So many websites, so few passwords

This article was re-published, with permission, in Chicz magazine Autumn 2012 issue, under the title “Passwords can be both strong and simple.”

I was recently asked to install an operating system and software for a friend. He gave me the password he wanted to use for his computer login, and also asked me to set up access to some of the websites he uses regularly. Unfortunately, I discovered that he is one of those people who uses the same username/email/password combination for multiple accounts and websites. If I thought this individual would listen, I’d sit him down for an hour and give him an introductory lecture on online security.

Folks in the security community will tell you that you should not use the same credentials for multiple websites and computers. But so many of my friends and family don’t seem to exercise this amount of caution.

For those of us who deal with web development, IT-related work, and security, this seems obvious. The reason is that if a malicious individual manages to acquire your credentials, whether by cracking your password, by stealing it, or through your own carelessness (logging in from a public computer, for example), they can effectively control your entire online presence. If you use the same username/email and password for your bank account, your Facebook account, your Twitter account, your Google account, and your iTunes account, you have given the “bad guys” the keys to your kingdom. They can empty your financial accounts, make bogus purchases on your dime, scam your friends and family, and lock you out of your digital life by changing the password before you have even noticed that something is wrong.

And these days, there are a lot of threats to your credentials online. There are numerous cracking groups dumping the data from their exploits. If you had an account on the Playstation network, for instance, your credentials (and possibly financial details) may have been exposed in the much publicized attack that took place earlier this year (April 2011). The people who perpetrate these types of attacks often sell the data they obtain to less than reputable folks who use the information for ill, or they dump it on websites for other crackers to sift through for fun and for profit. If your credentials (email, username, password) were in one of those dumps, and you used those same credentials on multiple services (think Gmail, Hotmail, iTunes, Facebook, Twitter, your bank), then you could be in serious trouble. You didn’t just lose information for one website or online service, you’ve lost control of all of them.

The most common reasoning that I have heard for using one password for multiple sites/services/accounts is “I can’t remember multiple passwords.” While that may seem like a legitimate argument to a non-technical user, there are a myriad of tools available that can aid in managing multiple passwords. With these tools available, and many of them completely free, there is no excuse for using the same credentials for multiple systems, services, and websites.

KeePass, LastPass, 1Password, and Keychain Access are examples of tools that can be used for password management. These tools allow you to store multiple passwords in a secure, encrypted form that can be retrieved as needed through a master password. So, for instance, you can have any number of username/password combinations for your online website accounts, safely stored in a manner that is unreadable. When you need to access the password for a particular account, you enter a single master password that you can remember to retrieve one of your encrypted passwords.

The password manager that I am most familiar with is Keychain Access, built into the Macintosh Operating System since OS 8. Because it is a Mac specific application, integrated directly into the Operating System, many Macintosh applications and the OS itself can access the Keychain for storage and retrieval of credentials. So, for instance, if I were to set up an account on a website, using Safari, Safari can store the login credentials in the Keychain for use at a later date. When I access that website again in the future, Safari will ask for my permission to retrieve my website credentials from the Keychain. As long as I remember my master password (typically the same password used for login on the Mac), I will be able to access those stored credentials in the Keychain. One very strong master password allowing access to multiple unique passwords for website logins. Problem solved.

Of course, not everybody uses a Mac, so you may want to look into some of the alternative options.

I have some limited experience with KeePass, as I am a supporter of Open Source and was interested in how it functions. I found it to be a little cumbersome compared to the built in Keychain on Mac. But for Windows I have heard that the functionality is quite good, when used in conjunction with their browser plugins.

I have heard extremely good things about LastPass on Steve Gibson’s Security Now podcast. It really is worth checking out, and though I haven’t personally made the jump yet, LastPass will likely be my password manager for the future. It allows synchronizing across multiple computers, multiple web browsers (Explorer, Firefox, Chrome, Opera, Safari), and it is cross platform (runs on Windows, Mac, Linux, Android, iOS, WebOS, Blackberry). There is a free version, and a paid premium version ($1 per month billed annually), so there’s no reason not to at least give it a test drive.

Of course, if you’re going to use a password manager, you will need to be sure that your “master password” is of sufficient strength that it can resist attack. If someone were to crack your master password, then they would be able to access all of your services, just as if you had used the same password across multiple services. So your master password should be very strong, and there are a few guidelines you can follow to ensure that your master password is of sufficient strength.

Never use a single word, name, or common phrase. Passwords of that type are easily cracked by dictionary attacks.

Use a combination of uppercase letters, lowercase letters, numbers, and symbols. Using a larger character space makes your password harder to crack, because it increases the number of variations a cracker would have to test against.

Make your master password long. The length of a password increases the strength of it. It takes longer to crack a 24 character password than it does to crack a 12 character password, again, because it increases the number of variations a cracker would have to test against.

You can make a strong password by using a “padding” technique. Also called a haystack technique, essentially, you hide your needle (password) in a haystack (padding). By adding extra characters to the beginning and end of your password, you increase the length, thereby increasing the strength.

What follows is an oversimplified example. Do not actually use this example, it is merely for illustrative purposes. Let’s say you had a password phrase of “I love hats and cats”. You could begin constructing your password by doing a simple character replacement technique (substituting a symbol or numeric character for a letter) similar to “leet speak” and end up with “!10v3#@t5&C@t$”. That’s great, it includes upper and lowercase letters, numbers, and symbols. Although it isn’t likely that someone could guess that, it could be even stronger. If “!10v3#@t5&C@t$” is the needle, let’s throw it in a haystack and make it harder to find. We could pad the password with another 12 characters, 6 on each side (or 8 and 4, or 3 and 9, whatever to obscure it), and the padding could be just about anything. It could be random characters, or it could be a numeric sequence, or it could be an incrementing/decrementing number. Whatever is easy for you to remember, but isn’t completely trivial either. How about “ABCDEF!10v3#@t5&C@t$654321”? That’s an incredibly long and strong password, but it would be fairly easy to remember… if you love hats and cats that is.

Now, a real security guru would tell you that the character replacement technique I just employed (leet speak-esque) is a horrible idea, and if I was protecting national security I would agree. But, cracking that password would almost certainly require the attacker to know that you love hats and cats, and they would need to know that you have employed a specific padding technique. And if you have a 26 character password, containing 7 uppercase, 3 lowercase, 10 digits, and 6 symbols, it is highly unlikely that anyone would be able to crack that in your lifetime. Now I wouldn’t employ that technique on a critical system like a nuclear reactor, but for my own accounts, that is a very strong password that I am completely comfortable with.
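The arithmetic behind the needle and haystack above, as an added example that is not part of the original article: it counts the character classes in a password and the number of candidates a blind brute-force search would have to cover. The class sizes (95 printable ASCII characters) and the guess rate are assumptions, and the figure says nothing about dictionary or rule-based guessing, which the guidelines above warn about separately.

```python
import string

# Assumed class sizes for printable ASCII: 26 + 26 + 10 + 33 symbols (incl. space) = 95
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}


def char_class(ch):
    """Map one character to the class it belongs to."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    return "symbol"


def class_counts(password):
    """How many characters of each class the password contains."""
    counts = {name: 0 for name in CLASS_SIZES}
    for ch in password:
        counts[char_class(ch)] += 1
    return counts


def alphabet_size(password):
    """Size of the character space implied by the classes actually used."""
    return sum(CLASS_SIZES[c] for c, n in class_counts(password).items() if n)


def search_space(password):
    """Candidates of length 1..len(password) over that alphabet (blind brute force)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password, guesses_per_second=1e11):
    """Worst-case years at an assumed (hypothetical) guess rate."""
    return search_space(password) / guesses_per_second / (365.25 * 24 * 3600)


NEEDLE = "!10v3#@t5&C@t$"                   # the article's example needle
HAYSTACK = "ABCDEF" + NEEDLE + "654321"     # needle plus 6 + 6 padding

if __name__ == "__main__":
    for label, pw in (("single word", "hats"), ("needle", NEEDLE), ("haystack", HAYSTACK)):
        print(f"{label:12} length={len(pw):2} alphabet={alphabet_size(pw):2} "
              f"classes={class_counts(pw)} years={years_to_exhaust(pw):.3g}")
```

Each padding character multiplies the brute-force search space by the alphabet size, which is why the 12 padding characters matter more here than the symbol substitutions do.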

Want more information about password strength? Read more about the haystack technique at GRC. You can also test the strength of your passwords with Microsoft’s online password checker. You may be shocked at just how weak your current passwords really are, and how you can increase their strength using some of the simple techniques I have described above.

To summarize, it isn’t really all that difficult to protect your credentials by increasing your password strength. And using a password management system to maintain unique credentials for the myriad of online services that we have all become dependent on in today’s digital life can protect your online identity from malicious individuals on the net. Don’t let yourself become a victim by using one password across multiple websites and services.

Update: 10/08/2012 — I have had many friends tell me over the years that they don’t care if someone hacks into their Gmail, or takes over their Twitter or Facebook account. What most of them have not considered, is how so many of these online cloud services are tied together. For an example of just how horrific the fallout of an online security lapse can be, read this article by Wired’s Mat Honan. He gives a first hand account of how he was recently hacked, his Google account was deleted, his iPhone, iPad, and MacBook were all remotely erased, including irreplaceable family photos, and his Twitter account became a platform for the hackers to broadcast racist and homophobic messages. Although Mat’s experience wasn’t directly related to the strength of his password choices, it is a clear indication of the potential damage that online security lapses can cause. Something to keep in mind the next time you consider tying multiple cloud services together, or using a weak password, or using the same password for multiple services.