Thursday, December 30, 2010

It's time to change the passwords!

If you've been looking at the news recently, you know that Gawker Media was recently hacked and a number of usernames and passwords were exposed. Gawker runs sites I love like io9, Lifehacker, Consumerist, and others, so I was very mindful of this.

Especially since I tend to break the cardinal rules of passwords.
  • Use a different password for every site
  • Use a password that contains letters, numbers, caps, lowercase and a special character
  • Use a different username for every site
While I don't publicize my usernames/passwords, one good hack in one place would leave me vulnerable everywhere else.

This raises the question, "How can I fix this?" Any solution I come up with needs to fit the following criteria:
  1. Access everywhere
  2. Very complex passwords that I don't have to remember
  3. Help remembering which username I used where
I did some research and came up with what I consider to be a rather nifty solution.

First, the password/username manager.

After doing some research on Lifehacker and watching Tekzilla I stumbled over Keepass.

Keepass is a wonderful username/password manager that is available on Windows, Linux, Mac, iPhone, Android, and more. It allows you to create special password generation rules, saves different usernames, AND even has an "autotype" feature. You can read a full list of its features here. There are even versions you can save and run off of a USB drive. The Android version provides a simple method to place the username and password into the various apps on the system. If an app doesn't support it, you can copy/paste.
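The "cardinal rule" listed above (letters, numbers, caps, lowercase and a special character) is exactly the kind of rule a password generator can enforce for you. The following is an added example, not part of the original post and not Keepass's own code; it uses Python's `secrets` module (the OS random source, not `random`) to draw a password that is guaranteed to contain every required class, plus a checker you can run against an existing password. The special-character set is an assumption chosen for the example; a real manager lets you configure it.

```python
import secrets
import string

# Character classes from the post's rule: lowercase, uppercase, digits and
# a special character. The special set is an assumption for this example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}

# SystemRandom draws from os.urandom, so shuffle() is safe to use here.
_rng = secrets.SystemRandom()


def meets_rules(password: str, required=tuple(CLASSES)) -> bool:
    """True if the password contains at least one character from every
    required class. Used to check an existing password and to validate
    the generator's own output."""
    return all(any(ch in CLASSES[name] for ch in password) for name in required)


def generate_password(length: int = 20, required=tuple(CLASSES)) -> str:
    """Return a random password of `length` characters that satisfies
    meets_rules(). One character is drawn from each required class first,
    the remainder from the union of the classes, and the result is shuffled
    so the position of each class is not predictable."""
    if length < len(required):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[name] for name in required)
    # secrets.choice uses the OS CSPRNG; random.choice is not suitable for secrets.
    chars = [secrets.choice(CLASSES[name]) for name in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(required))]
    _rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, meets_rules(pw))
```

Every password this produces is different and never needs to be remembered, which is the whole point of letting the manager generate it: the database remembers it for you.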

After using Keepass for a while you find you have an encrypted database FILLED with usernames and passwords. Now what? You need to keep the version on your PC, the version on your phone (I use the Android version too), and the versions on other platforms in sync.

If you have an Android phone, it's trivial to copy the database file from the computer you are on to the corresponding directory on the phone.

What if you don't have a smartphone or you don't want to copy files the hard way?

Look to tools like "Dropbox". You can place the password database on a service like this and it will ALWAYS be in sync between different systems. Alternatively, you can save the DB in Google Docs. Just be sure the database has a hardcore master password, since anyone who gets hold of the file can try to open it! These solutions also let you sync the DB to your phone.

I always have an up-to-date version of the password DB wherever I need it.

I hope this helps everyone keep their online identities safer and more hacker resistant...

2 comments:

mousestalker said...

What gets lost in these sorts of discussions is the level of security needed.

I post on various forums and bulletin boards. I also blog. I use facebook, which I keep unconnected from everything else.

Then there are the online financial and personal data transaction sites.

For the first group, I'm pretty complacent. For the second group I use good security practices. There is never any crossover between the two groups.

Knowing that I used 'South' over on the City of Heroes bulletin boards doesn't even get you access to my old characters. You can hack my bulletin board account, but that's the damage you can do. There are other user names that I've used across platforms. Some even share passwords. But knowing them only grants the hacker the power of spam.

I know it's not best practise, but it is a lot easier for me to stay on top of stuff.

kahn265 said...

"What gets lost in these sorts of discussions is the level of security needed."

You are very correct. I wasn't attempting to evaluate different levels of security needed, as that is up to the specific individual.

I was more concerned with the fact that if I ever need to change my favorite password (which is fairly secure), I'd be stuck. Furthermore, I use it everywhere.

This post was more to handle the "What's an easy way to do this?"