The Sad State of Passwords Part 1: Use a Password Manager!


Security is something no one wants to deal with.  People prefer to think they are not a target.  Hacking used to be targeted; in the Internet age, becoming a victim is trivial because attacks are blanket rather than targeted.  In an age where getting your Facebook account hacked is generally accepted, people haven’t found the need to step up their security.  Hacking someone’s Facebook isn’t that serious (yet), and we haven’t really seen a massive ID theft problem.  Can we agree to stop the problem and educate people about password security?

This series is not the end all be all of security advice.  This is general information that everyone should implement.  I understand that I’m omitting a lot of information, but the goal is getting more people to start thinking with security in mind.

The main issue is that there is no punishment for either the company that allows the database to get stolen or the individual who allows it to happen.  The closest we came to any sort of outrage was the PlayStation Network losing full account information, including credit cards, of most of its users.  Not even pension systems getting hacked, or government records being released, has brought us to that level.  Does anyone still care about WikiLeaks?  Probably not, because it doesn’t affect you directly.  Even getting your credit card stolen may only cost you $50, if that.

This is part 1 of many.  If I had to come up with one thing that will make security better this is it.  Get some sort of secure password manager, and let it manage your passwords.

If you want to check to see if your LinkedIn password was compromised go here:
eHarmony here:
LastFM here: 

If your password was compromised, it just proves the point you need another way to secure yourself.  Sign up for LastPass with this code to get me a referral bonus:

The two ways passwords get stolen are: 1) A database gets hacked, and 2) You give it to the bad guys.  I know I’m really being broad here, but most attacks are done this way.

1) A database gets hacked:  This is becoming increasingly common.  Most sites were established years ago.  In that time computers have increased in power (doubled every 18 months).  A password that took real time to crack 6 years ago is almost trivial to crack now.  Your username and password are there for the taking.  Hackers then try these user/pass combinations on all the other sites.   If your password is password, chances are your password is password on all sites.  Ask yourself, is your LinkedIn password the same as Facebook (both are social networks)?  Even worse, is your password the same across everything?

2) You give the password out:  Nobody just gives their password out.  Well, not explicitly.  What used to happen is you would get an email asking you to log in and change your password.  You were socially engineered.

Look at the following questions Yahoo! challenges you with before it lets you back into your account.  Remember, this is how former Alaskan Governor Sarah Palin was hacked.

[Screenshot: Yahoo! secret question 2]

Take a close friend of yours, or your ex-wife, and try to answer these questions.  Farmville has full access to your Facebook profile through the permissions it asks for.  Are these questions answered in your profile?  Generally there is no limit to the number of attempts at a secret question, so from someone’s filled-in Facebook page you can answer it.  It will take some time, but how valuable is the information?

LinkedIn got hacked a month ago.  Your resume is probably there.  A lot of personal information is on your resume.  Some clever social engineering can create a pretty accurate picture of who you are.

So what can you do?

The simple answer is to use a different strong password on each site, and choose secret questions with fake answers.

However, that isn’t feasible because it is hard to remember all those passwords.  I used to say to come up with a few different passwords and assign them levels of security.  Have a common password for sites that need a password but hold no real personal information; you will have no problem if it gets compromised.  Have a second for email and such that you would rather not leak, but that isn’t a huge hassle to change.  Have a third that you will protect, never give out, and will have a huge crisis over if it does get leaked.

I’ve moved away from that belief in a few good strong ones, and now fully recommend password managers.  There are a ton of them, which is a problem.  You have to trust the password manager.  The biggest danger is that if someone cracks the password manager, ALL YOUR DATA is there.  You really have to vet them.  The idea is that it creates and stores the password for you.  It will input it when you are asked for it.  As long as you can remember one super secure master password you are safe.  Don’t just trust the one your teenage son’s friend made; really read into it.  Some of them aren’t any more secure than having a post-it note under your keyboard.
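To make the two points above concrete (a cracked database plus reused passwords unlocks every account sharing that password, while a manager gives each site its own random one), here is an added example that is not part of the original post. The vault contents are constructed sample data, and the generator models what a manager does rather than any specific product.

```python
import math
import secrets
import string

# Constructed sample: one person's accounts and the passwords they reuse.
REUSED_VAULT = {
    "linkedin": "Summer2012",
    "facebook": "Summer2012",
    "email": "Summer2012",
    "bank": "Summer2012!",
    "forum": "hunter2",
}

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def blast_radius(vault, breached_site):
    """Accounts that fall once `breached_site` leaks and the attacker tries
    the leaked password everywhere else (credential stuffing)."""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items() if pw == leaked)


def reused_passwords(vault):
    """Passwords that protect more than one account, the reuse a manager removes."""
    counts = {}
    for pw in vault.values():
        counts[pw] = counts.get(pw, 0) + 1
    return sorted(pw for pw, n in counts.items() if n > 1)


def entropy_bits(length, alphabet_size):
    """Entropy of a password drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """What a password manager does per site: a fresh random password,
    from the OS CSPRNG rather than anything a human would choose."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_managed_vault(sites):
    """Same accounts, each with its own generated password."""
    return {site: generate_password() for site in sites}
```

With the reused vault, a LinkedIn breach also hands over email and Facebook; with the managed vault, each breach is contained to the one site, and a 20-character password from 94 symbols carries about 131 bits of entropy.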

My recommendation for this is LastPass.  They work on ALL platforms and browsers.  They are free and, in my belief, rock solid.  They did everything right.  If you want to hear my interview with them, you can listen to the inThirty show:  The core functionality is free, but if you really get into security they have a $12/year option.  If you like them, please use this code to get me a referral bonus:

Second choice is 1Password from AgileBits.  These guys have the UI down.  It is a beautiful piece of software.  The reason I didn’t start using them is because it was Mac only.  Since then they have expanded to many platforms, though not as many as LastPass.  For $40 they are rock solid and highly recommended.

Final choice is KeePass.  They may be the most secure.  They are open source.  This is a true Trust No One approach.  You put your database on a USB key, and you have to always have it with you.  It doesn’t support mobile (third-party apps only), and the UI leaves something to be desired, but this is the end all be all.

Remember, security is difficult.  It is inconvenient.  It is not fun, nor something you want to think about.  Just like backing up, there are a ton of better activities you could do rather than think about security.  The goal is to make your life easier with the best security you can have.


5 Responses

  1. Verint

    Why is it that when you hear that passwords were stolen, a million articles about password strength and password managers are flying around? It is time to face the facts that the strength of your password or having it locked up in Fort Knox does not mean anything when it is stolen from the source! Stop talking about strong passwords and start talking about other steps like the need to implement some form of 2FA (two-factor authentication), where you can telesign into your account to protect you if your password were to be stolen. If these thieves were to try to use your “stolen” password and were not on the computer, smartphone or tablet you have designated trusted, they would still need the one-time PIN code which is delivered to YOUR phone via SMS or Voice.

  2. chaimtime

    You are absolutely correct. The problem is that people are lazy. I think the greatest thing I ever did was turn on two factor authentication. In one of the next parts, I want to discuss two factor. I just want the basis to be put down.

    People get so mad with the different requirements, the need for a password, and just being challenged for a password, that they give up. Immediately after I posted this I had two well-educated people talk to me about how they hate passwords. They both repeated all the frustrations.

    People don’t know about managers. They don’t know the reason we discuss this. They can’t tie having your Facebook account hacked and your credit card stolen together as one event. Why manage my passwords when they can all be the same thing? “So what, they got this site, they won’t get others,” is the mantra I always hear.
