In the past few days, Twitter has announced that some users' passwords were stored in plain text rather than hashed.
If this had gone unnoticed, those passwords could have been exposed and user accounts compromised.
Whilst Twitter reported no breach or misuse, they still recommended that users change their passwords.
We are the problem
The problem is that many of us use the same password for many different services.
This means that a single breach of that password can expose tens, if not hundreds, of other accounts, creating a nightmare situation.
The obvious answer here is, of course, to use unique passwords for every service we use.
There is a law of diminishing returns here too: the more stringent the password rules we enforce, the harder we make it for users to manage their passwords, and the more likely they are to fall back on reuse.
Some users will write them down in a notebook, or store them in an Excel spreadsheet on their computer. Whilst this is better than having a single password, it is not secure: the data is not encrypted, and it lives on only one device (or one piece of paper) that can be lost or stolen.
Enter password management tools.
There are a number of password management utilities available that assist in managing passwords. I am going to focus on one commercial application called 1Password, as this is the application I use on a daily basis; other applications such as KeePass and LastPass perform similar functions.
These applications create a single encrypted "vault" which contains all of a user's passwords.
The user sets one secure, complex master password that they can remember, and that is the only password needed to open the vault.
The application then manages and generates a unique, random password for each website.
Once set up, a plug-in (extension) is available for each web browser.
The user unlocks the password manager once with the master password.
The plug-in then fills in the username and password from the vault when the user clicks the button within their web browser, so the user never has to type or even know the individual site passwords.
For non web-based applications, the user can copy the username and password from the vault and paste them into the login box.
The data file containing the passwords is encrypted locally on the user's workstation, using a key derived from the master password.
The vault can be synchronised between devices using cloud storage services such as iCloud and Dropbox; only the encrypted file is uploaded, so the storage provider cannot read the contents.
Whilst it is still possible that an attacker who obtains a copy of the 1Password vault could try to guess the master password offline, which is exactly why the master password must be long and unique, this is significantly more secure than using the same password for everything.
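To make the "encrypted vault" idea concrete, here is a small added example (not 1Password's, KeePass's or LastPass's real file format, cipher suite or code) that models the three points above: one master password stretched into a key with a slow KDF, a locally encrypted file of unique per-site passwords, and what an attacker who steals that file is left with. The iteration count, the vault layout, the HMAC-based counter-mode cipher used in place of a real AEAD such as AES-GCM, and the sample entries are all assumptions made for the illustration.

```python
"""Minimal password-vault model, added to illustrate this post.

Not a real password manager's format. It shows: one master password
stretched into a key (PBKDF2), a locally encrypted vault of generated
per-site passwords (encrypt-then-MAC), and the offline guessing attack
an attacker with the vault file can mount. Parameters are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import string

KDF_ITERATIONS = 200_000  # assumed work factor; real managers tune this higher
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_password(length: int = 20) -> str:
    """Unique per-site password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_key(master: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the one memorable master password into 64 bytes of key material."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256. This is a stand-in for
    a real AEAD cipher (e.g. AES-GCM) so the example needs only the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master: str, entries: dict) -> bytes:
    """Serialise entries and encrypt-then-MAC them under keys derived from
    `master`. Assumed layout: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]  # separate keys for cipher and MAC
    plaintext = json.dumps(entries).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master: str, blob: bytes) -> dict:
    """Verify the tag before touching the ciphertext. A wrong master
    password or a tampered file both raise ValueError."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


def offline_guess(blob: bytes, candidates):
    """What an attacker holding a stolen vault file does: try master
    passwords. Every guess costs a full KDF run, which is the point of the
    work factor; a weak master password still falls to a wordlist."""
    for guess in candidates:
        try:
            decrypt_vault(guess, blob)
            return guess
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    vault = {site: {"user": "alice", "password": generate_password()}
             for site in ("example.com", "mail.example.net", "bank.example.org")}
    blob = encrypt_vault(master, vault)
    assert decrypt_vault(master, blob) == vault
    print("recovered by tiny wordlist:", offline_guess(blob, ["password", "123456"]))
```

The `offline_guess` function is the attack scenario from the paragraph above: the attacker does not need to break the cipher, only to guess the master password, so the vault is exactly as strong as that one password plus the KDF cost per guess.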
Question: If you are still using the same password for everything, what needs to happen before you stop?