Understanding Password Vaulting

In my continuing series of excerpts from my new book Understanding Personal Data Security, I’m covering password generators and password vaulting. In the previous post, Password Basics, you learned that not only should you have a completely different password for each of your online accounts, but that you also should change those passwords on a regular basis (every six months, actually).

Nobody does this. And it’s understandable why. Most of us have a dozen or more online accounts—from Facebook and LinkedIn to our office workstation, bank accounts, email, and Dropbox. How can one possibly maintain strong passwords that are necessarily complex (and, therefore, difficult to remember) for each and every online account? And then change them every six months? If this is what’s necessary to properly protect our data, accounts, and identity from malicious hackers, how can we achieve such a daunting, impractical goal?

The answer lies in password vaulting. Apps that perform this function are also known as password managers. I’ve thrown in a section on password generators to help ensure that you’re vaulting a strong, difficult-to-crack password in the first place.

Curt Robbins


Password Generators

Password generators are websites, applications, or mobile apps that help you create strong and randomly generated passwords. Good password generators follow all the rules of strong passwords, including length, sophistication/complexity, and uniqueness.

Examples of good password generators include Norton Identity Safe Password Generator, random.org, the Strong Password Generator, PC Tools Password Generator, Sticky Password, and the Free Password Generator.

The password generator at random.org, when instructed to create a strong password of 20 characters in length, produced “KAm3S6DFSwra2w4z8mVt.” Note that this password contains no recognizable words or number segments (such as “sandwich” or “78910”). The problem with this password? It’s difficult to remember. This is where a password vault app that remembers for you is an indispensable tool.
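To make the rules above concrete, here is an added example (written for this post, not code from any of the generators listed above) of how a sound generator works: it draws every character from the operating system’s cryptographic random number generator, never from a predictable seed, and reports the resulting strength in bits. The 16-word list is constructed for the demonstration; a real passphrase generator would use a published list such as Diceware’s 7,776 words.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Character sets a generator can draw from. AlphaNum has 62 characters;
// AlphaNumSym adds 28 printable ASCII symbols, for 90 in total.
const (
	AlphaNum    = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
	AlphaNumSym = AlphaNum + "!#$%&()*+,-./:;<=>?@[]^_{|}~"
)

// Constructed sample wordlist (assumption: a real Diceware-style list has
// 7,776 words; this one has only 16, so each word contributes 4 bits).
var wordlist = []string{
	"correct", "horse", "battery", "staple", "orbit", "velvet", "canyon", "pixel",
	"lantern", "meadow", "quartz", "tundra", "harbor", "falcon", "ember", "glacier",
}

// randIndex returns a uniformly distributed integer in [0, n) from the
// operating system's CSPRNG. math/rand would be the wrong tool: its output
// is predictable from a small sample, which is fatal for a password.
func randIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// GeneratePassword draws `length` characters independently and uniformly from
// alphabet, so the result has length*log2(len(alphabet)) bits of entropy.
func GeneratePassword(length int, alphabet string) (string, error) {
	var sb strings.Builder
	for i := 0; i < length; i++ {
		idx, err := randIndex(len(alphabet))
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx])
	}
	return sb.String(), nil
}

// GeneratePassphrase picks nWords words uniformly at random from wordlist.
func GeneratePassphrase(nWords int, sep string) (string, error) {
	words := make([]string, nWords)
	for i := range words {
		idx, err := randIndex(len(wordlist))
		if err != nil {
			return "", err
		}
		words[i] = wordlist[idx]
	}
	return strings.Join(words, sep), nil
}

// EntropyBits is the strength of a secret chosen uniformly at random: `length`
// symbols from an alphabet of alphabetSize gives length*log2(alphabetSize) bits.
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

func main() {
	pw, err := GeneratePassword(20, AlphaNum)
	if err != nil {
		panic(err)
	}
	fmt.Printf("password:   %s (%.0f bits)\n", pw, EntropyBits(len(AlphaNum), 20))

	pp, err := GeneratePassphrase(6, "-")
	if err != nil {
		panic(err)
	}
	fmt.Printf("passphrase: %s (%.0f bits from this %d-word list; %.0f bits with a 7,776-word list)\n",
		pp, EntropyBits(len(wordlist), 6), len(wordlist), EntropyBits(7776, 6))
}
```

A 20-character password over the 62-character alphabet, like the random.org sample above, comes out at about 119 bits; six words from a real Diceware list give about 78 bits, which is plenty, and the words are far easier to type from memory.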


If you have to choose between a difficult-to-crack password and one that’s easy to remember, always choose the strong password and leverage either your memory or a software tool to help you. A password that’s easy to remember but cracked with little effort is basically worthless. Let me say that again: Basically worthless.

Password/Passphrase Vaulting

Password vaulting is the practice of storing many different passwords or passphrases behind a single, strong “master password,” typically via a software application (sometimes called a password manager). This is good practice because the alternatives are both security compromises: reusing the same password on multiple accounts, regardless of its strength, means that one breached site hands an attacker a working login for every other account where it was reused, and writing passwords down on paper leaves them readable to anyone who finds the paper.

Consider installing such a password vault app on your smartphone, because this is the device you will typically have with you at all times. Some password management software and services offer cloud-based syncing across multiple devices, meaning you can access your passwords from any device, including a laptop or tablet. However, this also potentially compromises your security because a copy of your vault is being stored in the cloud (personally, this makes me nervous and is something I don’t do). Well-designed services encrypt the vault on your device with a key derived from your master password before uploading it, so the provider holds only ciphertext; even then, if the provider’s copy leaks, the strength of your master password and of the service’s key derivation is all that stands between the attacker and every password in the vault.


With a password vault, you need remember only a single strong password to access all of your others. By not having to worry about your ability to remember all of these complex passwords, you can create much stronger and completely unique passwords for all of your accounts. Many security experts would say this is the only practical way to ensure strong passwords on all of your online accounts—especially those that you update religiously every six months and that are truly complex.

Recommended password vaulting apps include LastPass (free or premium accounts available for all platforms), Password Genie ($15/year for desktop computers, mobile apps available), Dashlane (well-reviewed, with both free and $30/year premium editions), RoboForm (which offers both password management and form filling functions for $10/year), KeePass (freeware), DirectPass (from Trend Micro, free for up to five passwords, $15/year for unlimited), Sticky Password ($12/year), and Norton Identity Safe (warns of weak passwords and is free).

Your Password Challenge

Your challenge is creating and using passwords and passphrases that are easy for you to remember (or easy to access, such as with vaulting) while being very long or complex and difficult to crack. Password vault software reduces what you must memorize to a single master password; that one password then guards everything in the vault, so it must be strong, unique, and never reused anywhere else.

However, not all passwords need to be easy to remember. For example, your home wi-fi network password can be very difficult and long, because you input it only once, for the most part. A workstation login ID and password you type into your computer at work a dozen or more times per day, on the other hand, needs to be easy to remember and practical to type in at a moment’s notice (like with your boss hovering over your shoulder asking for data). These are very different types of passwords in terms of your need to memorize them and the frequency with which they are input.

Stanford University Password Rules

Stanford University in 2014 revised its password rules, encouraging students, staff, and faculty to utilize passphrases, not passwords. I’m a big fan of the Stanford password rules. They’re a great compromise between practicality (your ability to actually remember the password) and effectiveness (how well the password/passphrase keeps out hackers). If everyone simply followed these rules, their data and accounts would be much more secure.


In a nutshell, Stanford relaxes the strictness requirements of passwords/passphrases as they increase in length. The shortest acceptable passwords (eight to 11 characters) must include a mix of upper and lower case letters, numbers, and punctuation symbols; from 12 characters up the symbol requirement is dropped, and from 16 characters up numbers are no longer required either. Passwords of 20 characters or more have no restrictions (they don’t require mixed case, numbers, or symbols) because their length alone gives them the strength they need. Stanford’s standards are listed below.

  • 8-11 characters: Mixed case letters, numbers, and symbols
  • 12-15 characters: Mixed case letters and numbers
  • 16-19 characters: Mixed case letters
  • 20+ characters: No restrictions
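An added example (mine, not Stanford’s published tooling) that encodes the four tiers above as a check you can run against candidate passwords. It assumes that anything other than a letter or a digit, including a space, counts as a symbol, and that length is measured in characters rather than bytes.

```go
package main

import (
	"fmt"
	"unicode"
)

type charClasses struct{ upper, lower, digit, symbol bool }

// classify records which character classes a password uses. Anything that is
// not a letter or a digit (punctuation, symbols and, by assumption, spaces)
// counts as a symbol.
func classify(pw string) charClasses {
	var c charClasses
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			c.upper = true
		case unicode.IsLower(r):
			c.lower = true
		case unicode.IsDigit(r):
			c.digit = true
		default:
			c.symbol = true
		}
	}
	return c
}

// MeetsStanfordPolicy applies the four length tiers quoted above: the longer
// the password, the fewer character classes it must contain. The second
// return value explains a rejection.
func MeetsStanfordPolicy(pw string) (bool, string) {
	n := len([]rune(pw)) // characters, not bytes
	c := classify(pw)
	mixedCase := c.upper && c.lower
	switch {
	case n < 8:
		return false, "shorter than 8 characters"
	case n <= 11:
		if !(mixedCase && c.digit && c.symbol) {
			return false, "8-11 characters need mixed case, a number and a symbol"
		}
	case n <= 15:
		if !(mixedCase && c.digit) {
			return false, "12-15 characters need mixed case and a number"
		}
	case n <= 19:
		if !mixedCase {
			return false, "16-19 characters need mixed case"
		}
	}
	return true, "ok" // 20+ characters: no composition rules at all
}

func main() {
	samples := []string{
		"Tr0ub4dor&3", "P@ssw0rd1", "Abcdefgh1", "Password1234", "password1234",
		"MaryHadALittleLamb", "maryhadalittlelamb", "correcthorsebatterystaple",
	}
	for _, pw := range samples {
		ok, why := MeetsStanfordPolicy(pw)
		fmt.Printf("%-26s %-5v %s\n", pw, ok, why)
	}
}
```

Note what the tiers do and do not catch: “P@ssw0rd1” passes, because the rules measure composition, not predictability, which is why a length-based policy still has to be paired with a ban on common passwords and their variants.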

According to tech site Ars Technica, “By allowing extremely long passcodes and relaxing character complexity requirements as length increases, the new standards may make it easier to choose passwords that resist the most common types of cracking attacks.”


Curt Robbins is author of the following books from Amazon Kindle:

You can follow him on Twitter at @CurtARobbins, read his AV-related blog posts at rAVe Publications, and view his photos on Flickr.


Personal Data Security: Password Basics

This post is an excerpt from my new book Understanding Personal Data Security, which covers centralized data, backups, strong passwords, and malware protection. The following is from Chapter 4: Passwords.

Also check out the previous posts in this series, including Personal Data Security: Backups, 3-2-1 Backup Rule: Get Offsite, and Personal Data Security: NAS.

Curt Robbins


Basic Password Rules

There are some basic rules that will help prevent hackers from stealing your passwords, gaining access to your online accounts, or stealing your identity. While following these rules doesn’t guarantee that your accounts won’t be compromised, it vastly improves the resiliency of your online accounts and protects you about as much as possible.

You’re creating what is known as a “strong password,” meaning it has a mix of letters (both lower and upper case), numbers, and symbols and is of a minimum length.

  • Make a Strong Password: Use a minimum of 16 characters that are a mix of upper and lower case letters, numbers, and symbols. Don’t use easy-to-guess phrases, such as “iloveyou” or “MaryHadALittleLamb.” While “MaryHadALittleLamb” has both upper and lower case letters and is of appropriate length, it lacks numbers and symbols. Also, hackers look for common phrases, using dictionaries and even terabytes of Wikipedia and Bible content as a “check against” list. Guess it’s time to change that “yabbadabbado123” password.
  • Change Your Password Frequently: You should change your password/passphrase every six months. This is the rule few people follow (simply because it’s a hassle), especially if all of your online accounts feature unique passwords. Nobody ever said protecting your accounts and data was a total cakewalk.
  • Use a Unique Password on Each Account: Nobody likes this because it’s such a pain (especially when you should change all passwords with such frequency). This is where password vault software comes in handy. In 2014, nearly no one has only one or two online accounts. A dozen or more accounts is not uncommon. As you’ll learn below, password vault apps that store all of your passwords in a single password-protected program or app are a solid strategy for keeping several long, strong passwords at your fingertips.
  • Tell Nobody: This means nobody. Putting effort into creating strong passwords that are difficult to crack and then simply giving them away to a friend or co-worker is stupid. Even if your friend/family member has no malicious intent, they can easily get sloppy and expose your password to others (like by writing it on a sticky note and slapping it on their computer monitor!). There’s no reason for anyone else to know your passwords. It’s simply antithetical to the cause!

Even if a hacker doesn’t get your password from you or your devices, the bad guys can compromise a password database held by a service provider (your bank, email service, large retailers like Target or Amazon, social media like Facebook or LinkedIn, etc.). A properly run service never stores the passwords themselves, only one-way hashes of them, so once the hacker has the database they still have to guess each password: they run candidate passwords through the same hashing function, offline and at whatever speed their hardware allows, and look for matches. Something like “P@ssw0rd1” (a dictionary word with the usual letter-for-symbol substitutions and a digit tacked on) will be guessed in mere seconds, because cracking tools try exactly those transformations first. Regardless of the quality of your home or office firewall or the security of the individual devices you use to access your accounts, the password itself must stand up to the most robust cracking attempts, and those will most likely be perpetrated against a stolen copy of the database of the organization with which you have an account.

Strong Passwords

You have already learned that the strength of your passwords is determined by their length, complexity, and lack of predictability (why you don’t want “maryhadalittlelamb” or “ILoveNY”).

The password “Tr0ub4dor&3” seems like a relatively strong password on the surface. Although it’s too short (only 11 characters), it features both lower and upper case letters, numbers, and a symbol. However, a hacker making 1,000 guesses per second will require only about three days to guess this password. Compare this to “correcthorsebatterystaple,” a passphrase that requires about 550 years to crack at the same rate of 1,000 guesses per second. (This comparison comes from the xkcd comic “Password Strength,” which puts the two at roughly 28 and 44 bits of entropy; “Tr0ub4dor&3” is one common word with predictable substitutions, while four randomly chosen words multiply out to a far larger search space.) Note that 1,000 guesses per second is a deliberately low rate, typical of attacks against an online login form that throttles attempts; an offline attack on stolen password hashes runs billions of guesses per second, which shrinks both figures by the same factor, so it is the ratio between them that matters. And this passphrase doesn’t even include upper case letters, numbers, or symbols! By adding these elements, you would have a passphrase that, for all practical purposes, is nearly impossible to crack (unless it’s the NSA trying to get it) and relatively easy to remember.
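An added example, not taken from the post or the book, that shows both halves of this argument. The first part plays the attacker against a constructed, unsalted password database: a short wordlist plus the substitutions and suffixes that cracking tools try first recovers the mangled dictionary passwords, while the random 20-character password quoted earlier on this page survives. The second part turns an entropy estimate into a crack time, using the 28-bit and 44-bit figures the xkcd comparison assigns to the two passwords, at 1,000 guesses per second and at a rate closer to an offline attack on a stolen hash database. The user names, wordlist and suffix list are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
	"unicode"
)

// hashPassword models a site that stores bare, unsalted SHA-256 hashes.
func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// Constructed "leaked" database: user -> hash. The plaintexts appear here only
// to build the sample; the attacker sees nothing but the hashes.
var leakedDB = map[string]string{
	"alice": hashPassword("P@ssw0rd1"),
	"bob":   hashPassword("Summer2014!"),
	"carol": hashPassword("KAm3S6DFSwra2w4z8mVt"), // random, from the generator section
}

// Mangling rules a cracker applies to dictionary words: the substitutions
// people believe make a word unguessable, plus the suffixes people actually use.
var leet = map[rune][]rune{'a': {'@', '4'}, 'e': {'3'}, 'i': {'1', '!'}, 'o': {'0'}, 's': {'$', '5'}}
var suffixes = []string{"", "1", "123", "!", "1!", "2014", "2014!"}

// expand emits every spelling of word reachable by substituting any subset of
// its leet-able characters (depth-first; cur is reused as scratch space).
func expand(word, cur []rune, i int, out *[]string) {
	if i == len(word) {
		*out = append(*out, string(cur))
		return
	}
	for _, r := range append([]rune{word[i]}, leet[unicode.ToLower(word[i])]...) {
		cur[i] = r
		expand(word, cur, i+1, out)
	}
}

// Candidates builds the guess list: each base word, plain and capitalised,
// in every substitution pattern, with every suffix.
func Candidates(baseWords []string) []string {
	var out []string
	for _, w := range baseWords {
		for _, form := range []string{w, strings.ToUpper(w[:1]) + w[1:]} {
			r := []rune(form)
			var spellings []string
			expand(r, make([]rune, len(r)), 0, &spellings)
			for _, s := range spellings {
				for _, suf := range suffixes {
					out = append(out, s+suf)
				}
			}
		}
	}
	return out
}

// CrackHashes hashes each candidate once and checks it against every user at
// the same time: with unsalted hashes, one guess tests the whole database.
func CrackHashes(db map[string]string, candidates []string) (found map[string]string, tried int) {
	byHash := map[string][]string{}
	for user, h := range db {
		byHash[h] = append(byHash[h], user)
	}
	found = map[string]string{}
	for _, c := range candidates {
		tried++
		for _, user := range byHash[hashPassword(c)] {
			found[user] = c
		}
	}
	return found, tried
}

// CrackSeconds is the time to exhaust a space of 2^entropyBits guesses at the
// given rate; on average an attacker succeeds in half that.
func CrackSeconds(entropyBits, guessesPerSec float64) float64 {
	return math.Pow(2, entropyBits) / guessesPerSec
}

func main() {
	found, tried := CrackHashes(leakedDB, Candidates([]string{"password", "summer", "welcome", "letmein"}))
	fmt.Printf("%d guesses cracked %v; carol's random password survived\n", tried, found)
	for _, rate := range []float64{1e3, 1e10} {
		fmt.Printf("at %.0e guesses/s: 28 bits in %.1f days, 44 bits in %.1f years\n", rate,
			CrackSeconds(28, rate)/86400, CrackSeconds(44, rate)/(365.25*86400))
	}
}
```

About a thousand guesses recover both mangled dictionary passwords; the random one would need the full 2^119 search. At 1,000 guesses per second the 28-bit and 44-bit estimates give about 3.1 days and about 557 years, matching the figures above; at ten billion guesses per second, a realistic rate for a cracking rig against a fast unsalted hash, 44 bits falls in under half an hour, which is why services must use salted, deliberately slow password hashes and why an unpredictable passphrase matters more than symbol substitutions.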

Longer, more complex passphrases are also more difficult for others to steal through simple observation. Sometimes, passwords are nefariously obtained by the act of observing the owner type them. Short, simple passwords and passphrases can be learned by watching the owner input them only once or maybe a few times. If someone really wants your password, they may even use a wi-fi-based webcam or security camera to record your keystrokes! Don’t underestimate the lengths to which a hacker or enemy will go to steal your information, identity, or money.

One of the best ways to understand strong passwords is to consider weak examples. Weak passwords include those that:

  • are shorter than 16 characters
  • include personal details such as your name or the name of a family member, a pet’s name, your street or address, your birthday, etc.
  • consist of a single dictionary word or a well-known phrase, or of keyboard and sequential patterns (like “qwerty” and “12345678”); a passphrase built from several randomly chosen words, like the one above, is a different case, because its strength comes from the random choice of words rather than from any one of them
  • lack a mix of upper and lower case letters
  • lack numbers
  • lack symbols


Kevlar Woofers & Affordable Home Theater

When I had to choose the backdrop photo for this blog, I instinctively opened the folder on my network storage device that contained my most recent photos. I had one I especially liked that I perceived to express the tone and flavor of this blog: The yellow Kevlar woofer from one of the B&W surround speakers in my living room.

I realized how small the world can be sometimes. The device on which I had archived and from which I was accessing this photo was one of the central topics of my latest ebook, Understanding Personal Data Security. But the content of the photo itself, the funky Kevlar woofer, was one of the many topics covered in two of my new books, Understanding Home Theater and Home Theater for the Internet Age. In all honesty, the purpose of this blog is to share ideas covered in this new series of books—available exclusively on Amazon Kindle. Basically, this blog is a supplement (think of it as the free dessert that comes with your ebook meal). Which makes it ironic if you’re reading it standalone, but I’m glad it can work that way in this funky web 2.0 intellectual property economy.

About this time you might be asking “What’s so cool about yellow Kevlar woofer cones?” Well, first, they represent passion, commitment, and technical excellence. I know, that sounds dorky, but hear me out. They really do. Especially if we use objective metrics like money or time to measure the importance of a topic like home theater, which the yellow woofer obviously represents. Speakers featuring Kevlar woofer cones, from companies like B&W and Noble Fidelity, are typically a tad better than your average variety.

If you’re a hobbyist, you put real money and plenty of time into your hobby. For my wife, it’s the springtime bonanza of gardening and flower landscaping that consumes a decent amount of money and tons of her time. For a buddy of mine in Colorado, it’s an expensive carbon fiber racing bicycle and race entry fees. For yet another friend in Texas, it’s cruising around the Gulf of Mexico in his 30-foot sailboat. In other words, most middle class consumers have one or more hobbies and, by definition, drop a considerable amount of disposable income into them.

Kevlar woofer in a B&W 705 speaker.

Another function of this blog is to lend transparency to my books. If you’re a real tech geek or connected consumer and want to dig deeper, this blog is the free value-add for my books. Because my entire book catalog must be updated bi-annually (based on the dynamic pace of the technical topics covered), this blog gives you an opportunity to provide feedback and maybe even influence the content of future editions.

Now, back to home theater.

One of the things that prompted me to publish Home Theater for the Internet Age and the subset, Understanding Home Theater, was the fact that consumers of all income levels can now enjoy quality big-ass display panels and real surround sound involving five or six speakers. Yes, there’s certainly a difference between a $2,500 home theater system and one costing ten times as much. But what can be purchased for between $2,000 and $15,000 is truly mind blowing. The convergence of computer, wireless networking, and home entertainment technologies—combined with the proliferation of media streaming services like Netflix, Hulu Plus, and Pandora—has resulted in price points and functionality that even the most optimistic home theater fan could not have imagined a decade ago.

In addition, the production quality of even mediocre television content and basically all films involves widescreen high-definition video and surround sound comprised of at least six separate audio channels, including a dedicated subwoofer feed that you can feel as much as hear. This, plus the affordability of popular media streaming services like iTunes, Google Play, and Rhapsody has resulted in a very consumer-friendly home theater market. This consumer-friendliness is in terms of both the raw capabilities of the receivers, Blu-ray players, and streaming media boxes that consumers are installing in their living rooms and also how bloody affordable even mid-grade examples of these product categories have become. Go entry-level and you’ll really blow your mind in terms of what you can get for your money in 2014.

Curt Robbins

[See also Home Theater Basics, Home Theater: Surround Sound Basics, and Take My Remote, Please.]

