Wednesday, 12 April 2017

Stop remembering passwords!


I have heard a number of times recently of people unwittingly giving away their passwords or reusing passwords on different websites.  With the number of websites being hacked increasing if one site that you have created an account with uses poor security then your email address and password will be known, hackers will then try other websites with that username and password.  If you reuse the password they will have access.
I recently heard that someone had their Facebook account compromised (as they reused the password) and they tried to get money from their Facebook friends.

So don't reuse passwords!  I mean it!

Ok, but this means
"I will need a different password for each website that I use, that's ridiculous, I can't remember them all!"
This is where Password Managers come in.

So what is a Password Manager?
A password manager is an application that remembers all of the passwords for you.  Most of them will automatically register when you have logged in or changed a password to a website and it will pop up and ask if you want to save or update it.  This works really well when you are using a PC but not so well (in my opinion) when on a mobile device.
All of the passwords that are stored in the password manager need to be secured by, yes you've guessed it - a password!
However, I dislike the phrasing here, they should be protected by a passphrase rather than a single word.  The longer a password the more secure it is, using numbers and special characters does help but it is the length that makes it harder to crack.

So when creating a passphrase it should be something that you'll remember and fairly secure and contain letter, numbers and digits.
This video (from Google) gives an idea of how to create secure passwords:


There are a number of different password managers around but I'll limit this to just three (as I don't have enough time to review them all).

KeePass (free)
KeePass works really well if you log in from one device all the time and you want full control over where your passwords are stored, personally I think it also works best on a PC rather than a mobile device.

It works by creating your own vault which is where you store the passwords and you have to maintain them.  It requires you to remember to add the passwords it the vault and update them if the password has changed.
You can create folders and store the entries where you like.


The downside to KeePass is when you want to use it with multiple devices such as mobile phones.  As the vault is stored in a file for it to be on a mobile device this needs to be available using Dropbox or a similar tool.  When I did this I had problems with the database being overwritten as it wasn't in sync and I lost entries.  This led me to look for another tool.

LastPass (free and paid for mobile use)
I was introduced to LastPass by a friend and I've been quite happy with it.
When I first installed the extension into Chrome it took me through a process and took all of the passwords from Chrome and had an import mechanism to extract any passwords from Chrome and importing from KeePass was fairly straight forward (from what I can remember now).
When used on a PC LastPass will automatically populate the username and password if it knows the password, so normally I just need to hit login and the job is done.
Also when I need to create an account it abstracts away the password process and automatically stores the new entry if you choose to.
If you want to use LastPass on a mobile device you need to upgrade to the premium version, the cost for this is $12 for a year.
The mobile version uses an App (free to download) that has a browser in built that has the functionality to populate usernames and passwords when you browse to website in the same way it does when you use a PC.
If you are using a separate mobile app you need to copy and paste the password which involves flicking between the apps which is a bit of a pain but I believe this is a common problem between all password managers (maybe less so if the app uses google or facebook logins).
With LastPass it is possible to arrange how the sites are stored and to create a shared area, allowing a single username and password to be used by two or more people.

I feel obligated to say LastPass has recently come under some criticism as some faults have been found in the way they store passwords:  ttps://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
Personally I think any review of security is a good thing and LastPass have been very quick to respond and resolve the issues raised.

1Password (free and paid for)
I haven't actually used 1Password but my understanding is that they are very similar to LastPass.
The premium version is $2.99 per month (billed annually) so it is fair bit more expensive than LastPass but it is recommended by a number of people including Troy Hunt who is a industry recognised security researcher.

I urge everyone to use a password manager and not to re-use passwords.
With so many websites being hacked if you reuse a password it won't be long before someone else knows your password.

Have I been Pwned?

If you suspect or are paranoid Troy Hunt has a website where you can enter your email address and it will inform you if it has been exposed by a breach (a website that has been hacked).
https://haveibeenpwned.com/

As a final word, don't trust anything!  If an email or webpage looks to good to be true, it probably is!
If someone on facebook suddenly asks you to take payment for something on ebay and send them the money, think twice and speak to the person.

No comments:

Post a Comment