Passwords have become a permanent part of our day-to-day lives. Every year you must remember more passwords, and every year they get easier to crack. The recent theft of over a billion passwords by Russian hackers is just one of many incidents forcing us to take notice. Simply put, we need to do more to keep our passwords safe.
Before we get into solutions, it is important to understand just how easily your password can be cracked. The basic methodology behind password cracking is simple:
- Step 1: Obtain the encrypted file – Obtaining the encrypted files varies in complexity. It can be as simple as stealing a laptop, or as complex as sitting in a public space pretending to be a wireless access point. It all depends on how much time and effort someone wants to put into the attack.
- Step 2: Run programs designed to “crack” the encryption against the file – Once you have the encrypted files, running programs against them is as easy as a free download. Easily one of the most talked-about reports (and a wonderful read) is by Steve Ragan of The Tech Herald. Back in 2012 Ragan cracked over 80,000 encrypted passwords in just 5 hours with a $300 off-the-shelf computer and free software.
- Step 3: Use the password obtained to gain access – Once you obtain the password, access is the simple part: just “plug and play”. Many web apps send the user name across the network in the clear; they do nothing to even try to cover it up.
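How quickly step 2 succeeds depends mostly on how the stolen file stores its passwords. The following added example (my own illustration, not code from the article or from any cracking tool) builds a constructed credential file of unsalted MD5 hashes for three made-up users, recovers the weak ones with a single precomputed lookup table, and then times how much more each guess costs when the same password is stored with salted PBKDF2. The wordlist, the user names and the 200,000-iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample: a tiny "stolen" credential file holding unsalted MD5
# hashes, the way many older web applications stored them. The plaintexts
# are chosen here for the demonstration; nothing comes from any real breach.
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou", "Tr0ub4dor&3"]
STOLEN_UNSALTED = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob": hashlib.md5(b"qwerty").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),  # not in the list
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the slow-hash comparison


def crack_unsalted_md5(stolen, wordlist):
    """Step 2 against a fast, unsalted hash: hash each candidate once, then look
    every stolen hash up in that table. One table serves every account, because
    nothing about the stored value differs between users."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def hash_password(password, salt=None):
    """Store a password the defensive way: a random per-user salt plus a slow KDF.
    The salt defeats the shared lookup table; the iteration count makes every
    single guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def guesses_per_second(hash_fn, candidate=b"password", seconds=0.2):
    """Measure how many guesses this machine can try per second with hash_fn."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(candidate)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    recovered = crack_unsalted_md5(STOLEN_UNSALTED, WORDLIST)
    print("recovered from unsalted MD5:", recovered)

    salt, _ = hash_password("letmein")
    fast = guesses_per_second(lambda c: hashlib.md5(c).hexdigest())
    slow = guesses_per_second(
        lambda c: hashlib.pbkdf2_hmac("sha256", c, salt, PBKDF2_ITERATIONS), seconds=1.0
    )
    print(f"MD5: ~{fast:,.0f} guesses/s on this machine")
    print(f"PBKDF2-SHA256, {PBKDF2_ITERATIONS:,} iterations: ~{slow:,.1f} guesses/s")
```

Run it and the two rates differ by several orders of magnitude: the unsalted file gives up every wordlist password in one pass, while the salted, iterated form forces the attacker to pay the full KDF cost for each guess against each user. The exact numbers depend on the machine, which is why the block measures rather than hard-codes them.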
“So as long as my password is very strong, I’ll be safe?”
Unfortunately no. Consider the password you are using for the computer you are on right now. How many times have you used that same password on another site? How many times have you reused any password on any site?
A 2013 study by Ofcom shows that 55% of adults use the same password for every site. Most people do not want to remember a bunch of 20-character passwords. Just remember that not all websites are created equal. Banks have regulations and security professionals to track and mitigate all the risks of logins, passwords and the databases that house them. What about that forum you joined with all those great recipes? Did you use the same password? What if that forum is maintained by someone who knows nothing about information security? If you reuse a password, a hacker can easily crack the insecure forum and use that password to access all of your other accounts that share it. Assume that every site you sign up for and use a password on is at risk.
“So as long as my passwords are all different going forward, I’ll be safe?”
Not necessarily. You’ll need to go one step further and change all your passwords now. One of the many reasons for this is the Heartbleed vulnerability. This well-known flaw was out in the wild for two years before it was found, so any password you used in the last two years should be assumed compromised.
“How can I keep track of all these passwords?”
Chances are you won’t be able to keep track of all your passwords. I have seen people create text files filled with their passwords and print them out. Nine times out of ten, they also save the text file on their desktop. This is a massive security risk: malware can easily search through such files and find this information.
There are a few great programs out there that can help you keep track of passwords. The one I prefer is KeePass. It runs on Windows, OS X, Linux, Android and iPhone. KeePass requires you to create an encrypted database, and it has options to create random passwords if you like. Imagine having a 64-character bank password that you can easily change any time you want.
Check out this calculator from opensecurityresearch.com. A generated password 64 characters long that uses upper- and lower-case alphanumeric characters and all the special characters available would take approximately 3.616970485907535e+113 years 79 days 18 hours 55 minutes and 58 seconds to brute force.
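To see where a figure like that comes from, here is an added example (my own, not the calculator's code) that computes the keyspace and the worst-case brute-force time from the password length, the character-set size and an assumed guess rate. The 95-character set (printable ASCII) and the rate of one billion guesses per second are assumptions; the calculator's own rate is not stated on the page, so the output will not match its figure exactly, but the arithmetic is the same.

```python
import string

# Character-class sizes assumed for the calculation: printable ASCII, i.e.
# 26 lower, 26 upper, 10 digits and 32 punctuation marks plus the space (95 total).
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),
    "upper": len(string.ascii_uppercase),
    "digits": len(string.digits),
    "special": len(string.punctuation) + 1,  # punctuation plus space
}
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(length, charset_size):
    """Number of candidate passwords an attacker has to consider."""
    return charset_size ** length


def brute_force_seconds(length, charset_size, guesses_per_second, average=False):
    """Worst-case seconds to exhaust the keyspace (or half of it for the average
    case). Integer arithmetic keeps the astronomically large values exact."""
    candidates = keyspace(length, charset_size)
    if average:
        candidates //= 2
    return candidates // guesses_per_second


def format_duration(seconds):
    """Render a second count as years, days, hours, minutes and seconds,
    switching to scientific notation once the year count stops being readable."""
    years, rem = divmod(seconds, SECONDS_PER_YEAR)
    days, rem = divmod(rem, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    years_text = f"{years:.6e}" if years >= 10**15 else str(years)
    return f"{years_text} years {days} days {hours} hours {minutes} minutes {secs} seconds"


if __name__ == "__main__":
    rate = 10**9  # assumed attacker speed against a fast hash: one billion guesses/s
    full = sum(CHARSET_SIZES.values())
    for label, length, size in [
        ("8 lower-case letters", 8, CHARSET_SIZES["lower"]),
        ("8 chars, full set", 8, full),
        ("16 chars, full set", 16, full),
        ("64 chars, full set", 64, full),
    ]:
        worst = format_duration(brute_force_seconds(length, size, rate))
        print(f"{label:22} keyspace {keyspace(length, size):.3e}  worst case: {worst}")
```

The table this prints makes the article's point concretely: at the same guess rate an 8-character lower-case password falls in minutes, while each extra character multiplies the work by the size of the character set, which is why a long generated password is out of reach even for an attacker who never slows down.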
KeePass requires one of three methods to secure your password database. A master password is what I use so I can access my database on any device. If you absolutely hate passwords altogether, you can opt for a key file; this means you do not need any password, only the file you designate as the key. This is a popular option, although I would suggest backing up your key file. The Windows User Account option attaches the encryption to your Windows logon; if your machine takes a dive, however, your database will be no good.
In the main window, you can categorize all your passwords in containers with labels and icons differentiating each. There is no limit to the number of entries you can add to each container.
Adding a new entry is a breeze. KeePass also has an option to auto input your username and password into web forms with just a click.
The Password Generator is the reason I use KeePass. This is where you can generate long passwords and never have to know them. Remember that not every website is created equal, so using the same password over and over is a security risk. With this available, you can protect yourself by always having something different. KeePass will also remind you when to change your passwords based on criteria you set.
Before you dump all of your passwords into a KeePass database, or any other password manager, remember that once that database is gone, it’s gone forever. Always back up your data to a safe location.
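What a generator like this has to get right is the source of randomness and the distribution of the result. The added example below (my own, not KeePass's generator) draws every character from the operating system's cryptographic random source via Python's secrets module, rejects any draw that misses a character class so the password satisfies the usual site rules, and reports the entropy of what it produced. The four character classes and the default length of 64 are assumptions for the demonstration.

```python
import math
import secrets
import string

# Character classes the generated password must draw from (assumption:
# printable ASCII without the space, 94 characters in total).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def missing_classes(password):
    """Names of the classes that do not occur anywhere in the password."""
    return [name for name, chars in CLASSES.items() if not any(c in chars for c in password)]


def generate_password(length=64):
    """Choose each character uniformly with the OS CSPRNG (secrets, never the
    random module) and reject whole draws that miss a class. Rejection sampling
    keeps every accepted password equally likely, unlike forcing one character
    of each class into fixed positions, which would tell an attacker where to look."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)} to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly chosen password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(64)
    print(pw)
    print(f"{len(pw)} characters, about {entropy_bits(len(pw)):.0f} bits of entropy")
```

A 64-character password from this alphabet carries roughly 420 bits of entropy, far beyond what any brute-force calculation can touch, and because the password manager types it for you its length costs nothing to use.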