Something I have been playing with quite a lot recently is a password manager. It sounds boring, but it has changed how I think about online security and about the trouble so many web companies have with data theft. The simple fact of the matter is that most of us either keep our passwords in our heads or have a text file somewhere on the computer with our passwords and secret questions written down. I'm not here to tell you how bad these systems are, because let's face it, they work; they are probably insecure, but they do work.
A bigger problem is that the passwords you make up are pretty bad. OK, some of you probably took Edward Snowden's advice and started memorising unusual phrases to use as passwords, and that is a very good thing, but there are easier ways to do it. There is some very simple software you can download, and while it takes a little learning to get used to, you will find it simplifies all of those password fields you fill in daily. It's called KeePass 2 and it's open source. While I don't really want this blog to become a list of software suggestions, installing and using KeePass made me think about how we treat web security and how just a few simple changes can make your online life easier.
First let's take a look at how passwords are handled at the moment. Most people make up a few decent passwords and then recycle them for just about everything they register for. The problem with this approach is that if someone gets into one of your accounts, particularly your email account, it is often possible to jump from that account to the others. The real problem is that once they control your email address they can ask other services to send a password reset to it, set a new password of their own, and lock you out. Every account that shares a password with a breached site, or resets through a compromised mailbox, falls with it.
So what makes a good password? The best passwords are very human-unfriendly: upper and lower case with the occasional number and special character thrown in for good measure. Remember there is no certainty that it can't be cracked, just that it would take someone with a powerful computer a very long time to do so. So what do you do? Make a password so long that anyone who looks at the possibilities will give up trying to crack it. As a general rule, if a password is fifteen characters long and mixes upper and lower case with non-consecutive digits and special characters, it is basically safe at the moment: fifteen characters drawn at random from the 94 printable ASCII characters is roughly 98 bits, and at ten billion guesses a second that takes far longer than the attacker will live. Length is what matters, and the rule only holds if the characters really are random rather than a word with "1!" tacked on the end. It also only protects you against someone guessing offline from a stolen password hash; it does nothing against a site that stores passwords badly or a phishing page you type the password into. Until quantum computing rolls around this is probably sufficient, and even then the answer is simply a longer password.
So why has KeePass made me think differently about all of this? The simple reason is that it has made keeping track of many passwords very easy for me. The hard part was going through all of my accounts, online and for local programs, and changing them from my terrible, derivative passwords to newer, secure ones. KeePass has a password generator built in and by default will make 20-character passwords for you, so you don't have to mash your keyboard and count characters. The idea is that you get KeePass to create the passwords and you enter them everywhere you need them, so no two accounts share a password and the only one you still have to remember is the master password for the database, which is the one worth making long.
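To make the length and character-set rules from the last two paragraphs concrete, here is an added example of my own (it is not KeePass code; KeePass's generator has its own character sets and options). It draws a password from the operating system's cryptographic random source, checks it against the policy above (upper, lower, special, digits with no two adjacent, at least fifteen characters), works out the strength in bits, and estimates how long an offline attacker would need. The guess rate of ten billion per second and the 94-character alphabet are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes used for generation and for strength estimates.
# string.punctuation is 32 symbols, so the full alphabet is 26+26+10+32 = 94.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALL_CHARS = "".join(CLASSES.values())


def classes_present(pw):
    """Names of the character classes that actually occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def meets_policy(pw, min_length=15):
    """The rule from the text: all four classes, at least min_length characters,
    and no two digits next to each other."""
    if len(pw) < min_length:
        return False
    if classes_present(pw) != set(CLASSES):
        return False
    return not any(a.isdigit() and b.isdigit() for a, b in zip(pw, pw[1:]))


def generate_password(length=20):
    """Random password from the full alphabet using secrets (the OS CSPRNG),
    retried until it satisfies meets_policy. The rejection loop throws away
    roughly a quarter of candidates, so the true entropy is a little below
    what entropy_bits() reports for the result."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALL_CHARS) for _ in range(length))
        if meets_policy(pw, min_length=length):
            return pw


def entropy_bits(pw):
    """Strength of a *randomly generated* password: length * log2(alphabet size),
    where the alphabet is the union of the classes present. This is only honest
    for random passwords; a human-chosen word with "1!" on the end is far weaker
    than the number suggests."""
    alphabet = sum(len(CLASSES[name]) for name in classes_present(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected years for an offline attacker to find the password, assuming
    half the keyspace is searched on average at the given (assumed) guess rate."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(pw)
    print(f"generated: {pw}  ({bits:.1f} bits, ~{years_to_crack(bits):.3g} years)")
    # A short all-lowercase password for comparison (constructed sample input).
    weak = "password"
    print(f"{weak!r}: {entropy_bits(weak):.1f} bits, "
          f"~{years_to_crack(entropy_bits(weak)) * 365.25 * 86400:.3g} seconds")
```

The point of `entropy_bits` is that the alphabet size matters far less than the length: going from lowercase only to all four classes adds under two bits per character, while every extra character adds about 6.5 bits, which is why a long random string from the generator beats anything you would type by hand.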
There are a few advantages of KeePass over other systems. One, you can save passwords for things that are not websites. Unlike using your web browser to save all your passwords, you can use KeePass for a Steam login, a GitHub account, or any other program that asks for a password; some other solutions only work for websites and that can be a limitation. Secondly, you can back up your passwords to the cloud, or for anyone like me who is sick of hearing about cloud computing, you can back up your password database to Dropbox or Google Drive and thus access the one database from many computers, even your phone. The database file is encrypted with your master password (and optionally a key file), so what the sync service holds is ciphertext; just keep the key file somewhere other than the same Dropbox folder, or it adds nothing. Once you learn the keyboard shortcuts you will find it easier to use KeePass than it was typing in passwords. There is an included auto-typer that pretends to be a real keyboard: by default it switches back to the previous window and types <username><tab><password><enter>, so you can literally open up the login page, switch to KeePass, select the entry, hit Ctrl+V and watch it auto-type. It types into whichever window has focus, so make sure the login page is the window you came from before you trigger it.
Finally, the really brilliant application of this kind of software is at work. Imagine your boss wants to log in to the server's new built-in email client. You can create their account and save the credentials to a shared password database; that way they don't have to ask you for the password, or worse, pick a bad password that is easily guessed. Yet another advantage is that if your boss later asks "what is my email password?" you can safely reply "I have no idea, it was randomly generated; open the password program and look it up." This will save hours of time over a few short years and is worth the effort. Keep the shared database to the credentials that group actually needs, though: everyone who knows its master password can read every entry in it, so change that master password when someone leaves.
So check it out. If KeePass isn't your thing that's OK, but you really should look at some sort of password manager, and let some poor web administrator sleep a little easier by having a stronger password.