Wednesday, March 27, 2013

Password management and personal data security

Lots of passwords, lots of security, right?

We cannot avoid passwords; they are everywhere:

  • Online banking
  • Online shops
  • Email accounts
  • Social networking sites
  • Credit card pins
  • Mobile phones
  • Laptops and PC's
  • Forums, news websites, blogs
  • ... and of course great web applications like :-)


So all these passwords must mean all of our personal data is super safe, right? Well 'potentially' yes, but unfortunately the way the vast majority of people manage their passwords actually means the opposite.

Three common behaviours that make our lives much less secure:

  1. We use the same passwords for many different applications and web sites.
  2. We choose insecure passwords, for example derived from family member names and memorable dates.
  3. We do not frequently (or ever) change our passwords.

When the above three behaviours are combined, our personal data is definitely at risk, and life is made much easier for hackers and criminals.

It gets worse.

And to make matters worse, lots of people are members of the same set of common websites (it would be quite normal to expect somebody to have an active account with any of the following: Amazon, Google, Yahoo, Facebook, PayPal, Skype, eBay).

Things could get ugly

Let's look at an example: suppose "Mr Smith" uses the same password for many sites, and his password is "Buster75" (possibly derived from a pet name and year of birth). Firstly, the password is 'relatively' easy to guess, especially as dates of birth and pets are often publicly plastered all over social networks. So if a criminal were to guess the password, they could then attempt to gain access to a number of other websites on the assumption that the same password may be used again and again - this process is made even easier if the password is never changed.

And of course, if somebody does gain unauthorized access to email accounts, they will very likely find a gold mine of very valuable information - official document scans, social security numbers, invoices, bank details, further passwords to other websites and of course an enormous amount of personal information of friends and family.

Password manager to the rescue

The good news is that good password security is really easy. By using password management software like 'Password Safe' for Windows or 'Password Gorilla' for Linux and Mac OS, all three of the bad behaviours listed above are easy to prevent. Both 'Password Safe' and 'Password Gorilla' are completely free, and both securely store passwords in the "psafe3" file format - a very secure, encrypted file format.

Just a single password?

Password managers work by allowing us access to all of our passwords by only having to remember a single password.

So the only password we need to remember is the password that opens our password 'safe' file. And as we only need to remember one password, we can choose something obscure, longer and far more difficult to guess, for example "MarzipanLadderFrog1604" (something I just invented).

For all of our other passwords - the ones we actually use to access websites etc, we can use our password manager software to generate a very long and very secure password for us, for example "7KDLW5EgvkFKXZHb". And because we no longer have to remember these individual passwords, we can generate a new unique password for each website we use. So using a password manager, we have now prevented the first two of our three bad behaviours (above).

The last behaviour we want to stop is that of not changing our passwords frequently. And actually a password manager makes this process much easier too - we no longer have to scratch our heads trying to think up 30 new passwords that we will be able to remember; we go to the website's 'change password' page and, when we are asked to enter a new password, just use the password manager to generate a new secure password. So regularly changing all your passwords is now a quick and secure process.
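As an added illustration of the three points above (this is example code written for this page, not part of Password Safe or Password Gorilla), the following Python script generates passwords the way a password manager does (from the operating system's cryptographic random source), estimates how much guessing work a password like "Buster75" versus "7KDLW5EgvkFKXZHb" represents, and audits a small constructed vault for the three bad behaviours: reuse across sites, weak passwords, and passwords that have not been changed for a long time. The vault entries, the 90-day change interval, the 60-bit strength threshold and the 20,000-word name list are all assumptions made for the example.

```python
import math
import re
import secrets
import string
from collections import defaultdict
from datetime import date, timedelta

# Character pool used by the generator: upper + lower + digits, 62 symbols.
# The post's example "7KDLW5EgvkFKXZHb" is drawn from exactly this pool.
ALPHABET = string.ascii_letters + string.digits

# Assumed size of the "pet names and family names" list a person picks from
# when inventing a password like "Buster75". Illustrative guess, not a measurement.
ASSUMED_WORDLIST_SIZE = 20_000


def generate_password(length=16, alphabet=ALPHABET):
    """Return `length` symbols chosen uniformly from `alphabet` using the
    OS cryptographic random source (the `secrets` module), never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(pool size)."""
    return length * math.log2(alphabet_size)


def estimated_entropy(password):
    """Rough strength estimate in bits.

    A 'word followed by 2-4 digits' pattern (pet name + year) is scored as one
    pick from the assumed word list times the digit range. Anything else is
    scored as if every character were random over the classes it uses, which
    is an upper bound on strength, not a guarantee."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{2,4})", password)
    if m:
        digits = len(m.group(2))
        return math.log2(ASSUMED_WORDLIST_SIZE * 10 ** digits)
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return random_entropy_bits(len(password), pool) if pool else 0.0


def audit_vault(entries, today, max_age_days=90, min_entropy=60):
    """Flag the three bad behaviours in a vault export.

    `entries` is a list of dicts with keys 'site', 'password' and
    'last_changed' (a datetime.date). Returns {site: [finding, ...]} for
    every site that has at least one problem."""
    findings = defaultdict(list)

    # Behaviour 1: the same password used on more than one site.
    sites_by_password = defaultdict(set)
    for e in entries:
        sites_by_password[e["password"]].add(e["site"])

    for e in entries:
        others = sites_by_password[e["password"]] - {e["site"]}
        if others:
            findings[e["site"]].append("reused on " + ", ".join(sorted(others)))
        # Behaviour 2: a guessable password.
        bits = estimated_entropy(e["password"])
        if bits < min_entropy:
            findings[e["site"]].append(f"weak ({bits:.0f} bits)")
        # Behaviour 3: a password that is never (or rarely) changed.
        age = (today - e["last_changed"]).days
        if age > max_age_days:
            findings[e["site"]].append(f"stale ({age} days since change)")
    return dict(findings)


# Constructed sample vault (no real accounts), dated to the post.
SAMPLE_TODAY = date(2013, 3, 27)
SAMPLE_VAULT = [
    {"site": "amazon", "password": "Buster75", "last_changed": date(2010, 1, 1)},
    {"site": "paypal", "password": "Buster75", "last_changed": date(2010, 1, 1)},
    {"site": "email", "password": "7KDLW5EgvkFKXZHb",
     "last_changed": SAMPLE_TODAY - timedelta(days=10)},
]

if __name__ == "__main__":
    bits = random_entropy_bits(16, len(ALPHABET))
    print("new password:", generate_password(), f"({bits:.1f} bits)")
    for site, problems in audit_vault(SAMPLE_VAULT, SAMPLE_TODAY).items():
        print(site, "->", "; ".join(problems))
```

Running the script flags both "Buster75" entries as reused, weak (about 21 bits under the word-plus-year model) and stale, while the generated 16-character password (about 95 bits) on the recently changed "email" entry produces no findings. The two strength numbers are the whole argument of the post in one line: a memorable name-and-year password is millions of guesses, a generated one is astronomically more.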

Are there more benefits?

So now that we have wonderful strong passwords for all our online accounts and we are changing them frequently, when we are using a trusted device (our own laptops etc.) we can use the feature of modern web browsers that stores our website passwords for us - which makes our lives easier again. Of course, if you are concerned with laptop security, you should use something like 'TrueCrypt' to encrypt your hard disk.

And as psafe3 files are securely encrypted and software independent, you can use file sharing and synchronization systems to share your password safe files between computers running different operating systems.

Another benefit of using a password manager is that you also have a complete list of all the places you have accounts - which is often a surprisingly long list. It's just nice to know exactly who has your data.

And if you forget your master password?

If you forget your password safe's master password, yes - you're in trouble. But there are many ways to prevent this. If you have an actual physical safe installed at home, you could store the master password there (on a memory stick, for example). Another (or additional) technique is to use two password safe files with different master passwords, where each password safe file contains the master password to the other. One password safe is mine, and the other is my partner's. So if either one of us forgets our master password, the other person can unlock it. And if you don't actually want to store the master password anywhere else, you could store a 'password hint or reminder' instead.

So there it is - Use a password manager to manage your passwords and help keep your personal data secure.


