Tag Archives: keepass

The Sad State of Passwords Part 3: A Letter to Webmasters About Authentication


I’ve said over and over: the best password is one that you don’t know, one so incredibly long and complicated that you need to write it down. That is what security people have always recommended, yet for whatever reason people are still using insecure passwords, mainly because websites impose so many restrictions on what a password can be. Attackers understand these same restrictions and will use them against you, or against the site.

The problem is two-fold. First, entering data into a smartphone or any small keyboard is time-consuming. Having to go back and forth to where the password is stored, typing a character or two at a time (because of its complexity), will make anyone give up. You cannot have both secure and convenient. Using a password manager is inconvenient, but it would be much more tolerable if the process were made easier. Second, websites, in order to be more secure, are banning password managers from filling in the fields, or are not allowing copy and paste. While preventing these two actions makes things more secure in a perfect scenario where the average person understands why, the reality is that people want access to their stuff NOW! By lifting these restrictions and pushing password managers, you will increase security.
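The two blocking practices described above usually show up in a login form as `autocomplete="off"` on the credential fields and as inline `onpaste`/`oncopy` handlers that return false. The following is an added example, not code from the original post: a small audit script a webmaster can run over their own form markup to find those patterns and emit a corrected form that uses the standard autofill tokens (`username`, `current-password`, `new-password`, `one-time-code`) and drops the clipboard blockers. The sample form, the field-name heuristics in `suggestedToken`, and the attribute-matching approach are all constructed for this illustration.

```javascript
// Added example (not from the original post): audit a login form's markup
// for the anti-password-manager practices the post complains about and
// emit a corrected version. Regex-based so it runs in plain Node without
// a DOM; the field-name heuristics below are assumptions for this demo.
'use strict';

// Constructed sample: a login form with both anti-manager patterns present.
const SAMPLE_FORM = `
<form id="login" method="post" action="/session">
  <input type="text" name="user" autocomplete="off" onpaste="return false;">
  <input type="password" name="pass" autocomplete="off" onpaste="return false" oncopy="return false">
  <input type="password" name="totp" autocomplete="one-time-code">
  <button type="submit">Sign in</button>
</form>`;

// Match each <input ...> tag so findings can be reported per field.
const INPUT_TAG_RE = /<input\b[^>]*>/gi;
// Match double-quoted attributes inside one tag.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;

// Parse the attributes of one <input> tag into an object with lower-cased keys.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// Pick the WHATWG autofill token a credential field should carry.
// Heuristic (assumed for this example): name hints decide between the
// current/new password and one-time-code tokens; non-credential fields get null.
function suggestedToken(attrs) {
  const type = (attrs.type || 'text').toLowerCase();
  const name = (attrs.name || attrs.id || '').toLowerCase();
  if (type === 'password') {
    if (/otp|totp|code/.test(name)) return 'one-time-code';
    return /new|confirm|repeat/.test(name) ? 'new-password' : 'current-password';
  }
  if (/user|login|email|account/.test(name)) return 'username';
  return null; // not a credential field; leave it alone
}

// Return one finding per problem found on the form.
function auditLoginForm(html) {
  const findings = [];
  for (const tag of html.match(INPUT_TAG_RE) || []) {
    const attrs = parseAttrs(tag);
    const field = attrs.name || attrs.id || '(unnamed)';
    const token = suggestedToken(attrs);
    // autocomplete="off" on a credential field tells browsers/managers not to fill it.
    if (token && (attrs.autocomplete || '').toLowerCase() === 'off') {
      findings.push({ field, issue: 'autofill-blocked', fix: `autocomplete="${token}"` });
    }
    // Inline clipboard handlers that cancel the event stop users pasting a generated password.
    for (const ev of ['onpaste', 'oncopy', 'oncut']) {
      if (ev in attrs && /return\s+false|preventDefault/.test(attrs[ev])) {
        findings.push({ field, issue: `${ev}-blocked`, fix: `remove ${ev} handler` });
      }
    }
  }
  return findings;
}

// Rewrite the form: set proper autofill tokens on credential fields,
// drop the clipboard blockers, and leave everything else untouched.
function fixLoginForm(html) {
  return html.replace(INPUT_TAG_RE, (tag) => {
    const attrs = parseAttrs(tag);
    const token = suggestedToken(attrs);
    let out = tag.replace(/\s+on(paste|copy|cut)\s*=\s*"[^"]*"/gi, '');
    if (token && (attrs.autocomplete || '').toLowerCase() === 'off') {
      out = out.replace(/autocomplete\s*=\s*"off"/i, `autocomplete="${token}"`);
    }
    return out;
  });
}

// Stand-alone run: list the findings, then show the corrected markup.
console.log(auditLoginForm(SAMPLE_FORM));
console.log(fixLoginForm(SAMPLE_FORM));
```

Run against the constructed sample, the audit reports five findings (two blocked autofill attributes and three clipboard handlers), and the rewritten form passes a second audit with none. A real form may set these restrictions from a script rather than inline attributes, so treat this as a first pass over the markup, not a complete check.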

The new recommendation is to use a password manager. Let the password manager create, store, and fill in the password. Set it to create the longest nonsense it can: so difficult that you won’t remember it, and won’t write it down either. All of this is in addition to using a second form of authentication; however, the password is the most important part.

I spent a lot of time explaining managers here: http://chaimtime.com/2012/07/25/the-sad-state-of-passwords-part-1-use-a-password-manager/

I’ve drafted a letter that I want people to email to any website that refuses to let a password manager do its job. I’ll leave it editable, so that people who are much better writers than I am can add to it. Hopefully this will be a catalyst for everyone to email the webmaster and force a policy change.

To Whom It May Concern:

I appreciate the security imposed by the site to keep my information safe and secure, but may I offer a few suggestions? My suggestions are based on technical support inquiries I’ve been getting from less tech-savvy and security-conscious people. I understand that as a business you have to weigh security against convenience, but I don’t think the security you implement gains enough to warrant the inconvenience.

I’ve been a proponent of using password managers to fill in credentials. Your website does not allow the auto-completion of usernames and passwords. Password managers let people easily create passwords that satisfy your site’s current password restrictions, and fill them in automatically. They also make it easy to keep track of the change when a password needs to be changed. Allowing automatic filling, or copying and pasting, means people can create more secure passwords with less inconvenience. Allowing copy and paste also makes entering credentials on a smartphone much easier. If you want people to use your app, you need to make it easy to log in while keeping user data secure.

Thank you for listening to my suggestion.  I am open to discussing this with you, or your security team.  I believe that this is a simple change that will allow a better experience on your website.

Your Customer,


The Sad State of Passwords Part 1: Use a Password Manager!

Security is something no one wants to deal with. People would rather believe that they are impervious to being targeted. Hacking someone used to be a targeted act; being a victim in the Internet age is beyond trivial. It is a blanket attack instead of a targeted one. In an age where getting your Facebook account hacked is generally accepted, people haven’t found the need to step up their security. Hacking someone’s Facebook isn’t that offensive (yet), and we haven’t really seen a massive ID theft problem. Can we agree to stop the problem, and educate people about password security?

This series is not the be-all and end-all of security advice. This is general information that everyone should implement. I understand that I’m omitting a lot of information, but the goal is getting more people to start thinking with security in mind.

The main issue is that there is no punishment for either the company that allows the database to be stolen or the individual that allows it to happen. The closest we came to any sort of outrage was the PlayStation Network losing the full account information, including credit cards, of most of its users. Not even pension systems getting hacked, or government records being released, has brought us to that level. Does anyone still care about WikiLeaks? Probably not, because it doesn’t affect you directly. Even getting your credit card stolen may only cost you $50, if that.

This is part 1 of many. If I had to come up with one thing that will make security better, this is it: get some sort of secure password manager, and let it manage your passwords.

If you want to check to see if your password was compromised in one of these breaches, go here:
LinkedIn: https://lastpass.com/linkedin/
eHarmony: https://lastpass.com/eharmony/
Last.fm: https://lastpass.com/lastfm/

If your password was compromised, it just proves the point you need another way to secure yourself.  Sign up for LastPass with this code to get me a referral bonus:  https://lastpass.com/f?76016
