The other day we were having a family meal (that doesn't happen too often) and the conversation turned to passwords (and that never happens! :-).
Of course, everyone in the family has accounts on various social media sites as well as other sites. I've given the parental/security advice about passwords. In particular, we were discussing not reusing passwords among websites.
We've all heard about the LinkedIn password breach. Basically, the LinkedIn hashed password file was stolen via a SQL injection attack. LinkedIn did not do a good job salting (to add randomization) or hashing the stored password files. So with the encrypted password file in hand, the attackers can throw all their computing power at cracking passwords. Included in the value of cracking these passwords is the high odds that many users have reused these same passwords on other sites, such as their online banking.
The dilemma is... if you use a different password on each of the many (many, many) sites on which you have an account, and these should be "strong*", then how can you possibly remember or record them all?
(*a password is often considered strong if it is at least 8 characters long, contains upper and lower case letters as well as numbers and symbols, and isn't the same as your login ID or similar to a word. I'll have more to say on that subject in a future post.)
The answer is... an encrypted password vault.
A password vault or password manager is a program that stores a strongly encrypted copy of all your userid's and passwords (and other associated info). There is a "master password" that allows you to decrypt and use your passwords. Of course, this master password needs to be good (strong)!
A vault can also hold other kinds of information that you may need but can't always remember. Most vault programs can run on a PC or Mac, and many have mobile apps for your tablet or smartphone.
Here are a few of my favorite/recommended password vaults (there are many other good ones out there):
- KeePass - http://keepass.info/ - a free open-source password manager
- Password Safe - http://passwordsafe.sourceforge.net/ - another free open-source manager; created by well-known security expert Bruce Schneier
- LastPass - http://lastpass.com/ - this is my favorite. LastPass integrates with your browser. The base program is free. There is a $1/month charge for the mobile version (android, iPhone, Windows Phone, Blackberry).
There are similarities and differences among these products. All can generate random passwords and use strong industry-standard encryption. LastPass can also fill forms, hold secure notes and synchronizes online.
The "key" to your password vault is a (preferably very) strong master password. Of course, you must protect this password because it's the gateway to all your passwords, and you must not lose it because then you will lose access to all your (likely not memorized) passwords! There are various techniques for protecting your master password, but I favor either simply remembering it or writing it down and keeping it in a secure place as Schneier describes.
Do you use a password vault? If so, which one? If not, how do you keep track of your passwords?