
The secret to online safety: Lies, random characters, and a password manager



nsane.forums

Or how to go from "123456" to "XBapfSDS3EJz4r42vDUt."

It's time to ask yourself an uncomfortable question: how many of your passwords are so absurdly weak that they might as well provide no security at all? Those of you using "123456," "abc123," or even just "password" might already know it's time to make some changes. And using pets' names, birth dates, your favorite sports teams, or adding a number or capital letter to a weak password isn't going to be enough.

Don’t worry, we're here to help. We’re going to focus on how to use a password manager, software that can help you go from passwords like "111111" to "6WKBTSkQq8Zn4PtAjmz7" without making you want to pull out all your hair. For good measure, we'll talk about how creating fictitious answers to password reset questions (e.g. mother's maiden name) can make you even more resistant to hacking.

Why you can’t just wing it anymore

A password manager helps you create long, complicated passwords for websites and integrates into your browser, automatically filling in your usernames and passwords. Instead of typing a different password into each site you visit, you only have to remember one master password.

Why bother? The algorithms and tools hackers use to crack passwords are becoming ever more sophisticated and powerful, as we explained last year in "Why passwords have never been weaker—and crackers have never been stronger." Even people with no experience cracking passwords can do so with the tools available today. And as Wired's Mat Honan discovered from personal experience, the interconnectedness of online accounts coupled with insecure password reset mechanisms creates gigantic risk. Once a hacker gets into one of your accounts, all of them may be vulnerable.

Too often people reuse a password across even their most important accounts, or use a base word and add a number or symbol for different sites. A weak password can be exposed by so-called "brute-force cracking," in which computers try all possible passwords until the right one is found. “Dictionary attacks” are more common, however. These use lists of millions or even billions of previously cracked passwords. Even worse, there have been numerous examples of vendors practically gift wrapping password information, storing users' passwords in plain text or suffering security breaches that expose cryptographically hashed password data for millions of people.

Even if your password is exposed only in an obscured, "hashed" form, it's vulnerable to hackers converting it to plain text. This is especially true for weak passwords, although we've seen that even relatively strong passwords can be cracked. If a password you use across many sites is exposed in this way, you could see hackers gain access to your e-mail, financial accounts, and social networking profiles.

"Passwords are a terrible system. I mean, passwords are awful," said Jeffrey Goldberg, Chief Defender Against the Dark Arts (yes, that's his real title) at AgileBits. His company makes password management software called 1Password.

So why does Goldberg spend his career helping users manage passwords? As bad as passwords are, no one has come up with anything good enough to replace them across the whole Internet. Goldberg hoped for some 15 years that client certificates (digital signatures to identify users and Web services) would do the trick, but the technological and implementation barriers proved too great.

Two-factor authentication systems combining passwords with a second verification method (like one-time security codes sent to your cell phone) are improving matters, but while they've been adopted by the likes of Apple, Google, and Microsoft, you won't find them on every site you care about. PayPal's top security chief is working on a plan to "obliterate passwords from the face of the planet," but that won't realistically happen any time soon.

"People have been trying to replace passwords for a long time, and they all run into the same handful of fundamental problems," such as challenges in setting up a network of trusted third parties to handle authentication, Goldberg said. Thus, the need for passwords and for users to practice good password security "isn't going to disappear over the next few years." Password managers make a terrible system less terrible in Goldberg’s view.

We recently gave three hackers a list of 16,000 hashed passcodes, and they cracked nearly 90 percent of them. To stay in the safe zone, we recommended that passwords contain a "minimum of 11 characters, contain upper- and lower-case letters, numbers, and letters, and aren't part of a pattern." Password managers will help you create truly random passwords that go well beyond 11 characters.

1Password is one of numerous password management systems. Others include LastPass and KeePass. Now, password managers aren't perfect—there is no such thing as perfect online security in 2013—and they aren't necessarily right for everyone. But if used properly, they would undoubtedly improve security for a large population of people using weak passwords. There may be dozens of websites that you have to log into; without a password manager or some other system, creating strong passwords for each one and remembering them would be a nightmare.

"The way our brain works, most of us, you won't be able to remember completely unique passwords for each and every site," Per Thorsheim, a security expert who organizes the annual PasswordsCon conference, told Ars. "We need some logic, we need something to make our brains able to remember those passwords."

Thorsheim is a user of LastPass. He notes that password managers often rely on cloud-based systems to sync logins across devices, introducing a small risk that criminals could target a single point of weakness by hacking into your password service. But the benefits of a system that creates ultra-strong, unique passwords for each site you visit outweigh this risk. And this risk is small. Your data is encrypted on your own computer before being sent to cloud servers and your master password is never stored by any cloud service. "I trust their encryption scheme," Thorsheim said of LastPass. "I also trust in what I see from AgileBits and others."

Making a password manager part of your routine

I bought 1Password for myself several years ago to help me strengthen my security, particularly for banking and other financial accounts. So let’s look at how to use a password manager with 1Password as an example. Note that this is not an endorsement of 1Password over other systems, as we'll talk about how different password managers offer different approaches.

1Password comes in two parts, a desktop application and a browser plugin that automatically fills your passwords into Web forms such as your e-mail, Facebook, or bank site. 1Password stores all of your passwords in an encrypted file, which can only be accessed with a master password. The first step is choosing a master password that's ultra-strong and that you're capable of remembering. Tips on how to choose a master password are coming (on page 3) but for now, let's look at how 1Password and other password managers integrate into your workflow.

Each time you use 1Password, you'll type in your master password to get started:

Article continued at source link below...
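To make the Ars recommendation quoted above concrete, here is an added example in Python; it is not code from the article, from Ars, or from any password manager vendor. It checks a password against the quoted rules (at least 11 characters, upper- and lower-case letters, digits, no pattern), flags the structure that dictionary and brute-force attacks guess first, generates a random password of the same shape as "6WKBTSkQq8Zn4PtAjmz7" from the operating system's random source, and reports the brute-force search space in bits. The four-entry cracked list and the repeat/sequence heuristics are constructed stand-ins, not real cracking data.

```python
import math
import re
import secrets
import string

# Letters and digits: the alphabet of the article's example passwords.
ALPHABET = string.ascii_letters + string.digits
# Constructed stand-in for the multi-million-entry lists used in dictionary
# attacks, seeded with the weak passwords the article names.
CRACKED_LIST = {"123456", "abc123", "password", "111111"}

def has_pattern(pw: str) -> bool:
    """Cracked password (even with a tacked-on suffix), repeated run, or 1234/dcba-style sequence."""
    lower = pw.lower()
    base = lower.rstrip(string.digits + string.punctuation)
    if lower in CRACKED_LIST or base in CRACKED_LIST:
        return True
    if re.search(r"(.)\1{2,}", pw):
        return True
    for i in range(len(pw) - 3):
        codes = [ord(c) for c in pw[i:i + 4]]
        if {codes[j + 1] - codes[j] for j in range(3)} in ({1}, {-1}):
            return True
    return False

# The Ars recommendation quoted in the article, as (check, what is missing).
RULES = [
    (lambda pw: len(pw) >= 11, "at least 11 characters"),
    (lambda pw: any(c.islower() for c in pw), "a lower-case letter"),
    (lambda pw: any(c.isupper() for c in pw), "an upper-case letter"),
    (lambda pw: any(c.isdigit() for c in pw), "a digit"),
    (lambda pw: not has_pattern(pw), "no pattern or cracked-list match"),
]

def check_policy(pw: str) -> list:
    """Return what the password is missing; an empty list means it passes."""
    return [missing for ok, missing in RULES if not ok(pw)]

def generate_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG (secrets, never random) until the policy passes."""
    if length < 11:
        raise ValueError("policy requires at least 11 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(pw):
            return pw

def brute_force_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Search space in bits for a uniformly random password: log2(N ** length)."""
    return length * math.log2(alphabet_size)
```

A 20-character password over 62 symbols has about 119 bits of search space, against under 20 bits for a six-digit PIN such as "123456"; the loop in generate_password simply discards the rare random draws that happen to miss a character class.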


15 years of using the same email & password and never been touched by anything but annoying spam emails!

Forgot to mention: LastPass <

The internet is no longer a safe place!



We might need to have Eye Scan, Fingerprint and Blood test for extra protection :unsure:



stylemessiah

15 years of using the same email & password and never been touched by anything but annoying spam emails!

Forgot to mention: LastPass <

The internet is no longer a safe place!

Agree

I've never been compromised and my passwords on most sites aren't hieroglyphics

I'd feel LESS safe using LastPass etc., as breaches there, as there have been over the years, reveal ALL your passwords in one hit

I'm happy to let script kiddies try and hack one of my passwords on a single site

The argument that a password manager is safer is retarded
