Thursday, October 6, 2016

How do you choose your passwords and keep them secure?

By Steve Endow

I've had a mini discussion on Twitter recently about passwords.  There was some joking about the stereotype of the password written on a Post-It Note stuck on a monitor, and about how common passwords tend to be re-used.

I noted that I preferred P-Touch labels for my monitor passwords, as they worked better than Post-It Notes.

I occasionally have calls with Dynamics partners who store all client information in a central system, such as MS CRM Online.  In addition to the standard customer information, they store VPN connection information, Windows logins, and SQL Server sa passwords in plain text in the CRM customer records.  Logistically this makes sense, as it allows all of the consultants to quickly access login info and assist customers.  But it poses a potential security risk, as a single compromised CRM login could expose all customer connection information, and full access to customer Dynamics GP SQL Servers and databases.

I'm not a computer security expert, but I try and stay informed about current computer security best practices and I try and use the best practices myself when possible.

Many years ago, when I was a young lad and "wireless networking" was a newfangled cutting edge technology, I used to re-use similar passwords across computer systems and web sites.  So I might have used a password of ninjaturtl3s for my email, and NinjaTurtl3s for my online banking web site.  Probably better than average back in those days.

Then I started doing consulting and got tired of trying to remember so many different passwords.  Lots of passwords went into Excel, which made management easier, and made it easier to use completely different passwords.  But it was obviously not secure in the least, and because the Excel file was a centralized pile of passwords, it was not ideal.

Eventually it became clear that Excel was a security risk, and I evaluated a handful of password managers.  This was many years ago, and back then there were only a handful of good options, so I ended up choosing RoboForm as my password manager.

I now have over 1,100 encrypted credentials and notes stored in RoboForm, from email logins, banking passwords, client information, car insurance, health insurance, Microsoft partner account info, airline miles account numbers, and even my library cards.  Absolutely everything goes into RoboForm, even if it doesn't necessarily need to be encrypted.  It's like my personal database, available on any of my computers, my iPhone, and iPad.

So that's good that I started using a password manager to store my logins more securely, but what about my actual passwords?  I still had many simple passwords that I used across sites, like chocolate1, chocolate2.., chocolate3..., etc.  I thought I was clever by adding those periods at the end, you see.

So then I started learning about password strength.  RoboForm has a built in random password generator, so I tried that briefly.

If you have ever used one of these random generators, you know that they are a nightmare. While the password is theoretically more secure than password123, the passwords are absolutely impossible to manually type.  There are situations where you can't copy and paste a password, and after trying to manually type such a random password, you will quickly give up on them.  Which is exactly what I did.

But then I came across two popular references to passwords.  The first is the famous XKCD cartoon.

The random character passwords are nearly impossible for a human to remember, but to a computer, it's just a short password that can be brute forced.  The cartoon makes the case that a password comprised of multiple real words is much longer, much easier to remember, and much harder for a computer to brute force.

Then Steve Gibson of GRC published his 'password haystack' article, discussing a similar concept he called "search space".

If brute force password attacks are the concern, he makes a reasonable argument that "D0g....................." is more secure than "PrXyc.N(n4k77#L!eVdAfp9".  (I suspect there are potential cryptographic attacks where this argument may not be valid, but for us mortals, I think it's good enough.)

So based on these items, I started using "passphrases" rather than "passwords".  Passphrases were something I could reasonably recognize and type without too much effort, even if they were long.  I then tried to create similar "word based" passphrases.  PizzaForLunchToday8.  TaylorSwiftRocks!.  RainbowDashIsBlue*.  That worked for a while, but got annoying trying to think of new random passphrases.

Being a software developer of sorts, I realized I could just create a passphrase generator.  I pulled together a list of 105,000 English words and created a .NET app that would assemble random words, numbers, and symbols.

With a single button click, it generates a new pseudo-random passphrase based on my preferences and automatically copies it to the clipboard.  (It's quite surprising how many weird words are in the English language that I've never heard of.)

I now use this passphrase generator for all of my new passwords, and those passwords are then stored in RoboForm.  I now don't know most of my passwords, but RoboForm can fill them in for me 99% of the time, and in the rare case where I need to type one in manually, it's easy for me to type "Strutted1Layaways4#".
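As an added example (not the author's .NET app), here is a small Python generator with the same recipe (capitalised word, digit, word, digit, symbol), together with the two strength estimates the post contrasts: Gibson's "search space" for an attacker who knows nothing about how the password was built, and the entropy that remains when the attacker knows the generator's recipe. The word list and symbol set are constructed stand-ins for the author's 105,000-word list.

```python
import math
import secrets
import string

# Constructed sample word list standing in for the author's 105,000-word list.
WORDS = ["strutted", "layaways", "rainbow", "dash", "pizza", "lunch",
         "today", "chocolate", "haystack", "ninja", "turtle", "library"]
SYMBOLS = "!#$%*"  # constructed symbol set


def generate_passphrase(words=WORDS, word_count=2, symbols=SYMBOLS):
    """Capitalised word followed by a digit, repeated, then one symbol:
    the shape of the post's example 'Strutted1Layaways4#'.
    secrets.choice draws from the OS CSPRNG, not the random module."""
    parts = [secrets.choice(words).capitalize() + secrets.choice(string.digits)
             for _ in range(word_count)]
    return "".join(parts) + secrets.choice(symbols)


def scheme_entropy_bits(word_list_size, word_count=2, symbol_count=len(SYMBOLS)):
    """Entropy when the attacker knows the recipe: each word is one draw from
    the list, each digit one of 10, the trailing symbol one of symbol_count.
    This is the number that matters against a guesser who has read the post."""
    per_word = math.log2(word_list_size) + math.log2(10)
    return word_count * per_word + math.log2(symbol_count)


def search_space_bits(password):
    """Gibson-style 'haystack' estimate: the alphabet is the sum of the
    character classes present (26 lower, 26 upper, 10 digits, 33 symbols),
    and the attacker must try every length up to len(password).
    Length dominates, which is why 'D0g.....' scores above a shorter
    random string even though its pattern is trivial."""
    alphabet = 0
    if any(c.islower() for c in password): alphabet += 26
    if any(c.isupper() for c in password): alphabet += 26
    if any(c.isdigit() for c in password): alphabet += 10
    if any(not c.isalnum() for c in password): alphabet += 33
    total = sum(alphabet ** n for n in range(1, len(password) + 1))
    return math.log2(total)


if __name__ == "__main__":
    p = generate_passphrase()
    print(p, f"{search_space_bits(p):.1f} bits as a haystack")
    print(f"{scheme_entropy_bits(105_000):.1f} bits if the recipe is known")
    for pw in ("D0g.....................", "PrXyc.N(n4k77#L!eVdAfp9"):
        print(pw, f"{search_space_bits(pw):.1f} bits")
```

The gap between the two estimates for the same passphrase is the caveat the post hints at: the haystack number assumes an attacker who does not know the scheme, while the recipe-aware number is what a word-list-aware cracker actually faces.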

So now I have finally, for now at least, solved the problem of storing my passwords securely and creating new reasonably secure passwords.  Great, problem solved!

Well, there is a bigger challenge, which I alluded to earlier.

What if you are an organization that needs to have a shared password database, like a consulting firm with 10 consultants who all need access to client login info?  That is a little trickier.

One obvious answer is to use a multi-user password manager designed for teams and organizations. I've never used one, but I've seen several partners use them, and they appear to work well.  I would guess that a well designed corporate password manager is an improvement over storing passwords in plain text in CRM Online, and probably has features that allow for improved security, such as master password resets, logging, alerts, etc.

But in practice, in these days of malware and phishing, I don't think even a password manager is a panacea.  If an attacker is able to compromise an MS CRM Online account, or compromise an employee's laptop, one could argue that the master password for a corporate password manager is no more secure than the CRM Online password.  So is the additional cost and maintenance of a corporate password manager actually worth the benefit over just storing things in CRM?  I don't know, but I would hope so.

And that's where the discussion becomes much broader, involving several other layers of security, endpoint protection, etc.  And that's a full time job.

So those are just some thoughts on where I'm currently at with regard to passwords, passphrases, and password managers.  If you have experience with corporate password managers, leave a comment and let me know what you use and what you think of it, and whether you think it's better than storing info in CRM.

Beat BUCHER said...

Hey Steve,
Interesting thoughts... I recognized the cartoon that I've seen in the past :-), and yes eventually I got tired of trying to come up with new passwords.. One technique I used for a time was a mnemonic trick to combine something from the site and a number associated with it.. About 6-7 years back I started using LastPass and never looked back :-).
Our IT dept uses a pwd store, but I don't know how safe / secure it is.