Passwords

I wrote a few weeks ago about the challenge of passwords and keeping them straight. The recent series of posts about the journalist who had his apple and other services hacked has just continued to highlight the problem and the challenge of keeping everything safe.

I’ve used one of the commercial password safes for years and due to hating some of their recent changes, I decided to switch. After asking some security professionals and reading some of the online posts about these tools, I made a jump to one of the leading systems.

After loading all my passwords into the new system, it then provided a grading system to show how safe my accounts were as defined. I’m not sure how that algorithm works, but it looks for repeated passwords, length of passwords, types of passwords, etc. and then complies a score between 100 and 0. If had guessed my score before hand, I would have said around 70-80 since I talk about security all the time.

My score was 33.

I’ve since started making lots of changes. I turned on two-factor authentication on several services I use. I went to system generated passwords on key accounts. I’ve eliminated most of the duplicates.  There is more to do.

Please protect your accounts. Use long passwords. Use two-factor authentication if available. Do it now.

7 thoughts on “Passwords”

  1. I agree although there’s just a lot of bad advice that is considered best practice. Best example longer pass phrases are better than more complexity (mixed case, symbols et el). Also, sometimes IT policies of requiring frequent password changes make things worse not better, as people just write them down. My advice is generally use 12-15 character pass phrases and some kind of password valut or at least use that as a master password on some kind of encrypted file to store your other passwords.

    I’m also surprised and embarrassed how many people say oh my password is XYZ I don’t care if you know. I am kind of a jerk and scold them. PLEASE don’t tell me your password. 1) you should care more, they are increasingly critical 2) if something bad happens and it’s with your account I don’t want to be a suspect.

  2. Hi Mark,

    Couple of weeks ago I spent few hours trying to recover a password for an online service that I had signed up for few years ago. I hadn’t used the service in a while, so I had forgotten not only the password but also the username. They password recovery required me to enter my email address AND the username. The customer support was only available during business hours. I tried every possible combination of username that I typically use and all my online email accounts. I was finally able to recover the password after 30 or so attempts + solving numerous CAPTCHA challenges. Terrible experience. Since then I have resolved to ONLY sign up for services that support Federated Login using either my Verisign PIP account or my Yahoo account. Verisign PIP provides 2-Factor authentication, so I use it where I need added security. I will not use any service that forces me to create yet another account. I went in and terminated approx. 20 of my accounts that don’t support Federated Identity.

    Saqib

    1. Mark,

      I have never felt comfortable with storing important data on either dropbox or sugarsync. While I trust these two vendors and trust that their employees are not malicious, I don’t think these two vendors have the infrastructure and knowledge to detect malicious hacking (brute-forcing) attempts. I think Microsoft and Google have better knowledge and infrastructure to detect the modern day attacks, and they continually improve their detection systems. For personal digital asset storage and sharing, I have long used Microsoft’s skydrive cloud storage. They have apps for various platforms, and recently announced a skydrive app for Android as well

      Saqib

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s