2014-08-14 Fox Valley Toastmasters
Today I’d like to talk to you about one of the most pervasive and pernicious problems plaguing the world today. You may have received one (or several) emails in the past year from internet sites saying “OOPS! We lost your password. You might want to reset it before something bad happens.” If it hasn’t happened to you personally, you’ve heard the stories in the news – database after database compromised, each exposing millions of users’ accounts and passwords to criminal attacks.
These sites were relying on passwords for account security. As shared secrets, passwords make it possible for either you or the internet site to lose or compromise your account. Passwords in particular suffer from a number of issues.
With the profusion of sites today, passwords are commonly reused. This, however, is a bad practice: reusing a password turns a compromise of one account into a compromise of several. The problem is magnified significantly by the occasional database loss, which gives internet criminals access to large quantities of passwords that are likely used on many other sites. There are ways for internet applications to limit the damage of a database loss (storing only salted, slow-to-compute hashes of passwords rather than the passwords themselves), but these measures are not always implemented well, if at all. I recommend that you always use a unique password for every site you visit. If you really can’t bear to manage that many passwords, at least do it for your important accounts – banks, online email, or any e-commerce site that has your payment information.
Weak passwords are another major issue; reused passwords are often weak, and the temptation is doubly strong if you need to keep track of several. Here is a selection of the most common passwords (hint: all of them are weak)
… and so on. I recommend that you use long and complicated passwords. Long in this context means twelve characters, at a minimum. Complex means using arbitrary combinations of different character types – upper and lower case letters, numbers, and symbols.
People also have trouble remembering passwords – especially if you are trying to use unique, long, and complicated passwords for every site. This often leads to writing passwords down somewhere, such as a notebook. Unfortunately, this exposes you to the risk of someone peeking at your notebook and getting access to all your accounts. I recommend using a password manager. I use LastPass, and there are a number of others, such as 1Password, KeePass, and many more. A password manager will keep all of your passwords – much like a notebook – but a good one will keep them encrypted while not in use. You use one good long, complex password to unlock your manager. Once unlocked, the password manager can assist with generating good passwords, and many can automatically fill in web forms, saving you from even having to copy and paste.
The ultimate solution is to get rid of shared secrets. The gold standard right now is public/private key cryptography. A private key, which is never shared, allows you to sign assertions (for example, “I am the holder of this account”). Those signatures can be verified by anyone holding the matching public key, which can be freely shared, so a site that stores only your public key has no secret to lose. The major caveat to this system is that the user has to take full responsibility for their private key – there is no more “password reset” button. I’m investigating a system called SQRL (pronounced “squirrel”) that makes public/private key cryptography as simple as scanning a QR code with your phone, yet secure enough to log into an untrusted public terminal.
SQRL is the future. In the meantime, I encourage you to use a password manager. A password manager will help you generate long, complicated passwords, and keep track of a unique password for each site you visit.