How should I manage my passwords?
Heartbleed. The end of XP. Zero-day Internet Explorer attacks. April was a tough month for security on the Internet -- are the days of safe browsing over?
Probably not. But it is time to make sure you have good password management processes -- or learn how to do it if not.
Most of the recommendations in those posts are still quite valid -- the one important thing that has changed is it's really no longer safe to use the same password across a bunch of sites. Every day we hear about new sites that have had their password database compromised, and if an attacker can figure out your password on one site, they will almost certainly try it on others. So that means it's time for just about everyone to start using a password manager.
These days I use KeePass for my passwords, mainly because it's open source, completely free, and available for all my computers and phones. There are several variations of this, for each system:
The first thing is to do just a touch of planning. You can see from the download page that there are two major versions of KeePass, a 1.x and a 2.x version, and the file format has changed. So first make sure that you get programs for each of your devices that share the same version.
I've been really happy with KeePassX on Linux, which uses the version 1 database format, and that's supported on my Android devices just fine.
Download and install to each of your devices.
Password managers keep track of all your passwords in a single encrypted file, which you need to decrypt whenever you want to use it. Your master password is used as a secret key to encrypt your password database, and without it, it can be virtually impossible to crack -- unless your master key is short and guessable.
My earlier post on Hard Passwords Made Easy has some very good tips on creating a memorable strong password. I still hear security professionals recommend my favorite approach after all these years: Diceware.
KeePass has a number of ways of importing passwords from other formats. I was able to import directly from my previous password manager, but you can also load from a CSV file if you want to get organized in Excel. Be sure to delete your source files when you're done!
Now comes the glue that makes your passwords available wherever you are: save the password database into Dropbox or some other file sync service. Dropbox has software for all operating systems, and will automatically copy the password databases to all your other devices.
For mobile devices, be sure to mark the file as a "Favorite" so Dropbox keeps a copy up to date you can use even if you go offline.
This will take you maybe 1/2 hour to get set up. Do it now. Once you have your master password, you can forget all the rest of your passwords, and simply copy in from your password database.
I particularly like how I can open up a web site, make sure the cursor is in the username field, find the entry in KeePassX, and use Ctrl-V to auto-type the username, password, and hit the login button. You don't even have to see the password -- it stays hidden the whole time, so you can even do this while doing a presentation in front of a group!
It will also generate strong passwords for you with a couple clicks.
Think you're not a target for an attacker? You could always amuse the rest of us by becoming the next Internet experiment, like Woody Brown. He posted his passwords to a comment on the Washington Post web site to show how little security can matter. Sure enough, his Twitter, Facebook, and blogs all got taken over by pranksters. He does make a great point about this not really affecting him all that much -- but that's probably because he has not developed much of an online reputation that was worth anything.
If you have a business, your reputation counts -- more and more business comes from being online. If you're ever going to search for a job, any future employer is going to be looking at your online footprint for any warning signs. Being careless about Internet security might be fine if you do no online banking, never shop online, are at the end of your career, and are not trying to sell anything to anybody.
For the rest of us, it's time to start using a good password manager. Now.
As usual, lots of changes at Freelock. One thing that hasn't changed is our commitment to deliver the best results we can. One major part of that is getting very clear with our customers exactly what results we all want to achieve.
To faciliate that role, Rob Mathewson joined the team at the beginning of March. Odds are if you work with Freelock, or want to work with Freelock, you’ll be talking to Rob. With over 20 years in sales and marketing management roles, we think he’s more than qualified and we’re excited to have him on board!
Rob has managed numerous development projects in Ruby on Rails, Drupal and iOS. He's accustomed to commanding the role of customer advocate, ensuring that dev teams deliver clean, highly usable UX that meets user needs and exceeds product owner expectations. Rob is an accomplished public speaker and is a past president of Emerald City Toastmasters. Rob holds a B.S. in Manufacturing Engineering from Boston University and a MBA from Seattle University.
That's just the beginning, there's lots more in store. As always, if we can help with your web project in any way, please drop us a line or give us a call, we'd love to help your business or organization succeed!