The importance of good passwords

Chances are you’ve been told time and time again that there are a couple of rules of thumb for generating a strong password for any of your accounts:

  • Don’t use any words found in the dictionary
  • Don’t use personal information (e.g. your birthday or your pet’s name)
  • The longer the password the better

These suggestions hold true, but thanks to the recent Gawker password compromise, a lesser-known rule of thumb has gained attention:

  • Don’t use the same password for all your accounts

First, a little background in case you don’t follow security goings-on: Gawker, a blog network which includes Gizmodo, Lifehacker and others, recently had their servers compromised. Hackers gained access to all the emails and passwords of registered Gawker network commenters. The passwords were encrypted (i.e. stored in such a way that one can’t simply read the password without a lot of effort), but sadly the encryption method used was out of date and fairly easy to “crack” (or decode). The hackers managed to decrypt a number of passwords, and given enough time they will be able to decrypt all of the passwords in the file.

Obviously, this is a black eye for the Gawker organization but it could also spell bad news for those folks whose password is included in that file. By this time you should have received an email from Gawker if your email address was included in the file, but just to be sure you can search the file for your email address here.

I’m on that list, what now?

First off, change your Gawker password. If you use that same password for more than one account then you should change your passwords on any account which uses the compromised password. You should also consider toughening up your passwords.

Hardening your passwords

Security professionals, like myself, would love it if people created unique and complex passwords for each of their accounts. That’s the ideal, but we live in the real world where the ideal and the practical hardly ever meet. There are some ways to “harden” your password security though:

  • Group your accounts together, like with like. Financial accounts each get unique, complex passwords, and lesser accounts (like blog commenting accounts) share a different (complex) password.
  • Use a password manager (see the section below).

Password managers

I have a horrible memory, and yet just yesterday I created an ecommerce site account with a password 50 characters long. Am I crazy? Slightly. However, I don’t need to remember that super long password (nor did I need to come up with it myself) thanks to my password manager.

A password manager is an application that securely generates and stores passwords for you, allowing you to create unique, complex, and strong passwords for all your accounts. Some of these apps will even detect that you’re on a Web site on which you have an account and log you in… neat, huh?
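To make the rules of thumb above and the manager’s job concrete, here is a small added example (not code from this post or from any of the products it mentions) that generates a long random password the way a manager does, checks a password against the rules listed earlier, and flags passwords reused across accounts. The dictionary, personal details and the 12-character minimum are constructed assumptions for the demo.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample data: a tiny "dictionary" and a few personal details
# that an attacker could guess from a public profile.
SAMPLE_DICTIONARY = {"password", "gizmodo", "lifehacker", "welcome", "monkey"}
SAMPLE_PERSONAL = {"scott", "fluffy", "1980"}
CHARSET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # assumed floor; the post only says "longer is better"


def generate_password(length=50):
    """Generate a password like a manager would: CSPRNG, every character class present."""
    if length < 4:
        raise ValueError("length must leave room for one char of each class")
    while True:
        pw = "".join(secrets.choice(CHARSET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def check_password(pw, dictionary=SAMPLE_DICTIONARY, personal=SAMPLE_PERSONAL):
    """Return the rules of thumb the password violates; an empty list means it passes."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if any(word in low for word in dictionary):
        problems.append("contains dictionary word")
    if any(item in low for item in personal):
        problems.append("contains personal information")
    return problems


def find_reused(vault):
    """Given {account: password}, return {password: [accounts]} for any password used twice."""
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed vault: the Gawker-style reuse the post warns about.
    vault = {"bank": generate_password(), "gawker": "fluffy1980", "forum": "fluffy1980"}
    for account, pw in vault.items():
        print(account, check_password(pw) or "ok")
    print("reused:", find_reused(vault))
```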

The benefits of using a password manager are pretty clear:

  • Complex password generation and storage in a secure manner
  • No need to remember all those wacky passwords
  • Many of these applications will also store your credit card information for you, so you can fill in order forms and the like with a single click instead of manually filling them out.

Sounds great, doesn’t it? The only downside to using a password manager comes when you’re on a computer that doesn’t have the password manager installed and you need to log into an account with one of your crazy long passwords. I was a little nervous about this situation myself, but I’ve been using a password manager for a couple of years and have only encountered this situation a few times.

There are a plethora of password management applications and services out there, so a little research to find out which one works best for you is required. That being said, I can point you to the applications that the security team here at Wharton uses:

1Password

1Password is my favorite password manager, and it runs on OS X, Windows, the iPhone, and the iPad.

1Password costs $39.95 and it is well worth every cent.

Password Safe

If open source and free is more to your liking, check out Password Safe. Since it is open source there are a number of variants of Password Safe which run on a variety of platforms.

Password Safe is free.

LastPass

Finally, LastPass is a browser extension which keeps track of your passwords for you. I haven’t actually used LastPass myself, but this Lifehacker article outlines how you can use it to audit and secure your passwords.

LastPass has a basic account that is free, and a premium version which costs $1 a month.


About Scott McNulty

I'm a writer in a technologist's body.

2 Responses to The importance of good passwords

  1. Timothy Allen says:

    I’ve become a huge fan of Password Safe. It makes life so easy, and allows us to share an encrypted password file amongst the development team that can be imported after password changes.

  2. Jamie Ly says:

    KeePass user here! I use a method Lew suggested, synching a TrueCrypt file via Dropbox to my various devices, although I don’t think there is a mobile client.

Copyright © 2014 The Wharton School, University of Pennsylvania