It’s time to talk about passwords again

06. November 2013, Security

As you may have heard, Adobe was kind enough to give attackers access to over 2.9 million user names, passwords and other details. No wait, it’s more: 38 million. No wait, turns out the actual number is over 130 million. Since then a few things have happened: the entire list of stolen records has been published online and naturally a few folks have started decrypting the password hashes. The results are saddening. Here are the top 10 most used passwords and how many accounts used them:

1. 123456 – 1,911,938
2. 123456789 – 446,162
3. password – 345,834
4. adobe123 – 211,659
5. 12345678 – 201,580
6. qwerty – 130,832
7. 1234567 – 124,253
8. 111111 – 113,884
9. photoshop – 83,411
10. 123123 – 82,694

The list goes on but the passwords don’t get any better. I, for one, was not surprised to see this list. There are millions of people out there that use these passwords, I see it in my work environment too. Some people will never learn no matter how often you try to make them see the light. To make things worse, those people use the same passwords for many or all of their accounts/services. And while I am all for those folks getting hacked to hopefully teach them the hard way, it’s most likely not them that will suffer from a breach. Instead, their beyond-weak passwords will allow someone access to a system or service that affects many, many other users, even those that do use strong passwords.

Anyway, I’ve said all this before. You can read about it in the following articles:
Password Strategies – Part One
Password Strategies – Part Two
Change Your Password day, oh no…

Instead I want to spend some time talking about a way to manage your passwords. With even average computer systems being able to break long and complex passwords, and the software that helps with this becoming better and better, passwords need to become more and more complex. A few years ago an 8-character password with a special symbol in it was enough; now it’s nowhere near enough. 24 or more characters, with capitals, numbers and symbols, are all needed to stand a decent chance against effective password crackers. Of course whoever stores your password (companies and services) needs to do their part by adding proper salts and using proper encryption algorithms, but the first step is you, the creator of the password. Longer passwords, even those that are somewhat easy to remember like the famous “correcthorsebatterystaple”, will become hard to remember once you have a few hundred of them (because you use DIFFERENT passwords for all your accounts, right?!), so it’s time for a password manager.

A password manager I have been keeping an eye on for a long time is 1Password. I’ve tried it a few times in the past but found its browser integration was buggy and caused more frustration than anything else. So I’ve had it in use as a storage vault more than as an easy way for me to log in to websites etc. However their latest version, 4, works really well. In all the time I have been reading about and testing 1Password I have not read anything that puts the integrity of the company or product in doubt. Now I’m actively using it to save my passwords, sync between my Mac and iPhone and on some occasions generate passwords for me.

1Password also makes you aware of weak passwords and duplicate passwords. Pre-set lists can show you passwords that are a certain age so if you prefer to change your passwords every few months, 1Password can help you by showing the ones that meet the criteria. You can save credit cards, software licenses, Identities and more. For a full feature set check out the link at the bottom of the page.
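As an added example (not the post’s or 1Password’s own code), here is a small audit over a constructed vault that performs the kinds of checks described above: membership in the breach top-10 list from this post, the length and character-class thresholds the post mentions, reuse of one password across accounts, and password age. The vault entries, the thresholds and the `audit` function are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample vault (not real credentials): one entry per account.
VAULT = [
    {"site": "mail.example",  "password": "123456",                       "changed": date(2013, 1, 10)},
    {"site": "shop.example",  "password": "correcthorsebatterystaple",    "changed": date(2013, 6, 1)},
    {"site": "forum.example", "password": "correcthorsebatterystaple",    "changed": date(2012, 11, 5)},
    {"site": "bank.example",  "password": "Tq7$mN2!vR9#pL4&wX8*zC1^bF5%", "changed": date(2013, 10, 20)},
]
TODAY = date(2013, 11, 6)  # date of the post, used as the reference point for age

# The ten most used passwords from the breach, as listed in the post.
BREACH_TOP10 = {"123456", "123456789", "password", "adobe123", "12345678",
                "qwerty", "1234567", "111111", "photoshop", "123123"}

# Character classes counted for the "capitals, numbers, symbols" check.
CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())

def audit(vault, today, min_length=24, min_classes=3, max_age_days=90):
    """Return {site: [findings]} for every entry that fails at least one check,
    mirroring what a password manager's audit view reports (weak, reused, stale)."""
    by_password = defaultdict(list)          # password -> sites that use it
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])

    findings = defaultdict(list)
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        if pw.lower() in BREACH_TOP10:
            findings[site].append("in breach top-10 list")
        if len(pw) < min_length:
            findings[site].append(f"shorter than {min_length} characters")
        if sum(any(is_class(c) for c in pw) for is_class in CLASSES) < min_classes:
            findings[site].append(f"fewer than {min_classes} character classes")
        others = [s for s in by_password[pw] if s != site]
        if others:
            findings[site].append("reused on " + ", ".join(others))
        if (today - entry["changed"]).days > max_age_days:
            findings[site].append(f"older than {max_age_days} days")
    return dict(findings)

if __name__ == "__main__":
    for site, problems in audit(VAULT, TODAY).items():
        print(f"{site}: {'; '.join(problems)}")
```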

1Password generator

To sync between your Mac and iPhone you can use iCloud or Dropbox but if you do not want your encrypted password vault to sync over a 3rd party service you can use Wi-Fi sync as well. This requires a little bit of interaction from you but your vault will never leave your trusted network.

1Password Wi-Fi sync.

You can read more about 1Password here. Get it from the Mac App Store or their downloads page, it’s available for Mac, Windows, iOS and Android. If the only reason you use ridiculously weak passwords is “else I can’t remember” then that excuse is now invalid. If you were/are an Adobe user you can see if your account was one of those compromised (it probably was) here. Also, if you frequent MacRumors and/or have an account there you may want to read this.
