An even easier way to better passwords
Back in 2011 I blogged about an easy way to better password security, and I’ve tried to follow that procedure since then, but remembering complex passwords for over 25 accounts proved impossible and I found myself reusing passwords across accounts again. The breach of the LinkedIn website in June caused me to rethink my policy and look for an alternative way of keeping my identity, my data and my finances secure.
I’d read about the LinkedIn breach on the Sophos ‘Naked Security’ blog, and from there followed a link to an article on creating hard-to-crack passwords. That article included a video from Graham Cluley about how to choose secure passwords and about password manager tools. I’ve used PasswordSafe for many years at work, trusting the Blowfish encryption and the programming skills of Bruce Schneier, and I decided to see if it would work for me at home as well.
Previously I’d used PasswordSafe to store the passwords for accounts with administrative access across the network I was supporting. It allows an IT department to keep those passwords in an encrypted store, with only one complex master password to remember. This means the passwords for your back-end systems can be very complex, and different for every system, because you never have to remember them.
Obviously this model translates directly to today’s ‘Digital Natives’ like myself, who have multiple online accounts: social networking, shopping, banking, web forums and so on. I now have one difficult master password (16 characters long, containing upper- and lower-case letters, numbers and non-alphanumeric characters), and that unlocks all my other passwords. The passwords in that database are impossible to remember (the software generates passwords like #W^:hOo13b)8), but I don’t have to remember them, so it doesn’t matter. What does matter is that those passwords would take longer to crack if a site I used them on were compromised. The time lag between the site being compromised and my password being cracked is the time I have to change it.
This means that if LinkedIn is hacked again:
- I won’t care, because my password will be mathematically harder to discover and therefore way down the list of passwords that get cracked
- That password is unique and is not used for any other account
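The two properties above, a generated password that is hard to guess and a separate one for every site, are easy to check for yourself. The script below is an added example, not code from the original post and not PasswordSafe’s own generator: it draws a password from the operating system’s cryptographic random source over the same four character classes as the sample #W^:hOo13b)8, verifies that every class is present, and estimates how many bits of entropy a password of a given length carries. The symbol set and the guess rate passed to the crack-time estimate are assumptions chosen for illustration, not PasswordSafe’s policy.

```python
import math
import secrets
import string

# Character classes to draw from. The symbol set is an assumption for this
# example; a real password manager lets you configure it per site.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!#$%^&*()-_=+[]{}:;,.?/"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS   # 85 distinct characters


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one upper, lower, digit and symbol."""
    return (any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 12) -> str:
    """Draw a uniformly random password from ALPHABET, rejecting any draw that
    misses a character class.

    `secrets` is used rather than `random`: `random` is a Mersenne Twister whose
    output can be predicted from a few observed values, which is exactly the
    property a password generator must not have.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols.

    Rejecting candidates that miss a class removes a tiny fraction of the
    keyspace, so the true figure is marginally below this, not above it.
    """
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time at an assumed guess rate.

    On average half the keyspace is searched before the password is found.
    The guess rate depends on the hashing scheme the breached site used and
    on the attacker's hardware; it is an input you estimate, not a constant.
    """
    expected_guesses = (2 ** bits) / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def unique_per_site(vault: dict) -> bool:
    """True when no two sites in the (constructed) vault share a password."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    # Constructed sample vault: one generated password per site.
    vault = {site: generate_password(12) for site in ("linkedin", "dropbox", "forum")}
    for site, pw in vault.items():
        print(f"{site:10s} {pw}")
    print("all unique:", unique_per_site(vault))
    for n in (8, 12, 16):
        bits = entropy_bits(n)
        # Assumed 1e12 guesses/second for an unsalted fast hash on a GPU rig.
        print(f"{n} chars: {bits:5.1f} bits, ~{expected_crack_years(bits, 1e12):.3g} years")
```

The point the numbers make is the one the post relies on: moving from 8 to 12 characters of a random 85-symbol alphabet adds roughly 25 bits, multiplying the expected cracking time by tens of millions, which is the “time lag” in which you change the password. The `unique_per_site` check is the second property: a breach of one site exposes one password and nothing else.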
As I was writing this blog article, another site was reported to be compromised, this time Dropbox, another site I use, so that was another password to change. This time it wasn’t a problem: I didn’t even have to think one up, I just let PasswordSafe pick one for me, and if you’re curious the password it generated was ****************