Saturday, 22 February 2014

Why you need to start using a password manager.

I fought against using one for ages... but my brain has failed me. I can only re-hash, re-formulate and completely re-define passwords so many times before things become impossible.

In the end people start doing a few simple things: reusing passwords or, worst of all, writing them down! More commonly they also use really simple passwords. That one has always been a mystery to me, as it's easy to come up with at least one good complex password.

So in steps some password managers:
KeePass & LastPass

There are a lot more out there. These are the best known to me.

LastPass uses the cloud and personally I find it the easiest to use, as I switch devices a lot.

For those not as happy with the cloud being used there is also KeePass, which keeps the encrypted password database as a local file.

So why use them?

Cracking passwords is becoming easier: there is more computational power available, and large lists of real passwords from breaches are increasingly easy to get hold of. The tools for cracking them are also getting a lot better. An example being RockYou.txt, a plain text list of some 14 million real passwords leaked in the 2009 RockYou breach, which comes in at around 60MB (yes, that's a .txt file).

Also think about this excerpt from an Ars Technica article:

"A PC running a single AMD Radeon HD 7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers."

So what's the key to a half-decent password these days? Length combined with complexity. Don't just pick a really long word.

e.g. Defenestration (A favourite word of mine for some random reason)

The length is good, but a single dictionary word is bound to be found by a plain dictionary attack.

Next to fall would be variants like Defenestration13 or Defenestration231127: cracking tools apply "rules" to every word in the list, and appending a few digits or a date is one of the first rules tried.

Then D3f3n3str4t10n. Leet-speak substitutions are just another rule, so this buys very little on top of the word itself.

Now we're getting into the area of a more solid password:

45%D3fe[3str4t^on#!1731 (Not so heavy with the l33t speak, with some characters dropped or swapped on purpose so it no longer falls out of the dictionary word by a simple rule. A string of the same length generated at random by a password manager is stronger still.)
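As an added example (not part of the original post), here is a small Python script that plays the attacker through the steps above. It takes a tiny constructed wordlist (a stand-in for RockYou.txt), applies the case, leet and appended-digit rules a cracker would, and checks each guess against unsalted MD5 hashes of the passwords discussed. It recovers Defenestration, Defenestration13 and D3f3n3str4t10n from the single dictionary word, does not reach the mixed one, and then compares the size of that rule space with a 20-character random password of the kind a manager generates, using the 8.2 billion guesses per second figure from the quote. The wordlist, the targets and the rule set are constructed for the demo, not taken from any real tool.

```python
import hashlib
import itertools
import math
import secrets
import string

# Constructed stand-in for a leaked wordlist such as RockYou.txt: a real run
# would read the file one word per line (assumption, not the page's data).
WORDLIST = ["password", "letmein", "dragon", "monkey", "defenestration"]

# Leet substitutions of the kind seen in D3f3n3str4t10n: a->4, e->3, i->1, o->0.
LEET = str.maketrans("aeio", "4310")


def md5hex(text):
    """Unsalted MD5 hex digest, the sort of hash a careless breach leaks."""
    return hashlib.md5(text.encode()).hexdigest()


def candidates(wordlist, max_digits=3):
    """Yield guesses the way a rule-based cracker does: case variants of each
    dictionary word, an optional leet rewrite, then 0..max_digits appended
    digits. Each rule multiplies the list; none of it is brute force."""
    for word in wordlist:
        cases = {word.lower(), word.capitalize(), word.upper()}
        bases = set()
        for c in cases:
            bases.add(c)
            bases.add(c.translate(LEET))
        for base in sorted(bases):
            for n in range(max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)


def crack(target_hashes, wordlist):
    """Return {hash: plaintext} for every target the rule space recovers."""
    targets = set(target_hashes)
    found = {}
    for guess in candidates(wordlist):
        h = md5hex(guess)
        if h in targets:
            found[h] = guess
            if len(found) == len(targets):
                break
    return found


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(search_space, guesses_per_second=8.2e9):
    """Time to try every guess at the Radeon HD 7970 rate quoted above."""
    return search_space / guesses_per_second


def random_password(length=20):
    """What a password manager generates: uniform over 94 printable characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    leaked = [md5hex(p) for p in ("Defenestration", "Defenestration13",
                                  "D3f3n3str4t10n", "45%D3fe[3str4t^on#!1731")]
    found = crack(leaked, WORDLIST)
    for h in leaked:
        print(h, "->", found.get(h, "not recovered by these rules"))
    space = sum(1 for _ in candidates(WORDLIST))
    print(f"rule space: {space} guesses, exhausted in {seconds_to_exhaust(space):.2e} s")
    bits = entropy_bits(94, 20)
    print(f"random 20-char password: {bits:.0f} bits, "
          f"{seconds_to_exhaust(2 ** bits) / 3.15e7:.2e} years to exhaust")
    print("example:", random_password())
```

The rule space for five words with these rules is under 30,000 guesses, which the quoted GPU clears in a few microseconds; a real wordlist and rule set are larger, but still finite and still tiny next to the 2^131 space of the random 20-character string. That gap, not cleverness in the mangling, is what a password manager buys you.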

So you're happy with your genius password that you think is uncrackable. Six months down the line it's in some dictionary because Tesco, Sony, Twitter or whoever had a breach that month wasn't hashing and salting their data properly. And if you reused that password anywhere else, every one of those accounts is now exposed too.
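The "hash, salt their data" point seen from the service's side, as an added example that is not from the original post: the script below stores a constructed user table two ways, as a fast unsalted MD5 (what a careless breach leaks) and as a per-user random salt with a slow derivation (PBKDF2-HMAC-SHA256; the iteration count is an assumed work factor). It then runs the same guess list against both and counts the work. With no salt, two users who picked the same password share a hash and one pass over the guesses cracks everyone at once; with salts, every guess has to be re-derived for every user, and each derivation costs the full iteration count instead of one hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: work factor; tune to ~100 ms per derivation in practice

# Constructed user table: two people picked the same "strong looking" password.
USERS = {"alice": "Defenestration13", "bob": "Defenestration13", "carol": "letmein"}

# Constructed guess list standing in for a wordlist plus rules.
GUESSES = ["password", "letmein", "Defenestration13"]


def store_unsalted(password):
    """How a careless service stores passwords: one fast, unsalted hash."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a slow derivation (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison used at login."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(db, guesses):
    """One hash per guess, looked up against every user at once.
    Returns ({user: password}, number of hash computations)."""
    table = {store_unsalted(g): g for g in guesses}
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(guesses)


def crack_salted(db, guesses, iterations=ITERATIONS):
    """Every guess must be re-derived per user under that user's salt, and each
    derivation costs `iterations` rounds instead of one hash.
    Returns ({user: password}, number of derivations)."""
    found, work = {}, 0
    for user, (salt, digest) in db.items():
        for g in guesses:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", g.encode(), salt, iterations) == digest:
                found[user] = g
                break
    return found, work


if __name__ == "__main__":
    unsalted_db = {u: store_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    print("alice and bob share a hash in the unsalted table:",
          unsalted_db["alice"] == unsalted_db["bob"])
    print("...but not in the salted one:",
          salted_db["alice"][1] == salted_db["bob"][1])
    found, work = crack_unsalted(unsalted_db, GUESSES)
    print(f"unsalted: recovered {found} with {work} hashes")
    found, work = crack_salted(salted_db, GUESSES)
    print(f"salted:   recovered {found} with {work} derivations of {ITERATIONS} rounds each")
```

Both tables still fall to this guess list, because the passwords are guessable; salting and stretching only raise the price per user and per guess. What actually keeps you out of the next dictionary is a password that is not in any guess list, which is the manager's job.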

So this is why those password managers are becoming important, and I've moved over. I've never had a breach of security (that I know of), but with unique, complex, random and long passwords on my logins I will certainly minimise any damage that could be done. I would make the password to your email account particularly complex: password resets for everything else go through it!

A lot of services are now also starting to use 2-step authentication, where your mobile or email gets sent a verification code to input at login. It costs you a little more time, but it's well worth it. Get used to using it, as it can be invaluable if your password is compromised: the attacker has your password but not the code. Facebook and Google have been using it for a while and it works pretty smoothly. MMO games such as World of Warcraft and Guild Wars 2 also make extensive use of this tech, so it's becoming increasingly popular.

Some good links worth a read:
Wikipedia -Password cracking
ArsTechnica - The secret to online safety: Lies, random characters, and a password manager