How many passwords do you have?

One – Yeah, single sign-on has arrived (finally)

Ten – I wish

One Hundred – Perhaps

Are they all complex, unique, secure, and not written on a sticky note stuck to your monitor? Passwords are a form of authentication based on something you know and keep secret. They are used everywhere, and they are usually fairly easy to crack. There has been a lot of discussion about two-factor authentication, and it is finally being implemented for some applications. Two-factor can be expensive because it might involve a biometric scanner of some kind or additional hardware for the second form of authentication.

Some existing hardware may be used for the second form of ID. This might be the camera built into your laptop, or the keyboard (sensing the way you type in addition to the keys you hit), or perhaps sending a text message to your cell phone. These and other methods for second factor authentication will improve over time; until then we are left with plain passwords for logging in to the many items that require them. So how can you pick a good password?

Here is where the terminology causes problems. Your password should NOT be a word. You may have heard them called passphrases, which is better, but still not the best. The length of the password, not its complexity, is what makes it harder to crack. There is a great xkcd comic that describes this. The first passphrase in the comic, a word dressed up with substitutions and symbols, is difficult to remember yet can be brute forced in 3 days; the second, a string of four common words, is easy to remember yet takes 550 years to brute force.

So now you know how to pick a good passphrase: just pick a unique set of four random words for each of the accounts you have and you are good to go. The catch is that you need to remember which password goes with each account, and you cannot write any of them down.

At a recent SANS training that I attended, Keith Palmgren gave a talk entitled “Debunking the Complex Password Myth.” His primary point was that password length is the most critical factor in making it secure. Even repeated sequences of characters and common words are OK, if the length is sufficient. His definition of “long enough” was greater than 20 characters. Even with repeated character sequences you still need to remember which password belongs to which account. Perhaps embed the service name in the password? There must be a better way.
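The length-beats-complexity argument from the xkcd comic and from Palmgren's talk can be checked with a little arithmetic. The following added example (not from the original post or the comic) computes the entropy of a secret built from uniformly random picks, converts it to worst-case brute-force time at the 1,000 guesses per second the comic assumes, and generates passphrases and passwords with Python's `secrets` module; the 2048-word list size and the 28-bit estimate for the "Tr0ub4dor"-style password are the comic's figures, and the embedded word list is a constructed sample.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 1000  # guess rate assumed in the xkcd comic


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `pool_size` choices.
    This only holds when a machine picks at random; human-chosen words are far weaker."""
    return length * math.log2(pool_size)


def seconds_to_brute_force(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate every possibility at `rate` guesses per second."""
    return 2 ** bits / rate


def days(seconds: float) -> float:
    return seconds / 86400


def years(seconds: float) -> float:
    return seconds / (365.25 * 86400)


# Constructed sample word list; a real list (e.g. a 2048-word diceware list) is what
# gives four words their 44 bits. With only 16 words, four picks are worth just 16 bits.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "canyon", "fossil",
                "glacier", "harvest", "lantern", "meadow", "orbit", "pebble", "quartz",
                "saddle", "timber"]


def random_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Machine-chosen passphrase: each word picked with a CSPRNG, so the entropy formula applies."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length: int = 24,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """The kind of secret a password manager generates: long, random, never seen by a human."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Comic's first password: ~28 bits -> about 3 days. Second: 4 words x 11 bits -> ~550 years.
    print(f"28-bit password:  {days(seconds_to_brute_force(28)):.1f} days")
    print(f"4 of 2048 words:  {years(seconds_to_brute_force(entropy_bits(2048, 4))):.0f} years")
    # Palmgren's point: 20+ lowercase-only characters already beat the four-word phrase.
    print(f"20 lowercase chars: {entropy_bits(26, 20):.0f} bits")
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS))
    print("manager-style password:", random_password())
```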

The only viable solution I heard mentioned at the SANS training for managing passwords is a password manager. Yes, put all your eggs in one basket, and protect that basket the best you can!

A password manager uses a single password, er, passphrase, to access your password “vault.” It stores your encrypted passwords in the vault alongside the service each one belongs to, so you do not need to remember which password goes with which service. Furthermore, the password manager can create the password for each site, and you never even need to know what the password for any particular site is. Each account's password is really just a long random string of characters. No password is ever shared between accounts, so a compromise of one website does not affect the odds of your account on another site being hacked.

Password managers may be the best option to protect your accounts until two-factor authentication is used everywhere. Even then, password managers will probably still have their place. So what is the best password? It is a long random string of characters that no one, not even you, has ever seen. It only exists inside an encrypted vault for which you hold the key.

To learn more about password managers, read Brian Steigauf’s post, Using a Password Management Application: KeePass vs. LastPass.