World Password Day 2014

It’s back! Today is World Password Day. The day where websites and organizations world wide urge people to change their passwords. I was asked to cover world password day by one of the organizers about a month ago and while I was happy to do so, I did express some concerns. One of my concerns was the recently discovered heartbleed bug. Urging people to change their passwords everywhere may not be a great idea since a lot of websites are still vulnerable to this bug. I asked if they would take this into account and today I’m happy to see they did. Their website, https://passwordday.org, shows a big heartbleed warning along with other useful tips.

The only thing I don’t like on their site is the password tester. While this particular password tester may be safe to use, I do not recommend using any online password testers in general. Getting people in the habit of using these online testers can and probably will backfire one day as there are a lot of malicious ones out there. I mentioned it last year when I covered world password day:

Password strength checkers.
They pop up all over the place, specially on days like this. Some reputable companies will host one on their website and of course there are a lot of fake ones appearing that are controlled by folks with malicious intent. No matter where you find a password strength checker/tester, do NOT use it!! Yes the company hosting it may be reputable but come on, every major corporation has been hacked or compromised in the past so there is no reason to think a password checker hosted by Intel or McAfee is safe. (Intel didn’t even bother securing their password check site with https so everything typed there is sent in plain text!!) On days like these, if i was a hacker, i’d go after these reputable sites with everything i got and try to compromise their password checker so it sends all the information to me. If that fails i’ll build my own and send people to it using social engineering / advertising. “The strongest password wins a new MacBook Air!”. As folks want to either test their current password and/or prove their password is uncrackable, these online password checkers generate enormous amounts of traffic. Though the legit ones warn not to use your actual password, most do (what’s the point of checking a fake password that you don’t use?), and most will pick the wrong website to do it on. Don’t use online password checkers!

Instead, use the tools that are built in to OS X:

If you want a safe, secure method of checking your password strength, use the tools built into your Mac OS. Go to Applications > Utilities and open Keychain Access. Once open, go to the File menu and select “New Password Item”, this will cause a small window to appear in which you can type any password and check it’s strength. Ignore the ‘Keychain Item Name’ and ‘Account Name’ fields as you won’t actually be adding anything to your keychain but do use the ‘Password’ box. Type in a password and it will tell you in real-time if your password is any good. You want the strength to be “Excellent” at least and the bar to be 70% green.

If you use 1Password you can also use their Password Generator. This can be accessed straight from the menu bar, browser extensions or the application itself.

In closing, I’ll just mention what I said last year (slightly modified):

While days like these are a good idea, it often ends up to be a fail for the user and a win for the hackers. If you changed your passwords today please do the following:
– Make sure the site/service is not vulnerable to the heartbleed bug.
– If you used any online password strength checkers, permanently discontinue any password(s) you have entered in them. If the checker was compromised it means your password is now in the hands of a stranger.
– Do not re-use old passwords.
– Do not cycle passwords between services.
– Have a look here.