To continue my examination of passwords: we have already seen how to generate them. Now that we have spent all of that time coming up with a password that is hard for someone to guess, we need to be able to use it while keeping it secure. How do we make passwords user friendly and accessible while at the same time keeping them away from prying eyes?
Once you have generated your password, you need to remember it. Anyone can remember a few secure passwords, but remembering a bunch of them becomes a problem, especially when each one is long, unique to one site, and has to be replaced whenever that site suffers a breach. (Scheduled rotation on its own adds little; NIST SP 800-63B tells sites not to demand periodic changes but to force one when there is evidence of compromise.)
Mnemonics such as license plate numbers, your children's birthdates, or whatever other memory devices you may use have two drawbacks: the number of passwords you can remember that way is limited, and keeping them straight across a large number of accounts is hard. I tried that method, and it fails when you begin getting a large number of them.
My password wallet has over 300 unique passwords stored in it. Some of them, like for bank and email accounts, are 20 characters long and change twice a year. Others, like for commenting on Disqus, are 12 characters long and may change every two or three years. That’s a lot of remembering. I simply can’t do it.
So how do we store our passwords? I used to use one common password for bank accounts, another for email accounts, yet another for blogs, etc. What this means is that a data breach at any one of those companies exposes the shared password, and attackers routinely replay leaked credentials against other sites (credential stuffing), so one breach quietly becomes several. Not ideal.
You can keep them off of all computers and just do what my mother-in-law does. She keeps a notebook with all of her passwords written down in it. That does defeat every attacker on the Internet, but then what? Do you carry it around with you? What if you lose it, or someone in the house reads it? How do you constantly update it? Not convenient, and only secure against people who never get near it.
How about letting the browser on your computer store them? Then they are tied to that browser and portable only where its vendor's sync reaches. The bigger problem is how they are protected: browsers encrypt saved passwords with a key tied to your operating-system login, which is enough to stop someone who copies the file off your disk but not anything that runs as you. Infostealer malware, a malicious extension, or a person at your unlocked screen can read the whole list back out, and the browser's own settings page will display it with at most an OS password prompt. Not secure enough for the passwords that matter.
One big security hole for passwords is your spellchecker. A basic spellchecker has a list of correctly spelled words and compares the words you type against it; anything without a match is marked as misspelled, and the program may suggest or even automatically insert the likely correct spelling. When you tell the system that a flagged word is spelled correctly, it adds that word to a custom dictionary so it will not be flagged again.
What if that new word isn't a word at all, but is instead the password to your bank account? The custom dictionary is a plain text file in your browser or office profile, so a password added to it sits there unencrypted for anyone who can read the profile. The worse case is the cloud variety: Chrome's "Enhanced spell check" setting and the Microsoft Editor "Spelling & Grammar Checker" extension for Edge were shown in 2022 to send the text of spell-checkable form fields to Google's and Microsoft's servers. Password fields are normally exempt, but as soon as you click a site's "show password" toggle the field becomes ordinary text and the password goes out with everything else. Huge security problem there. On the user side, keep enhanced or cloud spell check off; on the site side, developers can put spellcheck="false" on sensitive fields.
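As an added example (mine, not the author's), here is a small audit script that flags the form fields on a page whose contents a cloud spell checker could see. It is a constructed illustration of the point above: the sample form, the list of "sensitive" name hints, and the rule that a password field without spellcheck="false" is at risk once a show-password toggle flips its type are all assumptions of this example, not findings from the post.

```python
from html.parser import HTMLParser
from typing import List, Tuple

# Substrings in name/id/autocomplete/placeholder that mark a field as sensitive.
# Hypothetical heuristic list for this example; extend it for your own forms.
SENSITIVE_HINTS = ("pass", "pwd", "secret", "token", "ssn", "otp", "pin", "answer")
# Input types that accept free text and are therefore spell-checkable.
FREE_TEXT_TYPES = {"", "text", "search", "email", "tel", "url"}


class SpellcheckAuditor(HTMLParser):
    """Collects (tag, name, reason) for each sensitive field not marked spellcheck="false"."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag not in ("input", "textarea"):
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        itype = a.get("type", "") if tag == "input" else "textarea"
        if tag == "input" and itype != "password" and itype not in FREE_TEXT_TYPES:
            return  # checkbox, submit, hidden, ...: nothing a user types into
        if a.get("spellcheck") == "false":
            return  # explicitly opted out: the browser will not spell-check it
        name = a.get("name") or a.get("id") or "<unnamed>"
        label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "placeholder"))
        if itype == "password":
            self.findings.append((tag, name,
                'password field without spellcheck="false"; a show-password toggle '
                "that flips its type to text exposes the value"))
        elif any(hint in label for hint in SENSITIVE_HINTS):
            self.findings.append((tag, name,
                f"sensitive free-text {itype or 'text'} field is spell-checkable"))


def audit_html(html: str) -> List[Tuple[str, str, str]]:
    """Parse a page and return the fields a cloud spell checker could read."""
    auditor = SpellcheckAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed login page for the demo. The "show" button is the usual toggle that
# rewrites the password input's type to "text", which is exactly when enhanced
# spell check starts seeing the value.
SAMPLE_FORM = """
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <button type="button" onclick="this.form.password.type='text'">show</button>
  <textarea name="secret_answer" placeholder="Security question answer"></textarea>
  <input type="password" name="new_password" autocomplete="new-password" spellcheck="false">
  <input type="checkbox" name="remember">
</form>
"""

if __name__ == "__main__":
    for tag, name, reason in audit_html(SAMPLE_FORM):
        print(f'{tag} "{name}": {reason}')
```

Run against the constructed form, the script reports the login password field and the security-answer textarea and stays quiet about the username, the hardened new-password field and the checkbox. The fix it points at is the same in every case: add spellcheck="false" to the element, and do not rely on type="password" alone if the page has a show-password control.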
You can let Google store them for you, and it does fix the portability problem, but it is the same browser store pushed into your Google account: the whole collection is then only as safe as that one account, its recovery options, and every device signed into it. Do I really need to explain why that isn't a great idea?
So we are left with password managers. If we want our passwords to work everywhere we use them, at home, on our phones, at work, there are only a couple of ways to do that: copy the vault from device to device ourselves, or let the manager keep the vault on someone else's servers and sync it to each device.
These systems have real advantages. We can store a large number of complex passwords in a format that keeps them readily available, and the list is better protected than a notebook: the vault is encrypted on your device with a key derived from your master passphrase, so the company holds only ciphertext and you only have to remember the one passphrase. For those of you who have a trick for memorizing a password, here is where you shine. Do be careful what the trick is built from, though: license plates and your kids' birthdates are facts other people can look up, so a passphrase made of several unrelated words that you attach your own story to is a better use of the same memory. The goal is a phrase that is easy for you to remember but long enough that a black hat cannot guess it, and that one phrase is what secures the whole wallet.
The risk here was put on display by LastPass in 2022. A password manager's vault files can be stolen, and the black hats are then in possession of your encrypted passwords (in LastPass's format, the site URLs were not even encrypted). With the vault in hand they can run guesses at your master passphrase offline, at their leisure, on whatever hardware they like, with no lockout or rate limit in the way. The only things slowing them down are the strength of the passphrase and the iteration count of the key derivation function, and some older LastPass accounts turned out to be far below the 100,100-iteration default.
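To make the offline attack concrete, here is an added example (mine, not LastPass's code or any real manager's vault format) of what a stolen vault header lets an attacker do. The header layout, the HMAC verifier standing in for the authentication tag a real vault would get from AES-GCM on the encrypted entries, and the mnemonic wordlist are all constructed for the illustration; the PBKDF2-HMAC-SHA256 derivation is the same primitive LastPass used.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

LABEL = b"vault-key-check-v1"  # constant the verifier is computed over (assumption of this example)


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the iteration count is the only dial that makes each guess cost more."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def create_vault_header(master: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """What the vendor stores and a breach hands out: salt, iteration count and a verifier.

    None of these are secret. In a real vault the AES-GCM tag on the encrypted
    entries lets a guess be checked; this HMAC stands in for it.
    """
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(master, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hmac.new(key, LABEL, "sha256").digest()}


def unlock(header: dict, candidate: str) -> bool:
    """The legitimate unlock and an attacker's guess check are the same computation."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    tag = hmac.new(key, LABEL, "sha256").digest()
    return hmac.compare_digest(tag, header["verifier"])


def offline_attack(header: dict, guesses: Iterable[str]) -> Tuple[Optional[str], int]:
    """Run candidates against a stolen header; returns (passphrase or None, guesses tried).

    Nothing here contacts the vendor, so login rate limits and lockouts never apply.
    """
    tried = 0
    for guess in guesses:
        tried += 1
        if unlock(header, guess):
            return guess, tried
    return None, tried


def mnemonic_guesses() -> Iterable[str]:
    """Constructed wordlist built the way the post suggests building passphrases:
    plates, a birthdate, pet names, with the usual suffixes (60 candidates)."""
    seeds = ["ABC1234", "XYZ9876", "06151998", "Fido", "Rover", "Summer"]
    for seed in seeds:
        for suffix in ("", "!", "1", "2023", "2023!"):
            yield seed + suffix
            yield seed.lower() + suffix


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Rough single-core PBKDF2 rate, to show what the iteration count buys."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # A mnemonic master passphrase on an account left at a low iteration count.
    weak = create_vault_header("Fido2023!", iterations=5000)
    print("weak vault:", offline_attack(weak, mnemonic_guesses()))
    # A passphrase of unrelated words is in no wordlist; the attack exhausts and fails.
    strong = create_vault_header("glacier onion saddle trumpet", iterations=100_000)
    print("strong vault:", offline_attack(strong, mnemonic_guesses()))
    for it in (5000, 100_000, 600_000):
        print(f"{it:>7} iterations: ~{guesses_per_second(it):.1f} guesses/s on this core")
```

Two things to take from running it. The mnemonic passphrase falls inside a 60-entry wordlist, and raising the iteration count only multiplies the attacker's time by a constant; it is the passphrase that has to be outside any list the attacker can build. And the single-core rate the benchmark prints flatters the defender: an attacker with GPUs tries guesses orders of magnitude faster, which is why a vault left at a few thousand iterations and a guessable passphrase is an overnight job rather than a decades-long one.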
This post is already long, so we can discuss this in a later post.