In a way, us computer security people allowed it to happen. We allowed credit card databases to get hacked, phishing emails to fool users, and magstripe ATMs to get skimmed. However, our greatest mistake was that we stayed quiet when PHBs decided that, rather than fixing the actual security problems, instead decided on a false sense of security by forcing users to create ridiculously complex passwords, then forcing users to change passwords almost constantly.
The frequently-changing gibberish passwords with numbers and symbols actually made things far worse. XKCD explains the information theory behind why crazy number and punctuation rules actually make for weaker passwords. Forcing users to change the password frequently just makes said gibberish passwords even harder to remember, ensuring the users will have to commit the cardinal security sin of writing their passwords down. Even worse, with so many services requiring passwords, you either need to maintain a whole list of passwords, or use the same password (or pattern of password) across multiple sites. This can lead to the nightmare of one of your passwords getting exposed (especially if you wrote it down), then having to go through and chaotically change the password to almost every service you use.
I am hoping that the increasing ubiquity of mobile computing will help solve the problem, since it makes two-factor authentication essentially free. The idea being that having two separate levels of security (a simple password, plus a physical item you possess), when done right can be far more secure than any password. Blizzard has already demonstrated this with the Battle.NET Authenticator devices and apps, and I can only hope others go this route. Google is finally trying this too, though still has a lot to learn.
Sadly, until the world catches up, we’re stuck with passwords.
I found a piece of software that I’m actually really liking to help manage the insanity. 1Password is an application for Windows, Mac, Windows Phone, iPhone, and Android; currently $30 for the Windows version. It stores an encrypted list of all your passwords, locked by one “master password”. This means you can have unique, complex, and changing passwords for each service, but only need to remember one strong password. While I’m not often one to pay premium prices for software from random small vendors off the Internet, I’ve found this software to actually be quite worth the investment.
When on the road, you can look up a specific password (or even other data such as a passport number) from a mobile app synced to your desktop. Even if you lose your device (and don’t have remote erase capability), the data is encrypted with your best password.
While on the desktop, 1Password integrates with your browser. After typing your master password, it can automatically log you into most websites. If creating a new password, it can generate a strong (high entropy) password – such a password is almost impossible to remember, but you don’t need to ever remember (or even type) it.
Across computers (or to certain mobile devices like Windows Phone), the list of passwords is shared via the Dropbox cloud file replication service. Admittedly, I had never used Dropbox before using 1Password, but I’ve grown to like it. Plus, it’s free for the first 2GB of space. There’s not much security risk here – even if you don’t trust Dropbox’s security, they only ever handle the encrypted version of your passwords, and never have access to your master password.
Admittedly, from a security standpoint, password repositories can be dangerous, as the repository and master password is a single point of attack. Realistically though (and I’m sure all the security experts are cringing as I say this), anyone capable of capturing your master password is just as capable of capturing a bunch of separate passwords. So, given an equivalent level of risk, why not take increased convenience and improved password habits?
