Ubiquitous two-factor authentication is still far off and in the meantime we are stuck with passwords. Unfortunately, passwords usually “suck” because most lay people just use the same password everywhere on the web, whether it be for accessing their bank and credit card accounts or joining a social networking site. Worst of all, this one password most likely is very weak … probably names or birthdays of family, friends, or pets or some other word of some significance to the user. Yeah, they might append a “1” or “.” at the end to get by sites with password complexity requirements … but these techniques are the first that any attacker would try.
So what’s the solution? Password managers of course… And I’d like to challenge each and every one of you to help at least one of your non-infosec friends or family (a.k.a., target) set up a password manager and show them how to use it.
Modern password managers can do almost everything nowadays. Not only can they store a bunch of those weak passwords but also automatically create complex passwords for new sites during account creation and “audit” the strength of existing passwords. Still, starting out with a password manager can be a pretty daunting task … especially for those non-infosec types. But of course the easiest way to get started is to just start using it. When your target enters in their credentials like normal, the password manager simply pops up a friendly prompt asking if it should remember it. After a few weeks the password manager should contain most of their regularly used passwords.
In the meantime the password manager will automatically fill in usernames and passwords as your target surfs around the web doing their usual things. I’ve found they just love this convenience and it serves as a great motivator for them to continue using it. And when creating a new account, they’ll be surprised when the password manager pops up with a message asking if it should generate a password. And then afterwards it’ll ask if it should remember those credentials.
So where should you get started? Well, a few weeks ago we came across an excellent article from How to Geek that takes you step-by-step through the process of getting started. They cover all the basics … like the importance of using strong, different passwords for each site, choosing one super-strong master password, getting current passwords into the manager, and using it to generate passwords for new accounts. Most of the discussion centers on my current personal favorite, LastPass, but if you or your target is not comfortable with a cloud implementation, the article also covers others like KeePass.
Good luck on your weekend challenge…
The majority of people use very weak passwords and reuse them on different websites. How are you supposed to use strong, unique passwords on all the websites you use? The solution is a password manager.
Password managers store your login information for all the websites you use and help you log into them automatically. They encrypt your password database with a master password – the master password is the only one you have to remember.
Don’t Reuse Passwords!
Password reuse is a serious problem because of the many password leaks that occur each year, even on large websites. When your password leaks, malicious individuals have an email address, username, and password combination they can try on other websites. If you use the same login information everywhere, a leak at one website could give people access to all your accounts. If someone gains access to your email account in this way, they could use password-reset links to access other websites, like your online banking or PayPal account.
To prevent password leaks from being so damaging, you need to use unique passwords on every website. These should also be strong passwords – long, unpredictable passwords that contain numbers and symbols.
Web geeks have hundreds of accounts to keep track of, while even the average person likely has tens of different passwords. Remembering such strong passwords is nearly impossible without resorting to some sort of trick. The ideal trick is a password manager that generates secure, random passwords for you and remembers them so you don’t have to.
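The two mechanical pieces the excerpt above leans on, per-site random password generation and a master password that unlocks an encrypted vault, are short enough to show in working code. The following is an added example written for this post, not code from How-To Geek, LastPass or KeePass: it generates unique random passwords with Python's `secrets` module, reports their entropy so “strong” is a number, and stretches a master password into a vault key with scrypt, storing only a salt and a verifier hash so the master password remains the one secret the user remembers. The site names and master password in it are constructed sample values; a real manager would feed the derived key to an AEAD cipher from a crypto library to encrypt the vault, which is left out here.

```python
"""Added example (not from the post or the How-To Geek article): the two
mechanical pieces a password manager relies on, in standard-library Python.

1. A per-site password generator using `secrets` (OS CSPRNG), with an
   entropy estimate so "strong" is a number rather than a feeling.
2. Master-password key derivation with scrypt: the vault key is never
   stored; only a salt and a verifier hash are kept, so the master password
   is the only secret the user has to remember.

All site names and the master password below are constructed sample values.
"""
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
import string

# Characters the generator draws from: letters, digits and symbols (94 total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password of `length` characters.

    `secrets.choice` draws from the OS CSPRNG, so every character is an
    independent, unbiased pick from `alphabet`.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def build_vault_entries(sites: list[str], length: int = 20) -> dict[str, str]:
    """Give every site its own freshly generated password (no reuse)."""
    return {site: generate_password(length) for site in sites}


def all_unique(entries: dict[str, str]) -> bool:
    """True when no two sites share a password."""
    return len(set(entries.values())) == len(entries)


# --- master password handling -------------------------------------------

# scrypt cost: 2**14 iterations, r=8 -> about 16 MiB of memory per derivation.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit key with scrypt.

    A real manager feeds this key to an AEAD cipher to encrypt the vault;
    the key is recomputed on every unlock and never written to disk.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def make_verifier(master_password: str) -> dict[str, bytes]:
    """Produce what a vault stores about the master password: salt + verifier.

    The verifier is a hash of the derived key, not the key itself, so someone
    who copies the vault file still has to run scrypt once per guess.
    """
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "verifier": hashlib.sha256(key).digest()}


def unlock(master_password: str, stored: dict[str, bytes]) -> bytes | None:
    """Return the vault key if the master password is correct, else None."""
    key = derive_vault_key(master_password, stored["salt"])
    if hmac.compare_digest(hashlib.sha256(key).digest(), stored["verifier"]):
        return key
    return None


if __name__ == "__main__":
    sites = ["bank.example", "mail.example", "social.example"]  # constructed sample
    vault = build_vault_entries(sites)
    for site, pw in vault.items():
        print(f"{site:16} {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
    print("all unique:", all_unique(vault))

    stored = make_verifier("correct horse battery staple")  # constructed sample
    print("wrong master password unlocks:", unlock("password1", stored) is not None)
    print("right master password unlocks:", unlock("correct horse battery staple", stored) is not None)
```

A 20-character password from a 94-character alphabet carries about 131 bits of entropy, far beyond what a guessing attack can cover, which is why the generated password, not the user's memory, should be the source of every site password; the master password is the one place where length and memorability both matter, and scrypt's memory cost is what makes guessing it expensive even when the vault file has leaked.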
Have any luck getting one of your non-infosec friends or family to use a password manager? Let us know in the comments below. Today’s post pic is from YouTube.com. See ya!