Posts Tagged ‘Password Safe’

As I’m sure many of you have heard, the popular, business-oriented social networking site, LinkedIn.com, had a security breach recently that resulted in exposing about 6 million of its users’ passwords. You might be thinking, what’s the big deal?

  1. I don’t store anything all that sensitive on my LinkedIn account and
  2. even if I did, why would anyone want to target me?

The first issue that many fail to appreciate is that most people use the same password for more than one site. In fact, many use the same password for every site. This is a problem since it means that if I know your LinkedIn password, I probably also have a pretty good idea what your email password is. And if I can get into your Gmail account, for instance, then I can also go to your banking site and request a new password be emailed to your account, which I now control.

Furthermore, I can change all these passwords to one of my choosing and then you can’t get in to fix the problem either. Then it’s game over and you are forced to deal with a sea of faceless support centers for each site trying to gain back control of your digital persona. Since many of these services are free, the support your get is worth about as much as you paid for it, if you know what I mean.

As to why you would be targeted for such an attack? Because you exist. Hackers don’t only go after famous people just as identity thieves don’t restrict themselves to only millionaires.

So, what can you do?

  • First of all, you should probably change your LinkedIn password today. Even if you weren’t one of the 6 million compromised accounts, why wait for the next breach?
  • Second, change other passwords to key accounts like your email, bank, credit card and merchant sites that might have payment details stored for you.
  • Third, choose good passwords that can’t be easily guessed or cracked through dictionary or brute force attacks, which leads to …
  • Fourth, use a password storage vault or single sign-on software to keep track of all your passwords. These tools allow you to generate strong, hard to guess passwords that are unique for every site and only require you to remember one strong master password to unlock the vault.

If you are trying to do this for an entire organization, consider a centrally managed, enterprise class tool like IBM Security Access Manager for Enterprise Single Sign-On, which automatically enters userids and passwords when logon fields pop up, allows you to set policies for all your users and supports resetting lost passwords and shared workstation support with fast user switching.

If you want a simple, free tool to keep track of passwords on a single system that requires you to copy and paste stored passwords manually from the vault, Password Safe, from the open source SourceForge project is one of many options.

Also, there are other options that range somewhere in between for a range of prices supporting a variety of platforms. Whatever you choose, just try to make sure it comes from a legitimate source. The worst case scenario would be to store all your passwords in one tool that sends all your info to an attacker.

OK, so now you just think I’m being paranoid, right?

In keeping with the theme of the previous post, I was recently asked by Tyler Dukes of The News & Observer, who writes the biweekly “Stump the Geeks” column, to comment on issues with choosing good passwords. Here’s a link to the article  below:

http://www.newsobserver.com/2012/03/19/1935703/passwords-are-still-securitys.html#storylink=misearch

Due to space considerations, a lot of what I wrote didn’t make it past the editor’s knife so I’m posting here my larger response so you can see what didn’t make the paper and, hopefully, get a better sense of my thinking in this area…

Ideally you would want each password to be chosen randomly and comprised of a mixture of upper and lower case characters along with a few numbers and special characters like *!%$ thrown in for good measure. Also it is best not to also use same password on any other system so that if it does become compromised, the damage is limited. Finally, it should be changed at regular intervals such as every 90, 180 or 365 days, depending upon the risk involved with the information being protected.

All this is to make the password hard to guess. The problem is that things that are hard to guess often tend to be hard to remember, which is people naturally bristle at such guidance.

I think the best compromise is to use password storage or single sign-on software. These tools can generate strong, random passwords that are unique for each system they will be used to log into and only require the user to remember a single password to unlock the password storage “vault.” I have literally hundreds of passwords — all unique and none that I actually know, but with tools like these I only need to keep up with the one password that unlocks the tool and it keeps up with the rest.

IBM sells a product called Tivoli Access Manager for Enterprise Single Sign-On that I work with that is designed to do this for an entire organization’s user population. There are consumer products as well that are both free and fee-based. One nice freebie that I have used is Password Safe, which is an open source tool available from SourceForge.net. Still other tools offer to save your passwords on a shared system (i.e. in the cloud), which is convenient if you need them to be available across multiple systems. Just bear in mind that when you store your passwords on someone else’s system then you are totally at the mercy of how good a job they do with their security and, in most cases, there is no way for you to verify if their claims of using strong encryption and the like are valid or not.

As with all such decisions, there’s a trade-off between security and convenience and the answer will be different for different people depending upon their tolerance for risk and their understanding (or lack thereof) of that risk.