Understanding Password Vaulting

In my continuing series of excerpts from my new book Understanding Personal Data Security, I’m covering password generators and password vaulting. In the previous post, Password Basics, you learned that not only should you have a completely different password for each of your online accounts, but that you also should change those passwords on a regular basis (every six months, actually).

Nobody does this. And it’s understandable why. Most of us have a dozen or more online accounts—from Facebook and LinkedIn to our office workstation, bank accounts, email, and Dropbox. How can one possibly maintain strong passwords that are necessarily complex (and, therefore, difficult to remember) for each and every online account? And then change them every six months? If this is what’s necessary to properly protect our data, accounts, and identity from malicious hackers, how can we achieve such a daunting, impractical goal?

The answer lies in password vaulting. Apps that perform this function are also known as password managers. I’ve thrown in a section on password generators to help ensure that you’re vaulting a strong, difficult-to-crack password in the first place.

Curt Robbins


Password Generators

Password generators are websites, applications, or mobile apps that help you create strong and randomly generated passwords. Good password generators follow all the rules of strong passwords, including length, sophistication/complexity, and uniqueness.

Examples of good password generators include Norton Identity Safe Password Generator, random.org, the Strong Password Generator, PC Tools Password Generator, Sticky Password, and the Free Password Generator.

The password generator at random.org, when instructed to create a strong password of 20 characters in length, produced “KAm3S6DFSwra2w4z8mVt.” Note that this password contains no recognizable words or number segments (such as “sandwich” or “78910”). The problem with this password? It’s difficult to remember. This is where a password vault app that remembers for you is an indispensable tool.


If you have to choose between a difficult-to-crack password and one that’s easy to remember, always choose the strong password and leverage either your memory or a software tool to help you. A password that’s easy to remember but cracked with little effort is basically worthless. Let me say that again: Basically worthless.

Password/Passphrase Vaulting

Password vaulting is the practice of storing many different passwords or passphrases behind a single, strong “master password,” typically via a software application (sometimes called a password manager). This is good practice because it’s a security compromise to use either the same password—regardless of its strength—on multiple accounts or to write them down on physical paper.

Consider installing such a password vault app on your smartphone, because this is the device you will typically have with you at all times. Some password management software and services offer cloud-based syncing across multiple devices, meaning you can access your passwords from any device, including a laptop or tablet. However, this also potentially compromises your security because your passwords are being stored in the cloud (personally, this makes me nervous and is something I don’t do).


With a password vault, you need remember only a single strong password to access all of your others. By not having to worry about your ability to remember all of these complex passwords, you can create much stronger and completely unique passwords for all of your accounts. Many security experts would say this is the only practical way to ensure strong passwords on all of your online accounts—especially those that you update religiously every six months and that are truly complex.

Recommended password vaulting apps include LastPass (free or premium accounts available for all platforms), Password Genie ($15/year for desktop computers, mobile apps available), Dashlane (well-reviewed, with both free and $30/year premium editions), RoboForm (which offers both password management and form filling functions for $10/year), KeePass (freeware), DirectPass (from Trend Micro, free for up to five passwords, $15/year for unlimited), Sticky Password ($12/year), and Norton Identity Safe (warns of weak passwords and is free).

Your Password Challenge

Your challenge is creating and using passwords and passphrases that are easy for you to remember (or easy to access, such as with vaulting) while being very long or complex and difficult to crack. The use of password vault software obviously negates the need to remember passwords.

However, not all passwords need to be easy to remember. For example, your home wi-fi network password can be very difficult and long, because you input it only once, for the most part. A workstation login ID and password you type into your computer at work a dozen or more times per day, on the other hand, needs to be easy to remember and practical to type in at a moment’s notice (like with your boss hovering over your shoulder asking for data). These are very different types of passwords in terms of your need to memorize them and the frequency with which they are input.

Stanford University Password Rules

Stanford University in 2014 revised its password rules, encouraging students, staff, and faculty to utilize passphrases, not passwords. I’m a big fan of the Stanford password rules. They’re a great compromise between practicality (your ability to actually remember the password) and effectiveness (how well the password/passphrase keeps out hackers). If everyone simply followed these rules, their data and accounts would be much more secure.


In a nutshell, Stanford relaxes its complexity requirements for passwords/passphrases as they increase in length. For example, shorter passwords (eight to 15 characters) must include a mix of letters, numbers, and punctuation symbols. Passwords longer than 20 characters, however, feature no restrictions (they don’t require the use of mixed case, numbers, or symbols) because their length alone gives them the strength they need. Stanford’s standards are listed below.

  • 8-11 characters: Mixed case letters, numbers, and symbols
  • 12-15 characters: Mixed case letters and numbers
  • 16-19 characters: Mixed case letters
  • 20+ characters: No restrictions

According to tech site Ars Technica, “By allowing extremely long passcodes and relaxing character complexity requirements as length increases, the new standards may make it easier to choose passwords that resist the most common types of cracking attacks.”
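The tiered rules above as an added, runnable check (example code, not Stanford’s or the post’s own tool). The tier table is taken from the list above; that any character other than a letter or digit counts as a symbol is an assumption about how Stanford classifies punctuation.

```python
# Stanford's 2014 length tiers as listed in the post: (min, max, required
# character classes). The longer the password, the fewer classes it needs.
STANFORD_TIERS = [
    (8, 11, {"lower", "upper", "digit", "symbol"}),
    (12, 15, {"lower", "upper", "digit"}),
    (16, 19, {"lower", "upper"}),
    (20, None, set()),  # 20+ characters: no restrictions
]

def character_classes(password):
    """Return the set of character classes present in the password.

    Assumption: anything that is not a letter or digit (punctuation,
    space, etc.) is counted as a symbol.
    """
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def check_stanford_policy(password):
    """Return (accepted, reason) for a candidate under the tiered rules."""
    length = len(password)
    for low, high, required in STANFORD_TIERS:
        if length >= low and (high is None or length <= high):
            missing = required - character_classes(password)
            if missing:
                return False, "%d characters: missing %s" % (
                    length, ", ".join(sorted(missing)))
            return True, "%d characters: accepted" % length
    return False, "%d characters: shorter than 8" % length

if __name__ == "__main__":
    # Candidates taken from the post; note that Stanford accepts
    # "MaryHadALittleLamb" (18 chars, mixed case) even though the post's
    # own 16-character rule would reject it for lacking numbers and symbols.
    for candidate in ("iloveyou", "yabbadabbado123", "Tr0ub4dor&3",
                      "MaryHadALittleLamb", "KAm3S6DFSwra2w4z8mVt"):
        print("%-24s %s" % (candidate, check_stanford_policy(candidate)[1]))
```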


Curt Robbins is author of the following books from Amazon Kindle:

You can follow him on Twitter at @CurtARobbins, read his AV-related blog posts at rAVe Publications, and view his photos on Flickr.


Personal Data Security: Password Basics

This post is an excerpt from my new book Understanding Personal Data Security, which covers centralized data, backups, strong passwords, and malware protection. The following is from Chapter 4: Passwords.

Also check out the previous posts in this series, including Personal Data Security: Backups, 3-2-1 Backup Rule: Get Offsite, and Personal Data Security: NAS.

Curt Robbins


Basic Password Rules

There are some basic rules that will help prevent hackers from stealing your passwords, gaining access to your online accounts, or stealing your identity. While following these rules doesn’t guarantee that your accounts won’t be compromised, it vastly improves the resiliency of your online accounts and protects you about as much as possible.

You’re creating what is known as a “strong password,” meaning it has a mix of letters (both lower and upper case), numbers, and symbols and is of a minimum length.

  • Make a Strong Password: Use a minimum of 16 characters that are a mix of upper and lower case letters, numbers, and symbols. Don’t use easy-to-guess phrases, such as “iloveyou” or “MaryHadALittleLamb.” While “MaryHadALittleLamb” has both upper and lower case letters and is of appropriate length, it lacks numbers and symbols. Also, hackers look for common phrases, using dictionaries and even terabytes of Wikipedia and Bible content as a “check against” list. Guess it’s time to change that “yabbadabbado123” password.
  • Change Your Password Frequently: You should change your password/passphrase every six months. This is the rule few people follow (simply because it’s a hassle), especially if all of your online accounts feature unique passwords. Nobody ever said protecting your accounts and data was a total cakewalk.
  • Use a Unique Password on Each Account: Nobody likes this because it’s such a pain (especially when you should change all passwords with such frequency). This is where password vault software comes in handy. In 2014, nearly no one has only one or two online accounts. A dozen or more accounts is not uncommon. As you’ll learn below, password vault apps that store all of your passwords in a single password-protected program or app are a solid strategy for keeping several long, strong passwords at your fingertips.
  • Tell Nobody: This means nobody. Putting effort into creating strong passwords that are difficult to crack and then simply giving them away to a friend or co-worker is stupid. Even if your friend/family member has no malicious intent, they can easily get sloppy and expose your password to others (like by writing it on a sticky note and slapping it on their computer monitor!). There’s no reason for anyone else to know your passwords. It’s simply antithetical to the cause!

Even if a hacker doesn’t get your password from you or your devices, the bad guys can compromise a password database held by a service provider (your bank, email service, large retailers like Target or Amazon, social media like Facebook or LinkedIn, etc.). Once the hacker has gotten into the password database (often by breaking its encryption), they then have to guess the passwords. Something like “P@ssw0rd1” will be guessed in mere seconds. Regardless of the quality of your home or office firewall or the security of the individual devices you use to access your accounts, the password itself must stand up to the most robust cracking attempts that will most likely be perpetrated on the organization with which you have an account.

Strong Passwords

You have already learned that the strength of your passwords is determined by their length, complexity, and lack of predictability (why you don’t want “maryhadalittlelamb” or “ILoveNY”).

The password “Tr0ub4dor&3” seems like a relatively strong password on the surface. Although it’s too short (only 11 characters), it features both lower and upper case letters, numbers, and a symbol. However, a hacker with a computer capable of producing 1,000 guesses per second (an old computer can do this) will require only three days to guess this password. Compare this to “correcthorsebatterystaple,” a passphrase that requires 550 years to crack (at the same rate of 1,000 guesses per second). And this passphrase doesn’t even include upper case letters, numbers, or symbols! By adding these elements, you would have a passphrase that, for all practical purposes, is nearly impossible to crack (unless it’s the NSA trying to get it) and relatively easy to remember.
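To show where the crack-time figures above come from, an added worked calculation (example code, not from the post). It converts a quoted crack time at 1,000 guesses per second back into bits of search space, and assumes that a four-word passphrase is drawn from a 2,048-word list and that random.org draws its 20-character password uniformly from the 62 alphanumerics; neither assumption is stated in the post.

```python
import math

GUESSES_PER_SECOND = 1_000          # the rate the post uses
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

def crack_time_seconds(bits, rate=GUESSES_PER_SECOND):
    """Seconds to exhaust a search space of 2**bits candidates at `rate`."""
    return 2 ** bits / rate

def bits_from_crack_time(seconds, rate=GUESSES_PER_SECOND):
    """Invert: how many bits of search space does a quoted crack time imply?"""
    return math.log2(seconds * rate)

def random_string_bits(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def wordlist_bits(word_count, list_size):
    """Entropy of `word_count` words drawn uniformly from a `list_size`-word list."""
    return word_count * math.log2(list_size)

if __name__ == "__main__":
    # The post's figures converted back to bits: about 28 bits for
    # "Tr0ub4dor&3" (3 days) and about 44 bits for
    # "correcthorsebatterystaple" (550 years).
    print("3 days    -> %.1f bits" % bits_from_crack_time(3 * SECONDS_PER_DAY))
    print("550 years -> %.1f bits" % bits_from_crack_time(550 * SECONDS_PER_YEAR))
    # Assumption: four words from a 2,048-word list reproduces those 44 bits,
    # so the passphrase is strong because of its words, not its 25 letters.
    print("4 words from a 2048-word list -> %.0f bits" % wordlist_bits(4, 2048))
    # Assumption: random.org draws 20 characters uniformly from 62 alphanumerics.
    bits = random_string_bits(20, 62)
    print("20 random alphanumerics -> %.0f bits, %.1e years at 1,000/s" % (
        bits, crack_time_seconds(bits) / SECONDS_PER_YEAR))
```

Raising the guess rate only divides the time: every factor of 1,000 in attacker speed takes roughly 10 bits off the effective strength, which is why the 28-bit password falls long before the 119-bit one.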

Longer, more complex passphrases are also more difficult for others to steal through simple observation. Sometimes, passwords are nefariously obtained by the act of observing the owner type them. Short, simple passwords and passphrases can be learned by watching the owner input them only once or maybe a few times. If someone really wants your password, they may even use a wi-fi-based webcam or security camera to record your keystrokes! Don’t underestimate the lengths to which a hacker or enemy will go to steal your information, identity, or money.

One of the best ways to understand strong passwords is to consider weak examples. Weak passwords include those that:

  • are shorter than 16 characters
  • include personal details such as your name or the name of a family member, a pet’s name, your street or address, your birthday, etc.
  • include complete words or sequential number strings (like “qwerty” and “12345678”)
  • lack a mix of upper and lower case letters
  • lack numbers
  • lack symbols
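The six weak-password criteria above as an added checker (example code, not from the post). The personal details, the tiny stand-in dictionary and the keyboard rows are constructed sample data, not a real cracking wordlist.

```python
# Constructed sample data for the checks (not from the post and not a real
# cracking wordlist): details an attacker might know about the owner, a tiny
# dictionary, and keyboard rows for walks like "qwerty".
PERSONAL_DETAILS = ["Mary", "Fido", "Elm Street", "1984"]
COMMON_WORDS = {"love", "password", "horse", "lamb", "little", "yabba"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def has_sequential_run(password, run_length=4):
    """True if `run_length` consecutive characters step by one (abcd, 1234)
    or walk along a keyboard row (qwer)."""
    s = password.lower()
    for i in range(len(s) - run_length + 1):
        chunk = s[i:i + run_length]
        stepping = all(ord(chunk[j + 1]) - ord(chunk[j]) == 1
                       for j in range(run_length - 1))
        if stepping and (chunk.isdigit() or chunk.isalpha()):
            return True
        if any(chunk in row for row in KEYBOARD_ROWS):
            return True
    return False

def weak_password_reasons(password, personal_details=PERSONAL_DETAILS,
                          dictionary=COMMON_WORDS):
    """Return which of the post's six weak-password criteria the candidate hits."""
    reasons = []
    lowered = password.lower().replace(" ", "")  # match regardless of case/spacing
    if len(password) < 16:
        reasons.append("shorter than 16 characters")
    if any(d.lower().replace(" ", "") in lowered for d in personal_details):
        reasons.append("contains a personal detail")
    if has_sequential_run(password) or any(w in lowered for w in dictionary):
        reasons.append("contains a complete word or sequential string")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        reasons.append("lacks mixed case")
    if not any(c.isdigit() for c in password):
        reasons.append("lacks numbers")
    if not any(not c.isalnum() for c in password):
        reasons.append("lacks symbols")
    return reasons

if __name__ == "__main__":
    for candidate in ("MaryHadALittleLamb", "qwerty12345678", "Tr0ub4dor&3",
                      "KAm3S6DF!Swra2w4z8mVt"):
        print(candidate, "->", weak_password_reasons(candidate) or ["no weak-list hits"])
```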
