Password Security

Josh's Blog

Thursday, February 4. 2010

Password Security

It seems that a number of Twitter accounts have been compromised:

Twitter resets passwords after phishing attack

The article suggests that many of the accounts in question may be from phishing or from a third party torrent site. This is a fine opportunity to talk about password security. I wouldn't be surprised at all if a fair number of accounts were compromised because of reused passwords.

There are some people who like to complain about password tracking tools like Password Safe and pieces of paper, but in all honesty, they work better than most brains. I would guess the average person can't remember more than two or three passwords at a time, and they're probably not very good ones at that. One of them is likely their ATM PIN of 1234. If you're some sort of super genius who can remember hundreds of passwords, and you read this blog, I don't believe you. Quite often the concept of perfect can interfere with our ability to get things done. In most instances, a perfect solution is unattainable, where good enough is possible and is better than it was previously.

Attacks like this have happened more than once, I've had it happen to me. I used to use a throw away password for all my public mailman accounts (this was before I realized that mailman will randomly assign me a password, as I never actually need it). That password was then later used to attempt to gain entry to private archives to a list I'm on. I didn't use that password there, but this made me understand that it was time to get serious about my passwords. I now use a tool called pwsafe, which uses the Password Safe database format for storing passwords. I of course don't use this for any REALLY important passwords (I keep those in my brain, and they're not near as impressive as the pwsafe passwords).

If you're like most people, and use a couple of passwords everywhere, please stop doing that. Find a good password generating tool, and either use a piece of paper or something like password safe to store them. The other big advantage to using not your brain to store passwords, is that it's much easier to change them. How many of you have been using the same password for five years, because it's too annoying to think up a new good password? Lots of us do that, it's hard to change.

Remember, good enough is the goal, not perfect.
Posted by Josh Bressers in Security at 00:00 | Comments (5) | Trackbacks (0)
Twitter Facebook Bookmark Password Security at reddit.com

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

I've been using http://passwordmaker.org/ for a few years to fix this password problem. It works great for me, there's even a firefox extension. I think you should have a look at it.
#1 Aurélien Bompard (Homepage) on 2010-02-04 02:51 (Reply)
I'm personally not a fan of password maker. I think it's a suitable solution for some people, but I'm not willing to use it, I wouldn't sleep at night. My problem is that in the event a bad guy comes to have your default password maker settings, they have access to all your current and FUTURE passwords.
#1.1 Josh Bressers (Homepage) on 2010-02-04 06:47 (Reply)
I'm quite a big fan of revelation in en encrypted partition of a usb stick.
#2 pingou (Homepage) on 2010-02-04 04:14 (Reply)
Yep, password reuse is evil!

That's why I love to use OpenID when available :-)
#3 Juanjo (Homepage) on 2010-02-04 11:35 (Reply)
One solution is to have a random password ( let's say aaaaaaa ) that you prefix or suffix with a context dependent letters ( let's say the two first letter of the website, and the first of the tld ).

So to log on example.org, the password will be aaaaaaaaexo.

The benefit are simple, we only need to remember the first password, and the scheme we use to generate the password. This is perfectly doable for most people, as this doesn't requires much long term memory. Yet this provides differents passwords for differents services, and the scheme can add enough complexity ( ie here, we take a 8 letters password and get a 11 letter one ) to protect against brute force attack.

There is some problems however, if someone get one password, and figure the scheme, you are screwed. And if you need to change the password somewhere, you will have to add a exception , and that's bad.

But I think the risk are quite low, the scheme can be made easy to remember but complex to figure. As you say, good enough is the goal.
#4 Michael (Homepage) on 2010-02-04 11:39 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed
 
 

Calendar

Back May '13
Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31  

Twitter


Quicksearch

Archives

Categories



All categories

Syndicate This Blog

Blog Administration

Open login screen

Powered by

Serendipity PHP Weblog