Securing your online identity – your username and password – is especially important today as more and more attacks using weak, compromised, and re-used credentials take place. Password security is the first step (and one of the most effective) in securing your online identity.
A few months ago, news and social networking sites warned users of the website RockYou that their accounts and passwords may have been compromised. Security firm Imperva warned users that a hacker may have made off with an alarming 32 million accounts from the social gaming website. While this is nothing new, what’s interesting are the results of the security firm’s analysis of the stolen accounts and passwords. We’ve blogged extensively about the need to use unique and secure passwords.
From the data that they were able to gather, it seems that a great number of users still use insecure passwords – for instance, passwords of six characters or fewer (30% of users), passwords confined to alphanumeric characters (60%), passwords that include names, slang words, or dictionary words, and trivial passwords (consecutive digits, adjacent keyboard keys, and so on: 50%). These types of passwords fall quickly to automated brute force attacks designed to guess users’ passwords.
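As an added illustration (not code from the original post), the following Python checker flags the same weakness categories the analysis above lists: short, alphanumeric-only, dictionary-based, and trivial (consecutive digits, adjacent keyboard keys, repeated characters). The word list and the sample passwords are constructed for the example; a real audit would load a full dictionary file.

```python
import re

# Constructed example: flags the password patterns the RockYou analysis
# called out (short, alphanumeric-only, dictionary words, trivial runs).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES = KEYBOARD_ROWS + ["0123456789", "abcdefghijklmnopqrstuvwxyz"]
# Tiny constructed word list; a real audit would load a full dictionary file.
DICTIONARY = {"password", "princess", "monkey", "football", "love", "iloveyou"}
RUN_LEN = 4  # shortest run of adjacent keys / consecutive chars we flag


def has_trivial_run(pw: str) -> bool:
    """True for runs like 1234, qwer, abcd (forwards or backwards) or aaaa."""
    low = pw.lower()
    if re.search(r"(.)\1{%d,}" % (RUN_LEN - 1), low):  # same char repeated
        return True
    for i in range(len(low) - RUN_LEN + 1):
        window = low[i:i + RUN_LEN]
        if any(window in seq or window in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def weaknesses(pw: str) -> list[str]:
    """Return the list of weakness labels that apply to pw (empty if none)."""
    low = pw.lower()
    found = []
    if len(pw) <= 6:
        found.append("short")
    if pw.isalnum():
        found.append("alphanumeric-only")
    if any(word in low for word in DICTIONARY):
        found.append("dictionary")
    if has_trivial_run(pw):
        found.append("trivial")
    return found


def audit(passwords: list[str]) -> dict[str, float]:
    """Percentage of passwords hit by each weakness, like the report's stats."""
    labels = ("short", "alphanumeric-only", "dictionary", "trivial")
    counts = {k: 0 for k in labels}
    for pw in passwords:
        for label in weaknesses(pw):
            counts[label] += 1
    return {k: round(100 * v / len(passwords), 1) for k, v in counts.items()}


if __name__ == "__main__":
    sample = ["123456", "qwerty", "iloveyou", "Password1!", "c7$Qp!9xLm#2wZ"]
    for pw in sample:
        print(f"{pw!r:18} -> {weaknesses(pw) or 'no obvious weakness'}")
    print(audit(sample))
```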
The reason these sorts of insecure passwords continue to be used may be simple. It’s just too hard to track all of the online accounts we have, especially as more and more specialized services are introduced and become popular. While in the past users may have only needed to memorize their email and possibly their bank’s password, today they must contend with passwords to access each of their favorite social networking sites, blogs, phones, photos, games, documents, news sites, bank accounts, expense tracking services, stores, books, and dozens of other online services.
The question for many is how we can possibly remember all of these passwords, especially if we’re using different, highly secure ones (that are therefore not easily remembered) at each site as recommended. Here are some quick tips to help you recall and manage them easily:
Use desktop password management tools. There are several desktop tools available that help you manage and safely store your passwords: you install software that stores your passwords encrypted on your hard drive, and you only need to provide one “master” password to access the rest. Examples of such tools include LastPass (free and fee versions are available), and 1Password for Macs. These tools enhance your password security by supporting the use of more complex passwords that are unique to each website / service that you access. LastPass will also securely synchronize across all of your devices – PC, laptop, tablet, phone, etc. It supports sharing passwords selectively between teammates (at work) and family members (at home).
Store your passwords in the Cloud. An alternative is to use password managers that are accessible only online and are hosted in the Cloud. These services use the Security Assertion Markup Language (SAML) to communicate securely with the services you are trying to access. They work the same way as desktop password managers but with the extra benefit of not having to download and install software on your PC. Another advantage is that they are available on any device or system as long as it is connected to the Internet, and losing your device does not put your passwords at risk.
Use Browser Plugins. Some tools work as add-ons for your browser, and there are many examples. Some generate passwords on the fly, some store the information on your PC, and others store it in the cloud and sync it to your device. These services offer a compromise between purely desktop-bound password tools and purely online ones. They are, however, often tied to the browser you use. LastPass is a good example of a hybrid solution that works on the desktop, in the cloud, and within virtually all browsers.
Trust a single site with your Identity. Another alternative is simply entrusting the security of your online identity to a single provider who hopefully has the resources to manage it more securely than you can on your own. These include large sites like Facebook, Google, and Yahoo, which often allow many third-party sites to use your identity with your permission. If you don’t trust these sites, you can manage such an online identity on your own through providers such as OpenID. This way you only need to secure and manage one password and identity, which is shared with other sites as you see fit. The disadvantage, of course, is that not all sites may use or be compatible with these federated identity management systems. You may also have to consider the possibility that these large sites may become compromised themselves.
Managing your passwords can be a pain. Hopefully these tools can help you do so more efficiently and more effectively. Do you have other suggestions? Do you need assistance in setting these up for you or your company? Let us know – we’re happy to help!