you look a bit deeper at how all your different passwords are constructed and realise they are not truly random and unique…

The best way to use unique, random and strong passwords is to save them into a password safe, a software that acts as a safe for sensitive information by storing it into an encrypted database. All your passwords are then protected by a master key/password.

Password safes are not new, in fact one of the most popular has been around since 2002.

http://passwordsafe.sourceforge.net/

But what is new is how you can achieve the following requirements, so you do not compromise on usability:

– Passwords need to be accessible from all your devices;

– Passwords need to be backed up securely;

– Passwords need to be easy to reset.

This is where Cloud storage can help you.

You can use PasswordSafe from Sourceforge to create an encrypted list of strong passwords and store that list onto a cloud storage service such as Dropbox. Then synchronize that Dropbox folder/file on all your different devices.

Because PasswordSafe and Dropbox can be used on most operating systems and platforms, including mobile devices, you will be able to access your passwords from anywhere. More importantly, you will also be able to synchronise any changes from anywhere, securely.

You do rely however on how secure the implementation of Password Safe is on the different medium you install it and if someone installs a key logger on your computer then you could lose access to all your passwords!

The only password you need to remember is the master password to your safe which should not be reused anywhere else.

<< Next Post - Previous Post >>