Why Passwords Suck…And What You Can Do About Yours

Password? That passwords are a hassle is a given. They’re a pain to think up and a pain to remember. If you’re anything like me you’ve probably got two or three of varying degrees of strength which you use for everything. But really, you know this isn’t the best solution.

If this sounds a little like you, your passwords – or at least your password policy – probably could do with some improvement.

Here’s why, and what you can do.

To understand what’s wrong with this approach – an approach taken by almost everyone – we must ask why we use passwords in the first place: we want to prevent others gaining unauthorized access to our personal data and accounts. Although we don’t often think of it in such terms, really these things are our non-physical property. Yet, because passwords are hard to create and remember, we stick to just a hand-full at most, and re-use them for all of our accounts.

Comparing this with the real world

If that’s currently how we protect our non-physical property, how does this compare to how we protect our physical property, in the real world? Takes keys as an example. We don’t have a single key cut and then use that to secure everything we own. Instead we use a different lock and a few copies of each, unique key for each thing we’re protecting, be it our car, home, bike, or whatever else.

To compare the two approaches, let us ask, Who tries to remember the intricacies of the grooves and cuttings of each key on his keyring every time he uses it? Obviously that’s absurd. We’d end up creating just a couple of easy-to-remember, and therefore guessable, key profiles. Actually, that sounds kind of familiar.

So in practice we protect our physical and non-physical assets fundamentally differently. This doesn’t make much sense to me:

These two forms of assets are essentially the same. We shouldn’t compartmentalize physical and non-physical security like we do.

If anything, we should take even more care over our non-physical assets, since it really costs an attacker nothing to try to break in. We could really benefit from changing the way we think about passwords. Just as we buy randomly-cut, essentially unique keys, so we ought to use randomly-generated passwords, unique for each thing we’re securing.

KeePassX Main Window

KeePassX Main Window. Once you get used to it, you’ll probably wonder how you ever did without something like this.

Do this with a password manager

Password managers allow you to do just this; in many ways they reflect our real-world experience of securing our property. They come with many additional benefits, such as allowing login information to be categorized and easy to find, some even auto-fill login forms for you, but the main advantages are the essentially impossible-to-guess random nature of the strings they create.

There are many great options out there for password managers; I personally use KeePassX which is the Linux/Mac version of KeePass for Windows, because it’s free and open source. There are solid commercial options available too (e.g. LastPass).

Try one out and test-drive it for a week or two. If you have any strong thoughts either way, let me know how it goes in the comments.

Are password managers really safe?

A wise man once said, “There are no solutions, only trade-offs”,1 and this is as true here as anywhere else. Clearly there are security ramifications of storing all of your passwords in one place (just as there are with keeping all your keys on one keyring).

A strong master password – or even better an encryption key on a usb drive – can reasonably overcome this, and overall the benefits outweigh the risks; using the same password across multiple sites leaves you far more vulnerable. After all, in that case you’re trusting all of those individual sites to keep your password safe. If one is hacked, well you can assume all of your other accounts are too.

Beef up your security even more

Even with all the above perfectly implemented, there are things you can do to improve your online security. For example, if any sites you use have two-factor authentication, turn it on! (How to for Facebook, Google, and Twitter.)

A couple of other things:

  • not logging into sites through web proxies like Zend2 . Ever wondered how they make their money?
  • logging in using “https” where available to prevent people snooping on your connection
  • not clicking through “certificate errors” (such as this) which could be someone trying to snoop on your connection
  • not writing your password on a post-it note and sticking it on your laptop. (Ought to be obvious, right? You’d think so.)

Conclusion

Online security is a minefield, but it’s not impossible, even for the casual internet user, to do it right. With a couple of changes in behaviour, protecting ourselves online can become easier and more effective. And if we start thinking about online security as we do offline security, we will certainly protect ourselves that little bit more from becoming a victim of the latest round of online crime.

  1. Tom Sowell, I guess. []