Password Management in 2013

By Tips and Tools

type keyboard
Have things changed in the realm of password management in 2013? The recent Evernote hack may have done so.
This week, for the first time ever, Evernote had to announce that they were hacked. Evernote is one of the few online services that has thrived without giving away user information, with the privacy itself being the service.  Evernote is a freemium service, thriving thanks to the power users who have found the service infinitely useful.
Now, the recent Evernote hack is not particularly noteworthy in itself. Every website is going to get hacked one way or the other.  Many times, the hackers only want to test around a given website’s security measures and there is no actual ill intent involved. Kudos should also go to the Evernote team for identifying the security breach on their own, without even knowing who was responsible, as well as for acting to immediately to shut the breach down.
You can also rest assured that Evernote has been able to keep your data itself safe from prying eyes. Evernote makes use of SSL encryption to keep the data in its servers from being hacked into. SSL encryption worked in this instance, although there are no guarantees in the future.  Existing Evernote desktop users should also be aware that you can backup data both locally and in the cloud, and choose to keep some data locally, adding another password layer yourself.
However, hackers were able to collect Evernote users’ passwords. Evernote was protecting user passwords with a  process called salted hashing. This process encrypts the data even further, breaking up individual passwords into chunks, so that it would be harder to get that data. Unfortunately, this was a situation where Evernote’s precaution failed. Given the age of the internet, password as a security solution seems less useful now than it did years ago.
Google’s current workaround uses two factor authentication, which many IT experts point to as a highly protective security measure. To be brief, two factor authentication requires using not just one, but two authentication factors to verify a user’s identity.  Those of you who remember the ordeal of Wired editor Matt Honan will also remember that he failed to make use of this safeguard, which could have protected him. Google remembers Honan’s problems quite well, and is now proposing hardware based authenticators, such as smartchip enabled USB drives, keyrings, or potentially NFC devices.
In the meantime, many still argue that passwords are not going away soon. If a replacement for passwords is emerging, whether from Google’s proposals or through some other system, it will take a while before it gets widely adopted.
For the online worker, passwords may be something that’s easily taken for granted, but it shouldn’t be. Your livelihood, your payment channels, all of these are vulnerable to attack at any time by malicious hacks. This is not to say that any one hacker should single you out, 98 per cent of us should never have to worry about that. However, most online workers use the same systems and services, and when those get attacked, you are adversely affected.
Many tech blogs currently recommend you use Lastpass to secure your passwords, and it’s certainly come a long way from when it launched for Firefox and Internet Explorer. Lastpass now supports a broad range of browsers, and can also be installed as a separate desktop program. Lastpass is not the final word in security, but it will make your passwords more secure.
Basically, Lastpass is a browser add on that takes your passwords, encrypts them, and saves them to Lastpass’ servers. This approach keeps your passwords from being accessible in your device, and Lastpass does the work for you so you won’t have to worry about it. Lastpass also has advanced tools that will allow you to check how strong your passwords are, and you’ll want to use that feature to keep your data safe.
If you think your security needs go to the other end of the spectrum, Keepass is what you want. Keepass is an open source desktop program that stores your passwords locally. It can also generate safe passwords for you and keeps a good record for everything. Many Keepass users make backups of their password records, and upload them online. Although some people would argue that this much work is unnecessary, it’s not stuck to one browser and could serve higher security needs.
Both Keepass and Lastpass use encryption at its core, so in that sense, they are equally secure. Done the right way, encryption can keep your data absolutely safe. However, if you wanted to add to that security yourself, you can always add a human element. This may sound contradictory, since many hacks are often traced to human instead of computer errors, but there are some things you can do better than encryption programs can.
For one, you can change your passwords randomly.  Switching between autogenerated passwords and passwords you make yourself could add to the randomness, as well as switch up how often you make changes. Take one of the autogenerated passwords and add letters or numbers in between, or remove letters or numbers. Increasing randomness makes things harder to predict, and your passwords harder to crack.
Another thing you can do is to prioritize passwords for certain accounts. This should be common sense, really; some services need to be more secure than others, and in many cases access may be more important than security. If you put more focus on securing accounts you need security on, it’ll make those accounts that much safer.
One final note; the old security questions used on email accounts, asking the name of your high school teacher, or your favorite color, are potential security risks. One way to mitigate that risk is to randomize your selected answers, writing b1u3 instead of blue. If you’re allowed to put your own question in, you can randomize that as well, even put in gibberish if you wanted to, and just make sure to keep a record of the password handy. Whatever you do, you can’t use these security questions as is.
What do you think about passwords in the year 2013? Should we be looking at replacements? What security measures and best practices do you use to keep your passwords safe?

Tagged under: