It is important to note that LastPass stores only encrypted passwords on their servers. So even if encrypted passwords are stolen, it will be nearly impossible to reveal them if the master password is strong. This reinforces the need to choose a strong master password to guard the passwords stored in a password manager. For more on master password selection, see here: Master Password Selection.

FilterJoe is a Different Kind of Blog

This revision to Which Password Manager was the most substantial revision I’ve made to a prior post. However, please note that I make revisions to past material frequently. The majority of my posts contain information that will be relevant for at least a year, sometimes much longer. Therefore, I spend a lot of time and effort revising content I’ve already written.

Frequently revising prior blog posts is not standard practice. But I treat FilterJoe more like a reference site than a blog.

To be a good reference site, material needs to be accurate and up-to-date. If anyone ever notices anything in my posts that is not accurate or up-to-date, please point it out, and I’ll be sure to make the necessary revisions.

Even the lightest of users may have a dozen or so online accounts and heavy users have hundreds. How do you keep track of all these passwords?

The Way Most People Manage Their Passwords Is Not Secure

The way most people manage their passwords is to use a 2 or 3 password system. A typical 3 word system is to use:

• The same short and simple password for unimportant accounts
• A better password for all moderately important accounts
• The best password for critical accounts such as online banking

While this makes passwords easy to remember, this is not a secure password system. Password thieves understand and increasingly exploit this common setup to compromise accounts and sometimes even take over identities. Having your e-mail or financial accounts compromised is a considerable distraction and having your identity stolen is even worse.

Typical Password Advice Is Unrealistic

Unfortunately, if you follow typical password advice you’ll suffer even more password distractions. Overwhelmingly long lists of password rules include using a mixture of upper, lower, number, and special characters, never storing passwords electronically, and changing your passwords every few months, just to name a few. Some of this password advice is unnecessary, yet how do you know which?

More importantly, how many people outside of the security industry have the time, patience, and motivation to manage passwords like this?

A Better Way to Manage Passwords—the Short Version

Here’s a much better way to manage passwords:

Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password.

Why does this work so well?

It’s convenient. Your password manager automatically stores and enters all user names and passwords for you and associates them with the correct web site. All you need to do is enter your master password once at the beginning of your computer session.

It’s much more secure. Because all your passwords are unique, random 15 character jumbles, your passwords are nearly impossible to crack by brute force. Even if one of your accounts gets compromised through no fault of your own, no other accounts will be compromised.

A Better Way to Manage Passwords—the Long Version

The rest of this post is a guided index to a series of posts I wrote on password management, set up so that you can learn as little or as much as you like.

If you’re new to password management and want to develop some intuition through extended metaphors, first read Password Management for the Average Joe. Then, to better understand why password managers are the best solution for typical users, read Why Use a Password Manager.

If you’re ready to choose the password manager that’s best for your situation, read Which Password Manager. For tips on how best to use your password manager, including master password selection, read Tips for Wise Use of Password Managers, Including Master Password Selection. You might also want to read Bad or Useless Advice About Password Managment.

You’ll be better able to defend yourself against password theft if you take the time to read and understand How Attackers Steal Passwords, and How Attackers Exploit the Usual Way Passwords Are Managed.

To improve password management without the use of a password manager, read A Base Phrase Approach to Password Management.

Here’s a list of Definitions For Common Password Security Terms.

Acknowledgements

It took me hundreds of hours of research to write this comprehensive set of posts on passwords, and I continue to spend more time maintaining this guide as new developments occur in the password security field. I received help from a few security experts along the way, some of whom provided feedback after carefully reading through my posts. These people are:

• Carl Hallberg, Information Security Engineer at Wells Fargo
• Mark Burnett, author of Perfect Passwords
• Ron Bowes, Skull Security, Security Research Engineer at Tenable Network Security
• Simon Davis of RoboForm
• Jeffrey Goldberg of Agile Web Solutions

One other person I would like to acknowledge is Karin Fisher-Golton, my wife. She uses her skills as a children’s book writer and former technical writer/editor to edit most of my posts. She went above and beyond the call of duty helping me refine this password management series.

A sincere thanks to all of you who helped make this guide useful, accurate, and comprehensive.

I have been reluctant to post this article as I continue to strongly believe that using a password manager is a much better approach for most people. But having seen a few articles recently describing how to manage passwords without a password manager, I felt the time was right to complete the series on password management.

Read on for specific, detailed examples of how to implement the base phrase approach.

How to Make Good Passwords Using a Base Phrase Approach

This first example illustrates the basic concept: You start with a base password (in this case, “password”), and then you construct the passwords for your Facebook, Gmail, and Chase accounts by using the same rule for each account—in this case, appending the name of the service.

Base Phrase: password
Addition method: append name of service to the end of the base phrase

Example passwords:
Facebook – passwordfacebook
Gmail – passwordgmail
Chase – passwordchase

These kinds of passwords are too obvious, so we need a far better base password, but still easy to remember. So let’s take a phrase you remember but is unguessable, and convert it to a “base phrase” by using the first character of each letter in a logical way, using symbols and capital letters when possible. Use a phrase that is easy for you to remember, such as an interesting fact or a line from a song or poem. For example, let’s say you got a Porsche for your 18th birthday and loved it:

Phrase: For my 18th birthday I got a Porsche 911.  Expensive, but I love it!
Base Phrase: Fm18bIgaP911.$bIli!
Addition method: add name of service to the end of the base phrase

Example passwords:
Facebook – Fm18bIgaP911.$bIli!facebook
Gmail – Fm18bIgaP911.$bIli!gmail
Chase – Fm18bIgaP911.$bIli!chase

These are much stronger passwords and individually very difficult to crack, but there is still a problem. If one of your passwords gets captured, the attacker will do the obvious:  try the same base phrase for all of your other accounts, using the same rule. So we need a better method for naming the service that is much less obvious to an attacker, but easy to remember. Here is one such method:

Phrase: For my 18th birthday I got a Porsche 911. Expensive, but I love it!
Base Phrase: Fm18bIgaP911.$bIli!
Addition method: Transform the first and last letters of the service into other characters by shifting one letter to the right on the keyboard. Insert first transformed character before the base phrase. Append last transformed character after the base phrase.

Example Passwords:
Facebook – gFm18bIgaP911.$bIli!l
Gmail – hFm18bIgaP911.$bIli!;
Chase – vFm18bIgaP911.$bIli!r

With only one captured password, it would be difficult for an attacker to identify which part of the password is the base phrase. On the other hand, if two or more passwords were captured, an attacker could very easily identify the base phrase portion. Armed with this information, the attacker could use brute force methods to crack the rest of your passwords. This is still a vast improvement over standard password management for most people and would thwart many forms of automated attack.

It is also possible to construct more complicated rules that combines your base phrase with the name of the service into a password which eliminates the base phrase altogether. Called “password hashing,” this is considerably more secure than what I outlined above, but far too difficult to implement manually. For more information about password hashing, including helpful tools, read here.

Guidelines

To sum up the above discussion, here are some guidelines to setting up your own personal base phrase system:

• The total password length (base phrase + additional characters) should be 15 or more characters.  I explain why, here.
• The “base phrase” should be easy for you to remember and type, but impossible for others to guess.
• You may want to avoid using special characters in the base phrase, as not all sites accept them.
• The discovery of one password should not imply the others. Use a rule which transforms the additional characters into something else and appending them in a way which is not too obvious.

Gina Trapani of lifehacker fame is an advocate of a base phrase approach (which she refers to as a key with a pattern). You can read her take on the subject here, or even see a video she prepared, here.

A more recent article on this subject was posted to the New York times blog, here. In a follow-up comment, author David Freedman challenged his readers to discover the password he thought up for accessing his nytimes.com account (mcZ3sbja) using an algorithm he devised in his head in 4 seconds. Guess what? A reader quickly figured it out, as described here.

Closing Comments

Correct implementation of the base phrase approach requires considerable care and discipline, and for this reason I do not recommend this approach for most people. There are also other disadvantages compared to a password manager, such as being less convenient to use, not working for sites that require short passwords, and requiring that all passwords be changed if one suspects multiple passwords have been captured.

Nevertheless, some people are very reluctant to entrust software with something as critical as passwords. A base phrase approach correctly used may not be as effective or convenient as using a password manager, but it is a far better method for managing passwords than that practiced by the average Joe.

What should you do if you are a Skyrock user? What should you do if you are not a Skyrock user?

Skyrock is a leading social network site and blogging platform in France, Belgium and Switzerland and the seventh largest social network in the world. The number of accounts that were potentially compromised have been variously reported between 30 million and 38.5 million.

Social networks with advanced blogging platforms such as Skyrock are a prime target, because successful attackers can steal your identity, install malware on your account, trick your friends into installing malware, and/or break into any other account you own that uses the same password.

If You are NOT a Skyrock User

If you don’t use Skyrock, you should be concerned. Any Skyrock blog you visit could potentially inject malware into your browser. I discuss defenses for browser-based attacks here. Expect an increase in the amount of e-mails or facebook messages from friends asking you to click a link, watch a video, install something, or send money. If you receive such a message, be very cautious. Verify it is really coming from your friend before taking any suggested action.

If You ARE a Skyrock User

If you are a Skyrock user change your password (mot de passe) immediately. Also change your passwords on all other services for which you were using the same password. If you don’t, there is a good chance that all of your accounts will be taken over that use this password, using the method I describe here.

If you have a different password for each of your accounts, the damage from this attack will be minimal. Simply change your Skyrock password and you’re done.

A Better Way to Manage Your Passwords

Most people use the same password for multiple accounts, because it is hard to remember more than a few passwords. This is not a good idea, as many Skyrock users are about to find out.

Earlier this month, I described an easy way to keep track of a different password for each account, here. Use a password manager to assign unique passwords at least 15 random characters long for all accounts, protecting them all with a strong master password. Sounds hard, but it is actually easy to do, and you save yourself time in the long run.

FilterJoe is not a news reporting site so posts of this type will be rare. I made an exception for SkyRock because it is such a large security breach, U.S. reporting of it has been scarce, and password security has been a recent focus on this site. If a few people improve the way they manage passwords as a result of reading this post, then the exception will have been worth it.

Like personal security, password management is something most people don’t think much about until after something bad happens. Unfortunately, the Internet is not secure. Just as you need to be “street wise” when venturing onto streets, you need to be “net wise” – especially with passwords – when venturing onto the Internet. Because, like it or not, your passwords are currently the main barrier between you and the bad guys.

Most password management advice seems designed to torture you as opposed to help you. For the average Joe with average security needs, password management advice needs to be simple and usable, not just secure. Luckily, there is a reasonably secure form of password management that is simple and usable. Here it is:

The Four Steps to Simple, Usable, and Secure Password Management

• Choose a password manager.
• Setup unique, random 15 character passwords for every online account. Sounds hard, but most password managers make this easy to do.
• Protect these passwords with a master password that is strong and memorable.
• Use your password manager by typing in your master password each time you start your computer work.  Then use a single click to log in to each account, as needed.

This is all you need to do.

This is not the usual advice you’ll find in formal and informal blogs across the internet, and it will not perfectly secure you against all possible forms of password theft. It is, however, the best blend of security and ease-of-use I’ve been able to come up with after considerable research and thought about the subject.

If you follow the four steps above, you’ll be much safer than the average netizen – comparable to having a home protected by locks, burglar alarms, smoke detectors, and sprinklers as opposed to just a front door lock with a spare key underneath the mat. You will not only protect yourself from the most common threats, but you will also save yourself a lot of time over the long run thanks to automatic logins and form filling.

Read through the entire series to learn why you should take the time to do this, the best way to go about doing it, what security advice you should ignore, and most importantly to become as “net wise” as you are “street wise.”

The complete list of posts:

Contents

• Password Management for the Average Joe (this post)
• Use a Password Manager to Assign Unique, Random 15 Character Passwords for all Accounts, Protecting them with a Strong Master Password
• Which Password Manager?
• Tips for Wise Use of Password Managers – Including Master Password Selection
• Bad or Useless Advice about Password Management
• A Base Phrase Approach to Password Management
• How Attackers Steal Passwords
• The Usual Way to Manage Passwords and How Attackers Exploit It
• Definitions for Common Password Security Terms

Disclaimers

1)  Passwords are just one form of necessary security. PCs with out-of-date browsers, security software, and/or operating system software frequently get infected with malware. Perfect password security doesn’t matter if malware observes everything you do on your computer.

2)  I have not been paid to create this series of articles, and will receive no payments if you click on any links in the main content area. The only free product accepted as part of writing this series of articles was 1Password for my wife to test on her iMac. I wrote this comprehensive guide because I have developed a passion for the subject over the past year and felt that someone needed to pull all these password-related concepts together into one helpful reference guide. I welcome specific feedback so that I can improve upon this series of posts on passwords, with the hope that helping people to become more “net wise” will help reduce password theft.

Most thieves are not highly skilled, and even thieves with greater skill prefer easier targets. So locking doors will discourage many thieves, and a big, barking dog will discourage even more.

The same is true with hackers – most are not highly skilled and even those who are prefer easy targets. If you are a typical consumer without data of great value to criminals, then using a password manager as I describe here can act as the equivalent of a locked door combined with a barking dog, an alarm system, and a sprinkler system – which will keep out all but the most highly skilled and determined hackers.

Unfortunately, the way most people manage their passwords can be easily exploited by automated malware or as part of larger attacks that harvest thousands of passwords. Even more unfortunately, the vast majority of advice about password management is either misguided or too complicated. In this post I explain why I believe using a Password Manager (to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password) strikes the best balance of usability and security for the average Joe.

The title of this post sums up the password management approach that I believe provides the most benefit for the least effort. In the rest of this post, I explain why.

Why Use a Password Manager?

It is entirely possible to manage passwords well without a password manager, using a base phrase approach. The problem is, few people do it. And for good reason.

With a password manager, it is very easy to manage hundreds of accounts, each with unique, long, randomly generated passwords. The user simply enters a master password at the beginning of each computer session, and all subsequent passwords are entered with a single click or keystroke. With most password managers, you can also have your address and credit card information filled in automatically when setting up new accounts or making one-time purchases.

It takes several hours to set up a password manager for the first time and change your collection of passwords to stronger ones. But in the long run, you actually save time and attention as you will no longer have to manually enter passwords or fill forms many times per day. You also reduce the chance you’ll ever have to spend time recovering a hijacked account.

Why Should Every Account Have a Unique Password?

By far the most important advice in this series of posts is to never use the same password for more than one account. There are numerous ways attackers can capture a password. If you use the Internet in a typical way, chances are high that one of your passwords will get captured, perhaps once every 2 or 3 years. It can happen to anyone, even tech savvy, security conscious people like Amit Agarwal or Cory Doctorow. Once an attacker has your password for one account, the attacker has the password for all accounts which use this same password.

But it is often worse. If you used this same password for an e-mail account, even an old, abandoned e-mail account, it is possible to use information contained in old e-mails to break into most or all of your accounts. It is by this means that several high profile break-ins have occurred to corporate networks over the past year, including the well publicized Twitter break-in.

None of this is an issue if you have a unique password for every account. While it will not protect you from getting the occasional password stolen, it will limit the damage to just that one account.

Why do Passwords Need to be 15 or More Characters Long?

Most people don’t realize that user names and passwords routinely get stolen while your computer is off and disconnected from the internet. How? Web sites with many users and weak security are prime targets for attackers who want to steal a password file which lists all user names and passwords. While most sites do not store passwords as clear text, many sites store passwords in a form that can be read using widely available rainbow table software. For people who use the same password on many sites, the theft of this password on one site can be the starting point for an attack on all of your accounts.

You may not care about all the technical details, but the bottom line is that it is very difficult to crack a password that is 15 or more randomly generated characters, either by brute force or using rainbow tables on captured passwords files. Even more advanced password cracking techniques using the latest software, graphics cards, or bot nets will not be able to crack such passwords.

An additional benefit of using randomly generated passwords that are so long, is that passwords composed of just lowercase letters are plenty strong. For passwords that you need to enter into a cell phone manually, 15 random lowercase letters are easier to enter than something like r5!9f#X.

Why do Passwords Need to be Randomly Generated?

Humans are notoriously poor at generating randomness, in passwords or anything else. It is actually possible to devise memorable passwords which are also very strong. It is something you will need to do once, for your master password, and it will probably take at least a few minutes to come up with a really great password. But there is no need for you to remember any of your other passwords when your password manager remembers them all.

While a computer may have difficulty generating random character strings that would satisfy the stringent standards of a mathematician or cryptographer, in actual practice the passwords generated by password management software will not be the weak link in your password security.  Attackers have many easier ways to steal passwords.

The way password cracking software works is to test passwords from dictionaries, proper names, and lists of common passwords. The software may also try minor variations of all of these common words such as adding or inserting an extra digit – since that is how many people construct passwords. If that doesn’t work, then it will try every possible combination of characters up to a certain length – perhaps 8 or 9 characters.

The random password generators included with the more popular password managers will generate passwords that aren’t on any of these lists, and will not construct passwords the way a human would. Combined with 15 character length, the resulting password is nearly uncrackable by brute force methods.

Why do Passwords Need to be Guarded by a Strong Master Password?

The most common criticism of password managers is that it has access to all of your passwords. In the event that someone gets access to your password manager, they have access to all of your passwords. And this is true.

This criticism scares away many people from using password managers, and many of these people will continue to use the same 2 or 3 weak passwords for all accounts.

The fact of the matter is, it’s not so easy for an attacker to get access to passwords when they are protected by a strong master password. It is theoretically possible for key logging software or hardware to capture the master password or for flaws in the operating system, browser, or password manager to be exploited. But if master passwords were frequently captured, there would be reports of it. I looked but was not able to find any such reports. I was also told by Simon Davis of Siber Systems (makers of RoboForm) that his company has never received a report of someone’s master password being compromised by a keystroke logger. For those working in an environment where keystroke logging might be an issue, Roboform and some other password managers offer an on-screen keyboard option which can not be recorded by keystroke logging software.

Nevertheless, if you use password management software to store all of your passwords, you do need to recognize that all of your passwords are collected in one spot. The way you can protect this collection is to choose a very strong master password, which applies to all of your accounts. I explain master password selection and other password management tips here.

If you’re already using and liking a password manager not mentioned in this post, by all means keep using it so long as it offers master password protection in combination with strong encryption. While most password managers offer password import and export functions, the actual practice of switching password managers and learning a new one is cumbersome.

However, if you’re selecting a password manager for the first time or dissatisfied with your current password manager, you may as well benefit from my efforts to identify the best password managers for individuals. My efforts included extensive use of two password managers and poring through hundreds of reviews, forums, and comments about many others.

Below I describe four password managers with an outstanding combination of features, low cost, ease of use, and well-deserved popularity.

What to look for in a Password Manager

• Security must be a given (master password, AES).
• It should be as easy as possible to get started using the password manager, without sacrificing security.
• It must be easy to securely auto-fill user name and passwords in the more popular browsers.
• It must be easy to capture new login information and associate with one specific site.
• Passwords should be synced and easily available on all the desktop and mobile platforms you use. Keeping your passwords on your phone is more secure than carrying around a printed listing of your passwords, so long as it is protected by a master password.

There are also a few optional features that you may want, such as automatic form filling, secure notes, multiple identities, easy import/export, password generation, USB key support, and additional security features such as virtual keyboards, two-factor authentication, and one-time passwords.

Weaknesses Shared by all Password Managers

So far as I have been able to determine, all password managers will let you choose as weak a master password as you like, some without any warning. Most password managers allow some or all passwords to not be protected by a master password. Furthermore, many password managers ask users to make decisions during setup (or offer options) that require significant knowledge of password security.

By allowing this flexibility, users can be exposed to more danger than if they weren’t using a password manager at all – because all of these unprotected or lightly protected passwords are assembled in one electronic location.

Simon Davis of RoboForm-maker Siber Systems says that users of RoboForm fall into two categories: those who seek convenience and those who seek security. His experience has been that convenience users outnumber security conscious users. Some people do not protect any data with a master password.

I suspect that most users seeking convenience would use a strong master password to protect all passwords if they understood the risks involved of not doing so. I started out as a RoboForm convenience user but changed my habits to a secure user after educating myself about the risks of unprotected passwords.

It is possible to imagine password manager software which does a better job of both warning and educating users about unsafe password practices. It is also possible to imagine a setup process for password managers that asked the user a simple question at the beginning of setup: Do you want to optimize for security, convenience, or half-way in between? At the very least, I would like to see improved, cooperative efforts by the security industry to promote safe password practices.

Best Cloud-Based Password Manager: LastPass

Cloud Computing is the use of web services to create, edit, and store data on servers located elsewhere. A number of cloud-based password services have launched in the past few years. These password services make it easy for you to access your passwords from any desktop or mobile browser. While many people feel instinctively more comfortable storing sensitive information on their own hard drive rather then some far off server, the developers of such sites explain that they don’t store your master password. It is impossible to view the encrypted passwords stored on their servers without the master password, even for employees of the online password service.

If you’re comfortable with your passwords being encrypted and stored in the cloud, you’ll find that using cloud-based password services are convenient. Your passwords are easily available and synced across all platforms using browser bookmarklets, plugins, or extensions. For people who use multiple operating systems, browsers, and mobile devices on a daily basis, a cloud-based solution is far more convenient than the desktop-based competition, which is generally compatible with fewer systems. Assuming proper security, the only disadvantage is that the service can be partially or fully disrupted when the server storing the passwords goes down.

LastPass is one such cloud-based password service. Though I have not personally tested LastPass, an examination of reviews, forums and the LastPass web site suggests that users are overwhelmingly satisfied with LastPass. This service is the only password manager system for consumers I’ve come across that includes every optional feature offered by any of its competitors. The “one-time passwords” feature provides a secure means to access passwords from public WiFi. The potential disruption caused by temporary server failure can be mitigated by local password caching for those who use a plug-in for Firefox or Internet Explorer. LastPass maintains an extensive and well organized web site and forums.

LastPass is a free service with basic functionality comparable with RoboForm or 1Password, yet available on a wider variety of platforms. For $12/year, LastPass offers mobile clients, two factor authentication, and emergency phone support. And most people who have tested multiple password managers claim that LastPass is one of the easiest to use.

You can learn more from these two reviews:

LastPass Review by PC Magazine

LastPass Review by Tech Herald

And from the LastPass web site:

LastPass.com

Risks of Storing Passwords in the Cloud with LastPass (UPDATE)

Two recent incidents highlight the risks of storing passwords in the cloud, so I felt a need to update this post with this entirely new section.

On May 4, 2011, lastpass notified users of an unexplained transmission of data to and from their services. It is not known whether passwords were stolen. Given that stored passwords are encrypted, this is not likely to cause problems but lastpass management has taken precautionary steps. Details here.

On February 26, 2011, security researcher Mike Cardwell reported a LastPass vulnerability. A cross-site scripting (XSS) vulnerability allowed the possibility of any logged-in LastPass user visiting a malicious web site to have various account details logged (though not in a way that exposed encrypted passwords). Mike Cardwell believes other XSS LastPass vulnerabilities may be discovered in the future, based on his understanding of the LastPass architecture. LastPass is a top notch company and I expect them to do everything possible to eliminate any remaining vulnerabilities. Details from lastpass are here.

LastPass responded with great speed and openness to both issues which is a great credit to their integrity. However, these incidents serve as a reminder that web-based software is more difficult to secure than desktop-based software. LastPass is a tempting target for password thieves. I have no doubts about the integrity or ability of the LastPass team. But the more popular they get, the more resources will be used by the bad guys to break in and steal passwords. People with nagging doubts about the security of web-based password managers can now point to these real examples.

Best Windows Password Manager: RoboForm

UPDATE: EasyPass was launched by security software leader avast! in October 2011. It is essentially RoboForm. So this review of RoboForm serves as a review of the Avast EasyPass password manager as well.

For those people who use their passwords primarily on their Windows systems, RoboForm offers fully featured password management and automatic form filling software for a reasonable cost ($29.95 for the first system, $9.95 for subsequent licenses). An online version of RoboForm with fewer features is available for free. For years, RoboForm received top accolades from PC magazine and other publications, though in recent times the competition has greatly improved.

For those who prefer to store their passwords on their own system, RoboForm remains the best option for Windows. Plug-ins for Firefox and Internet Explorer (UPDATE: and in 2011, Chrome and Opera) makes RoboForm work very smoothly with browsers. I have used RoboForm for over 5 years and have no plans to switch. Dropbox keeps my 3 Windows systems’ passwords in sync.

While RoboForm has its roots as Windows software, it has versions for most major mobile platforms ranging from the Blackberry (nonsyncing, basic password storage that can be used via copy/paste) to the iPhone (includes sync and 1 click logins). Using an optional, free RoboForm Online service in conjunction with the RoboForm Bookmarklet allows RoboForm to autofill logins on unsupported browsers or unsupported operating systems (OS X, Linux). RoboForm extensions for Firefox and Chrome used in conjunction with Roboform Online means that RoboForm can be accessed from either of these two browsers on any operating system.

RoboForm is very flexible – perhaps too flexible – as it allows users many options to reduce security. For example, the security settings can be set so that 5 hours after you close your browser, log out, and put your computer to sleep, someone could waken the computer, log in to the guest account, and start logging in to all your web sites. RoboForm is not set up this way by default, but why even allow the possibility of such an insecure setup?

Once you do set up RoboForm securely, it has all the required and most of the optional features one would want in a password manager. Its superior handling of a wide variety of web site styles for automatic form filling and login field detection makes it very easy to use, and a big time saver. Additional nice touches include tracking password changes, an optional feature to gracefully handle new account setup, and a customizable tool bar.

Version 7 of RoboForm (currently in Beta) will improve the user interface, add fingerprint reader support, and extend functionality beyond browsers into many other windows programs that require passwords. Also under development is a Mac OS X client, a Google Chrome plug-in (that does not require the use of RoboForm Online), an Android client, and improved versions of the existing mobile clients.

You can learn more from this review:

RoboForm Review by Tech Herald

And a video demonstration of RoboForm that is helpful for those totally new to password managers:

RoboForm Demonstration Video

And the RoboForm web site:

RoboForm.com

UPDATE: Roboform 7 was released in December of 2010. See PC Magazine’s Roboform 7 review for an excellent review.

Best Mac OS X Password Manager: 1Password

1Password is by far the most tightly integrated password manager for Apple’s computers, iPads, iPhones, and iPod touches. It looks, feels, and acts as if were a part of the Mac OS, while also including most of the features found in other great password managers. It is therefore the obvious choice for people who use only Apple devices. It costs $39.95 for the Mac version, and $14.99 for a mobile version which works on the iPad, iPhone, and iPod touch. Less expensive mobile versions are also available that have fewer features and work on fewer devices.

Like all password managers, setting up 1Password requires some learning. Trying to determine which versions of 1Password work on which operating systems for Macs and iPhones is mildly confusing, as is certain choices during setup.

But once set up, logins are fast and integration with Firefox and Safari is seamless. When you change passwords, 1Password prompts you to replace the prior password so you don’t have to do it manually. The product is very well supported, including an extensive web site with forums. Agile Bits (formerly Agile Solutions) is always very quick to make versions of 1Password available for any new Apple product or operating system (most recently, the iPad).

My wife Karin tested 1Password 2.9.x over the past year with her iMac (Mac OS 10.4.11). Prior to 1Password, Karin had never used a password manager. While Karin expressed reservations both prior to getting 1Password and during the first two weeks of use, it has since become second nature and she has become a fan of the password manager concept in general. So much so, that she recently purchased the 1Password iPod touch version.

Version 3.x was released in November of 2009 and requires Mac OS X 10.5 or higher. It has a number of helpful new features, including an option to make your passwords available to other operating systems and mobile devices, software license management, greater mobile syncing flexibility, and password storage for applications and other services that aren’t used in a browser.  Setup has also been simplified as the user is no longer required to make a decision about how to store passwords—the Agile keychain is now the only choice.

A 1Password client for Windows is under development (UPDATE: Windows version available since December, 2010).

You can learn more from this review:

1Password Review by SmokingApples

And the 1Password web site:

1Password

Best free password manager: KeePass

KeePass is a free, open source password manager first released in 2003. It now has versions available for Windows, Mac OS X, Linux, and a number of mobile devices. An advantage of open sourced software is that it is open to scrutiny, which greatly increases the chances that it will be secure and free of bugs, as compared with its proprietary counterparts. This is especially advantageous for security software such as a password manager which requires a user to entrust sensitive data to a third party.

KeePass is a fully featured password manager that includes random password generation, support for desktop application passwords, and additional security features such as two-factor authentication. Various plug-ins provide additional functionality.

However, using KeePass requires a certain amount of computer sophistication and tinkering. The lack of browser integration requires the use of global, auto-login keyboard shortcuts (auto-type), which works on some sites but requires tinkering to get working on others. The commercial password managers discussed above all take care of automatic logins more gracefully and have superior user interfaces. Therefore, KeePass may not be appropriate for the average Joe, but any article about the best password managers should mention KeePass given its zero cost, its open source scrutiny, and its popularity among more sophisticated computer users. Among the tech savvy lifehacker crowd, KeePass is most popular, though the others mentioned in this post are also popular.

Here is a review of KeePass:

KeePass review by Tech Herald

And the KeePass web site:

KeePass

Honorable mention goes to Password Safe (also free and open source), which is associated with cryptography expert Bruce Schneier. It has fewer features than the other password managers mentioned in this post, concentrating on password entry alone. But it works, and may be sufficient to meet some peoples’ needs.

Password Safe

Built-in Browser Password Managers

Many people use password managers that come built-in to their browser or security suite. There are several reasons not to do this:

• Passwords are not shared everywhere you use them (though Xmarks can partially solve this issue)
• Browser password security is sometimes inferior or buggy as compared with stand-alone products, as it is not the main focus
• Several stand-alone password managers have superior user interfaces and flexibility, making single click logins, form filling, and other common functions a breeze

That being said, for users who log on to accounts using only a single browser on a single computer which nobody else shares, a browser’s built-in password manager protected by a master password would be sufficient. Firefox users should be aware of Sxipper, an extension which adds significant functionality such as single click login, automatic form filling, and multiple personas.

So Which One is Best?

The 4 password managers profiled above are all very good and always improving. If forced to choose which is the most convenient for the most users, I’d go with LastPass, because you won’t need to switch to another password manager when changing browsers, operating systems, or mobile devices. Developers for RoboForm, 1Password, and KeePass devote considerable effort to making passwords synced and available on a wide variety of platforms, but the cloud-based roots of LastPass means it will usually be the first to support any new browser or operating system.

As mentioned in the update section, it is possible that cloud-based solutions are inherently less secure than desktop-based password management software. For those who value the (possibly) greater security of desktop software over cloud-based solutions or don’t need multi-platform convenience, great choices are:

• RoboForm for Windows users
• 1Password for Mac users
• KeePass for tech savvy users who would rather tinker than pay

But I can’t say it too many times – more important than which you choose is how you use it. Use unique passwords at least 15 random characters long for all accounts, protecting them all with a strong master password – and your chance of getting multiple accounts compromised will be minimal. And that is something you can do with almost any password manager.

Disclaimers

1)  Passwords are just one form of necessary security. PCs lacking up-to-date browsers, security software, and/or operating system software frequently get infected with malware. Perfect password security doesn’t matter if malware observes everything you do on your computer.

2)  I have not been paid to create this series of articles or recommend these products, and will receive no payments if you click on any links in the main content area or buy one of the reviewed password managers. The only free product accepted as part of writing this series of articles was 1Password for my wife to test on her iMac. I wrote this comprehensive guide because I have developed a passion for the subject over the past year and felt that someone needed to pull all these password-related concepts together into one helpful reference guide. I welcome specific feedback so that I can improve upon this series of posts on passwords, with the hope that helping people to become more “net wise” will help reduce password theft.

Tips for Standard Use of a Password Manager

15 Character Passwords

For each account, use your password manager’s random password generator to generate passwords that are 15 or more characters long, and make sure your password manager stores it. Usually you will want to generate passwords that include upper case, lower case, numbers and special characters to increase password strength. But for passwords that you sometimes enter manually into cell phones or other devices without full-sized physical keyboards, you can generate 15 random lowercase letters. 15 random character passwords are very strong even if restricted to lower case letters.

Unique Passwords

Do not reuse passwords for more than one account. This is especially important for all financial, e-mail and social networking services. I could provide you with a list of reasonable exceptions to this rule, but why bother? Your password manager remembers and enters all your passwords.

Turn on Master Password Protection and Keep it on for All Passwords

All password managers offer a master password to protect your account login data. Always have the master password enabled to protect all current and newly created login data. Most password managers have an option to require new login data be protected by the master password – make sure this option is turned on. Turning off your master password protection is very risky, equivalent to leaving your key chain hanging on the outside front doorknob to your house.

Select a Strong Master Password

Choose your master password wisely and never share it or write it down. It should be at least 15 alphanumeric characters, very hard for anyone to guess, yet very easy for you to remember and enter. Pass phrases containing a mixture of words and numbers work well for this purpose.

Passwords constructed out of obvious personal information (i.e. MySonIs4YearsOld) should be avoided, because password cracking software may try such passwords.  On the other hand, a lie or intentional misspelling (i.e. MySunIs444YearsYoung) is not something password cracking software will have enough time to try, as the number of possible 15+ character lies and misspellings is far greater than the number of true and obvious personal facts.

Following are some weak and strong examples:

Weak:

mybirthdayisJanuary7—guessable as this phrase (or 364 others like it) applies to all people.

antidisestablishmentarianism—long but terrible because it is in the English dictionary. A phrase should have at least three words and 1 number.

4scoreand7yearsago—easily guessable as it is the start of a very famous speech by Abraham Lincoln, and is likely to be in some password cracking programs.

Strong (but don’t use these specific phrases, obviously):

FredAusterlitzwasbornMay101899inOmaha—though in some ways similar to above birthday password it is much stronger because it is longer, unrelated to your life, and it’s not even clear who it refers to, even though it’s easy to remember for fans of Fred Astaire. If it takes you a long time to type out this 37 character password then go with something shorter and with fewer capital letters – you don’t want a password that is really annoying to enter, as you may then be very tempted to abandon a strong master password.

Ireland1871Wales1920disestablished—though inspired by the Wikipedia entry for antidisestablishmentarianism, this is much stronger because it has three separate words divided by 2 numbers.

AIisnolongerthe76ersAnswer—obscure, yet an easy phrase to remember for a 76ers fan who knows that Allen Iverson, nicknamed “The Answer,” no longer plays for the 76ers.

Fred’sPorsche911Turbo–If a minor acquaintance of yours owns a Porsche 911 Turbo, this is a good  password: 19 characters, fairly easy to type, very easy for you to remember, but too obscure for someone else to guess.  If Fred is your husband, though, this is a less good password, because the password contains obvious personal information, which is something password cracking software might try.

And here are a few more examples of strong but memorable passwords from the book Perfect Passwords by Mark Burnett:

• 2+2+3 isn’t five
• staying “interconnected”
• (999) dog-walk
• 1-900-go-NUTS
• 43 O’Clock is late
• Dr.Seuss@greeneggs.com

The examples I provided are long and will take 5-30 seconds to enter, depending on how fast you type. But you’ll only need to type the master password at the beginning of each computer session. This is minor overhead in return for an enormous security benefit.

Expire Your Master Password

After you first enter your master password, you can then log in to online accounts (with a single click each) for the rest of your work session. However, you want your master password to expire as part of your natural work flow—you don’t want someone to walk up to your desk and start logging into your various accounts. Go to your password manager’s security settings to make sure that the master password will logout automatically when you close the browser, put your computer to sleep, go into screen saver mode, and/or after a certain number of minutes of inactivity. Most password managers provide options to customize these sorts of settings to suit your own circumstances.

Open Web Sites Directly From Your Password Manager

Security expert Robert Chapin has criticized password management software for making it too easy for users to automatically login to a fake web site, which then steals the user name and password entered by a password manager. To thwart this technique and save yourself a click, you should only log in by using your password manager to open password-protected web sites directly. Simply select the web site from within your password manager, and you will be taken to the web site and automatically logged in.

Some password managers have an option to automatically log you in if you just happen to visit a site whose name is the same or similar to the one stored by the password manager. Do not enable this feature. You don’t want to automatically be logged into a fake site.

Test Memorized Passwords After Opening a New Account

Password managers can be awkward to use when you open a new account. They will memorize login information for the account registration screen but then might not work for the regular login screen. The best way I’ve found to deal with this is to NOT have your password manager record the password when setting up a new account. Keep the username and password somewhere temporarily. Logout of the new account immediately after setup. Then log back in using the regular login screen and have the password manager record your information as usual. RoboForm has a new account feature to make this whole process easier but it doesn’t get it right for every site, so even with RoboForm you should still test the recorded information by logging back in right away.

Test Changed Passwords

Some password managers don’t deal very gracefully when changing passwords on an existing account (though both 1Password and RoboForm usually get this right). As with new accounts, after changing an account password be sure to temporarily record the new password, then log out and log back in with the new password to make sure the new password was properly recorded.

Backup Your Passwords

You must back up, sync, or print out password files regularly. If you lose your password data due to hardware failure, loss, or theft, or any other reason, then you’ve lost all your passwords and you will only be able to get them back from any backups you’ve made. If you already have a backup system in place, be sure that your password files are part of the backup set. A reasonable low tech solution is to print out your passwords and store them in a safe and hidden off-site location.

For those who regularly use multiple computers, having access to your passwords on every computer can be very handy. “Sync” solutions can do this while simultaneously taking care of backup as well. Web-based password managers such as LastPass do this automatically. Some desktop based password managers offer syncing via an online service or via proprietary syncing software (RoboForm offers both). Yet another option is to use a sync service like Dropbox to sync data among multiple computers.

Any of these options can work. Just make sure these backups are done automatically, or at least frequently. Apart from your master password, you may not actually know any of your passwords, including the new one you just created last week . . .

Use AES

Some password managers offer a choice of encryption algorithms. Be sure that AES is selected (AES 128, 196, and 256 are all fine). This algorithm has withstood extensive scrutiny and as of 2010, breaking AES encryption without the key is so difficult that it is rare for an attacker to even try. AES is the default encryption used by these four password managers.

Tips for Extra Password Security

Everything in the previous section should be considered standard password security procedures. The next few steps are for those who want to be even more secure, but the incremental extra security comes with a significant hit to convenience and usability. So you’ll have to be your own judge as to how much of this is necessary.

Empty the Clipboard

If you use your computers clipboard to store passwords temporarily (for example, when setting up a new account or changing passwords), be sure the clipboard is emptied. Some password managers have an option to empty the clipboard automatically upon logoff or a few minutes of inactivity. Enable these options.

Purge the Newly Generated Password

Similarly, a newly generated password is temporarily held in memory. Some password managers have an option to purge this password upon logoff or a few minutes of inactivity. Enable these options.

Enter the Master Password Using a Virtual Keyboard

Keystroke loggers can and do get installed on some systems, and you won’t know they are present. You can thwart most keystroke loggers by entering your master password using your password manager’s virtual keyboard, and only when all browsers are closed. While the chance of your master password being recorded by malware is small, it is even smaller if you follow these steps.

Use Two-Factor Authentication

Two-factor authentication (an option available for KeePass and LastPass) is an even stronger way to thwart keystroke loggers. With two-factor authentication, you will need both a master password (something you know), and an additional factor such as a USB stick or fingerprint reader (something you have) in order to access your passwords. Current implementations of two-factor authentication are somewhat cumbersome to set up and require you to carry something extra in your pocket. Perhaps some day it will be easier to set up and will use something you always carry anyway such as your cell phone.

Store Passwords on a USB device

Some password management software offers an option to store passwords and the software on a USB flash storage device. When the USB device is in physical possession of the owner and not inserted into a computer, it is impossible to steal the passwords. If you choose to follow such an approach, you still want your passwords backed up so that you don’t lose everything if the USB device is lost or destroyed.

Store Encrypted Notes

Most password managers have a feature that allows users to save encrypted notes, protected as usual by the master password. Use this for bits of private information that are not online accounts, such as the username and password to your router, logins to your Windows account, your burglar alarm code, etc.

Periodically Change Your Password

Many claim this is necessary. However, if you use long passwords (15+), never share them, and are a typical home user with average security needs, then the answer is no. The time to change your password is right after you temporarily share it, if it is short, if it is weak, if it is used for more than one account, or if you have even the slightest suspicion that the password has been captured. In fact, an argument can be made that a policy of changing passwords frequently weakens password security, because this cumbersome requirement will cause people to simplify their password management. Common, unsafe tactics people use when faced with periodic password change include:

• Write down the password, perhaps on a sticky note posted near the screen
• Use the same password for multiple accounts
• Use short passwords
• Change the password by 1 character each time

UPDATE: see security expert Bruce Schneier’s post here for more detail on changing passwords.

Do Not Use Password Management Software

This advice is often part of a long list of security precautions. The reason cited, if a reason is given at all, is that an attacker who steals your master password through keystroke logging or some other means will have access to all of your passwords. While this is certainly possible, try searching for instances of this happening to average consumers using one of the 4 password managers I profiled here. You won’t find any. If anyone can cite an actual example, please let me know in the comments and I’ll update this post.

Two-factor authentication can at least partially address this concern by adding an extra layer of security, which makes it much more difficult for an attacker to gain access to the master password. LastPass and KeePass are two consumer-grade password managers that provide this capability.

There is actually a legitimate concern around password managers which I rarely see discussed: They can easily be used insecurely. Many people use password managers without a master password, especially if using password managers built into a browser. The passwords are then stored in clear text that can be scanned by malware. And, as I detail here, several steps are required to insure that a password manager is being used in a secure manner. However, if used correctly, password management software can greatly reduce the possibility of password theft for the average Joe. Hopefully the various posts in this series can help make that happen.

Strong Passwords Require a Mix of Numbers, Special Characters, and Both Lower and Upper Case Letters

This is not true. Length and randomness of password are far more important than the mix of characters. If there are certain accounts you need to input manually on a device without a keyboard (i.e. cell phone), you may as well use passwords composed of 15 lowercase letters, which will be much easier to type.

A random jumble of 15 lower case letters, if it is protected by a typical, strong encryption algorithm such as AES, is for all practical purposes uncrackable. I have seen many advice articles that are against the use of password managers, yet insist on passwords that include a random jumble of alphanumeric and special characters. These difficult-to-remember passwords cause people to circumvent security by doing things like posting sticky notes on their monitors with the password or using the same password for every account.

The following Mandylion spreadsheet is a terrific tool for showing you how long it would take to crack randomly generated passwords by brute force:

Brute Force Attack Time Estimator by Mandylion Labs

Plug in a purely random combination of 7 Alpha/Numeric/Special characters and you’ll see that it would take less than 79 days for an average computer to crack the password. This is far stronger than a password composed of 7 random lowercase letters (less than 15 minutes to crack), but is much weaker than a password composed of 15 random lowercase letters (over 5 million years to crack). And, as I have mentioned here, your passwords stored on web sites in encrypted form are often susceptible to rainbow attacks which can easily obtain all passwords that are less than 9 characters, and in some instances even passwords that are 14 characters long. This is why 15 character passwords make sense.

Wikipedia has a nice chart showing you password strength based on length and character types. You can see that a 64 bit-strength password is very strong and can be had with 14 lowercase letters or with 10 Alpha/Numeric/Special characters.

Simply put, password length is much more important than mixing in numbers, special characters, or capital letters.

Unfortunately, some web sites (especially banks) limit password length to less than 15, so for these sites you’ll need to use special characters and numbers to make up for the lack of length.

For users of password management software, it is no harder to automatically log in using passwords composed of a mix of special characters. So for passwords that you will never enter on cell phones, you may as well use the special characters. Some computer services do a poor job of encrypting data or use a weaker form of encryption than AES – in these cases the more diverse mix of characters may help resist some forms of attack.

Final Comments

The reason people use such terrible passwords is because manually having to manage strong passwords is hard. Periodically changing passwords or using passwords like ;iq3*;@%t will be a nuisance for the typical person, and likely circumvented.

Store unique 15-character passwords for all accounts with your password manager, protecting them all with a strong master password – and the chance of getting multiple accounts compromised will be much lower than that of the average user. Use the auto-fill features of your password manager and you’ll actually save time in the long run despite the better security.

It is better to have pretty good security that is easy for all, rather than perfect security that is never truly implemented because it is too onerous for the average Joe.

#1:  You Hand it Over Voluntarily

People frequently hand over their passwords via phishing, other forms of social engineering, or when a person or entity asks for temporary use of a password.

Protection: The simplest defense is to NEVER share your password for any account with any person, organization, or web site. An additional good defense is to develop “net smarts” analogous to “street smarts” to avoid phishing scams or other forms of social engineering. If you must temporarily share your password (i.e. to import contacts into Facebook), then change your password immediately after its temporary use is complete.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

#2:  You Hand it Over Unknowingly

This overlaps with the previous attack. You think you are on the web site you intended but you actually mistyped it by one character, you clicked a bad link to get there, or you were tricked by tabnapping.  So you end up on a fake or spoof web site that looks legitimate. When you log in, it collects your credentials then passes you on to the real site. A variation on this theme is an attack which layers extra fields over a legitimate web site. You are tricked into typing private personal information such as birthday, mother’s maiden name, social security number, etc. and then this information is used to “recover” your account (see #7 below).

Protection: A good defense against this ploy is to only login to a web site by selecting it from your password manager’s drop down menu (even if the tab was one you thought you opened yourself). This will automatically log you in to the correct site, which the password manager stores. Another type of defense is for your browser to use a security service that warns you when you might be about to open a hazardous web site – but this may slow down browsing.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

#3:  Mass Theft of Password Files

Most people don’t realize that user names and passwords routinely get stolen while your computer is off and disconnected from the internet. How? Web sites with many users and weak security are prime targets for attackers who want to steal a password file which lists all user names and passwords. Recent examples include Monster.com and RockYou.com. While most sites do not store passwords as clear text, many sites store passwords in a form that can be read using widely available rainbow table software. For people who use the same password on many sites, the theft of this password on one site can be the starting point for an attack on all of your accounts.

Protection: A simple and effective defense for users is to only use long, randomly generated passwords. How long? 15 characters. Rainbow tables easily crack passwords 8 or fewer characters long and in some cases up to 14 characters.

Damage Control: In the unlikely case that a rainbow table attack manages to crack one of your 15 character passwords, at least your damages will be limited to one account if you have a unique password for each account. Change the password of any account that becomes compromised due to mass theft.

#4:  Brute Force

Brute Force refers to discovering passwords through trial and error, similar to trying every possible combination on a lock. The most well known form of brute force attack is for password cracking software to methodically try millions of passwords on one specific user name on a specific account. A typically weak password can be cracked in less than a day using this method.

Security conscious online vendors like banks or e-mail services provide some protection against such brute force attempts by denying access if there are too many attempts per hour. However, different forms of brute force can be used to get around these safeguards. A common example is software which automatically logs in to millions of different accounts per day by combining popular user names, passwords, and web sites (i.e. try password1 at Jsmith@gmail.com, 123456 at dj@facebook.com, qwerty at Mrodriguez@yahoo.com, etc.). As such methods becomes more widely adopted, it would not be surprising if nearly all accounts with short user names and short passwords get compromised.

Brute force is also used as a supplementary attack after a first password is captured. For example, if the password badpassword1 was captured by phishing, brute force can be used to try similar passwords on other accounts.

Protection: Brute force attacks are highly unlikely to crack very strong passwords. So just use strong passwords. I suggest randomized 15 character jumbles.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

#5:  Eavesdropping: Keystroke Logger on Your Browser

Many people believe that nothing bad can happen to people who only visit safe, well respected sites. They are wrong. Malicious JavaScript can be injected into any browser on any system, visiting any web site. Keystroke logging is something that is done by some of these Javacript injections. In most browsers, malicious JavaScript can log keystrokes in all open tabs, until the browser is closed. Usernames and passwords entered during the session can be captured this way.

Protection: Keystroke logging via browser is growing more common but is unfortunately one of the more difficult threats to defend against. Defenses include:

• Use Firefox in conjunction with the NoScript extension. While this is a strong defense, the overall complication of using NoScript (popups, whitelists, blacklists) is more of a hassle than the average Joe wants to deal with.
• Some security suites attempt to defend against this threat with browser plug-ins, but these can dramatically slow down browsing.
• A simpler option is to only access the internet using the Google Chrome browser, which is designed so that malicious JavaScript can be theoretically contained to a single tab. At least other tabs will be safe.
• Some password managers such as RoboForm enter passwords and usernames in a way which most JavaScript keystroke loggers can not intercept.

None of these suggestions are sure to stop browser-based keystroke loggers, but if you implement one or more of these suggestions you’ll at least reduce your chances of getting your usernames and passwords logged by malicious JavaScript. The only perfect defense is to not connect to the internet at all.

Damage Control: Your damages are limited to logins captured while browsing, so long as you have a unique password for each account. Immediately change the password of the affected accounts. If using a browser-based or web-based password manager, you should also change your master password.

#6:  Eavesdropping: Public WiFi Monitoring

Passwords are frequently stolen on public computers and over public WiFi connections, using free WiFi traffic monitoring software that is simple to operate.

Protection: Never log in to online accounts using a public computer. When using open WiFi hot spots, you should only log in with your own notebook with services that enforce secure log-ins and sessions (HTTPS), perhaps using the Firefox Add-on HTTPS Everywhere to help. It is far safer to access email and other accounts using your phone data service, if you have one.

Damage Control: If you discover that this type of attack has occurred, then you will need to change the password for all of your accounts as well as your master password. If you know exactly when the attack occurred, you can change passwords only for the accounts you used during that session.

#7:  A Thief “Recovers” Your Account

Many accounts provide an automatic “password recovery” system that allows you to recover your account if you forget your password. But armed with basic personal information (easy to gather, as described here), a thief can “recover” your account and effectively take it over. An especially rewarding target is your e-mail account, where the attacker can find out all sorts of things to attack you further, such as user names and passwords that were e-mailed to you when you opened other accounts.

Protection: The best defense against this form of attack is to disable the “password recovery” option for all sensitive accounts. This option is not usually provided, so the next best defense is to supply only obscure or false information to the password reset mechanism for each account – don’t use information like your mother’s maiden name or the name of your pet which can be easily obtained by a thief.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Use the password reset mechanism to get back control of your account. If that doesn’t work, you’ll have to contact customer service for that account. Once you get back control, disable the password recovery option. If this is not possible, change the questions/answers needed to verify your identity to something much more obscure or false.

#8:  Eavesdropping: Keystroke Logger on Your System

Malware that manages to install itself on your system will often be able to log every keystroke and thus capture all of your user name and password information over time.

Protection: The best defense is a combination of typical safe computing practices such as never logging in on a public computer, installing software from trusted sources only, avoiding phishing attacks, only connecting safe devices to your computer, and keeping your operating system, browser, and security software all up to date. Using Mac OS X or Linux is also a way to lower risk, because most malware is written for Windows. Some password managers enter passwords and usernames in a way which most keystroke loggers can not intercept.

Damage Control: If you discover that this type of attack has occurred, then you will need to first regain control of your computer with the help of an expert, or use a different computer that you are sure is safe. Then change the password for all of your accounts as well as your master password.

#9:  Malware Searches Your System

One class of malware searches your computer’s hard drive or memory for passwords that are not encrypted. Testing software provided by RoboForm and other password manager vendors demonstrates how Windows computers yield a surprisingly large number of passwords when searched this way.

Protection: Passwords stored and entered from within a password manager (that are protected by a strong master password) are immune from this type of attack.

Damage Control: If you discover that this type of attack has occurred, then you will need to first regain control of your computer with the help of an expert, or use a different computer that you are sure is safe. Then change the password for all of your accounts as well as your master password.

But What About . . .

The remaining ways passwords can be stolen are all rarely employed against home users. Such methods include looking over your shoulder as you type, exploiting vulnerabilities in password-handling software or the operating system, zero day exploits (taking advantage of a security flaw in software or operating systems before it is patched), hardware keystroke loggers, monitoring Bluetooth keyboard activity, acoustic cryptanalysis, wiretapping, dumpster diving, side-channel attacks, and undoubtedly a few more I haven’t mentioned.

If you are well protected against the more common attacks listed above, you’re already doing better than the vast majority of home computer users and partially protected against some of the unusual threats mentioned in this section. While security professionals working at large organizations need to guard against these possibilities, it is not worth the time, cost, or effort for a typical home user to guard against or even think about these more esoteric attack possibilities.

However, one possibility that worries some potential users of password managers is what happens if the master password is somehow stolen due to keystroke logging or some other means. While this is possible, I have been unable to find a single instance of a home user getting a master password stolen when using one of the best password managers. Why spend time worrying about something that hasn’t yet happened when there are tens of millions of passwords being stolen per year for the more common reasons listed above?

For those home users concerned about master password capture, two-factor authentication can insure that a captured master password is useless. It is available as on option with password managers LastPass and KeePass, but is unfortunately a bit complicated to implement for the average Joe.

And the Winner Is . . .

When it comes to security, there is no such thing as winning – it’s a matter of trying to minimize risk with as little effort as possible. For a home user, the amount of effort must be very small or it won’t happen. Correct use of a password manager takes little effort, yet effectively blocks attacks #2, #3, #4, #7, #8, and #9 above, as well as limiting damage to a single account from most other forms of attack. Combine that with typical security procedures and a reasonable amount of “net wisdom” and you get good results—a minimal amount of effort to greatly reduce the chance that your passwords will get stolen.

In this post, I describe the typical home user system for managing passwords and how attackers exploit this system.

The Usual Way to Manage Passwords

Many home users manage their passwords something like this:

• For accounts that are unimportant (forums, news sites, etc.), the same password is used for all of them. This password is likely to be a short, easily remembered word or name, perhaps followed by a single digit.
• For accounts that are somewhat important (Gmail, Facebook, etc.), this same weak password may be used, or perhaps a moderately stronger password that is a little longer and has one or two digits or symbols thrown in. But again, the same password is used for a number of different sites.
• For accounts that involve finance or commerce (banks, brokerage, e-commerce, etc.), most people are more cautious. Some people use (what they believe to be) a stronger password for all of their finance sites, while others may have a separate strong password for each financial site, keeping track of the passwords with a password protected spreadsheet or on a piece of paper.

It is possible my description is too optimistic, as 33% of participants in a Sophos study indicated that they use the same password for every site. Only 19% indicated using a different password for every site. Two-thirds of respondents to a 2010 Consumer Reports Survey use some variation of the same password or personal identification number for all or most accounts. Bruce Schneier’s analysis of actual passwords indicates that many are weak.

What’s Wrong with the Usual Way to Manage Passwords

The key weakness is the use of the same password for many accounts. There are many ways to capture passwords, and once an attacker has the password to one account, it can be used on all other accounts that use the same password. Even worse, an attacker may be able to get additional passwords if able to get into your e-mail account. In my opinion, email accounts should be protected with even greater diligence than your financial accounts, because they have fewer layers of safeguards and attackers can use information in old e-mails to gain access to other accounts.

How Attackers Exploit a Weak Password System

Here is an example to illustrate how typical password management fails:

Your name is John Doe. You use the strong password Fm18bIgaP911.$bIli! for all e-commerce, bank, finance accounts, and paid subscriptions including JohnDoe@chase.com, and JohnDoe@burghound.com. You use the weaker password John123 for all the rest, including your Gmail account JohnDoe@gmail.com.

One day, the user list for superduperfastcars.com gets stolen. You posted 3 messages to superduperfastcars.com 2 years ago but then lost interest and forgot all about it. The attacker uses a rainbow table to decrypt over 70% of the hashed passwords from superduperfastcars.com, including your easily crackable John123 password.

The attacker then uses software to automatically try logging in to Gmail, Yahoo mail, and Hotmail using the user information and passwords obtained. One combination that is tried uses the first and last name of the user and the password obtained: JohnDoe@gmail.com using password John123. This one actually logs in.

Next, the attacker searches Gmail for “password.” Many online services automatically e-mail you a user name and password upon sign up. Sure enough, two passwords are found among a number of such e-mails: John123 and Fm18bIgaP911.$bIli!. The stronger password was in a confirmation e-mail you received from burghound.com upon registering for this paid service several years ago.

Now the attacker has your two passwords and can log in to all of your accounts that were discovered in your Gmail archive. Here are some examples of what the attacker can do with this information:

• Transfer funds out of some of your financial accounts
• Copy your contacts’ e-mail addresses into a spam mailing list.
• Send a message to all of your contacts to ask for emergency money to be wired
• Send a message to all of your contacts discussing a really cool site – just click on this link (and if they do, malware is installed)
• Use the information obtained to try to break in to a corporate network, by testing your password on your work account.

The famous Twitter hack of 2009 had many elements in common with this example. An even simpler attack is to capture e-mail login information when someone is logging in using an open WiFi hotspot.

All it takes to limit the damage from these kinds of attacks is to have a different password for each account. If the Sophos survey is accurate, only 1 in 5 people do this. Most people can not remember more than a few passwords, so any approach to password management must take this into account.

Note that attackers are well aware of common password practices and can take advantage of these practices when trying to steal passwords (either automatically or manually). So if whatever approach you take to password security is unusual, that in and of itself is a good defense. Effective use of a password manager is currently one such approach.

AES – Advanced Encryption Standard is a widely used encryption standard adopted by the U.S. Government in 2001. This terrific cartoon is a great tutorial on the inner workings of AES.

Average Joe – American idiom that means a typical person. FilterJoe aims to help typical people (the average Joe) learn key skills for the information age regardless of computer skill level, gender, ethnicity, or nationality.

Encryption – Encryption is the process of transforming information into a form that is unreadable by anyone except those possessing a key. Information encrypted on computers using AES cannot be read without the key, usually a password.

Keystroke Logger – Keystroke logging or keylogging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored

Malware – Malicious software designed to infiltrate a computer without an owner’s informed consent. Malware includes computer viruses, works, trojan horses, spyware, rootkits, key loggers, and other malicious and unwanted software.

Master Password - Password Managers typically use a user-selected master password or passphrase to form the key used to encrypt the protected passwords. This master password must be strong, because a compromised master password renders all of the protected passwords vulnerable. How to select a Master Password is discussed here.

Password Manager – Desktop or cloud-based software which stores user names and passwords.Also known as password management software.

Phishing – In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging.

Sync, synch, or syncing – Keep data identical in two or more locations. Short for file synchronization.

Tabnapping - A combination of the words “tab” and “kidnapping” to describe a type of phishing attack. Malicious software secretly changes already open browser tabs, then collects the username and password when entered. For example, a user wants to log in to her Facebook account and sees an open Facebook tab. She clicks on the tab, and seeing that she needs to log in, she types her user name and password. She thought it was a tab she had left open, but it turns out it was a tab that was changed by malicious software, and it collects her username and password as she enters them.

Two-Factor Authentication – Two-factor authentication requires two different “factors” to validate who you are. This can be done using any two of the three “factors” below:

• Something you know: password, birthday, government ID#
• Something you have: bank card, passport, key
• Something you are: finger print, eye, DNA

A popular use of two-factor authentication is withdrawing cash from an ATM, which requires both a card and a PIN number. Some password managers may be set up with two-factor authentication for the master password, requiring both the password and a USB stick.

Virtual Keyboard – An on-screen keyboard that allows a user to enter characters. Virtual keyboards can be used to reduce the risk of keystroke logging. It is more difficult for malware to capture passwords entered from virtual keyboards than it is to capture passwords from real keystrokes.

For a while I decided that you can’t do password security without putting it into the context of all computer security. After learning a bit about computer security, I returned to passwords, because for the average Joe it is often the weakest link in security while actually being the easiest to correct.

It is hard to write well about password security because it’s a complex topic with various trade-offs, such as security versus usability, and complete versus brief explanations. It’s also preferable for people to become more “net wise” as they read through the material, as opposed to memorizing a bunch of rules they don’t understand.

I believe the following series on password management reasonably navigates these constraints, tying together little bits of good advice that is scattered all over the net. It is targeted at home users, but IT professionals may find some of it useful as educational material for users.

I consider the password series a work in process, so I will greatly appreciate any and all suggestions for improvement.

The introductory post which also services as an index to the entire series is:

A Guide to Using Passwords Without Distraction