Your Weekend Security Challenge: Password-Style

Ubiquitous two-factor authentication is still far off, and in the meantime we are stuck with passwords. Unfortunately, passwords usually “suck” because most lay people just use the same password everywhere on the web, whether it be for accessing their bank and credit card accounts or joining a social networking site. Worst of all, this one password most likely is very weak … probably names or birthdays of family, friends, or pets, or some other word of significance to the user. Yeah, they might append a “1” or “.” at the end to get by sites with password complexity requirements … but these tweaks are the first that any attacker would try.

So what’s the solution? Password managers, of course… And I’d like to challenge each and every one of you to help at least one of your non-infosec friends or family (a.k.a., target) set up a password manager and show them how to use it.

Modern password managers can do almost everything nowadays. Not only can they store a bunch of those weak passwords but also automatically create complex passwords for new sites during account creation and “audit” the strength of existing passwords. Still, starting out with a password manager can be a pretty daunting task … especially for those non-infosec types. But of course the easiest way to get started is to just start using it. When your target enters in their credentials like normal, the password manager simply pops up a friendly prompt asking if it should remember it. After a few weeks the password manager should contain most of their regularly used passwords.

In the meantime the password manager will automatically fill in usernames and passwords as your target surfs around the web doing their usual things. I’ve found they just love this convenience and it serves as a great motivator for them to continue using it. And when creating a new account, they’ll be surprised when the password manager pops up with a message asking if it should generate a password. And then afterwards it’ll ask if it should remember those credentials.

So where should you get started? Well, a few weeks ago we came across an excellent article from How to Geek that takes you step-by-step through the process of getting started. They cover all the basics … like the importance of using strong, different passwords for each site, choosing one super-strong master password, getting current passwords into the manager, and using it to generate passwords for new accounts. Most of the discussion centers on my current personal favorite, LastPass, but if you or your target is not comfortable with a cloud implementation, the article also covers others like KeePass.

Good luck on your weekend challenge…


The majority of people use very weak passwords and reuse them on different websites. How are you supposed to use strong, unique passwords on all the websites you use? The solution is a password manager.

Password managers store your login information for all the websites you use and help you log into them automatically. They encrypt your password database with a master password – the master password is the only one you have to remember.

Don’t Reuse Passwords!

Password reuse is a serious problem because of the many password leaks that occur each year, even on large websites. When your password leaks, malicious individuals have an email address, username, and password combination they can try on other websites. If you use the same login information everywhere, a leak at one website could give people access to all your accounts. If someone gains access to your email account in this way, they could use password-reset links to access other websites, like your online banking or PayPal account.

To prevent password leaks from being so damaging, you need to use unique passwords on every website. These should also be strong passwords – long, unpredictable passwords that contain numbers and symbols.

Web geeks have hundreds of accounts to keep track of, while even the average person likely has tens of different passwords. Remembering such strong passwords is nearly impossible without resorting to some sort of trick. The ideal trick is a password manager that generates secure, random passwords for you and remembers them so you don’t have to.

Continued here.
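The generation step described above (and the “based on my settings to include symbols, capital letters, numbers” behaviour RoboForm users mention in the comments) is easy to get subtly wrong, so here is an added example of how a manager should do it. This is illustrative code written for this post, not code from LastPass, KeePass, RoboForm or the How to Geek article; the class names, the symbol set and the function names are assumptions. The two security-relevant points it shows are that the characters must come from the OS CSPRNG (`secrets`, never `random`), and that forcing “at least one of each class” to satisfy site policies has to be done without leaking the positions of the forced characters.

```python
import math
import secrets
import string

# Character classes a user might toggle in a manager's generator settings
# (constructed for this example; real managers expose similar switches).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}

ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length=20, classes=ALL_CLASSES):
    """Return a random password of `length` characters drawn from the enabled classes.

    - Randomness comes from `secrets` (the OS CSPRNG). `random` is a Mersenne
      Twister seeded predictably and must never be used for credentials.
    - One character is guaranteed from every enabled class so the result also
      passes "must contain a digit and a symbol" policies.
    - The guaranteed characters are then mixed in with a CSPRNG-backed
      Fisher-Yates shuffle, so an attacker cannot assume e.g. "position 0 is
      always lowercase" and shrink the search space.
    """
    if not classes:
        raise ValueError("at least one character class must be enabled")
    if length < len(classes):
        raise ValueError("length too short to include every enabled class")

    pools = [CLASSES[c] for c in classes]
    alphabet = "".join(pools)

    # One character from each enabled class, then fill the rest from the union.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]

    # Fisher-Yates shuffle driven by secrets.randbelow (random.shuffle would
    # reintroduce the non-cryptographic generator).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]

    return "".join(chars)


def meets_policy(password, classes=ALL_CLASSES):
    """True if the password contains at least one character from every class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def entropy_bits(length, classes=ALL_CLASSES):
    """Upper bound on the entropy of a generated password, in bits.

    length * log2(alphabet size). The per-class guarantee removes a few
    passwords from the space, so the true figure is marginally lower; the
    bound is still the right number to compare against an offline-cracking
    budget (e.g. ~80 bits is comfortably beyond brute force today).
    """
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for classes in (ALL_CLASSES, ("lower", "upper", "digits")):
        pw = generate_password(20, classes)
        print(f"{pw}  policy_ok={meets_policy(pw, classes)}  "
              f"~{entropy_bits(20, classes):.1f} bits")
```

A 20-character password over all four classes comes out at roughly 128 bits, which is why a manager-generated password never needs the “append a 1” tricks the post describes. The one thing this code deliberately does not do is print or log the password anywhere other than the user's explicit request, which is the same discipline a vault should keep for its stored entries.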


Have any luck getting one of your non-infosec friends or family to use a password manager? Let us know in the comments below. Today’s post pic is from See ya!

6 comments for “Your Weekend Security Challenge: Password-Style”

  1. April 5, 2013 at 1:57 pm

    BLOGGED: Your Weekend Security Challenge: Password-Style

  2. April 6, 2013 at 7:01 pm

    Your Weekend Security Challenge: Password-Style –

  3. Carrie
    May 3, 2013 at 3:39 pm

    I agree you definitely have to use a password manager. You can’t generate passwords on your own that are going to keep you from the bad guys, so using a pass manager helps you create ones that are tough to guess. I use RoboForm and it works great. I have the free version on my home computer, work computer, and iPhone.

  4. Kyle
    May 3, 2013 at 5:16 pm

    I’ve been a fan of RoboForm myself since its beginning back in the early 00’s. Great little tool to generate 32+ or less character passwords.

  5. Desiree
    May 6, 2013 at 9:57 am

    Great article, the only part I disagree with is the part regarding LastPass. They’ve had two major security breaches within the past few years. That actually prompted me into looking at KeePass, 1Password, and RoboForm. In the end my company ended up switching to RoboForm Enterprise. Never looking back on that.

  6. Al Simmons
    May 31, 2013 at 2:56 pm

    Glad to see someone mentioned the RoboForm password manager. I have been using RoboForm for years to generate passwords.

    When I create a new account it generates a statistically secure password of random characters (based on my settings to include symbols, capital letters, numbers, etc.) then stores and replays the password for me so I am not tasked with remembering the long password.
