Our lives are full of passwords, lots and lots of passwords… for everything. These necessary evils protect our personal information from thieves, but how do our trusted instruments of security become agents for hackers? It happens when we are betrayed by a much loved userid and password pair.

Passwords have become a necessary part of our lives; many websites, from the mundane coupon-clipping site to your bank, use passwords for account tracking, and of course every credit card, bank account and ATM transaction requires a password or PIN code. Daunted by the prospect of creating a new userid and password when signing up for a new service, many people take the easy path and use the same userid and password for all of their online activity. This is like using the same tissue over and over, yuck!

Recent data breaches at national retailers have exposed millions of userid and password combinations. Hackers take these userid and password combinations and try them at other popular websites, hoping a reused combination will work so they can steal user information (SSNs), financial information (checking account numbers, or money, in the case of ATM PINs) or personal information (useful for blackmail). The easy answer is to use unique userids AND passwords in every instance, but it would be a herculean task to keep more than a handful of passwords straight. Thankfully, there is a way to keep hundreds or even thousands of unique userids and passwords organized and safe. Enter the password manager.

Password managers are de rigueur for the computer geeks among us, but are still a new concept for the majority of users. This category of software applications replaces the bevy of Post-it® notes surrounding our computer displays, looking like little yellow flags for the country of Jibberish. I would be willing to bet that you have at least one note on your computer display, either at home or at work, with some sort of hard to remember bit of information on it. It’s okay to write down passwords until you can remember them, but it’s not a good idea to keep them on the notepad under your mattress forever, nor to store them right next to the computer for any length of time. What do you think would happen if someone broke into your home or place of work and stole your computer, taking that special little Post-it with it? Right, it would be very bad.

How bad? See these links:

http://money.cnn.com/2014/05/28/technology/security/hack-data-breach/

http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/

Password managers have a number of unique features: the ability to generate complex passwords, create a rank ordered list of passwords by age, show you how many times a password has been used, insert the password for a website directly into the field on the webpage, self-destruct if someone enters the wrong password too many times, sync the password file across multiple devices, and automatically back up the password file. Oh, and before I forget, Microsoft Excel® is NOT a password manager; it doesn’t do any of these things automatically. Stop using a spreadsheet to manage your passwords... immediately!

So how do password managers work? They are, basically, database applications that allow the user to create categories of sensitive information and then create records, or entries, within those categories for credit cards, websites, Social Security Numbers, or other classes of sensitive information. The password manager then locks all of that sensitive data behind a single password, which is used to encrypt the entire database with strong encryption. The file that contains this sensitive information is then stored in a location accessible by all your devices, usually a cloud service like Dropbox or iCloud.

The most important rule for using a password manager is to use a very long and complicated password to protect the password manager itself, so that even if a hacker gets their hands on the file containing the encrypted passwords, they will not be able to crack it in a short amount of time. You will have to memorize this password. The second rule is to use the password manager to routinely change all your passwords (usually every 3 months), so that even if a hacker uses brute computing force to find a password, the passwords will all have been changed before they can decrypt the file. Let’s be very clear: ALL passwords can be broken. The third rule is to use the password manager to create complex, hard to crack passwords; this will give you time to change your passwords before the hacker can finish his dastardly work.

So to sum up: 1) use a password manager, locking it with a complex password, 2) create unique, complex passwords for EVERYTHING, and 3) change your passwords on a periodic basis. Remember, passwords are like Kleenex: they are one-time use.

To illustrate the use of unique userids and passwords, here is an example of a random userid, yuT4pAj9iC7N@email.com, and a complex password, riB@Veej^heer>yal*Rirr)uG.

Yes, you can use random numbers and letters for an email address, and yes, you really do need a 25-character password, especially for cloud storage and financial accounts. PLEASE DO NOT USE THESE EXAMPLES! As complex as they look, these userid and password examples are no longer secret. I created both of these examples using the password generator built into 1Password.
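To make the three rules above concrete (a long password for the manager itself, complex generated passwords, and why length buys you time), here is an added Python example that is not from the post or from 1Password: it generates a random userid and password like the ones shown, computes how many bits of entropy they carry, estimates worst-case brute-force time at an assumed guess rate, and stretches a master password with scrypt the way a password manager protects its file. The character set, the guess rate of one trillion per second and the scrypt parameters are all assumptions for illustration.

```python
import hashlib
import math
import secrets
import string

# Constructed character set: letters, digits and 16 symbols (78 total).
SYMBOLS = "!@#$%^&*()<>_-+="
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 25, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_userid(length: int = 12, domain: str = "email.com") -> str:
    """Random local part of letters and digits, in the style of yuT4pAj9iC7N@email.com."""
    return generate_password(length, string.ascii_letters + string.digits) + "@" + domain


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case years to try every candidate; 1e12 guesses/s is an assumed rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password with scrypt so each guess against a stolen
    file costs real CPU and memory. n/r/p values are assumptions for illustration."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


if __name__ == "__main__":
    pw = generate_password()
    print("userid:", generate_userid(), "password:", pw)
    for n in (8, 12, 25):
        bits = entropy_bits(n, len(ALPHABET))
        print(f"{n:2d} chars: {bits:6.1f} bits, ~{years_to_exhaust(bits):.3g} years")
    salt = secrets.token_bytes(16)  # stored beside the encrypted file, not secret
    print("vault key:", derive_vault_key("correct horse battery staple", salt).hex())
```

Run it and compare the 8-character and 25-character rows: the first falls in well under a year at the assumed rate, the second does not fall within the lifetime of the universe, which is exactly the "time to change your passwords" the third rule relies on.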

Here are some good examples of password managers:

Next post I’ll take a look at online cloud storage and how to protect your information from theft.

Kevin