Security Tip Series: Use a Password Manager (Guest Post)



Online Security Tips

A big thank you to Dave Raffensperger and Andrew Chi for this series of security tips! I’ll add links at the bottom of each post to the other posts in the series as they’re published. Here’s the first of several tips to keep your digital life secure.

Security Tip: Use a Password Manager

Have you ever been spammed by a friend’s email or Facebook account? A hacked online account is embarrassing at best and costly at worst.

One strategy hackers use is to break into a site and steal its password data (a number of known attacks have occurred at big names like LinkedIn and Evernote). This spring, the “Heartbleed” bug, which left secure servers open to data theft, brought another reminder of just how vulnerable many online sites can be. According to Wikipedia, the bug affected 17% (around half a million) of the world’s secure web servers and, even over a month after the attack became known, 1.5% of the world’s top 800,000 sites were still vulnerable.

When hackers steal passwords from one site, they try those stolen logins on other web email, social media and bank sites to find people who used the same or a similar password there. So, to be safe, your passwords should be different for every site and unguessable – like a random string of 16 characters – i.e. something unrememberable… even for you, unfortunately! (Web browsers like Chrome and Firefox can “remember passwords”, but they typically do not store them securely, since they do not require a master password to access them.)

You Just Need to Remember Two Passwords

A secure password manager will require you to know one longer password that allows you to access the rest of your passwords. Web/mobile managers include LastPass, PassPack, 1Password and RoboForm, or you can use an offline one called KeePass. However, you should memorize your email / work password in case you need to access your email without your password manager.

Security Questions

Some websites ask you security questions like “What’s your father’s father’s first name?” or “What’s the name of your first pet?” and then allow you to reset your password in the future by entering that information. So, if an attacker knew the answers (which they could possibly find or guess), they could access your account. Prevent this by entering random information for those questions and then storing these random answers in your password manager as well. With your answers handled this way, a hacker can’t guess your information to get into your account, and you won’t need to remember lots of different passwords and security question answers.

This may seem like a lot of work, but you can ease into it gradually. Start by getting a password manager set up and change the password for just one site. Then as you visit other sites, make a habit to reset their passwords to something long, random, and secure (often password managers can automatically generate such passwords for you), and store each unique password in your password manager.
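The two habits above (a random 16-character password that is different for every site, and a random answer to each security question) are easy to get wrong by reaching for a non-cryptographic random source. The following is an added example, not code from the post or from any of the password managers it names, showing how a generator would produce such values with Python’s `secrets` module: it guarantees each character class a site’s policy demands, checks the result against that policy, and reports the entropy in bits so you can see what “16 random characters” buys. The character-class table, the symbol set and the tiny word list are constructed for the example; a real word list for security-question answers would be far larger (thousands of words), which the entropy figure makes obvious.

```python
import math
import secrets
import string

# Character classes a site policy might require (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}

# Deliberately tiny word list, constructed for illustration only; a real list
# (e.g. a diceware-style list) has thousands of entries, which is what makes
# a four-word answer strong.
WORDS = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "acorn", "bridge", "copper", "desert", "engine", "forest", "glacier",
)


def generate_password(length=16, classes=("lower", "upper", "digit", "symbol")):
    """Return a random password of `length` characters drawn from `classes`.

    Every requested class appears at least once, so the result satisfies a
    typical site policy. All randomness comes from `secrets` (a CSPRNG), never
    from the `random` module, which is predictable.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    # One character from each required class, then fill from the whole alphabet.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Fisher-Yates shuffle driven by secrets.randbelow, so the guaranteed
    # characters do not sit in predictable positions at the front.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, classes=("lower", "upper", "digit", "symbol")):
    """True if every required class is present and only allowed characters are used."""
    allowed = set("".join(CLASSES[c] for c in classes))
    has_each_class = all(any(ch in CLASSES[c] for ch in password) for c in classes)
    return has_each_class and set(password) <= allowed


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols from `alphabet_size` choices.

    Forcing one character per class (as generate_password does) lowers this
    slightly; the figure is an upper bound that is close enough for comparing
    policies, e.g. 16 alphanumerics vs. 8 alphanumerics.
    """
    return length * math.log2(alphabet_size)


def random_security_answer(words=4, wordlist=WORDS):
    """Random, unrelated-to-you answer for a 'security question'.

    Words rather than symbols, because these answers sometimes have to be read
    aloud to a support line; store the result in the password manager.
    """
    return "-".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password(16)
    print("password:", pw, "policy ok:", meets_policy(pw))
    print("entropy of 16 chars over 62 alphanumerics: %.1f bits" % entropy_bits(16, 62))
    print("entropy of 16 chars over full set: %.1f bits"
          % entropy_bits(16, sum(len(v) for v in CLASSES.values())))
    print("security answer:", random_security_answer(),
          "(%.1f bits with this toy list)" % entropy_bits(4, len(WORDS)))
```

The entropy line is the practical check: 16 characters from 62 letters and digits is about 95 bits, far beyond what an attacker can brute-force from a stolen password hash, whereas four words from the 32-word toy list above is only 20 bits, which is why a real word list must be large.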

What’s your strategy for keeping your passwords secure? Are you using a password manager that you’d like to recommend?


Guest Post by: Dave and Andrew

Dave Raffensperger is a Cru staff in Boston. He and his wife Erin are expecting a baby in November! Follow Dave at @draffensperger or check out his blog at davidraff.com.

Andrew Chi is a Ph.D. candidate in Computer Science at UNC-Chapel Hill.


5 thoughts on “Security Tip Series: Use a Password Manager (Guest Post)”

  1. I have been using the free KeePass tool for many years. I LOVE IT. I have more than 400 web sites, bank accounts, airline/travel sites, etc. in there. I keep every password and login, as well as every bank account number, utility account number, etc.

    There are 3 things I find helpful about KeePass:
    1. The random password generator. I can select the requirements for the site (# of characters, alpha/numeric/symbols) and then KeePass will generate a password that meets those requirements.
    2. Automatic password entry. In KeePass I select the username/password I need, and KeePass will then Alt+Tab to the browser, fill in the username and password for me, and press Enter to login; this means I am not typing *anything* for the site.
    3. Sharing it with my family. It’s one thing to keep my *own* passwords; but my spouse needs them too. I keep my KeePass database in Dropbox, so my wife can open the same file and get the logins she needs.

    The main drawback with password software, of course, is that with these random passwords even *I* cannot get into my sites without KeePass open. I just got KeePass on my iPhone, but I haven’t used it yet.


  2. Thanks for this great (and thorough) review, Bob. Mike has security software, Splash ID, that he wants me to start using, too. Now that I read Dave’s advice to start small, I think I’d better begin using it and be secure!

    Everyone, when Bob mentions he didn’t physically enter anything (his software entered the information), that is especially useful because you don’t want someone to track your keystrokes on a public computer or if your computer was stolen. This may be a rare scenario, but is still a great extra measure of security.

