The Security Blog
Password Security
I would like to address the subject of passwords. Many users underestimate the threat of using the same log-in credentials for various online services. Using an easy-to-guess password for social networking, online-shopping, e-mail and work related topics like TAC management poses huge risks to private and business-related interests.
Modern password-guessing tools have no problems extending their range of attacks to your favorite car model and the year you bought it (Mu$tang2010, anyone?). As an example, Mu$tang2010 seems perfect as a secure password. It matches a lot of password criteria: It has minor and capital letters, numbers, a special character and is more than 10 digits long. But it is not secure. It is a pronounceable, a well-known word and if the attacker has collected some personal background information he might not even need a rainbow-table. In addition: switching from S to $, from E to 3 or anything else “1337”-related is a very cheap trick.
To be honest and open, I must admit something. I learned the lesson the hard way. I have fallen victim to the Sony hack last year, when 100s of 1000s of user information were stolen, including log-in credentials. Among those were mine. My log-in credentials for that online service and other online-shopping services were the same. Luckily I secured my mail account and online-banking with a different password, so I was save from any possible fraud scheme. Nevertheless I was shown a huge security gap.
Now, what did I do?
I went pretty radical on that subject. I have changed all passwords to service-individual, long, unpronounceable and hard to remember passwords. In addition I refuse to memorize any of my passwords. I have no idea what my mail, shopping, social networking or any other service password is. Helping me on that are password tools like Password Manager, which is available for download in the software installer and an App for the phone: MiniKeePass. Whenever I need to log-in somewhere, I run the program and perform autotype or copy the password temporarily to the clipboard for copy & paste on the log-in screen. Yes, you give up comfort − but unless fingerprints and retina scanners are well established this procedure keeps you save from trouble.
The applications are easy to use. Simply create a database, fill it up with entries for the desired services and let the Password-Manager generate the passwords according to a password policy that you can set up. Then just change the password in the account settings of the online service using copy and paste and use the autotype feature the next time you log-in. One side effect of this is that you get shown to how many online services you are actually subscribed. I was amazed to see how many password entries I have ended up with, after I ended changing all my passwords.