April 2014 – Password Security


Password Security
There’s never been such a good time to talk about password security as there is now, even more so after last month’s news of the major security flaw exposed in OpenSSL, known as Heartbleed.

Heartbleed, very briefly:
Heartbleed was a vulnerability in OpenSSL (the library that secures data on the net – you’ll see HTTPS or the little lock in the address bar) which meant that anyone who knew of it may have been able to grab bits of information from an affected server, including user names, passwords, credit card details and so on.

Software vendors, websites and services moved very quickly to patch this flaw and have implored their users to change their passwords for the affected services AND for any other service that may have used that same password.

The internet went crazy with advice and opinions, many of which, at the time, may have been incorrect. It didn’t affect the entire web. There’s no point changing a password until the website or service has been patched, and most likely you haven’t been targeted.

In any case, as a precaution, users of the affected services are definitely best to change their passwords in all affected places, as above. Now’s a good time to choose a good password.

Oh, by the way, affected services included, but weren’t limited to:
Facebook, IFTTT, Instagram, Pinterest, Tumblr, Google/Gmail, Yahoo, Amazon, Dropbox, Soundcloud, GoDaddy, Etsy, Minecraft.

What is a good password?
First, what is not a good password: password. That one is obvious. Also not good: your date of birth.

A good password typically features mixed-case characters, numbers and symbols, and is 8 characters or longer. It’s also unique to the service or website.

For example, this is a good password: k*zTYjhI$440
Not easy to remember though, right?

Most likely you’re familiar with websites tightening their password requirements over time; Apple is a good example here. Often these forced changes alone make us create something that is suitably secure, and potentially unique at that point.

Good password policy:
Many of us are prone to using one password across many websites and services – it’s simply easier that way. But is it secure? No.
If one of those services is compromised, as many have been due to the Heartbleed flaw, then the rest are too.

Therefore the suggestion here is to diversify. The more distinct passwords you have, the harder it is to be affected, or rather for an attacker to reuse one set of credentials.
An ideal scenario would be a suitably secure password unique to each website or service; however, it’s easy to imagine how this would quickly become unmanageable. Read on.
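As an added example (not from the original post), this Python script encodes the post’s own rules for a good password, generates one of the same shape as the example above, and flags a password reused across several services, which is the policy problem described in this section. The obvious-password list and the date-of-birth shape are constructed assumptions.

```python
import re
import secrets
import string

# Character classes the post calls for: mixed-case letters, numbers and symbols.
SYMBOLS = "!$%&*+-=?@^_~#"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed list of obvious choices; the post itself names only "password".
OBVIOUS = {"password", "letmein", "qwerty"}
# Assumed rough shape of a date of birth typed as digits (ddmmyyyy, yyyy-mm-dd, ...).
DOB_SHAPE = re.compile(r"^(\d{4}[/-]?\d{2}[/-]?\d{2}|\d{2}[/-]?\d{2}[/-]?\d{2,4})$")


def check_password(candidate: str, dob: str = "") -> list:
    """Return the policy rules the candidate fails; an empty list means it passes."""
    failures = []
    if len(candidate) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in candidate):
        failures.append("no symbol")
    if candidate.lower() in OBVIOUS:
        failures.append("obvious password")
    if DOB_SHAPE.match(candidate) or (dob and dob in candidate):
        failures.append("looks like a date of birth")
    return failures


def generate_password(length: int = 12) -> str:
    """Draw a random password from the OS CSPRNG and retry until it passes the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


def find_reused(credentials: dict) -> dict:
    """Map each password used for more than one service to the services sharing it."""
    by_password = {}
    for service, password in credentials.items():
        by_password.setdefault(password, []).append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}
```

Run `find_reused` over the service-to-password mapping exported from whatever you use today; every entry it returns is a password to change, starting with the affected services listed above.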

Password Manager
Something to consider here may be the use of a password manager. Indeed, this Heartbleed dilemma may well motivate you to get one more than ever – it has done so for some of our staff.

A password manager helps to keep track of all those complex passwords you should have or are about to change, and can even make the process of changing them easier. It serves as a password repository with very secure encryption and typically local-only decryption. This means only you, with your password, can access the data on your machine.

The one key thing, though: that machine, and your password, need to be secure. That’s to say you need passwords on your machine, in fact on all your devices (but you were doing that, right?), and the one password for 1Password, LastPass etc. must be a secure password that is, again, unique to this service. The sell here is that this is the last password (or one password) you need to remember. Get it?

There are a few options out there, but we’ve narrowed it down to three you may want to consider: 1Password, LastPass and iCloud Keychain.
We’ll try to keep it short here too, so if there are any more questions we’re happy to field them, but you may also want to check out the vendors’ websites.

1Password

1Password is a great and very popular example of a password manager done right. It has droves of features, all neatly presented in a tidy application for Mac OS X and even iOS. For the price of the application you get local password encryption and browser integration. Likewise, for the price of the iOS app you get syncing across devices, giving you access everywhere.

1Password uses a pay-per-app, per-version model which doesn’t require an annual subscription. Some may like the pay-once model, and only time will tell whether it works out dearer than those below, but 1Password is certainly the cream of the crop here in terms of password managers.

More: https://agilebits.com/onepassword/mac

LastPass

LastPass has most of 1Password’s features but is bundled differently: there’s no specific app, but there is the browser integration that makes the service so easy to use and responsive. It’s also free for its basic features, which for many will cover your needs, but if you’re after iOS compatibility then you’re after their premium service, which is $12 a year.

More info: https://lastpass.com

iCloud Keychain 

iCloud Keychain aims to provide the same kind of solution as 1Password and LastPass, including keeping multiple devices in sync. Keychain has been around for a decent while now (introduced in Mac OS 8.6) and is well known in the Mac world; however, iCloud Keychain was only announced last year and released as part of iOS 7 and Mavericks. In other words, it’s a free service for those who have compatible devices.

If you use, or switch to, a password manager then read this:

Cult of Mac ran an article on how you can use 1Password to simplify the password-changing process in the wake of the Heartbleed flaw. They go on to show how you can use iCloud Keychain to do the same thing.

Click here to read it:
http://www.cultofmac.com/274110/10-minute-password-update/

Finally, if you have any questions or concerns, get in touch. We’re using a combination of the above tools within this office and are more than happy to help with changing and rolling out new passwords, or with implementing a password manager.