A clever meme hit the Internet this week:<\/p>\n
\u201cStop asking me to change my password. I can\u2019t keep on renaming my dog.\u201d<\/em><\/p>\n If you (or the employees you support) aren\u2019t using a password manager, clear off your calendar for the rest of the day and use the time to set one up.\u00a0 It\u2019s easy security.\u00a0 Password managers make it simple to create good passwords, to change your passwords when required, to use different passwords on every site, and to avoid reusing old passwords.<\/p>\n The upside to using a password manager:<\/em><\/p>\n The downside to using a password manager:<\/em><\/p>\n Generally speaking a password manager works as follows:<\/p>\n (For deeper details, see\u00a0KeePass\u2019s FAQ<\/a>\u00a0for a brief technical explanation or\u00a0Dashlane\u2019s whitepaper<\/a>\u00a0for a detailed technical explanation.\u00a0 For example, in the KeePass FAQ the authors describe how the KeePass product derives 256-bit Advanced Encryption Standard [AES] keys from a user\u2019s master passphrase,\u00a0how salt is used<\/a>\u00a0to protect against dictionary attacks, and how initialization vectors are used to protect multiple encrypted files against known-plaintext attacks.\u00a0 Other products likely use a similar approach to deriving and protecting keys.)<\/p>\n Password managers often also perform useful convenience functions for you\u2014inserting stored passwords into your web browser automatically; generating strong passwords of any desired length; checking your usernames against\u00a0hacker-released lists of pwned websites<\/a>; evaluating the strength of your existing passwords; leaping tall buildings in a single bound; etc.<\/p>\n The root of security with password managers is in\u00a0protecting your master password<\/strong>.\u00a0 There are three main considerations to this protection:<\/p>\n (A) Choose a good passphrase.\u00a0<\/strong><\/p>\n I\u2019m intentionally using the word \u201cpassphrase\u201d instead of \u201cpassword\u201d to highlight the need to use strong, complex, high-entropy text as your passphrase.\u00a0 (Read my guidance about strong passphrases in TCS\u2019s\u00a0Better Passwords, Usable Security<\/a><\/em>\u00a0whitepaper.\u00a0 Or if you don\u2019t read that whitepaper, at least read\u00a0this webcomic<\/a>.)<\/p>\n Your master passphrase should be stronger than any password you\u2019re currently using\u2014stronger than what your bank requires, stronger than what your employer requires.\u00a0 (However, it shouldn\u2019t be onerously long\u2014you need to memorize it, you will need to type it every day, and you will likely need to type it on mobile devices with cramped keyboards.)\u00a0 I recommend a minimum of\u00a016 characters<\/a>\u00a0for your master passphrase.<\/p>\n (Side note:\u00a0 For similar reasons, another place where you should use stronger-than-elsewhere passphrases is with full-disk encryption products, such as\u00a0TrueCrypt<\/a>\u00a0or\u00a0FileVault<\/a>, where you enter in a password at boot time that unlocks the disk\u2019s encryption key.\u00a0 As Microsoft\u2019s\u00a0#7 immutable law of security<\/a>\u00a0states,\u00a0encrypted data is only as secure as its decryption key<\/em>.)<\/p>\n (B) Don\u2019t use your passphrase in unhygienic environments.<\/strong><\/p>\n An interesting concept in computer security is the\u00a0$5 wrench<\/a>.\u00a0 Attackers, like electricity, follow the path of least resistance.\u00a0 If they\u2019ve chosen you as their target, and if they aren\u2019t able to use cryptographic hacking tools to obtain your passwords, then they\u2019ll try other approaches\u2014perhaps masquerading as an IT administrator and simply\u00a0asking you for your password<\/a>, or sending you a malicious email attachment to install a keylogger onto your computer, or hiding a pinhole spy camera in the light fixture above your desk.\u00a0 So even with strong encryption you are still at risk to social engineering attacks targeting your passwords and password manager.<\/p>\n One way to reduce the risk of revealing your passphrase is to avoid typing it into computer systems over which you have neither control nor trust, such as systems in\u00a0Internet cafes<\/a>, or at\u00a0airport kiosks<\/a>, or at your Grandma Edna\u2019s house.\u00a0 To paraphrase public-service messages from the 1980s, when you give your passphrase to an untrusted computer you\u00a0could<\/em>\u00a0be giving that passphrase to anyone who used that computer before you.<\/p>\n For situations where you simply\u00a0must<\/em>\u00a0use a computer of dubious provenance\u2014say, you\u2019re on vacation, you take a wrong turn at Albuquerque, your wallet and laptop get stolen, and you have to use your password manager at an Internet cafe to get your credit card numbers and bank contact information\u2014some password managers provide features like\u00a0one time passwords<\/a>,\u00a0screen keyboards<\/a>,\u00a0multifactor authentication<\/a>, and\u00a0web-based access<\/a>\u00a0to help make lemonade out of life\u2019s little lemons.<\/p>\n (C) Make regular backups of your encrypted file.<\/strong><\/p>\n If you have a strong passphrase [(A)] and you keep your passphrase secret [(B)] then it doesn\u2019t matter where copies of your encrypted file are stored.\u00a0 The strong encryption means that your file won\u2019t be susceptible to a brute-force or password-guessing attack even if an attacker obtains a copy of your file.\u00a0 (Password management company LastPass had a\u00a0possible security breach<\/a>\u00a0of their networks in 2011.\u00a0 Even so, users with strong passphrases had \u201cno reason to worry.<\/a>\u201d)\u00a0 As such you are safely able to make backup copies of your encrypted file and to store those backups in a convenient manner.<\/p>\n Some password managers are designed to store your encrypted file on your local computer.\u00a0 Other managers (notably LastPass) store your encrypted file on cloud servers managed by the same company, making it easier to synchronize the password file across all devices you use.\u00a0 Still other managers integrate easily with third-party cloud storage providers (notably Dropbox) for synchronization across multiple devices, or support direct synchronization between two devices over a Wi-Fi network.\u00a0 (In all remote-storage cases I\u2019ve found, the file is always encrypted locally before any portion of the file is uploaded into the cloud.)<\/p>\n Whichever type of manager you use, be aware that\u00a0that one file holds your only copy of<\/em>\u00a0all of your passwords<\/em>\u2014it is\u00a0critical<\/strong>\u00a0that you not lose access to the contents of the file.\u00a0 Computers have\u00a0crashed<\/a>.\u00a0 Password management companies have disappeared (Logaway<\/a>\u00a0launched on May 4, 2010, and ceased operations on February 2, 2012).\u00a0 Cloud services havelost data<\/a>\u00a0and have experienced\u00a0multi-day disruptions<\/a>.\u00a0 Protect yourself by regularly backing up your encrypted file, for example by copying it onto a USB dongle\u00a0(whenever you change or add a password) or by printing a hard copy every month to stash in a safe deposit box.<\/p>\n If you maintain a strict separation between your home accounts and your work accounts\u2014for example to keep your employer from snooping and\u00a0obtaining your Facebook password<\/a>\u2014simply set up two password managers (one on your home laptop, the other on your work PC) using two unique passphrases as master keys.<\/p>\n Password manager software is easy to set up and use.\u00a0 The biggest problem you\u2019ll face is choosing from among the cornucopia of password managers.\u00a0 A\u00a0partial<\/strong>\u00a0list I just compiled, in alphabetical order, includes:\u00a01Password<\/a>,\u00a0AnyPassword<\/a>,\u00a0Aurora Password Manager<\/a>,\u00a0Clipperz<\/a>,\u00a0DataVault<\/a>,\u00a0Dashlane<\/a>,\u00a0Handy Password<\/a>,\u00a0Kaspersky Password Manager<\/a>,\u00a0KeePass<\/a>,\u00a0Keeper<\/a>,LastPass<\/a>,\u00a0Norton Identity Safe<\/a>,\u00a0Paranotic Password Manager<\/a>,\u00a0Password Agent<\/a>,\u00a0Password Safe<\/a>,\u00a0Password Wallet<\/a>,\u00a0PINs<\/a>,\u00a0RoboForm<\/a>,\u00a0Secret Server<\/a>,\u00a0SplashID<\/a>,\u00a0Sticky Password<\/a>,\u00a0TK8 Safe<\/a>, and\u00a0Universal Password Manager<\/a>.\u00a0 There is even a\u00a0hardware-based password manager<\/a>\u00a0available.<\/p>\n Your top-level considerations in choosing a password manager are:<\/p>\n I don\u2019t recommend or endorse any particular password manager.\u00a0 I\u2019ve started using one of the \u201cpremium\u201d (paid) password managers and am astonished at how much better\u00a0any<\/em>\u00a0of the managers are over what I\u2019d been using before (an unencrypted manual text-file-based system that I\u2019d hacked together last millennium).<\/p>\n","protected":false},"excerpt":{"rendered":" A clever meme hit the Internet this week: \u201cStop asking me to change my password. I can\u2019t keep on renaming my dog.\u201d If you (or the employees you support) aren\u2019t using a password manager, clear off your calendar for the rest of the day and use the time to set one up.\u00a0 It\u2019s easy security.\u00a0 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,7],"tags":[],"_links":{"self":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/968"}],"collection":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/comments?post=968"}],"version-history":[{"count":1,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/968\/revisions"}],"predecessor-version":[{"id":969,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/968\/revisions\/969"}],"wp:attachment":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/media?parent=968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/categories?post=968"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/tags?post=968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
\n
\n