
Password Security and Management

The Setup

In 2010, several popular web sites were hacked and their password data stolen. If you had an account on one of those sites, you may already know about it, since emails warning of the break-in were sent to users. If not, then why worry, right?

Why worry, indeed.

The Problem

The problem is twofold. On the one hand, attackers have accumulated, breach by breach, a very large list of real passwords, and that list shows how people from every walk of life actually build them: a word, a name or a date, a capital letter at the front, a digit or two at the end, a few letters swapped for look-alike symbols. The list runs to millions of passwords, an enormous sample, and tool writers have turned those habits into mangling rules that are applied to wordlists automatically, so weak passwords fall quickly and with almost no effort. Length alone no longer saves you: a 16-character password assembled from words and predictable substitutions, which would have resisted attack five years ago, is now child's play (almost literally, given the cut-and-paste nature of the practice in a so-called "script kiddie's" hands).

On the other hand, the computing power needed to crunch through billions, yes billions with a B, of password guesses per second is relatively cheap and commonplace. That rate assumes the site stored its passwords with a fast hash such as MD5 or SHA-1, as many sites do; a site that uses a deliberately slow hash such as bcrypt cuts it by orders of magnitude, but as a user you usually cannot tell which kind a site chose, so plan for the fast case.

Take a password many people would consider secure, such as Rumbl3H0use. It is two dictionary words, each capitalized, with an e and an o swapped for look-alike digits. Those are precisely the rules a cracking tool applies to its wordlist, so given today's password-cracking knowledge and cheap hardware, it is an almost painlessly easy password to crack; its length counts for nothing, because the attacker never has to try arbitrary 11-character strings.
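To make the contrast concrete, here is an added example (not code from the original post) of the kind of rule-based guessing described above. It assumes the site stored passwords as unsalted SHA-1 (a common but weak choice; the page does not say what the breached sites used), and it uses a constructed eight-word list in place of the multi-million-entry leaked corpora. The rules are the ones the text names: capitalization, joining two words, and "leet" digit substitutions. It then compares the handful of guesses needed against the naive brute-force estimate that makes an 11-character mixed-case alphanumeric string look safe.

```python
import hashlib
import itertools

# Constructed toy wordlist standing in for the multi-million-entry leaked
# corpora the text describes (example data, not from the original post).
WORDLIST = ["rumble", "house", "password", "dragon", "monkey",
            "letmein", "summer", "qwerty"]

# Typical "leet" substitutions, encoded as a mangling rule.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def case_variants(word):
    """Yield the lower, Capitalized and UPPER forms of a word."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(text):
    """Yield `text` with every subset of substitutable letters replaced."""
    positions = [i for i, ch in enumerate(text) if ch.lower() in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(text)
            for i in subset:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def candidates(wordlist):
    """Guesses in the order a rule-based cracker might try them:
    single words first, then two-word joins, each with case and leet rules."""
    bases = [v for w in wordlist for v in case_variants(w)]
    for a, b in itertools.permutations(wordlist, 2):
        for ca in case_variants(a):
            for cb in case_variants(b):
                bases.append(ca + cb)
    for base in bases:
        yield from leet_variants(base)


def sha1_hex(password):
    """Unsalted SHA-1, assumed here as the site's (weak) storage format."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack(target_hash, wordlist):
    """Return (password, guesses) on a hit, or (None, guesses) if exhausted."""
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        if sha1_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def brute_force_years(length, alphabet_size=62, guesses_per_second=1e9):
    """Years to exhaust every string of `length` over `alphabet_size` symbols."""
    return alphabet_size ** length / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    target = sha1_hex("Rumbl3H0use")
    found, guesses = crack(target, WORDLIST)
    print(f"recovered {found!r} after {guesses} guesses")
    print(f"naive 62^11 brute force at 1e9/s: {brute_force_years(11):.0f} years")
```

The brute-force estimate says centuries; the rule-based search recovers Rumbl3H0use in a few hundred guesses, because the password's structure is exactly what the rules were written to reproduce. A truly random string of the same length is not in any candidate list, which is the whole argument of the next section.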

The Solution

A solution, at least for now, is longer, randomly generated passwords, at least 23 characters long. The strength comes from the randomness rather than from the length as such: no dictionary, rule or personal detail gives the attacker a head start, so exhaustive search is the only option, and a 23-character password drawn uniformly from the 94 printable ASCII characters has about 150 bits of entropy, far beyond what billions of guesses per second can reach. Crackers will forgo passwords like that in favor of the low-hanging fruit of passwords like the one above (or, even better for them, your mother's or kid's name followed by a number, which is trivial).

Of course, committing a 23-character random password to memory is not a reasonable expectation, especially if you use a different password for each of the average 25 online accounts most people have. You should be doing exactly that, and crackers know most people do not: a password recovered from one breached site is immediately tried against every other site, so reuse turns one break-in into a dozen.
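The two paragraphs above, as an added example that is not part of the original post: generating the random passwords the text recommends, measuring their entropy, and building a memorable passphrase for the one password you do have to remember. Only the Python standard library is used. The `secrets` module is chosen deliberately, because `random` is not a cryptographic generator and its output can be predicted. The 16-word list is constructed for the example; a real passphrase list such as Diceware has 7776 words, and the entropy figures show why that size matters.

```python
import math
import secrets
import string

# The 94 printable, non-whitespace ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy wordlist (example data). A real list like Diceware has 7776
# entries; with only 16 words each pick is worth just 4 bits.
WORDS = ["anchor", "basket", "copper", "daisy", "ember", "falcon", "garnet",
         "harbor", "ivory", "juniper", "kettle", "lantern", "meadow",
         "nectar", "orbit", "pebble"]


def generate_password(length=23, alphabet=ALPHABET):
    """A password of `length` symbols, each drawn uniformly with a CSPRNG.

    secrets.choice() uses the OS entropy source; random.choice() would not be
    safe here because its Mersenne Twister output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=6, wordlist=WORDS, sep="-"):
    """A memorable master passphrase: random wordlist entries joined by `sep`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols, alphabet_size):
    """Entropy of `symbols` independent uniform picks from `alphabet_size` options."""
    return symbols * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e9):
    """Time to try every possibility at the given rate (expect about half that)."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"{pw}  ({bits:.1f} bits, {years_to_exhaust(bits):.2e} years at 1e9/s)")

    phrase = generate_passphrase()
    print(f"{phrase}  (toy list: {entropy_bits(6, len(WORDS)):.0f} bits; "
          f"Diceware-sized list: {entropy_bits(6, 7776):.1f} bits)")
```

The passphrase is the right shape for the master password discussed in the next section: six words from a 7776-word list give about 77 bits, comfortably beyond the billions-per-second rate, and it can be typed from memory, which 23 random symbols cannot.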

Enter password management software

The idea behind password management applications is that you need to remember only one password, the master password that unlocks the password manager itself. Once it is unlocked, your list of passwords becomes available to you. From there it is a simple matter of copying and pasting the passwords into the appropriate fields for the sites you want to access. Some password managers have browser plugins that fill in those fields for you once you enter your master password, and many have mobile counterparts to their desktop apps. The master password is the one secret everything else depends on, so it must be long, unique and never reused anywhere, and the manager's encrypted database should be backed up like any other valuable file. Three good ones are 1Password ($49), LastPass (free, $12 a year for the "premium" version), and KeePass (free, open source); prices are as of this writing.

Using a password manager to generate random passwords of at least 23 characters is one of the best defenses for your most valuable online assets (or Facebook) against the increasingly sophisticated password-cracking underground. And while it may feel safe to assume your data would never be a target, because you are one small account among millions, think again. They're out there, and they're harvesting data all the time; a leaked password list is attacked wholesale, not one carefully chosen victim at a time. Even if it's true, for now, that you're not worth their time, why make it easy for them if you ever do become a target?