Skip to content

You Need to Manage Passwords

December 12, 2012

I saw a note this week from CNet about a system built to crack passwords (also on ArsTechnica). It reminded me of the story of the guy that cracked Googles DKIM key at 512bits. Not insignificant, until you get to the point of renting that power from AWS for tens of dollars.

Here’s a great comic on the subject of passwords: Password Strength. It’s got some good advice, but there’s more to it than just having a good strong password. You need to manage your passwords, as in you need to have lots of them.

Doubt that? Here’s a good piece from Troy Hunt.

You need a password manager. Whether you use 1Password, KeePass, or PasswordSafe (my choice), choose one and set the defaults to something long. I’ve been using 12characers, but I’ve moved to 16 for my passwords. All of these work cross platform, and you can sync your files between devices.

One more thing: you need to rotate passwords. Not just on your password manager, but on your various sites. If someone gets a copy of your password manager file, then it’s just a matter of time before they can crack it. Within months, they could have all the passwords in your file if they were determined.

Lots of passwords I’m not overly worried about, but some I am. Banks, mail, a few of my profiles, these are important to me, and so I rotate the password periodically on them, using new passwords from my manager.

Security is hard, and passwords aren’t going away anytime soon. Tell your friends, family, and make sure they all consider using some type of password manager and improving their security.

About these ads

From → Blog

9 Comments
  1. Another option is to use a non-obvious formula to build passwords of sufficient length. That allows your passwords to be different for each site. It also means that when you’re in a situation where you don’t have access to your Password Manager, you can still get tow hat you need.

  2. I personally like to use l33tspeak. And since there are plenty of web sites to generate strong passwords, I am to paranoid to trust any, so I rather write my own algorithm and share with you. https://github.com/extofer/l33tPassGen

  3. That can work, but I think it’s overly complex for most people to use a formula. There are lots of non-technical users, my kids, my Mom, that this doesn’t work well for. I prefer a manager.

  4. Scott D permalink

    In this country most banks make you use two+ factor authentication forcing you to use their proprietary device (no sms) to get into your account, I mean even Blizzard uses two factor for Diablo III if you want it. Sure it’s a pain in the ass but it seems the secure way to go if you value the data you are trying to protect.

  5. Two factor is good, but cost prohibitive in some ways. The two factor with phones works OK, but it has been hacked. It’s better than nothing, but really strong passwords are also needed.

  6. What annoys me is that my banks limit the length of my passwords to ~8 characters. Plus mr banks in Canada force me to use my CC or debit card number as my login ID. It’s crazy.

    • Could be worse. I know a bank that requires you to use your social security number as your account number.

    • We have a bank that does that, and I think it’s an extremely poor practice. Until some bank gets sued, or there’s regulation, I can’t see it changing.

    • I hate that. It seems very few sites I deal with limit things to 8 characters, though I have a few that have limited things to 12, which I consider the bare minimum these days.

Comments are closed.

Follow

Get every new post delivered to your Inbox.

Join 4,537 other followers

%d bloggers like this: