I’ve been enjoying Bob Covello’s recent posts on passwords and password managers – A LastPass Hack with a Happy Ending shows how idiot-simple it can be to find someone’s “hidden” password list.

A surprising interchange on passwords came up in November, during a Chertoff Group Security Series panel entitled “Enough with Getting Pwned Through Passwords: Time for Stronger Identity Solutions.” One of the panelists asked the audience to raise their hands if they required user IDs and passwords for more than 10 accounts, and to keep their hands up if they used 15, then 20. He stopped above 20 because most of the hands had started to go down, but he used the opportunity to talk about how difficult it is to maintain that many unique, adequately long and complex passwords. Most of the panelists agreed that passwords pose a really problematic security challenge that must be addressed but, unfortunately, will continue to be with us for many more years.

What shocked me about the interchange was seeing most of the hands drop after 20 accounts. I expected the speaker to have to jump to 50 or 75 before he started to lose us. What! Aren’t these people using the Internet? Either people are embarrassed to admit the truth, or most people have NO IDEA how many user accounts they are maintaining.

The number of accounts I have is very apparent to me. I’ve used a password manager for many years, Password Safe – free, open source software originally created by Bruce Schneier. I suspect it’s fairly crude compared to newer ones. Using Password Safe, I get a pretty good idea of how many unique accounts/user IDs/passwords I have; they’re presented in a folder/list format – and in my case it’s way over 50. I refuse to count… and it doesn’t matter… they’re easy to manage. How many accounts do you have? If you’re not using a password manager, how do you track them?
I can go to one place and find all of those annoying accounts that I only have to log into once or twice a year – the URL and my user ID are both there; the program generates appropriately complex passwords, and best of all, I don’t ever have to type the password. That’s pretty important if they are all long and have lots of odd characters, and also useful if you are worried about keyloggers.

Yes, passwords are inherently flawed and provide inadequate protection. And yet, most of the risk is introduced by using passwords that are too simple and by reusing passwords across multiple accounts. If you don’t use a password manager, START NOW. There are a whole host of password managers, inexpensive or free, many of them quite elegant and more transparent to the user than mine. The other week, PCMag reviewed 10 password managers, all between $12 and $40, and another 8 that are free.

By the way, Bob’s second post on this topic, “On Password Managers, Perspective and Patience,” considers some reasons our non-technical friends may resist using a password manager. He raises good points. Another reason is that we typically advocate password managers because of their security benefits – as I just did. But at this point, I would never do without one because of the convenience. Let’s make sure to talk about that too!

I’d love to hear from others about what products they like and what they don’t. I should probably think about trading up for greater convenience. But for now, I know I’m getting the best security I can for the security technology that we all love to hate.
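As an added illustration (my own code, not from the post and not from Password Safe or any other manager), the Python script below does the two things the post credits a password manager with: generating long passwords from a large character set using a cryptographically secure random source, and making reuse across accounts visible so it can be fixed. The vault entries are constructed sample data, and the function names are assumptions of this example.

```python
import math
import secrets
import string
from collections import defaultdict

# Character pool a manager typically draws from: letters, digits and the
# "odd characters" (punctuation) the post mentions. 52 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password of `length` symbols.

    `secrets` is backed by the OS CSPRNG; `random` is not suitable here.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This holds only for generated passwords; a human-chosen password of the
    same length and character mix has far less entropy than this formula says.
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault):
    """Map each password used on more than one site to the list of sites.

    `vault` is an iterable of (site, user_id, password) tuples, the same three
    fields the post says it keeps per account. Reuse is what lets one breached
    site unlock the others, so this is the first thing to audit in a vault.
    """
    by_password = defaultdict(list)
    for site, _user_id, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def short_passwords(vault, min_length: int = 16):
    """Return sites whose password is shorter than `min_length` characters."""
    return [site for site, _user_id, password in vault if len(password) < min_length]


# Constructed sample vault (hypothetical sites, not real credentials).
SAMPLE_VAULT = [
    ("https://bank.example", "alice", "Spring2014!"),
    ("https://mail.example", "alice", "Spring2014!"),
    ("https://shop.example", "alice", generate_password(24)),
]


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated: {pw}  (~{entropy_bits(20, len(ALPHABET)):.0f} bits)")
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    print("too short:", short_passwords(SAMPLE_VAULT))
```

Run as-is it prints a fresh 20-character password with its entropy (about 131 bits for the 94-symbol pool), then reports that the constructed bank and mail entries share a password and that both are shorter than 16 characters; the generated third entry passes both checks.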