Aug 01 2016

Passwords are rubbish.

They are an inherently flawed method of securing your information.

Don’t believe me ?

If your password is fewer than seven characters long, every possible combination can be tried in minutes using cheap off-the-shelf computing hardware.

If it is longer than seven, but still a word that appears on a wordlist, it is again rubbish, even if you substitute 3s for es and sprinkle capital letters in there: cracking tools apply exactly those substitutions as rules.

There are wordlists out in the real world with 60 billion entries. That number might seem high, but a dedicated password-cracking machine that costs less than $5,000 will check 6 billion candidates per second against a fast, unsalted hash such as MD5 or SHA-1, so the whole list takes about ten seconds. (A slow, salted hash such as bcrypt cuts that rate by orders of magnitude, but you do not get to choose what the site uses.)

If virtually any combination you can think of is on that list, it can be cracked in seconds.

Recently, hundreds of millions of LinkedIn account records were dumped on the Internet.

The dump contained email addresses and, for each account, an unsalted SHA-1 hash of the password: hashed rather than encrypted, and with no salt, so a single guess can be checked against every account in the dump at once.

The vast majority of the passwords were cracked within hours.
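To show why an unsalted dump falls so quickly, here is an added example (not code from the post) that runs a small dictionary attack with a few mangling rules against a constructed set of SHA-1 hashes, and works out the brute-force time at the 6 billion guesses per second quoted above. The dump, the wordlist and the addresses are all made up for the demonstration; the point is that without a salt each candidate is hashed once and looked up against every account simultaneously.

```python
import hashlib


def _sha1(s: str) -> str:
    """Unsalted SHA-1 hex digest, the storage format the LinkedIn dump used."""
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed stand-in for a leaked dump: address -> unsalted SHA-1 of the
# password. The plaintexts are chosen here only to build the sample data;
# the cracking code below sees the hashes alone.
DUMP = {
    "alice@example.com": _sha1("linkedin"),
    "bob@example.com": _sha1("Password1"),
    "carol@example.com": _sha1("sunshine2015"),
    "dave@example.com": _sha1("x7!Rq#9vLw@2pZ"),  # random, on no wordlist
}

# A tiny constructed wordlist; real ones run to billions of entries.
WORDLIST = ["password", "linkedin", "sunshine", "qwerty", "letmein"]


def mangle(word):
    """Yield the base word plus the cheap variants cracking rules generate:
    capitalised, leetspeak, and each of those with a digit or a year appended."""
    leet = word.translate(str.maketrans("aeios", "43105"))
    for base in (word, word.capitalize(), leet, leet.capitalize()):
        yield base
        for d in range(10):
            yield f"{base}{d}"
        for year in range(2010, 2017):
            yield f"{base}{year}"


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes. Index the dump by hash, then hash
    each candidate ONCE and look it up: cost is O(candidates), not
    O(candidates * accounts). A per-user salt would destroy this sharing."""
    by_hash = {}
    for user, digest in dump.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_hash.get(_sha1(candidate), ()):
                cracked[user] = candidate
    return cracked


def brute_force_seconds(length, alphabet_size, guesses_per_second=6e9):
    """Worst-case seconds to exhaust every password of exactly `length`
    characters over an alphabet of `alphabet_size`, at the quoted guess rate."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    for user, pw in crack_unsalted(DUMP, WORDLIST).items():
        print(f"{user}: {pw}")
    for length in (6, 7, 8):
        print(f"{length} printable ASCII chars: "
              f"{brute_force_seconds(length, 95) / 3600:.1f} hours")
```

Three of the four sample accounts fall to a five-word list with a handful of rules; the random fourteen-character password does not. The time estimates bear out the post's figures: all six-character passwords over the 95 printable ASCII characters fit in about two minutes at that rate, seven characters in a few hours.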

If you had a LinkedIn account and used the same email address and password elsewhere, those other accounts are now open to the world.

Any reuse of that password needs to change. Now.

But remembering multitudes of passwords, and creating passwords that are easy to remember but hard to guess, is very difficult.

Additionally, you need to enable two-factor authentication.

Two-factor authentication is a very good tool. If a bad person tries to log in to your account, they will need not only your username and password but also a secret, ever-changing code that, in theory, only you have access to.
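The "ever-changing code" on most authenticator apps is TOTP (RFC 6238), HOTP (RFC 4226) driven by a 30-second clock. The following is an added example, not code from the post or from any particular provider, that generates the code from a shared secret and shows the server-side check a practitioner would want: a small window for clock drift and a refusal to accept the same window twice, so a code captured by a phishing page cannot be replayed once it has been used. The secret below is the RFC test key, used only so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time window."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, used: set, window: int = 1,
                step: int = 30) -> bool:
    """Server-side check. Accept the code for the current window or its
    `window` neighbours on either side (clock drift), compare in constant
    time, and record the accepted counter in `used` so the same code is
    rejected if presented again within its validity period."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), code):
            if c in used:
                return False  # replay of an already-consumed code
            used.add(c)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real secret is
    # random and shared only between the authenticator app and the server.
    secret = b"12345678901234567890"
    print("code at t=59:", totp(secret, 59))  # 287082 per the RFC vectors
    seen = set()
    print("first use:", verify_totp(secret, totp(secret, 59), 59, seen))
    print("replay:   ", verify_totp(secret, totp(secret, 59), 59, seen))
```

Note what the second factor does and does not buy you: an attacker who has your password from a dump still needs a code from this function for the current half-minute, but an attacker who captures both in real time can use them once. That is why the post goes on to insist on a strong, unique password as well.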

Which leads me back to the passwords.

2FA is great, but 2FA plus a decent password with zero password reuse is better.

But this is really, really hard.

Zero reuse means that no aspect of the password should be the same.

If you used password1 as your password, you should not use password2, Password1, p455word1 or any of the dozens of similar variations.
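A check for exactly that kind of "same password, slightly different" reuse, and for the leetspeak-on-a-dictionary-word problem raised earlier, is easy to write, because the normalisation a cracking rule applies can be run in reverse. This is an added example, not code from the post: it lowercases, strips the digits and punctuation people bolt onto the ends, undoes common substitutions (the substitution table and the similarity threshold are assumptions), and then compares the result with previous passwords and with a wordlist.

```python
import difflib
import re

# Common leetspeak substitutions, undone. Assumed table; extend as needed.
LEET = str.maketrans("43015$@!", "aeoissai")


def normalize(pw: str) -> str:
    """Reduce a password to the idea behind it: lowercase, drop leading and
    trailing digits/punctuation, then undo leetspeak. Stripping happens before
    de-leeting so a trailing '1' in 'password1' is not read as an 'i'.
    Deliberately crude: a leading '$' or '4' is dropped rather than decoded."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def is_derivative(candidate: str, previous, threshold: float = 0.8) -> bool:
    """True if `candidate` shares its core with any previously used password,
    i.e. is a 'password2 after password1' style change rather than a new one."""
    core = normalize(candidate)
    if not core:
        return False
    for old in previous:
        old_core = normalize(old)
        if not old_core:
            continue
        if core == old_core or core in old_core or old_core in core:
            return True
        if difflib.SequenceMatcher(None, core, old_core).ratio() >= threshold:
            return True
    return False


def in_wordlist(candidate: str, words) -> bool:
    """True if the password is a wordlist entry dressed up with digits or
    substitutions, which a cracking rule set will try anyway."""
    return normalize(candidate) in {w.lower() for w in words}


if __name__ == "__main__":
    history = ["password1"]
    for pw in ("password2", "P455word1", "correct-horse-battery"):
        print(f"{pw!r}: derivative={is_derivative(pw, history)}")
    print("Summ3r2016 on list:", in_wordlist("Summ3r2016", ["summer", "love"]))
```

The test for a new password is therefore not "does it differ from the old one" but "does it survive normalisation as something unrelated". A password manager's generator passes trivially; anything a human invents from a previous password usually does not.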

A password manager is a great improvement, then.

LastPass is really rather awesome, but so is Apple's iCloud Keychain.

Except.

In general, password managers use a single master password to protect the vault. Additionally, if someone gets access to any device that is signed in to the password manager, they can go anywhere and use your logins and passwords without you knowing it.

If, for example, your phone has the imaginative PIN of 1234, because "hey, it's convenient", then a malicious actor, or a law enforcement officer, can get to all of your login/password combinations.

So, here is the problem.

Few humans can generate and remember passwords of sufficient variety and complexity to make them very hard to crack.

Two factor authentication only adds a single layer to the security of an account.

Password vaults and generators are only as secure as the master password that guards them, and we all know how bad humans are at this sort of thing.
