Passwords Are Like Snowflakes…

…everyone is unique, precious and can never be duplicated.  If only those words were true.  Passwords and the management of them, continue to be the weak link in authentication to both enterprise and personal systems.  I’m going to cover a couple of methods on how to effectively manage passwords and why it may be one of the most important things you do.

Protecting passwords can be broken down into two categories, namely, Password Strength and Password Management. 

Password Strength

Password Strength deals with the complexity of the passwords that you choose.  Having a stronger passwords, makes it harder for your password to be guessed or cracked in a brute force attack. The lockdown site has a great matrix effectively showing the importance of password complexity.  While complex passwords are great in theory, maintaining these can be a pain in the membrane.  I would like to think that as we push ourselves into the next century, humans will evolve to remember 22 alpha-numeric codes to protect ourselves.  That being said, my own experience indicates that I’m still a monkey at this point of that evolution.

Below is a small graph indicating as you create stronger passwords, the ability to remember these passwords becomes increasingly difficult.

 

image

 

What would a normal person do to address this?  Perhaps create one complex password and use it on all of services they have membership to?  …or maybe just create really simple passwords.  Neither methods are particularly effective.  Would you use the same key to unlock your car, house, garage, P.O. Box and safe?  Not likely.  If you lost your key, all of those physical assets would be at risk of compromise.  Likewise, protecting those assets with a lower quality lock to would present and ineffective control mechanism.

When I was at this point in own evolution, I used the strategy to create “theme” based passwords.  For example, I would choose something like “Last Names of Presidents of the United States”   Then I would use the widely accepted convention of replacing “e”, “i”, “o”, “a”, “s” with “3”, “1”, “0”, “$”, “@”, respectively.  So a password like “Washington” would be converted to “W@sh1ngt0n”.  It worked for a while, but the explosion of web based services I use has pushed this to limits of my abilities.  Which brings me to my next point, Password Management.

 

Password Management

Password management has evolved from simply having to remember your one email account on your ISP to having to cram in your Amazon, Bank, Email, Credit Card, eBay, Paypal, Gmail and Work Authentication passwords.  You get the picture. 

I asked a security-minded friend recently about their password management strategy and they said they had a USB drive containing all their passwords locked in a safe.  This sound secure to me, however, it’s definitely not convenient.   This makes me think of overprotective parents wrapping their kids in bubble wrap before going out to play.    Little Timmy WILL NOT be hurt…but how the hell will he swing a baseball bat?

Luckily, new applications and services have evolved to meet these needs.  The one I’ve used the most is LastPass.  They have a robust cross platform strategy of web browser plugins to store all of your passwords.  All of your passwords are protected with one password and encrypted on their servers.  Hence the name, LastPass….they claim it’s the last password that you’ll ever have to remember.  While this seems like a risky proposition, choosing a complex password for this service is paramount.  Just don’t lose it!!! (or forget) Smile

LastPass offers an integrated customer experience in your browser with secure password generation for new accounts, auto filling of your credentials for existing accounts and secure note functionality.  In addition, if you want to spring for the premium version ($12/year), you can use it on mobile devices and enable the ability for two factor authentication (which I’ll talk about later). 

Another strong contender, which I’ve briefly used, is KeyPassX.  They offer all of the same features, however, their cross platform strategy is a local application that stores an encrypted database on your local machine.  Choosing comes down to: do you want to trust LastPass as a steward of my password information in the cloud or do I prefer to manage my database locally.  There are compelling arguments for each, but at this point, I’ll leave it at personal preference.

So What Do I Do Now?

Take Inventory
1. Make sure you collect (or recollect) the credentials of every web site you regularly use authenticate on.
2. Dig deep to remember sites that your may have signed up on to post a question, win a contest, register a product on, etc.  All of these sites will have some reset password or remember password functionality.  Use them to get your credentials.

Take Action
1. Decide on a password management strategy that you are comfortable with (LastPass or KeyPassX).
2. Store all of your credentials in your password manager.
3. Reset all of your web site passwords using the secure password generation tool in your password manager.

Notes:
1. Make sure you choose a master password for your password management tool that you can remember.  Losing this will render your data inaccessible.
2. Make sure you change your passwords at the very least, twice a year.

2011 Personal Security New Year’s Resolutions

Introduction

So another year has come and gone and another list of personal resolutions start cropping up on the Internet like remixes of the “BED INTRUDER SONG”.  This one is no different.  In a year that has showed that Stuxnet virus could potentially harm people in the real world by affecting infrastructure and DDOS attacks both allied and against Wikileaks emerge as a form of “hacktivism”, taking a look at resolutions for information security in your personal life should resonate.  I’ve comprised a short list of resolutions to consider for the new year to protect yourself.  The playbook for each is simple: Take Inventory and Take Action.

1. Data Protection

Take Inventory
Knowing is half the battle (or so G.I. Joe and his marketers want you to think).  Understanding what information you store on your computer and Internet will give you a better understanding on how to protect it.  The following categories are a guideline to follow.  You can add in classifications as necessary.
Personal – Information that you would not share with anyone outside of your family or immediate social circle.  Think photographs, videos, drawings and poems.

Private – Any information that if compromised, could reveal personal information about yourself that you do not share with anyone.  This type of information could be used in conjunction with publicly available data sources to attempt to steal your identity.

Classified – Any information that if put in the wrong hands, could comprise your well being.  Think financial information, social security numbers, investments and tax returns.  This is the most prized possession for an identity thief to access since little additional information is required to steal your identity.
Take Action
Now that you understand the type of data you possess, it’s time to put countermeasures in place to protect your data.