The solution to paper passwords

I know your passwords are either written down or insecure. I know it just as surely as I know New Year’s Day is January 1.

I know because passwords have to be incredibly complex to be secure, and I know because the typical person has to juggle half a dozen of them, or more. Think about it. Your work account. Amazon. Ebay. Paypal. Facebook. Your bank. Your personal e-mail. Your credit card. Your online billpay service.

I know you’re not going to memorize a half dozen gibberish passwords that look like 5E%c2.3730pK$0/.

So you have them written down somewhere, which is OK, or you have them all set to the same thing (hopefully not “popcorn”), which isn’t OK. Even if you’re using 5E%c2.3730pK$0/ as your password.

A secured piece of paper works fine until you lose it, or you’re out somewhere and don’t have it.

The solution is a product called Lastpass. Software legend Steve Gibson talked about it at great length at http://www.grc.com/sn/sn-256.htm.

Basically it’s a program, which can run standalone or as a browser plug-in, that stores passwords securely. It mathematically slices and dices the data so that all that’s stored on LastPass’ servers is undecodable gibberish, but, given your e-mail address, your password, and a printable grid you can keep in your wallet, you can decode your password database from any computer, anywhere you happen to be.

There’s a lot of nasty math involved in cryptography, and I won’t pretend it’s my best subject. Gibson goes a lot further into the details than I want to get into. As someone who knows enough about cryptography to get CompTIA Security+ certification, and someone who’s read the official CISSP book chapter on cryptography twice, it sounds good to me.

An additional feature is the ability to store things you need rarely, but when you need them, you need them desperately. Things like your credit card numbers, driver’s license number, and your kids’ social security numbers.

There’s a free version of Lastpass, and a premium version that works on mobile phones and mobile software like Portable Firefox, which costs $12 per year.

The free version runs on Windows, Mac OS X, and Linux, which covers more than 99% of the computers out there today. And it runs in every major browser.

When you go to run Lastpass, it will import your stored passwords from your web browser(s). And it will give you a rating, based on how secure your passwords are and how often you re-use them. It will generate secure, random gibberish passwords for you and help you visit sites and change your passwords. Along the way it grades you, helping you to increase your security.

It can synchronize too. So if something happens and I have to change my Amazon password and I’m at work, my wife gets the changes, so if she needs to get into Amazon, she doesn’t have to do anything different.

It makes good security an awful lot less painful. I can pretty much say, without reservation, knowing nothing about you except that you use a computer, that you need this.

If you found this post informative or helpful, please share it!

5 thoughts on “The solution to paper passwords

  • October 15, 2010 at 11:20 am
    Permalink

    LastPass is a great tool, and I use it on all my computers for ease with sites I use all the time. I’ve also configured a password system that allows me to create a unique password for each site, and have a good chance at remembering what that password is. I would be interested in the thoughts of experts on how the system works. It does create strong passwords, according to password testing websites.

    I always use the same user name, except in those situations where you need a card number (banking) or the system uses email as the user name. That’s one less thing to remember.

    Then I pick a standard sequence that I always use, which is based on initials and a significant date (marriage, birth, favorite holiday). Let’s say my name is Jack Smith, and I was married on April 10th, 1995. My initial sequence could be ‘js10’ or ‘js95’. Then I add part or all of the name of the website I’m logging in to: js10silicon, and then I add in capitals, use numbers for vowels and perhaps punctuation (if it’s supported) in a consistent order: js10S1liC0n! In this example I’m capitalizing or number switching every other consonant or vowel and adding in an exclamation mark for good measure. Thoughts?

    • October 15, 2010 at 7:33 pm
      Permalink

      Bill, what I don’t like about that formula is that it mixes personally identifiable data with the site name, which makes you vulnerable to a targeted attack. One of the things WhiteQueen told me he would do, if he were targeting me specifically, is that he would build a custom dictionary based on whatever he could find out about me. Which, potentially, is a lot. My mother found a distant cousin and saw his personal family tree, and the guy knew a LOT about me. He knew how many siblings I had, when all of us were born, even when some of us got married. None of us had never met this man. He got evasive when she asked how he got this stuff. But if he can find that out, so can someone who really wants into my network or bank account. So I wouldn’t want to use any derivative of my birthday, anniversary, or anything publicly recorded anywhere. I’d be a little less reluctant to use something like the date my wife and I first met, or a child’s baptismal birthday, or something like that. But I’d prefer to use something not connected to me. I have a couple of formulas I use sometimes, but they involve people not connected to me in any way.

      As for the symbols, the trouble with that is that lists exist iterating those “l337” substitutions, so while the password strength finders love them, a good hacker’s going to try all of those because they’re a lot easier to remember than gibberish, so they’re more likely to be used.

      Thanks for the question!

  • October 15, 2010 at 8:06 pm
    Permalink

    I certainly see your point about using personal data. I use a date that has no meaning to anyone but me, and the initials I use are based not on my given name, a license plate I once had, but next time I feel the need to suggest my system I will modify it to eliminate personal data and reconsider the l337. One quick thought would be to mix up the personal data and eliminate a certain letter, say the third one in the site name: 1s0jS1c0N3!. Or do the hacker lists also consider dropped characters? Thanks for the feedback!

    Likely the cousin got his information from the Mormons, they have a lot of data on genealogy. Why they have it would be an interesting thing to hear…

    • October 15, 2010 at 8:48 pm
      Permalink

      If it’s somehow meaningful to you but gibberish to anyone else, mixing it with a “leet” word related to the site to make it memorable will be OK. The main thing is getting enough gibberish in there to make it long enough to give you sufficient entropy. 14+ characters will keep you safe for a good while. I think Steve Gibson says a little less than that is OK. I’m told the Department of Defense uses 14, so if the DoD likes 14, I like 14. The DoD may know something.

      The cousin had information the Mormons don’t have; what he had could only have come from state records. Which is fine, it’s public record, but how did he know enough to even ask those questions? I don’t want to get too far into Mormon beliefs, but they believe they can baptize the dead and advance them in the afterlife. So they build massive genealogical databases in hopes of not missing anyone.

  • October 17, 2010 at 9:15 pm
    Permalink

    Dave,

    If you want the current, unclassified “official” implementation guides that the DoD uses, you can grab them at http://iase.disa.mil/stigs/

    Regards,
    Bobby Kuzma, CISSP

Comments are closed.