How to create, maintain and manage a secure password system
A non-destructive password cracker reminds Wordpress founder Matt Mullenweg — and the rest of us — how important it is to use secure passwords. The cracker, who indicates that he’s not really a password cracker and was just “curious,” guessed Matt’s insecure photomatt.net blog password, logged in, changed the password and made a self-congratulatory post on a newly created blogspot blog. Matt explains:
*ahem* If you missed it, someone guessed my not-at-all secure password to this blog and posted an entry and changed the “siteurl” setting.
Not that I want to draw password crackers — or even those merely interested in these activities — to our sites and services, but I will share some of the ways we manage passwords. I’m not going to say our system is completely impenetrable, but it would be extremely difficult to break (and believe me, this is not being offered as a challenge):
1. password length varies and is not less than six characters, usually significantly longer. In some cases, though, sites actually don’t allow passwords longer than six characters. It’s rare, but true.
2. strong passwords are randomly generated, contain mIxEd cAsE, numbers and symbols, and are saved in an encrypted master-list database kept offline only, accessible from one computer and one portable device (also encrypted and requiring password access).
3. each website/service/FTP/mail/account gets a completely different random strong password.
4. any website which doesn’t allow us to change the password, or which allows fewer than six characters, is flagged as ‘insecure’, and I’m extra cautious about what information is shared with that site and its partners.
5. for lost-password retrieval question/challenge answers, do not use facts that can be Googled.
6. financial and other extremely important passwords are changed at random intervals, using the same methodology above.
7. Don’t forget about a physical breach of the computer itself. EXAMPLE: an intruder simply sitting down at your computer and accessing your password list that way. Have some sort of auto-logout system in place so that if you leave your computer, password access is required.
8. set up systems to log and detect password-hurling programs. Password hurlers are cracking programs which throw tons of random passwords at a system trying to break in.
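Points 1 through 4 above as working code: an added example (not from the original post or any product it mentions) that generates a per-site random password from the OS CSPRNG, enforces the six-character floor and the mixed-case/number/symbol policy, honours a site’s length cap, flags a site as insecure under point 4, and reports the entropy so the weakness of a six-character cap is visible. The symbol set and the 20-character default are assumptions.

```python
import math
import secrets
import string

# Character classes the post's policy calls for (point 2): mixed case, numbers, symbols.
# The symbol set is an assumption; widen or narrow it to what a given site accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 characters in total
MIN_LENGTH = 6  # point 1: never fewer than six characters

def generate_password(length=20, max_length=None):
    """Random password of `length` chars, trimmed to `max_length` when a site imposes
    a cap (point 1), with at least one character from every class. Uses `secrets`."""
    if max_length is not None:
        length = min(length, max_length)
    if length < MIN_LENGTH:
        raise ValueError(f"length {length} is below the {MIN_LENGTH}-character floor")
    # One guaranteed pick per class, the rest from the whole alphabet, then a
    # CSPRNG shuffle so the positions of the guaranteed picks are not predictable.
    chars = [secrets.choice(cs) for cs in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def meets_policy(password):
    """True when the password satisfies points 1 and 2: length floor, every class present."""
    return len(password) >= MIN_LENGTH and all(
        any(c in cs for c in password) for cs in CLASSES.values()
    )

def site_is_insecure(max_length=None, allows_change=True):
    """Point 4: flag a site that forbids password changes or caps length below the floor."""
    return not allows_change or (max_length is not None and max_length < MIN_LENGTH)

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # One distinct password per account (point 3); "legacy-site" models a six-character cap.
    for site, cap in [("mail", None), ("ftp", None), ("legacy-site", 6)]:
        pw = generate_password(max_length=cap)
        print(f"{site:12s} {pw!r:24s} {entropy_bits(len(pw)):.1f} bits")
```

A six-character password from this 86-character alphabet carries under 39 bits of entropy, while the 20-character default carries over 128, which is why the post treats the six-character cap as a reason for extra caution.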
Now is a good time to review your password management and make sure it’s secure. Is it? What other tips can you offer for creating and maintaining an ongoing system of password management?
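Point 8 above, logging and detecting password hurlers, as an added example that is not part of the original post: a sliding-window detector that flags a source once it logs a threshold of failed logins inside a short window and records which usernames it tried. The log format, the sample lines and the threshold/window values are all constructed for the example; real sshd or web-server lines need their own regex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a simple "timestamp RESULT user=.. src=.." format
# (not a real sshd or web-server format); addresses are from documentation ranges.
SAMPLE_LOG = """\
2006-06-08 18:30:01 FAIL user=matt src=203.0.113.7
2006-06-08 18:30:02 FAIL user=matt src=203.0.113.7
2006-06-08 18:30:02 FAIL user=admin src=203.0.113.7
2006-06-08 18:30:03 FAIL user=matt src=203.0.113.7
2006-06-08 18:30:04 FAIL user=matt src=203.0.113.7
2006-06-08 18:30:05 FAIL user=root src=203.0.113.7
2006-06-08 18:31:10 FAIL user=tdavid src=198.51.100.4
2006-06-08 18:31:40 OK   user=tdavid src=198.51.100.4
2006-06-08 19:45:00 FAIL user=matt src=203.0.113.7
"""
LINE_RE = re.compile(r"^(\S+ \S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def parse_events(log_text):
    """Yield (timestamp, succeeded, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2) == "OK", m.group(3), m.group(4)

def detect_hurlers(log_text, threshold=5, window_seconds=60):
    """Flag a source the first time it logs `threshold` or more failed logins inside any
    `window_seconds` span. Returns {src: {"first_alert": str, "users_tried": [...]}}.
    A lone typo (one FAIL then OK, as 198.51.100.4 shows) never reaches the threshold."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    users = defaultdict(set)      # src -> distinct usernames it has tried so far
    alerts = {}
    for ts, ok, user, src in parse_events(log_text):
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": ts.isoformat(sep=" "),
                           "users_tried": sorted(users[src])}
    return alerts
```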
Related info elsewhere
Tool: Check password strength
Secure your passwords
Secure your saved passwords in Firefox
I’m glad you include the link for securing passwords inside Firefox. For a long time that has been one of the biggest “killer features” for me of that browser.
People often don’t realise how insecure their OS passwords are, and that if they have saved all their passwords unsecured (ala IE) in their browser then they are just asking for trouble.
Comment by iiq374 — June 8, 2006 @ 6:30 pm PST
And for those Linux heads that think they are above the “insecure OS password” threat, with physical access to the box I have been able to get into all but one Linux system in under 30 seconds.
Lookup the wonders of “Linux single” then go put a password on your boot loader. (Won’t stop someone but hey at least it will slow them down some).
Comment by iiq374 — June 8, 2006 @ 6:36 pm PST
[…] - Speed doesn’t kill that much after all according to a new finding that roads are getting safer, despite higher speed limits. Texas just raised their speed limit to 80 in some places. - the unfortunately named keePass is an open source password management program for Windows. We’ve been using the commercial program eWallet (see handango) for years as it’s convenient to sync with Pocket PC. Related: tips on creating a secure password system - create fake magazine covers for Playboy, Playgirl and Time. Probably won’t last as Playboy is well known for fiercely protecting their brand. - can you choose the correct urinal in this short break game? […]
Pingback by Make You Go Hmm: » Hmm quickies #31 — July 7, 2006 @ 7:46 pm PST
I’m surprised you didn’t mention using a Password Manager to keep yourself safe from password crackers. Having a randomly generated password is super-secure, but damn hard to remember - esp. for 101 websites! Using a Password Manager will allow you to have *one* password that will unlock access to all your passwords. Since you only have one password to remember, you can create a secure one.
Try using RoboForm for Windows or 1Passwd for Mac OS X. Both of these tools allow you to login to web sites without ever leaving your browser. RoboForm works in IE and Firefox, and 1Passwd works in Camino, Firefox, Safari, and Flock.
Comment by David — July 7, 2006 @ 10:30 pm PST
That’s what #2 is above, David, and see comment #3 above also. I only have to remember one password and that unlocks the encrypted database. I notice your sig is to 1passwd.com. Are you a representative of that site (should have disclosed that, if so)?
Comment by TDavid — July 7, 2006 @ 10:43 pm PST
I guess I just misread comment #3; it seemed to be spam to me:
> Speed doesn’t kill that much after all according to a
> new finding that roads are getting safer, despite higher
> speed limits. Texas just raised their speed limit to 80
> in some places.
I don’t drive much in Texas, so I moved on. Once I followed the link, however, I saw you mention keepass, which is a good first step towards creating a secure password system. Keepass doesn’t go far enough, IMHO, to make your online life secure because it is not convenient.
Re: point #2, and indeed all the points: they make you more secure but at the same time they sacrifice convenience. The problem with secure systems that aren’t convenient is that users will inevitably fall back to poor habits to make their lives easier. That is why I mentioned the Password Managers - if you pick the right ones your life becomes *easier* and more secure. The reason I mentioned RoboForm and 1Passwd is they both integrate directly with the browser - users can login to sites without ever leaving their browser.
Case in point, Matt of WordPress fame, would rather use an easy to guess password than protect himself. He chose convenience over security, and got burnt for it. He has likely lost several customers because of the stigma. If he didn’t view security measures as inconvenient, he would have used a generated strong password.
As for 1Passwd, I helped write it so I am biased towards it. However, I didn’t post a self-serving comment, I mentioned RoboForm, a competitor of 1Passwd, in order to be as objective as possible.
Comment by David — July 8, 2006 @ 12:17 am PST
David - the part in comment #3 above that I wanted you to read was “we’ve been using the commercial program eWallet (see handango) for years as it’s convenient to sync with Pocket PC.” That was the trackback from another related post here. The rest of the post (Texas speed limit) is obviously unrelated to our discussion here.
It’s interesting that you criticized keepass for not being convenient and ignored that I actually don’t use keepass (an open source program) and do use eWallet, a commercial program that deals specifically with convenience in making both our online and offline lives easier. I have other things stored there besides web-based information. Things I might want to have when out and about and unconnected to the web. Your product doesn’t solve those needs.
This also adds more information to point #2 above (emphasis mine): “strong passwords are randomly generated saved in a master list encrypted database offline only containing mIxEd cAsE, numbers, symbols and accessible from one computer and one portable device (also encrypted and requiring password access).”
We have ultimate convenience with eWallet which is an excellent Password Management system that I had absolutely zero to do anything with (complete objectivity). I own a Pocket PC that I can take anywhere to any machine with any OS; whether one I own, rent or use a friend’s PC and regardless of whether they are using a Mac, Linux or Windows. It contains every password for every website, every FTP password, everything I need to gain access and I only have to remember one pass. Even more convenient, more portable and I don’t have to rely upon something written only for the Mac or for Linux or for PC.
For other portable solutions, I don’t have to rely on USB port capability to plug into anything in another computer (like a thumbdrive/USB keychain) or worse have my passwords being transferred over the web. When I get back to the office it will automatically sync up with my machine so if I added any new passwords they are automatically on my primary work machine.
The only inconvenience is carrying the PDA, but then I’m sure you carry around devices (smartphone?). It would be even more convenient if I added biometric access to it, like I have on the Tablet PC (which incidentally doesn’t require the Roboform-like functionality, it will automatically fill forms after I’ve used a biometric signature).
The professional edition of eWallet cost me the same as your program which it doesn’t appear I could use on my Pocket PC and couldn’t run on multiple OS machines (yes/no?). Sorry but if that is the case then that makes the program you worked on less valuable to me. As for Roboform-like functionality? That is a benefit but once the passwords are stored into Firefox they can be secured (see the link in the main post above and comment #2).
Frankly, a password management and digital wallet system is the best use I’ve found for a PDA, next to being an address/phone database. I’m not opposed to trying other systems — and have — but none so far have been as strong security-wise, flexible and convenient as the solution we are currently using. I continue to be open to new ideas, products and services though, but I’m not seeing how your product would be better. In fact, I’m seeing the opposite. Good luck with your product. I might download and try for my Mac blog.
Comment by TDavid — July 8, 2006 @ 10:04 am PST
Thanks for taking the time to clarify. I know you could have used that delete button.
> eWallet, a commercial program that deals specifically with convenience
> in making both our online and offline lives easier.
I understand where you’re coming from now; if your PDA is an integral part of your life then of course eWallet is one of the programs you need. Where I’m coming from, however, is that I personally spend more time online than offline, so I want to optimize my online experience.
The reason I say eWallet & keepass are not convenient for me is that they don’t integrate directly with my online world — the browser. If I was on a sales trip and didn’t bring my laptop, then I would say the opposite.
Assuming you are using your browser on your PC or Mac, then to login to a site using eWallet you need to:
0. Sync your pda with your system. You do this once in the morning and once at night with your home machine.
1. Browse to a web site you’re interested in, let’s say your banking site.
2. Switch applications to eWallet. You navigate some menus & lists to find the entry for your bank.
3. Highlight the entry and select “Copy password to clipboard”
4. Switch back to your browser, highlight the password field, and paste your password.
5. Assuming your website remembered your login id, you can now click the login button.
With a password manager that is built directly within your browser, this process is greatly simplified:
0. Sync your passwords (varies by platform - on Mac you can use .Mac which makes it automatic — everything is synced in the background and in most cases you do not have to worry about sync).
1. Browse to a web site you’re interested in, let’s say your banking site.
2. Click “fill form” to select the entry you want (the list is automatically filtered by the current website’s domain).
3. If you used the AutoSubmit feature, then the form will be submitted automatically.
It may seem like it is “only” 2 or 3 less steps, but the fact that you never need to switch applications and things are done automatically for you makes a big difference.
But we are not just talking about convenience here, security is the main issue that sparked this conversation. With direct browser integration, you are protected from Phishing attacks and Keyloggers. Since you are only shown forms that match the domain of the current website, you are protected from accidentally entering your bank login credentials into a phisher’s site. As for keyloggers, direct browser integration protects you from that too since they do not use the keyboard nor the clipboard.
I hope I clarified why I said RoboForm & 1Passwd are more convenient for me.
BTW - I really like the “Subscribe to comments via email” feature you have here. I’ve been looking for a better blog software for my site - what are you using?
Comment by David — July 8, 2006 @ 1:02 pm PST
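The domain-matching behaviour David describes, as an added example that is not 1Passwd’s, RoboForm’s or any commenter’s code: a vault lookup that offers a stored login only when the page’s host is the stored host or a subdomain of it, so lookalike hosts and a plain-HTTP downgrade get nothing. The vault entries and the hypothetical hosts are constructed; a real manager would also consult the public-suffix list before treating subdomains as equivalent.

```python
from urllib.parse import urlsplit

# Constructed vault: each entry records the URL the login was saved on. Hypothetical data.
VAULT = [
    {"site": "https://bank.example.com/login", "user": "tdavid"},
    {"site": "https://mail.example.net/", "user": "tdavid"},
    {"site": "https://blog.example.org/wp-login.php", "user": "admin"},
]

def host_matches(stored_host, current_host):
    """True only when current_host is stored_host itself or a subdomain of it.
    The dot boundary is what defeats lookalikes such as bank.example.com.evil.test
    (stored host appears as a prefix) and bank-example.com (no boundary at all)."""
    stored_host, current_host = stored_host.lower(), current_host.lower()
    return current_host == stored_host or current_host.endswith("." + stored_host)

def entries_for(current_url, vault=VAULT):
    """Mimic the browser-integrated manager: offer only entries whose stored host
    matches the page the user is actually on, and refuse to fill over plain HTTP
    when the entry was saved on HTTPS (a downgrade is a phishing or MITM signal).
    Returns the usernames it would offer, in vault order."""
    cur = urlsplit(current_url)
    if not cur.hostname:          # not a URL at all: nothing to offer
        return []
    offered = []
    for entry in vault:
        stored = urlsplit(entry["site"])
        if not host_matches(stored.hostname, cur.hostname):
            continue
        if stored.scheme == "https" and cur.scheme != "https":
            continue
        offered.append(entry["user"])
    return offered
```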
It’s all good, David, I like conversations like this.
Actually steps #2,3 and #4 in your PDA example are not always the case. Some of those passwords are saved automatically in Firefox/Opera/IE/Safari (on the Mac sometimes), depending on which browser I’m using (Firefox #1, then Opera and IE). Again, see the post above and my comments. I don’t mind entering my credit card details on forms. I would never save that kind of sensitive information into a digital wallet.
You wrote: “BTW - I really like the ‘Subscribe to comments via email’ feature you have here. I’ve been looking for a better blog software for my site - what are you using?”
Thanks
This blog uses a customized version of Wordpress (free, see wordpress.org). The link to the subscribe to comments plugin (free) is linked below with the hyperlink under the question mark (it’s linked on every comment on this blog too). You can also subscribe to comments via RSS or subscribe to any discussion by keyword on this blog (that is part of the customization I wrote). Just do a search by keyword and look for the orange XML RSS icon to subscribe. This way if you wanted to follow any post where we used say the word “password” in a post [subscribe via RSS] you could. Geeky, but I think this is a pretty cool feature too.
Have a nice weekend! Sunny and blue skies here.
Comment by TDavid — July 8, 2006 @ 3:58 pm PST