Infosec for everyone


Password Managers... and why you need them

Posted on: 18-Oct-2012
Author: cmk
"Show me a person who has not reused his password on at least two websites and I will show you a liar."
- Practical InfoSec

All of us, even the most security conscious, have used the same password across multiple logins at least once. Not only that, most of us have used passwords that are easy to remember (and easy to guess!). Some of us write down passwords on post-its to ensure they are never forgotten.

Meanwhile, security professionals (yours truly included) are at their job to make our lives tougher. They want us to keep ‘complex’ passwords. Not only do I have to use numbers, upper case and lower case, but I also need to use characters that look like edited expletives. Then, they want me not to write it down. To top it all, I cannot use the last three passwords.

Why is there such a hullabaloo about passwords? I shall resort to the most used cliche. Passwords are like keys to doors. Will you use the same key for your home and for your safe deposit vault? Will you use the same password for your mail and your net-banking? Get the point?

System compromise due to poor passwords is one of the most common types of attack. When you think of a ‘hacker’ (not getting into the hacker, cracker and script kiddie business here) do you imagine a geek in front of a black and green screen running complex code that ends with ‘Access Granted’? Change that perception. Think of your friend, your girlfriend, your next door neighbor, all just typing your username into Gmail and trying to guess what your password might be. This is the attack you are most likely to face. Your password needs to be complex enough to prevent it.

Another common type of attack is what security professionals call a ‘dictionary attack’. Basically, it means that I write a simple program that tries every word in the dictionary (and some combinations of those words with commonly used passwords) on your account to see if it gets unlocked. Attackers will try ‘password’ or ‘password123’ or ‘password@123’ or ‘password#123’ or ‘qwerty#123’ and so on (all words in the dictionary and common distortions of the username) till they get access to your account. This is the primary reason why accounts get locked out after a particular number of incorrect attempts. Hence, the insistence on complex passwords.

The need for complex passwords and the need for something simple to remember have been tugging at each other for a while. Simple solution? Start using password managers. Password managers are software programs (either downloadable or on the web) that remember your passwords for you. Effectively, you have to remember only one complex phrase. The rest is managed by the password manager.

If you search for password managers, you will come across many links to products that manage passwords. I have used ‘KeePass’ (www.keypass.info) for a few years. I put all my passwords in a KeePass container and kept it on a USB drive. I backed it up to Dropbox at regular intervals. Of course, there is the additional pain of connecting your USB drive and entering the master password every so often, but it is well worth it. There are other applications like ‘Roboforms’, ‘Lastpass’ and ‘1password’ (which I am currently using). Some of them come with password generators, which means not only do you not need to remember passwords, you don’t even need to know them! Techsupportalert has a very nice page on them: http://www.techsupportalert.com/best-free-web-form-filler-password-manager.htm

Download one of them and start using it now! Peace of mind guaranteed!

Warning: Ensure that you download authentic software that has a reputation for security.
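As an added example (not from the original post), here is a small Python check that applies the guessing strategy described above from the defender's side, the way a sign-up form or password-change screen would: it flags a chosen password that a word-list guess with a common separator-and-digits tail, a leetspeak distortion, or a twist on the username would hit. The word list and the substitution table are constructed stand-ins for a real dictionary and breached-password list.

```python
import re
from typing import Optional

# Constructed mini word list; a real check would load a full dictionary plus a
# breached-password list. Entries are lower-case.
COMMON_WORDS = {"password", "qwerty", "welcome", "letmein", "dragon"}

# The tails the post lists: an optional separator and a short run of digits,
# e.g. "123", "@123", "#123", "2012!". May match the empty string, which is harmless.
TAIL_RE = re.compile(r"[@#!$%^&*._-]?\d{0,6}[@#!$%^&*._-]?$")

# Common character substitutions used to 'distort' a dictionary word (constructed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Lower-case, drop one trailing separator/digit tail, then undo leetspeak."""
    lowered = candidate.lower()
    stripped = TAIL_RE.sub("", lowered, count=1)
    return stripped.translate(LEET)


def guessable_reason(password: str, username: str = "") -> Optional[str]:
    """Return 'dictionary' or 'username' if the guessing strategy the post
    describes would find this password, otherwise None (not guessable this way)."""
    base = normalize(password)
    if base in COMMON_WORDS:
        return "dictionary"
    uname = username.lower()
    # Username as-is or reversed, after the same tail stripping and de-leeting.
    if uname and base in (uname, uname[::-1]):
        return "username"
    return None


if __name__ == "__main__":
    for pw, user in [("password@123", ""), ("P@ssw0rd", ""), ("Alice2012!", "alice"),
                     ("correct horse battery staple", "alice")]:
        print(f"{pw!r}: {guessable_reason(pw, user)}")
```

A None result only means this particular strategy would not find the password; it says nothing about length or randomness, which a password generator takes care of.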