Monday, April 1, 2013

One password to rule them all


Last week I blogged about my walmart.com account getting pwned and used fraudulently to make purchases using my credit card. Since I caught it within minutes, and Walmart acted very quickly to void the transactions and suspend my account, I avoided any real damage.

It could have been much worse. Password management is one of the great nuisances of the Internet world. I have email accounts, social media accounts, bank accounts, online shopping accounts, blogging accounts, music service accounts, streaming video accounts, even accounts with news media sites. Most if not all of these are accessed by using a username and password (some of the more risk-averse sites ask for additional information to verify my identity the first time I log in from a given location, but by and large username and password are the Internet’s way of authenticating my identity). For that matter, the PIN on my debit card is essentially another form of password. Not only do I have dozens if not hundreds of password-protected accounts, but in some cases I am required to change these passwords periodically.

There are lots of conflicting studies, but prevailing opinion is that the average person’s working memory can hold around 3 to 7 things at any one time. That’s where the 7-digit (in the US) phone number originated. So, dozens of passwords to remember, and mental capacity to remember perhaps 7. What’s a person to do?

The two most common ways people deal with this are writing passwords down, or using the same password everywhere. And therein lies the reason my walmart.com experience could have turned into a nightmare. If my walmart.com account is compromised, and I used the same password for my email, or worse yet, for my bank, then whoever pwned my Walmart account would have access to my entire digital life. Ask Mat Honan how painful it can be to unravel that sort of mess.

Here is where “one password to rule them all” comes in. In the last few years I have begun using a password manager to keep track of all my online accounts. I only have to remember one “master password,” which unlocks the “vault” containing each of my individual account credentials. As long as I have access to the Internet (which is not a real limitation since this only applies to online accounts anyway), I will always have easy access to my passwords.

There are quite a few options in the market, but I am partial to LastPass. With LastPass, I install a plug-in for my browser (it supports IE, Firefox, Chrome, and Safari), and it automatically enters the username and password when I browse to a site in my vault. There is also an app to extend this support to Android or iPhone mobile devices. LastPass even has a built-in password generator (which I can tweak to fit the password rules for any site) that will generate a completely random password - and then store it in my vault so I don't have to remember it.
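To make the generator idea concrete, here is an added example (my own illustration, not LastPass code) of what a per-site password generator does: it draws from a cryptographically secure random source, guarantees each character class a site's rules demand, fills a vault with one fresh password per site, and checks that no password is reused across sites. The site names and rule sets are constructed for the example.

```python
import secrets
import string

# Character classes a site's password policy may require.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+",
}

# Constructed per-site rule sets (hypothetical sites, for this example only).
SITE_RULES = {
    "shop.example": {"length": 20, "classes": ("lower", "upper", "digit", "symbol")},
    "bank.example": {"length": 12, "classes": ("lower", "upper", "digit")},
}

def generate_password(rules):
    """CSPRNG-backed generator: one guaranteed character per required class,
    the rest from the union of allowed classes, then a secure shuffle so the
    guaranteed characters do not sit at predictable positions."""
    length, classes = rules["length"], rules["classes"]
    if length < len(classes):
        raise ValueError("length too short for the required character classes")
    pools = [CLASSES[c] for c in classes]
    union = "".join(pools)
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(union) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates using secrets.randbelow
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def satisfies(password, rules):
    """Exact length, every required class present, nothing outside the allowed set."""
    allowed = "".join(CLASSES[c] for c in rules["classes"])
    return (len(password) == rules["length"]
            and all(ch in allowed for ch in password)
            and all(any(ch in CLASSES[c] for ch in password) for c in rules["classes"]))

def fill_vault(site_rules):
    """One fresh random password per site: the 'unique password everywhere' model."""
    return {site: generate_password(rules) for site, rules in site_rules.items()}

def reused_passwords(vault):
    """Groups of sites sharing a password; empty means one breach stays one breach."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]
```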

As long as passwords are the method of choice for granting access to online services, there will always be bad guys seeking ways to steal those passwords - whether through malware on my PC, or through data breaches on the server side. By using a password manager and unique passwords, though, I can ensure that if one account is broken into, only one account is broken into.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen