Cyber and you: Password Managers
In this edition of Cyber and you, we talk turkey on Password Managers. Hopefully you will learn something while being entertained!

This is a continuation of prior posts on the use of Gmail, and what browser you use. The series is intended to be a relatively simple set of guidelines to improve your safety online, common sense options to secure your life.
It is not intended to bullet-proof you, because that is nearly impossible, but to improve your odds.
Past posts:

and

Today, we're going to talk passwords.
My history
My first brush with online computing was my first account on the PDP-11 at San Jose State University in the fall of 1983, when I was assigned a user ID and password. My user ID was the first letter of my first name and the first 5 letters of my last name: GANDER (and yes, it was all uppercase). My password was a 7 letter randomly generated set of characters.
I still remember it to this day, 42 years later.
For years, I used that password because it was unique, it was something I memorized, and it was just easy to reuse.
Until the Internet took off, and I was an early adopter, using all sorts of weird things to get online in the early 1990's, reusing that password was probably fine.
In the early 2000's I went to work for an actual internet company, Cisco Systems, and at the time I ran a couple of what they called SEVT's (Systems Engineering Virtual Teams) that covered campus networking and security. It was about that time that I became aware of the importance of password security.
But I still had mostly weak-ass passwords that were easy to remember.
But at least I didn't continue to use the same password over and over.
The real earthquake came in 2006 (I adopted it in 2008 and have paid for it ever since) when a little company called AgileBits released a novel application, 1Password. I learned about it from a listserv for Mac users from my time at Cisco. Some of the smartest people I ever knew were on it, and I got seriously educated. Once they discovered 1Password, they shared their experience. They poked at its encryption, they poked at its password generator, they prodded it, and they declared it "good".
Good enough for me, and I've been a user since, and turned lots of people on to it.
That's 'nuff for the preamble. On to the main event!
Why you should use a password manager
My mother got online in the late 1990's, and whenever she signed up for some account, be it for the local newspaper, or eBay, she created an account and dreamt up a password. They were terrible passwords, usually the name of something, or a name + digits that are relevant to it.
And then she had a little spiral notebook between her computer and her ashtray where she would write it down.
I bet that sounds familiar to many readers (perhaps sans ashtray).
The advent of the GPU (Graphics Processing Unit) and some clever algorithms made these simple passwords vulnerable to what is called a dictionary attack, basically a brute force attack that takes a dictionary or list of words and cycles through them until it gets the right one. This became feasible in the mid aughts even for people with an ordinary computer.
I saw a demo that a 9 character password could be broken in a few minutes with hardware I could walk into Fry's Electronics and buy for a couple thousand dollars.
The way to combat that is to not use words, or things akin to words with character substitutions (like "D!et C0k3"), but instead a minimum of 15 characters mixing letters (upper and lowercase), numbers, and special characters. These are impossible to guess but really annoying to type. And they are terribly difficult to create on your own. There are many password generators online, and one that I use is Password-Generator.

This doesn't run on their server; it is JavaScript running in your browser on your own computer, so any passwords it generates are seen only by you.
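To make the two points above concrete (why a substituted dictionary word like "D!et C0k3" is still a dictionary word to an attacker, and what a 15-character random password buys you), here is a small added example in Python. It is my illustration, not the code behind the Password-Generator site or 1Password's generator. It draws passwords from the operating system's cryptographic random source, reports the entropy of the result, and shows how a few leetspeak substitutions are undone before a candidate is compared against a tiny, constructed word list (a real checker would use a list of millions of words and known leaked passwords).

```python
import math
import secrets
import string

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Constructed toy word list for the demonstration; real lists are far larger.
TOY_WORDS = {"diet", "coke", "password", "summer", "dragon", "letmein", "welcome", "monkey"}

# Common single-character substitutions an attacker's rules undo before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def generate_password(length: int = 16) -> str:
    """Draw `length` symbols from ALPHABET with the OS CSPRNG (secrets, never random).

    Retries until every character class is present so the result satisfies the
    usual site rules; the retry costs a tiny amount of entropy, which is why the
    default length is generous.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one symbol from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def looks_like_dictionary_words(candidate: str, words: set[str]) -> bool:
    """True if, after undoing leetspeak substitutions and case, every word-like
    run of letters in `candidate` is in `words` ("D!et C0k3" -> "diet coke")."""
    normalized = candidate.translate(LEET).lower()
    tokens = "".join(ch if ch.isalpha() else " " for ch in normalized).split()
    return bool(tokens) and all(token in words for token in tokens)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16, len(ALPHABET)):.1f} bits")
    for sample in ("D!et C0k3", "P@55w0rd", "0V/22[qX.DwnmYR8"):
        print(f"{sample!r:22} dictionary-derived: {looks_like_dictionary_words(sample, TOY_WORDS)}")
```

Run it a few times: the generated string differs every run, the entropy figure does not, and the substituted dictionary phrases are flagged while the random string is not.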
And I do use this to create passwords that I will never have to type in. For example, the database that this site runs on is MySQL, and it has a "root" user [1] that needs a strong password, so that if someone does get past my firewall, they can't actually do anything with my database. I create a password, copy it into the configuration, and I am done with it forever. (I do have a text file where I save that too.) But I never log in as that user.
And frankly, who wants to remember "0V/22[qX.DwnmYR8" to type in daily?
The answer to that is to "cache" these passwords. Sure, you could just have a text file on your computer that you copy-pasta from. Pre-smartphone this was "ok", but if you had more than one computer, you had to find some way to synchronize this text file between them. Today, you would use Google Drive, or OneDrive, or, if you are old school, Dropbox.
But then someone might be able to hack your storage, and voila, they have all your passwords.
No bueno.
Oh, and I have to add: under no circumstances, especially if you use Google's Chrome browser (but Firefox and others as well), let the browser "save" your passwords. This is super weak security, and these passwords get hacked all the time by poorly behaving plugins. Whatever browser you use, go to the configuration and turn off all "offer to save passwords" options RIGHT NOW.
Solution: Password Managers
As I alluded to earlier, I was an early adopter of a technology called the "Password Manager". It is a lot like using that pad of paper plus the secure password generator, except that it runs on your computer, your tablet and your phone, it can store unlimited passwords, it generates random ones for each service you use, and most importantly, it keeps them securely sync'd to some cloud storage, encrypted naturally.
There are several of them, but the two most common ones are LastPass and 1Password.
Both of these do the job, and both will support Windows, MacOS, iOS, and Android devices. Both are subscriptions, but the price is reasonable.
Both generate secure passwords, and both give you the ability to store notes (some sites issue recovery codes that are handy to have in the app in case you mung your multi-factor authentication; that will be next week's installment).
I chose 1Password back before full featured password managers were really a thing, and I have never been tempted to change. What I say here is generally true though.
The strength of password managers is in the integration with your device and browser. Both of these have plug-ins for all the major web browsers that automatically connect to the application and fill in the credentials needed to log in.

This makes it stupid simple to have strong passwords everywhere.
The main app is simple too, but you don't need to spend much time there unless you are adding notes, or logging into a desktop application (say Steam, the games platform).

We (my wife and I) have a family account: we are on one subscription, but our passwords are kept separate, and we can share selected logins, like my work stock account, so that if I get hit by a bus, she can access all my accounts.
And for me, 1Password's browser plug-in also works on Linux, and since I do some goofing around with that, I can access all my passwords there too.
Now the downside:
They are not free. I think I spend $80 a year for our family account, and that seems fair.
There is a little bit of a learning curve. I've been using it so long, it is second nature, and since I can use my fingerprint reader on my Mac to unlock (every two weeks you have to use the longer passphrase) it is convenient. Also, I can use the face unlock on my iPhone.
If you ever lose your passcode, you are screwed.
I know for 1Password, when you create your account, there is a PDF file of the details (you have two codes needed to connect, and one of them unlocks the vault; if you lose either of them, it is unrecoverable. A lesson my wife learnt the hard way!)
I printed the PDF, I saved a copy in a secure area of my OneDrive storage, and a printed copy is in my wife's filing cabinet.
You really should use a passcode, that is, a 4-word combination strung together that you can remember, instead of a short, easier-to-type password. Remember, easier to type and short = vulnerable to attacks!
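The "short and easy to type = vulnerable" rule can be put in numbers. The example below is added here and is not from the post or from 1Password: it builds a 4-word passcode the way a manager should (each word chosen independently by the OS random source from a fixed list), computes the entropy of that choice, and compares the expected guessing time against an 8-character lowercase password and a 15-character random one. The word list is a constructed 16-word toy list; the 7776-word figure is the size of the EFF diceware list, and the 10^10 guesses-per-second rate is an assumed figure for an offline attack on a fast, unsalted hash. A password manager's key derivation deliberately slows each guess by orders of magnitude, so the real times are longer; the ordering is what matters.

```python
import math
import secrets

# Constructed toy word list; a real list (e.g. EFF's) has thousands of entries.
TOY_WORDLIST = ["apple", "bridge", "candle", "dragon", "engine", "forest", "garden",
                "harbor", "island", "jungle", "kettle", "ladder", "meadow", "nickel",
                "orange", "pepper"]

# Assumption for the demonstration: offline attack against a fast unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(words: list[str], count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly and independently (repeats allowed) with the CSPRNG.

    The entropy below only holds if the words come from this kind of draw, not
    from a human choosing "memorable" words.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def scheme_bits(choices: int, picks: int) -> float:
    """Entropy in bits of `picks` independent uniform selections from `choices`."""
    return picks * math.log2(choices)


def expected_crack_years(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the right guess: half the key space on average."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict[str, tuple[float, float]]:
    """Map scheme name -> (entropy bits, expected years to crack at the given rate)."""
    schemes = {
        "8 lowercase letters": scheme_bits(26, 8),
        "4 words from 7776-word list": scheme_bits(7776, 4),
        "15 chars from 94 symbols": scheme_bits(94, 15),
    }
    return {name: (bits, expected_crack_years(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("sample passcode:", generate_passphrase(TOY_WORDLIST))
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:32} {bits:6.1f} bits  ~{years:.3g} years")
```

The takeaway matches the post: four random words beat a short typed password by a wide margin, and the generated 15-character string the manager stores for each site is in another league entirely.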
What about Apple's Passwords service?
The last major update to MacOS brought Apple's own password manager. Apple has long had a built-in password keeper in the Keychain that was OK, but very unfriendly to use.
They now have a service that is closer to LastPass and 1Password, but I do not recommend it. First, it really seems to only work with Safari and Apple's apps. Lame.
Second, if you have a Windows box as well as a Mac, well, I wasn't able to figure out how to use it (and I refuse to install iCloud on my Windows PC).
I would just recommend ignoring the Apple solution. Alas, if you go to the Genius Bar, they will try to browbeat you into using the Apple solution. Ignore them.
Final Thoughts:
One of the benefits of a good password manager, besides the sense of security, is that if you use a different, unique password on every site you access, then when a data breach happens you can rest assured that the leaked password isn't going to help people get into your other accounts. And you then have only one password to change to feel better.
And I get a new breach announcement weekly it seems.
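This is the part of the argument you can check yourself against your own vault. The example below is added here (not the post's or any manager's code) and works on a constructed set of vault entries shaped like what a password manager export contains: for each stored password it lists which sites share it, and for a named breached site it lists every other account that the leaked password would open. Good managers offer a built-in report that does the same job.

```python
from collections import defaultdict

# Constructed vault entries for the demonstration: (site, username, password).
VAULT = [
    ("newspaper.example", "mom", "Diet Coke 1"),
    ("auction.example",   "mom", "Diet Coke 1"),
    ("bank.example",      "mom", "Diet Coke 1"),
    ("email.example",     "mom", "rY7!pK2$wQ9@zL4m"),
    ("steam.example",     "dad", "0V/22[qX.DwnmYR8"),
    ("games.example",     "dad", "0V/22[qX.DwnmYR8"),
]


def reused_passwords(vault: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map each password that appears more than once to the sorted list of sites using it."""
    by_password: dict[str, set[str]] = defaultdict(set)
    for site, _user, password in vault:
        by_password[password].add(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def exposure_from_breach(vault: list[tuple[str, str, str]], breached_site: str) -> list[str]:
    """Sites other than `breached_site` whose password matches the one stored for it.

    An empty list is the goal: a unique password per site means a breach at one
    site costs you exactly one password change.
    """
    leaked = {pw for site, _user, pw in vault if site == breached_site}
    return sorted(site for site, _user, pw in vault if pw in leaked and site != breached_site)


def sites_to_change(vault: list[tuple[str, str, str]], breached_site: str) -> int:
    """How many accounts need a new password after `breached_site` is breached."""
    return 1 + len(exposure_from_breach(vault, breached_site))


if __name__ == "__main__":
    for pw, sites in reused_passwords(VAULT).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    for site in ("newspaper.example", "email.example", "steam.example"):
        print(f"breach at {site}: change {sites_to_change(VAULT, site)} password(s)")
```

On the constructed vault, a breach at the newspaper forces three password changes because the same password guards the auction site and the bank, while a breach at the email provider costs exactly one.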
I hope this was helpful. If you are a LastPass user, and want to help people, please post your experience in the comments.
Next installment will be the importance of multifactor authentication, and what to avoid.
1 - "root" is a very important concept in computers that dates back to the early days of the UNIX system. Root is the "super user" who can do anything, including destroy the system. As such, it is usually not an account that is used day to day. If you are interested, look for a basic training course on Linux and it will explain this well.