Understanding Password Vaulting

securityIn my continuing series of excerpts from my new book Understanding Personal Data Security, I’m covering password generators and password vaulting. In the previous post, Password Basics, you learned that not only should you have a completely different password for each of your online accounts, but that you also should change those passwords on a regular basis (every six months, actually).

Nobody does this. And it’s understandable why. Most of us have a dozen or more online accounts—from Facebook and LinkedIn to our office workstation, bank accounts, email, and Dropbox. How can one possibly maintain strong passwords that are necessarily complex (and, therefore, difficult to remember) for each and every online account? And then change them every six months? If this is what’s necessary to properly protect our data, accounts, and identity from malicious hackers, how can we achieve such a daunting, impractical goal?

The answer lies in password vaulting. Apps that perform this function are also known as password managers. I’ve thrown in a section on password generators to help ensure that you’re vaulting a strong, difficult-to-crack password in the first place.

curtsig2 - trans
Curt Robbins


Password Generators

Password generators are websites, applications, or mobile apps that help you create strong and randomly generated passwords. Good password generators follow all the rules of strong passwords, including length, sophistication/complexity, and uniqueness.

Examples of good password generators include Norton Identity Safe Password Generator, random.org, the Strong Password Generator, PC Tools Password Generator, Sticky Password, and the Free Password Generator.

The password generator at random.org, when instructed to create a strong password of 20 characters in length, produced “KAm3S6DFSwra2w4z8mVt.” Note that this password contains no recognizable words or number segments (such as “sandwich” or “78910”). The problem with this password? It’s difficult to remember. This is where a password vault app that remembers for you is an indispensable tool.

vault-960

If you have to choose between a difficult-to-crack password and one that’s easy to remember, always choose the strong password and leverage either your memory or a software tool to help you. A password that’s easy to remember but cracked with little effort is basically worthless. Let me say that again: Basically worthless.

Password/Passphrase Vaulting

Password vaulting is the practice of storing many different passwords or passphrases behind a single, strong “master password,” typically via a software application (sometimes called a password manager). This is good practice because it’s a security compromise to use either the same password—regardless of its strength—on multiple accounts or to write them down on physical paper.

Consider installing such a password vault app on your smartphone, because this is the device you will typically have with you at all times. Some password management software and services offer cloud-based syncing across multiple devices, meaning you can access your passwords from any device, including a laptop or tablet. However, this also potentially compromises your security because your passwords are being stored in the cloud (personally, this makes me nervous and is something I don’t do).

fire damage for blog

With a password vault, you need remember only a single strong password to access all of your others. By not having to worry about your ability to remember all of these complex passwords, you can create much stronger and completely unique passwords for all of your accounts. Many security experts would say this is the only practical way to ensure strong passwords on all of your online accounts—especially those that you update religiously every six months and that are truly complex.

Recommended password vaulting apps include LastPass (free or premium accounts available for all platforms), Password Genie ($15/year for desktop computers, mobile apps available), Dashlane (well-reviewed, with both free and $30/year premium editions), RoboForm (which offers both password management and form filling functions for $10/year), KeePass (freeware), DirectPass (from Trend Micro, free for up to five passwords, $15/year for unlimited), Sticky Password ($12/year), and Norton Identity Safe (warns of weak passwords and is free).

Your Password Challenge

Your challenge is creating and using passwords and passphrases that are easy for you to remember (or easy to access, such as with vaulting) while being very long or complex and difficult to crack. The use of password vault software obviously negates the need to remember passwords.

However, not all passwords need to be easy to remember. For example, your home wi-fi network password can be very difficult and long, because you input it only once, for the most part. A workstation login ID and password you type into your computer at work a dozen or more times per day, on the other hand, needs to be easy to remember and practical to type in at a moment’s notice (like with your boss hovering over your shoulder asking for data). These are very different types of passwords in terms of your need to memorize them and the frequency with which they are input.

Stanford University Password Rules

Stanford University in 2014 revised its password rules, encouraging students, staff, and faculty to utilize passphrases, not passwords. I’m a big fan of the Stanford password rules. They’re a great compromise between practicality (your ability to actually remember the password) and effectiveness (how well the password/passphrase keeps out hackers). If everyone simply followed these rules, their data and accounts would be much more secure.

stanford-password-policy-640x2000

In a nutshell, Stanford relaxes the strictness requirements of passwords/passphrases as they increase in length. For example, shorter passwords (eight to 15 characters) must include a mix of letters, numbers, and punctuation symbols. Passwords longer than 20 characters, however, feature no restrictions (they don’t require the use of mixed case, numbers, or symbols) because their length alone gives them the strength they need. Stanford’s standards are listed below.

  • 8-11 characters: Mixed case letters, numbers, and symbols
  • 12-15 characters: Mixed case letters and numbers
  • 16-19 characters: Mixed case letters
  • 20+ characters: No restrictions

According to tech site Ars Technica, “By allowing extremely long passcodes and relaxing character complexity requirements as length increases, the new standards may make it easier to choose passwords that resist the most common types of cracking attacks.”


Curt Robbins is author of the following books from Amazon Kindle:

You can follow him on Twitter at @CurtARobbins, read his AV-related blog posts at rAVe Publications, and view his photos on Flickr.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s