news / tech talk

Password Management

by Lee LeClair
As seen in Inside Tucson Business

If you are like many “Internet-aware” folks today, you probably have several email accounts. One with gmail, one with MS Live, maybe Yahoo or AOL, and so on. In addition, you probably have accounts on multiple for banking, shopping, and social networking sites like Apple’s Itunes, Facebook, Linked-in, etc. Each of these accounts and sites requires a userid and password. As a result, most people have multiple accounts and several passwords to track and the number and complexity of these can be daunting to recall.

People and companies have developed different methods and tricks for keeping track of all these accounts and passwords. One way is to use a password management utility to help. Examples include Keepass, Password Vault, Password Safe, and so on. I do not use them but I understand they work fine though you need to be on a computer where you have them loaded or you need a portable solution. Since I work from a variety of computers of varying security levels, I started using applications from a long time ago. These apps are portable versions that can run from a USB drive and do not require administrative privileges on the systems they run on. In addition, they allow you to keep your applications and preferences with you on whatever system you are working on.

I do not recommend using public terminals or computers that you do not trust since you cannot determine whether they have password loggers or other malware on them. I use a variety of computers but I have enough trust in them to run my portable applications. These include an email client, browser and various utilities. That way, my preferences and bookmarks travel with me. Other folks use Google, Microsoft Live, and or similar online free sites and utilities to achieve the same effect though my admonition about using public or completely untrusted systems still applies.

Getting back to password management, I do not use a portable password management utility even though one is available. Perhaps I am a Luddite but I still rely on a system of about 4 password levels I use for different types of sites. At the lowest level, I use a userid and associated email account with a low-level security password for sites I do not deem particularly trustworthy and even fairly suspect. If the password is compromised by some evil staffer at one of the sites, then they could potentially use the credentials at a few other sites but none of them would yield much value. I use a different password for slightly more trusted sites and social networks. A level 2 password for shopping sites like Amazon where my credit card might be stored and finally my highest level password for online banking.

A recent online article discussed an analysis of compromised passwords from a major site. The results were interesting. Some passwords were as bad as you would expect being “password”, “God”, the userid, etc. Others were more interesting to me and consisted of keyboard patterns like “asdf1234” or “159357” which is actually a numeric keypad pattern. These appear tough because they have multiple character types as is commonly recommended, but with acknowledgement of keyboard pattern use, expect attack dictionaries to begin incorporating common keyboard patterns into their arsenal.

However you store your passwords and as inadequate as passwords may be, they will be around for a long time yet. Therefore, consider using passphrases consisting of short sentences incorporating numbers and punctuation somewhere towards the middle (e.g., 15 or more total characters). Use a utility if it is convenient and helps you but be careful about using systems you don’t know.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.