Tuesday, February 9, 2016

How To Vault (part 1)

   I was recently asked to provide more information on vaults.  I think this is a memorable one :-).

   Well, to be more precise, the question was about password vaults...
   "You've talked about password vaults and it seems like something I should do, but I'm not sure how to start and it still seems a bit scary."
   That is a great question.  We've talked about passwords and password vaults a number of times in the past including here, here and here.

   But why do we even need something like a password vault?  There are a few reasons, and they have to do with the problems passwords pose:

  1. Most passwords are too guessable - the most popular password for the past few years is 123456.
  2. Most passwords are too simple - words or the name of your favorite team are vulnerable to guessing or "dictionary attacks".
  3. Most passwords are too short - when it comes to passwords, size matters!
  4. People reuse passwords - a study (now a few years old) found that the average person who uses online services has 25 different accounts but only 6.5 different passwords.  That means that passwords are being reused - breaking a password on one site yields a password that can be used to break an account on another site.  And, by the way, who has only 25 online accounts these days?!
   That means a good password is:
  • not based on anything related to you
  • long
  • complex
  • unique
   And if you have all that, unless you have a pretty amazing memory, then you'll need something to keep track of your passwords.
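To make the four problems above concrete, here is an added example (my own illustration, not code from the post) that audits a set of accounts for guessable, dictionary-based, short and reused passwords. The common-password and dictionary lists, the 12-character minimum and the sample accounts are all constructed assumptions.

```python
# Added example (not from the post): audit a set of accounts against the
# four password problems listed above: guessable, dictionary-based, short,
# reused. Every list and account below is constructed for illustration.
from collections import defaultdict

# Constructed stand-ins; a real checker would load published lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein"}
DICTIONARY_WORDS = {"dragon", "monkey", "football", "sunshine", "chelsea"}
MIN_LENGTH = 12  # assumed policy; the post only says "long"


def is_dictionary_word(password: str) -> bool:
    """True if the letters of the password spell a dictionary word (e.g. Chelsea99)."""
    letters = "".join(ch for ch in password if ch.isalpha()).lower()
    return letters in DICTIONARY_WORDS


def audit_passwords(accounts: dict) -> dict:
    """Map site -> password in, {site: [problem, ...]} out (only sites with problems)."""
    sites_by_password = defaultdict(list)
    for site, pw in accounts.items():
        sites_by_password[pw].append(site)

    findings = {}
    for site, pw in accounts.items():
        problems = []
        if pw in COMMON_PASSWORDS:
            problems.append("guessable: on common-password list")
        if is_dictionary_word(pw):
            problems.append("simple: dictionary word")
        if len(pw) < MIN_LENGTH:
            problems.append(f"short: {len(pw)} chars, want >= {MIN_LENGTH}")
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            problems.append("reused: also used on " + ", ".join(others))
        if problems:
            findings[site] = problems
    return findings


def reuse_ratio(accounts: dict) -> float:
    """Accounts per distinct password; the study above found 25 / 6.5, about 3.8."""
    return len(accounts) / len(set(accounts.values())) if accounts else 0.0


SAMPLE_ACCOUNTS = {  # constructed: one common, two reused dictionary-based, one strong
    "bank.example": "123456",
    "mail.example": "Chelsea99",
    "shop.example": "Chelsea99",
    "forum.example": "xK8#pLw2@vQz7!nM",
}
```

Running `audit_passwords(SAMPLE_ACCOUNTS)` flags every account except forum.example, and `reuse_ratio` shows the same accounts-per-password figure the study measured.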

   Now, there's more than one way to do that.  You could write your passwords on paper.  Many security pros are probably cringing when I say that, but it's all in how you do it.
   When we say "writing your passwords on paper", most people think of a sticky note stuck to your monitor or under your keyboard.  Guru Bruce Schneier suggests that you can write your passwords on paper and then put that paper in something you usually protect, like your wallet.  Of course, it's important that you don't write the site and userid along with those passwords.
   That's a reasonable way to balance risk, but you can take one more easy step to make this even stronger.  If you add fake characters of your choice to your written passwords, characters that only you know to remove, anyone who tries one will get it wrong!  For example, if your real password is 1jx09eKM, and you choose "N" as your fake character, then you could write down 1jxN09eKMN, leave it in plain sight, and anyone who tries it would be unable to log in.
   That seems simple enough.  But you might not always have your wallet with you when you need it.

   You could also put your passwords into a spreadsheet.  I don't like that idea, but if you wanted to do that, you should use the same measures as with paper - no sites or userids, and add fake characters.  One issue though... you need to make that file available wherever you are.  So you'd need to encrypt it (well), then maybe store it at an online filesharing site.  This is getting complicated and possibly not safe.  If you do a search on "password.xls" you're bound to find an actual file of passwords!

   So that leads us to using a password vault.  But is a password vault safe?  The short answer is yes. The longer answer is that, with most vaults, your password storage is encrypted separately, and in a different manner, from other people's.  That means going after a set of password vaults just isn't cost-effective for an attacker.  Unfortunately, there is much easier prey.  I wrote about this in a post last year with links to more detailed information.

   Hopefully now you're convinced that using a password vault is the right thing to do.  This post has gotten long enough so next time I'll talk about the products, costs and how to get started.
