Securing a computer is hard. A highly skilled hacker can easily break into your accounts or computer. But the same can be said of home security. A highly skilled thief can easily bypass a locked door or alarm system.
Most thieves are not highly skilled, and even thieves with greater skill prefer easier targets. So locking doors will discourage many thieves, and a big, barking dog will discourage even more.
The same is true with hackers – most are not highly skilled and even those who are prefer easy targets. If you are a typical consumer without data of great value to criminals, then using a password manager as I describe here can act as the equivalent of a locked door combined with a barking dog, an alarm system, and a sprinkler system – which will keep out all but the most highly skilled and determined hackers.
Unfortunately, the way most people manage their passwords can be easily exploited by automated malware or as part of larger attacks that harvest thousands of passwords. Even more unfortunately, the vast majority of advice about password management is either misguided or too complicated. In this post I explain why I believe using a password manager (to assign unique, random 15-character passwords to all accounts, protecting them with a strong master password) strikes the best balance of usability and security for the average Joe.
The title of this post sums up the password management approach that I believe provides the most benefit for the least effort. In the rest of this post, I explain why.
Why Use a Password Manager?
It is entirely possible to manage passwords well without a password manager, using a base phrase approach. The problem is, few people do it.
With a password manager, it is very easy to manage hundreds of accounts, each with unique, long, randomly generated passwords. The user simply enters a master password at the beginning of each computer session, and all subsequent passwords are entered with a single click or keystroke. With most password managers, you can also have your address and credit card information filled in automatically when setting up new accounts or making one-time purchases.
It takes several hours to set up a password manager for the first time and change your collection of passwords to stronger ones. But in the long run, you actually save time and attention as you will no longer have to manually enter passwords or fill forms many times per day. You also reduce the chance you’ll ever have to spend time recovering a hijacked account.
Why Should Every Account Have a Unique Password?
By far the most important advice in this series of posts is to never use the same password for more than one account. There are numerous ways attackers can capture a password. If you use the Internet in a typical way, chances are high that one of your passwords will get captured, perhaps once every 2 or 3 years. It can happen to anyone, even tech-savvy, security-conscious people like Amit Agarwal or Cory Doctorow. Once an attacker has your password for one account, the attacker has the password for every account that uses this same password.
But it is often worse. If you used this same password for an e-mail account, even an old, abandoned e-mail account, it is possible to use information contained in old e-mails to break into most or all of your accounts. It is by this means that several high profile break-ins have occurred to corporate networks over the past year, including the well publicized Twitter break-in.
None of this is an issue if you have a unique password for every account. While it will not protect you from getting the occasional password stolen, it will limit the damage to just that one account.
Why do Passwords Need to be 15 or More Characters Long?
Most people don’t realize that user names and passwords routinely get stolen while your computer is off and disconnected from the internet. How? Web sites with many users and weak security are prime targets for attackers who want to steal a password file which lists all user names and passwords. While most sites do not store passwords as clear text, many sites store passwords in a form that can be reversed using widely available rainbow table software. For people who use the same password on many sites, the theft of that password from one site can be the starting point for an attack on all of your accounts.
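As an added illustration (this is not code from the original post), the following Python models the attack just described: a stolen password file whose entries are bare, unsalted hashes can be matched against a hash-to-password table precomputed once (a rainbow table in miniature), whereas the same passwords stored as per-user salted PBKDF2 digests yield nothing to that table. The user names, passwords and common-password list are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: alice and bob reuse the same weak password,
# carol uses a 15-character random lowercase password.
CREDS = {"alice": "letmein", "bob": "letmein", "carol": "qzmvktrphwbalsx"}
# Constructed stand-in for the common-password list that seeds a lookup table.
COMMON = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def unsalted_hash(password: str) -> str:
    """The weak storage form: a bare SHA-1 of the password. It is identical for
    every user who picked that password, so it can be looked up in a precomputed table."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """The hardened form: a per-user random salt plus PBKDF2-HMAC-SHA256.
    Stored as 'salt$digest' so the salt is available again at verification time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str, iterations: int = 100_000) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), digest_hex)


def store_unsalted(creds: dict) -> dict:
    """Password file as a weak site would keep it."""
    return {user: unsalted_hash(pw) for user, pw in creds.items()}


def store_salted(creds: dict) -> dict:
    """Password file with a fresh 16-byte salt per user."""
    return {user: salted_slow_hash(pw, os.urandom(16)) for user, pw in creds.items()}


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; a rainbow table amortises this work
    across every unsalted password file that is ever obtained."""
    return {unsalted_hash(p): p for p in candidates}


def recover_unsalted(stored: dict, table: dict) -> dict:
    """Every stored hash that appears in the table is recovered by a dictionary lookup."""
    return {user: table[h] for user, h in stored.items() if h in table}


if __name__ == "__main__":
    table = build_lookup_table(COMMON)
    print("unsalted file recovered:", recover_unsalted(store_unsalted(CREDS), table))
    salted = store_salted(CREDS)
    print("same password, different records:", salted["alice"] != salted["bob"])
    print("table hits against salted file:", recover_unsalted(salted, table))
```

Carol's random 15-letter password is not in the lookup table either way; the salt only matters for the users whose password is on a list, but those are exactly the users an attacker is looking for.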
You may not care about all the technical details, but the bottom line is that it is very difficult to crack a password that is 15 or more randomly generated characters, either by brute force or by using rainbow tables on captured password files. Even more advanced password cracking techniques using the latest software, graphics cards, or botnets will not be able to crack such passwords.
An additional benefit of using randomly generated passwords that are so long is that passwords composed of just lowercase letters are plenty strong. For passwords that you need to enter into a cell phone manually, 15 random lowercase letters are easier to enter than something like r5!9f#X.
Why do Passwords Need to be Randomly Generated?
Humans are notoriously poor at generating randomness, in passwords or anything else. It is actually possible to devise memorable passwords which are also very strong. It is something you will need to do once, for your master password, and it will probably take at least a few minutes to come up with a really great password. But there is no need for you to remember any of your other passwords when your password manager remembers them all.
While a computer may have difficulty generating random character strings that would satisfy the stringent standards of a mathematician or cryptographer, in actual practice the passwords generated by password management software will not be the weak link in your password security. Attackers have many easier ways to steal passwords.
The way password cracking software works is to test passwords from dictionaries, proper names, and lists of common passwords. The software may also try minor variations of all of these common words such as adding or inserting an extra digit – since that is how many people construct passwords. If that doesn’t work, then it will try every possible combination of characters up to a certain length – perhaps 8 or 9 characters.
The random password generators included with the more popular password managers will generate passwords that aren’t on any of these lists, and will not construct passwords the way a human would. Combined with a 15-character length, the resulting password is nearly uncrackable by brute force methods.
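To put numbers on the last two sections, here is an added Python example (not from the original post). It generates a password the way a password manager should, from the operating system's cryptographic random source via the `secrets` module, estimates how long an exhaustive search of that password's shape would take at a chosen guess rate, and models the first stages of the cracking strategy described above: a wordlist entry with a small mutation. The word list, the substitution table and the guess rate of ten billion guesses per second are constructed assumptions for the example.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for the dictionaries and common-password lists tried first.
WORDS = {"password", "summer", "dragon", "letmein", "monkey", "welcome"}
# Substitutions a cracker undoes before the dictionary lookup ("p@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i", "$": "s", "5": "s"})


def generate_password(length: int = 15, alphabet: str = LOWER) -> str:
    """Each character is drawn independently with secrets.choice (a CSPRNG),
    never with random.choice, whose output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Years a brute-force search needs to try every password of this shape."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def looks_dictionary_derived(password: str, wordlist=WORDS) -> bool:
    """True if stripping leading/trailing digits and symbols, undoing common
    substitutions and lowercasing leaves a wordlist entry: the kind of password
    that falls to the dictionary-plus-mutation stage long before brute force."""
    core = password.strip(string.digits + string.punctuation).translate(LEET).lower()
    return core in wordlist


def strength_report(password: str, alphabet: str, guesses_per_second: float = 1e10) -> dict:
    """Summarise one password: entropy, exhaustive-search time, wordlist exposure."""
    return {
        "length": len(password),
        "bits": round(entropy_bits(len(password), len(alphabet)), 1),
        "years_to_exhaust": years_to_exhaust(len(password), len(alphabet), guesses_per_second),
        "dictionary_derived": looks_dictionary_derived(password),
    }


if __name__ == "__main__":
    pw = generate_password()
    print(pw, strength_report(pw, LOWER))
    print("r5!9f#X.", strength_report("r5!9f#X.", MIXED))
    print("Summer2019!", strength_report("Summer2019!", MIXED))
```

At ten billion guesses per second, every 8-character password over the 94 printable symbols can be tried in about a week, while every 15-character lowercase password would take thousands of years; and a human-chosen "Summer2019!" never reaches the brute-force stage at all.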
Why do Passwords Need to be Guarded by a Strong Master Password?
The most common criticism of password managers is that the manager has access to all of your passwords. In the event that someone gets access to your password manager, they have access to all of your passwords. And this is true.
This criticism scares away many people from using password managers, and many of these people will continue to use the same 2 or 3 weak passwords for all accounts.
The fact of the matter is, it’s not so easy for an attacker to get access to passwords when they are protected by a strong master password. It is theoretically possible for key logging software or hardware to capture the master password or for flaws in the operating system, browser, or password manager to be exploited. But if master passwords were frequently captured, there would be reports of it. I looked but was not able to find any such reports. I was also told by Simon Davis of Siber Systems (makers of RoboForm) that his company has never received a report of someone’s master password being compromised by a keystroke logger. For those working in an environment where keystroke logging might be an issue, RoboForm and some other password managers offer an on-screen keyboard option which cannot be recorded by keystroke logging software.
Nevertheless, if you use password management software to store all of your passwords, you do need to recognize that all of your passwords are collected in one spot. The way you can protect this collection is to choose a very strong master password, which applies to all of your accounts. I explain master password selection and other password management tips here.