Passwords should evolve

Until we find something better, anyway! I was reading an interesting article on Ars Technica recently about how an ordinary guy with no particular hacking skills was able to crack some reasonably complex passwords. It's scary stuff, and it should make all of us take another look at this aspect of our security.

I've recently been evaluating a free password manager called KeePass, but it is truly ugly and not very Mac-like, so I can't recommend it. I'll certainly be having a look at 1Password; check back for a review in the future.

Why should you care?

Recently, Evernote was hacked. Now, I don't much care about the security of the stuff I clip off the web into my Evernote storage, but if someone got that password and tried it on other sites, I could have a real problem. Similarly, LivingSocial had a data breach recently: just imagine if you had used the same password on all of your shopping sites. In many of these cases the passwords themselves were not stored in the clear but as hashes (often loosely described as "encrypted"), yet it is common for the hash dump to be posted online, where anyone with a wordlist and a cracking tool can recover the originals offline, with no login page or account lockout to slow them down. The recovered passwords are then tried against other sites, so the breach of a site you barely care about becomes a breach of the ones you do. It's an ongoing threat, and the main reason to have a different password for each site.
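As an added illustration (my own example, not code from the Ars Technica article or from any of the breached sites): a constructed dump of unsalted SHA-1 password hashes is cracked offline with a tiny wordlist, and the recovered username/password pairs are then replayed against a second site that stores its passwords properly, with salted PBKDF2. The account names, passwords and wordlist are all made up.

```python
import hashlib
import os
import secrets

# --- Site A: breached. Stored unsalted SHA-1, as several real sites have done.
# Constructed data, not a real dump.
LEAKED_DUMP = {
    "alice": hashlib.sha1(b"Summer2013!").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# Constructed stand-in for the multi-million-entry wordlists crackers really use.
WORDLIST = ["password", "123456", "letmein", "Summer2013!", "qwerty"]


def crack_unsalted_sha1(dump, wordlist):
    """Offline dictionary attack on an unsalted dump.

    Each candidate is hashed once and looked up against every account at the
    same time: without a per-user salt, the whole dump costs a single pass
    over the wordlist. Returns {user: recovered_password}.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# --- Site B: does things properly (random salt, slow PBKDF2-HMAC-SHA256),
# but some of its users reused their Site A password.
def make_record(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record, password):
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    # Constant-time comparison so a login check doesn't leak digest bytes.
    return secrets.compare_digest(digest, record["digest"])


SITE_B_USERS = {
    "alice": make_record("Summer2013!"),                   # reused Site A password
    "bob": make_record("different-password-here"),         # unique password
    "carol": make_record("correct horse battery staple"),  # reused, but not in the wordlist
}


def credential_stuffing(cracked, site_b_users):
    """Replay every cracked (user, password) pair against Site B's login.

    Returns the sorted list of Site B accounts the attacker now controls.
    """
    return sorted(
        user for user, pw in cracked.items()
        if user in site_b_users and verify(site_b_users[user], pw)
    )


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(LEAKED_DUMP, WORDLIST)
    print("cracked on Site A:", cracked)
    print("also logged in on Site B:", credential_stuffing(cracked, SITE_B_USERS))
```

Two things to notice: carol's reused password survives only because it is not in the (tiny) wordlist, and Site B's salted, slow hash does nothing for alice, because the attacker never has to crack Site B at all. The salt and the iteration count protect a site's own dump; only a different password per site protects you from someone else's.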

One of my favourite passwords has been in use since I was at university. It isn't easy to guess or crack, and these days I only use it for low-value sites. But think of all the access it would give someone who had it: the online forums, support groups, manufacturer websites and so on. It's going to be a big job to retire it!

So where does that leave us? In an ideal world we wouldn't have passwords at all, but until then:

1. Your passwords should be 8-12 (or more!) characters long, and the longer the better
2. They should contain a mix of upper and lower case letters, numbers and other characters
3. You should use a different password for every site or service you have access to

Now I don't know about you, but that last requirement pretty much makes me want to forget about security altogether. But it does mean that the ONLY way to meet all three requirements is to use a password manager. Or a little book where you write everything down, which could get lost or stolen!

There's no way a normal person could satisfy these requirements without a password manager unless they used a memorised sequence to generate and remember their passwords, and if they do that, it's a security problem all of its own: anyone who recovers two or three of those passwords can work out the pattern and derive the rest.
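The three rules above, as a password manager would implement them, in an added example of my own (not KeePass or 1Password code): a policy check for rules 1 and 2, a generator that draws from a cryptographically strong source, and a per-site vault for rule 3. The vault here is just a dict; a real manager encrypts it at rest under a master password, which this example leaves out.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def meets_policy(password, min_length=12):
    """Rules 1 and 2: long enough, and one of each character class."""
    return (
        len(password) >= min_length
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length=16):
    """Uniformly random password of the given length that satisfies the policy.

    Uses the secrets module, not random: random is seeded predictably and is
    not suitable for anything an attacker might try to guess. Rejection
    sampling (draw, check, retry) keeps the result uniform over all valid
    strings, rather than biasing it by forcing a symbol into a fixed slot.
    """
    if length < 4:
        raise ValueError("need room for one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def new_vault(sites, length=16):
    """Rule 3: one independently generated password per site."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed list of sites; the passwords differ on every run.
    for site, pw in new_vault(["evernote", "livingsocial", "forum"]).items():
        print(f"{site:14} {pw}")
```

The generator is the part people get wrong most often. Anything built on `random`, the current time, or a fixed transformation of the site name gives an attacker who sees one or two of your passwords a shortcut to the rest, which is exactly the memorised-sequence problem above. The length and the source of randomness are what make the difference, not the presence of a symbol.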

Biometric security hasn't been the solution we thought it might be a few years ago: fingerprint scanners aren't particularly reliable, and facial recognition systems can often be defeated with a photograph of the person! Two-factor authentication is much better, but even RSA has had its own problems with SecurID.

In fact I thought the internet would explode when I found out that SSL was vulnerable, but the attack was complex enough that it remained technically feasible yet an interesting aside, rather than a deep threat.