Password Management

With the latest internet security failure, Heartbleed, everyone’s talking about protecting their accounts. Here are my tips. Keep in mind, there are many ways to keep your accounts safe. Also, and I can’t stress this enough, if someone wants your information badly enough, they will find a way. You’re only defense (besides staying offline) is to make it as hard as you can for people to crack.

First some history. Since the beginning of computers, people have used usernames and passwords to access systems. Back in the day, the easiest way to hack someone’s account was to use either brute force or dictionary attacks. In brute force, you specify the number of characters, and the program tries every possible combo. (0000001, 0000002, 0000003, etc.) until it found the password. In dictionary attacks, you’d have a list of the 5000 or whatever most common passwords, and try each one, and hope to get lucky.

As these attacks became more common, database designers came up with a simple, but super effective defense: max login attempts. After 5 or whatever failed attempts, your account would be locked, and you’d have to prove your identity to unlock it. Another defense was the captcha system which, while a pain in the ass, worked for a time. Then attackers just wrote programs to bypass captchas.

So now the most common ways to access a system is to skip the user interface, and go straight to the database. People can use SQL Injections, or side loading to try to gain access to the database where the information is stored. This introduced a new problem. Now, instead of just gaining access to one user’s information, they get it all. They don’t get one account, they get thousands of usernames and passwords.

Another method used is packet sniffing. When you connect to a wireless point, you send a request to go to a website. The server then sends that site to your screen. In the process you send packets, and the server sends packets back. Well with sniffing, an attacker can access those packets. They won’t get your password, but they won’t need to. If you’re logged into Facebook, so are they.  The solution is to use HTTPS. Sniffing doesn’t work against HTTPS. It’s like your packets are sent in a tunnel, and the attacker can’t get in.

So here are my tips. First, use HTTPS as much as possible. Some sites, like Facebook use HTTPS by default. If you look at the address bar, it should say “https://…” instead of “http://…” For other sites, there might be a setting somewhere. There are also extensions for your browser that will force HTTPS.

Next, use dual authentication. This is probably the best way to protect your accounts, but only a few sites offer it. I use it for Google. Basically, you log into your account, then it asks for a numeric code. You install an app on your phone that creates a new code every 30 seconds. You enter that code, and you get in. Thus, the only way to get into your account, is to have both your password, and access to your phone. Again, you have to play with the settings to set it up, but I know that Google, Twitter, Facebook, and Dropbox offer it.

Finally, we get to password managers. A third type of attack that I didn’t mention was keyloggers. They are basically applications that are installed on your computer and stay hidden. They record every key you type, and then save them to a log, or email that log to the attacker. On the plus side, they are caught as viruses in almost all antivirus programs 98% of the time. Still, it is a threat.

I use a program called 1Password, though there are many others, like LastPass. The only reason I use 1P, is because I found a “free” version online. Arrg, if you be wantin’ the frrree version too, ya must hoist yer mainsail and travel the 7 seas. If you know what I mean.

1Password saves your passwords as an encrypted keychain that is stored either locally on your computer or on Dropbox. There’s a mobile app, a desktop app, extensions, and you can even open the keychain in a browser, via Dropbox. You create a master password that is used to open the keychain. Once in, you can find all of your usernames and passwords. While you’re at it, the program can create randomly generated passwords, like “asfdsaDVBew76”. You will never remember this. But neither will anyone else. So you go through and change all of your passwords to randomly generated ones. You save them in 1P.

To log into a site, you can either open the 1P app on your phone, or use the 1P extension for your browser. Enter your master password, then just click on the site you want to log into. It enters your username and password and logs you in. At home, I use the Extension. At work, or anywhere else, I use the phone. Without the master password, no one can access my other passwords. And even if they somehow got access to my keychain, it’s encrypted, so they still can’t get in.

That’s all you can really do. Just be diligent. I know a password manager or dual factor authentication adds some extra steps, but it’s better than losing access to… your banking account… your Facebook… your email… etc.