Monday, April 1, 2013

One password to rule them all


Last week I blogged about my walmart.com account getting pwned and used fraudulently to make purchases using my credit card. Since I caught it within minutes, and Walmart acted very quickly to void the transactions and suspend my account, I avoided any real damage.

It could have been much worse. Password management is one of the great nuisances of the Internet world. I have email accounts, social media accounts, bank accounts, online shopping accounts, blogging accounts, music service accounts, streaming video accounts, even accounts with news media sites. Most, if not all, of these are accessed by using a username and password (some of the more risk-averse sites ask for additional information to verify my identity the first time I log in from a given location, but by and large username and password are the Internet’s way of authenticating my identity). For that matter, the PIN on my debit card is essentially another form of password. Not only do I have dozens, if not hundreds, of password-protected accounts, but in some cases I am required to change these passwords periodically.

There are lots of conflicting studies, but prevailing opinion is that the average person’s working memory can hold around 3 to 7 things at any one time. That’s where the 7-digit (in the US) phone number originated. So, dozens of passwords to remember, and mental capacity to remember perhaps 7. What’s a person to do?

The two most common ways people deal with this are writing passwords down, or using the same password everywhere. And therein lies the reason my walmart.com experience could have turned into a nightmare. If my walmart.com account is compromised, and I used the same password for my email, or worse yet, for my bank, then whoever pwned my Walmart account would have access to my entire digital life. Ask Mat Honan how painful it can be to unravel that sort of mess.

Here is where “one password to rule them all” comes in. In the last few years I have begun using a password manager to keep track of all my online accounts. I only have to remember one “master password,” which unlocks the “vault” containing each of my individual account credentials. As long as I have access to the Internet (which is not a real limitation since this only applies to online accounts anyway), I will always have easy access to my passwords.

There are quite a few options in the market, but I am partial to LastPass. With LastPass, I install a plug-in for my browser (it supports IE, Firefox, Chrome, and Safari), and it automatically enters the username and password when I browse to a site in my vault. There is also an app to extend this support to Android or iPhone mobile devices. LastPass even has a built-in password generator (which I can tweak to fit the password rules for any site) that will generate a completely random password - and then store it in my vault so I don't have to remember it.
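To make the generator idea concrete, here is an added example (my own illustration, not LastPass's code) of a policy-driven random password generator built on Python's `secrets` CSPRNG: it guarantees at least one character from each class a site requires, and reports the resulting entropy so passwords for different sites can be compared. The class names and the symbol set are assumptions for the example, not any site's actual rules.

```python
import math
import secrets
import string

# Character classes a site's password rules might require.
# Constructed for this example; the symbol set is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
DEFAULT_POLICY = ("lower", "upper", "digit", "symbol")


def generate_password(length=16, required=DEFAULT_POLICY):
    """Return a random password of `length` characters that contains at
    least one character from each required class. Every choice comes
    from the OS CSPRNG via `secrets`, never from `random.random()`."""
    if length < len(required):
        raise ValueError("length too short to cover every required class")
    alphabet = "".join(CLASSES[c] for c in required)
    # Guarantee coverage: one character from each required class ...
    chars = [secrets.choice(CLASSES[c]) for c in required]
    # ... then fill the remainder from the combined alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(required))]
    # Shuffle with the CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password, required=DEFAULT_POLICY):
    """Check a password against the same policy used to generate it."""
    return all(any(ch in CLASSES[c] for ch in password) for c in required)


def entropy_bits(length, required=DEFAULT_POLICY):
    """Upper bound on guessing entropy: log2(alphabet_size ** length).
    The coverage rule excludes a few strings, so real entropy is slightly
    lower, but this is the figure to compare when a site caps length."""
    alphabet_size = sum(len(CLASSES[c]) for c in required)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw), round(entropy_bits(16), 1))
```

A site that forbids symbols is handled by dropping "symbol" from the policy, and `entropy_bits` then shows how much that restriction costs.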

As long as passwords are the method of choice for granting access to online services, there will always be bad guys seeking ways to steal those passwords - whether through malware on my PC, or through data breaches on the server side. By using a password manager and unique passwords, though, I can ensure that if one account is broken into, only one account is broken into.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.