Tuesday, August 13, 2013

More Problems with Passwords???

   While I like to write about a variety of security-related topics, it seems that issues with passwords
keep coming up again and again.

   Passwords, and in particular their use for online authentication, are a mess.  I've written about this a number of times including here, here and here.  My advice for online use of passwords has been the same all along.  I've always said:
  1. choose good long passwords (long sentences are just fine)
  2. use a password vault, and
  3. use a unique password at each online site.
  4. (bonus) use 2-factor authentication for online sites when available (and complain if it isn't available yet!) 
   But... I had missed something!  There is another key thing that everyone needs to do to protect their online passwords... Don't Store Passwords in Your Browser!

   This past week we learned about a "feature" in Chrome.  If you choose to allow the browser to save site passwords, presumably to make it easier to log in next time, then anyone else using your computer can potentially read those credentials: the browser's saved-passwords settings page will reveal each stored password in plain text, without asking for any password of its own.  You can read the details in articles here, here and here.  These articles reference the original online conversation between developer Elliott Kember, who raised the issue, and Google Security Lead Justin Schuh.  Schuh argues, correctly as far as it goes, that if someone has physical access to your machine (or to your unlocked, logged-in session) then that person can own your data anyway.  However, as Kember and others have pointed out, many users were unaware of this "feature", and there are many situations in which people share computers or leave them unlocked.

   Some have suggested that having the browser protect stored passwords with a master password, like Firefox does, will solve this problem.  That would help, provided the master password actually encrypts the stored credentials rather than merely hiding them in the user interface.  But the browser's job is to render untrusted web content, and it is a very large piece of software with a correspondingly large attack surface.  Browsers have security features, but when it comes to something as important as your passwords, you are much better off using a password vault, which is specifically made for this purpose and has only one job: protecting your information!

   The bottom line is that people should not store passwords in browsers.  So, going forward, I will augment my advice for using passwords online:
  1. choose good long passwords (long sentences are just fine)
  2. don't store passwords in your browser,
  3. use a password vault, and
  4. use a unique password at each online site.
  5. (bonus) use 2-factor authentication for online sites when available (and complain if it isn't available yet!)
   Thoughts?  Do you think this is an issue?  How do you protect your online passwords?  If you are a security professional, how do you advise others to protect their passwords?
