
I’ve been enjoying Bob Covello’s recent posts on passwords and password managers – A LastPass Hack with a Happy Ending shows how idiot simple it can be to find someone’s “hidden” password list.

A surprising interchange on passwords came up in November, during a Chertoff Group Security Series panel entitled “Enough with Getting Pwned Through Passwords: Time for Stronger Identity Solutions.” One of the panelists asked the audience to raise their hand if they required user IDs and passwords for more than 10 accounts, and to keep their hands up if they used 15, then 20.

He stopped above 20 because most of the hands had started to go down, but he used the opportunity to talk about how difficult it is to maintain that many unique, adequately lengthy and complex passwords.

Most of the panelists agreed that passwords pose a really problematic security challenge that must be addressed but, unfortunately, will continue to be with us for many more years.

What shocked me about the interchange was seeing most of the hands dropping after 20 accounts. I expected the speaker to have to jump to 50 or 75 before he started to lose us. What! Aren’t these people using the Internet? Either people are embarrassed to admit the truth, or most people have NO IDEA how many user accounts they are maintaining.

The number of accounts I have is very apparent to me. I’ve used a password manager for many years, Password Safe – a free, open source software originally created by Bruce Schneier. I suspect it’s fairly crude compared to newer ones.

Using Password Safe, I get a pretty good idea of how many unique accounts/user IDs/passwords I have; they’re presented in a folder/list format – and in my case it’s way over 50. I refuse to count… and it doesn’t matter… they’re easy to manage.

How many accounts do you have? If you’re not using a password manager, how do you track them?

I can go to one place and find all of those annoying accounts that I only have to log into once or twice a year – the URL and my user ID are both there; the program generates appropriately complex passwords, and best of all, I don’t ever have to type the password. That’s pretty important if they are all long and have lots of odd characters, and also useful if you are worried about keyloggers.

Yes, passwords are inherently flawed and provide inadequate protection. And yet, most of the risks are introduced by using passwords that are too simple and by reusing passwords across multiple accounts. If you don’t use a password manager, START NOW.
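As an added example (not code from the post or from Password Safe), here is a small Python audit that makes the two points above concrete over a constructed vault: it flags passwords reused across entries and passwords too short or simple for the character set they use, and generates replacements with the OS CSPRNG.

```python
import math
import secrets
import string
from collections import Counter

# Constructed sample vault in a flat (title, username, password) shape.
# All values are hypothetical, not real account data.
SAMPLE_VAULT = [
    ("bank", "alice", "Summer2015!"),
    ("email", "alice@example.com", "Summer2015!"),   # reused from "bank"
    ("forum", "alice99", "password"),
    ("vpn", "alice", "qA7#vL2$mK9@pR4&xT1^"),        # generated, unique
]

def entropy_bits(password: str) -> float:
    """Upper-bound brute-force resistance as log2(charset ** length).

    The charset size is inferred from the character classes present, so a
    dictionary word with a year and '!' still scores lower than a generated
    string of the same length, but this overstates true strength for
    pattern-based passwords; treat it as a ceiling, not a guarantee."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(c in string.punctuation for c in password): size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0

def audit_vault(vault, min_bits: float = 80.0) -> dict:
    """Return the entry titles that exhibit the two risks the post names:
    a password shared with another entry, and a password below min_bits."""
    uses = Counter(pw for _, _, pw in vault)
    reused = sorted(title for title, _, pw in vault if uses[pw] > 1)
    weak = sorted(title for title, _, pw in vault if entropy_bits(pw) < min_bits)
    return {"reused": reused, "weak": weak}

def generate_password(length: int = 20) -> str:
    """Generate a replacement with secrets (OS CSPRNG), never random.random()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    print("reused:", report["reused"], "weak:", report["weak"])
    for title in set(report["reused"]) | set(report["weak"]):
        print(f"rotate {title}: {generate_password()}")
```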

There are a whole host of password managers, inexpensive or free, many of them quite elegant and more transparent to the user than mine. The other week, PCMag reviewed 10 password managers, all between $12 and $40, and another 8 that are free.

By the way, Bob’s second post on this topic “On Password Managers, Perspective and Patience” considers some reasons our non-technical friends may resist using a password manager. He raises good points.

Another reason is that we typically advocate password managers because of their security benefits – as I just did. But at this point, I would never do without one because of the convenience. Let’s make sure to talk about that too!

I’d love to hear from others about what products they like and what they don’t. I should probably think about trading up for greater convenience. But for now, I know I’m getting the best security I can for the security technology that we all love to hate.

Please share your thoughts in the comments section below.

Also, for the lighter side of the password conversation, take a look at this video asking people about passwords:

Title image courtesy of ShutterStock

  • visomvet

    I use Lastpass. I have something like 200+ logins, so having a password manager is unavoidable. I always generate different passwords for each site. I have tried a few other pw managers, but I find Lastpass to be the best. And it costs next to nothing. I wonder if that will change now that they’ve been bought up by Logmein. I hope not.

  • SgtHalf-Mast

    As it has been alluded to, there is a trade-off between security and convenience. I tend to stay more on the side of security. While I have not counted the number of logins I have, I suspect it is well over 50. Some are trusted sites; others are public sites with a lower level of trust but are necessary for other conveniences, like online account access, etc.
    Perhaps I’m a freak in this regard, but I routinely have 17 to 48 character passwords. However, when I first sign up for a service, I always use the same 9 character password and then I perform a password reset, when available. I want to see if the service is going to e-mail me my password or not. I want to know what verification steps are needed and whether I get a link to reset my password or just get logged in (where I can then reset my password – or not). I’ve seen services that will go through some simple verification steps (they almost all seem to be the same list of standard questions) and then send a link to the e-mail address on file (plain-text) where I can click and be logged into my account. If it’s me, I probably change my password. If it’s not me, changing the password might tip my hand to the actual account owner that someone else has been there.
    I’m concerned and suspicious whenever I can’t seem to remember a password to a service for this very reason. Before I select a stronger password, or even continue using a service, I want to know (to the best of my ability) how well they are protecting my account. For example, on sites that allow you to enroll in auto-pay or save credit card or bank account information, I expect a higher level of protection. However, I don’t need the convenience of my credit card number being stored or my bank routing number and account number being “on-file”; I have all of that data either memorized or accessible through another service ;-)
    The idea of storing all my critical account information into a single storage location (other than my brain) seems oddly less secure to me, especially when the tool used is free. Who has vetted this tool? How do we know there are no back-doors into the tool? That it’s not e-mailing off the data in it to the author? That it’s still being maintained and is not based on Java 1.6 with all of its built-in vulnerabilities? etc.
    I think that forcing yourself to change your passwords too frequently, just because of security and not because of any signs of a breach, is also less secure. The more times the password is typed or flows across the network, the less secure it is. Some of these cannot reasonably be prevented if we are to be subscribed to the services. Having a long password, while painful to remember by some, is much better than having shorter passwords that are changed more frequently.
    I also find that I end up using different devices periodically throughout the day to access various services and sites. Sometimes it’s my personal computer, sometimes a tablet, other times my cell phone or a work computer. The idea of having a credential safe on all of those devices not only severely restricts the options (assuming I would want to use the same tool everywhere) but also increases the attack surface too much for me.
    When possible I prefer to use two-factor authentication, even when it’s provided by Google or some other free service, because it’s no worse than my long password but can provide another level of protection from brute-force attacks and even from attackers who have some knowledge of me or my password from other services and sites.
    One of the age-old foundations of authentication breaks it down into the standard three categories:
    1. Something you know
    2. Something you have
    3. Something you are
    Taking the passwords (from category 1) and putting them into a credential safe (which is closer to, but is not, category 2) is not two-factor – it’s just reducing the two factors into one. The credential you use to access all the accounts is now the weak link for all the services. In my experience, it is also the password most likely to be the weakest as it tends to lack any special controls or aging criteria.
    We will likely always have some need for authentication based on something we know. The speed of technology may have pressed us into using category 1 for things that really should be category 3 but until we can secure biometrics data, I don’t see category 3 gaining large scale adoption in any real security areas.