Keep Your Passwords Secure

Repeat after me: “I resolve to keep my passwords secure.” “I resolve to keep my passwords secure.” “I resolve to keep my passwords secure.” And so on.

There is no doubt we conduct our lives online more and more, including shopping, banking, social media, email, chat and games. At last count, I have over 100 apps installed on my smartphone and I am not alone. All this online activity inherently presents greater risk; thus, we need to take an active role to keep our personal information secure and private.

Take a moment and reflect on how you manage your passwords today. Do you use the same password on more than one account? Do you write your passwords down on scraps of paper and then lose them? Are your passwords easy to remember, like your children's names or the family pet? Did you know that the two most common passwords in 2015 were “123456” and “password”? Can you guess which ones the hackers will try first? It is estimated that 10% of all cloud service accounts (Dropbox, Google Drive, OneDrive, etc.) use one of the top 20 most common passwords, making them instantly vulnerable. An estimated 30% of users store personally identifiable information, such as birthdates, social security numbers and bank account numbers, in files within their cloud service accounts.

Password Protection

One of the most effective first steps to help protect ourselves online is to develop secure password habits. We know we should use a different password on each web site or app and change them regularly for highly sensitive accounts such as online banking. We know that passwords should be strong and difficult to guess. A strong password can resist a brute-force attack, in which high-powered computers try every possible password for a period of time before the attacker gives up and moves on to the next target.

A strong password is a combination of uppercase and lowercase letters, numbers, and symbols. Creating a different one for each account and changing them regularly, while good advice, is simply not practical without some assistance. That is where password manager programs can help. Many are available for free or at low cost. The end of this post contains links to product reviews that will help you find a password manager that works well for you. Disclaimer: I have no affiliation with any password manager company and do not benefit financially from any selection you may make.

Password Manager

A password manager serves as a database of all your passwords and helps you create strong, hard-to-crack passwords. You only need to remember one strong password to open the database; the rest can be copied and pasted from the database when you need them. The database is typically protected with very strong AES-256 encryption, and the application needs to be available on all your devices so you can use it for every account on every device.

SafeInCloud

Figure 1 shows the main screen of SafeInCloud which is available on iOS, Android, Windows, and Macintosh.

Figure 1. SafeInCloud Main Screen

Listed below are the features of SafeInCloud (http://safe-in-cloud.com) and how it can easily and conveniently help you use strong passwords for all your online accounts. I am not promoting this product as the best one available, it is simply the one I use and am most familiar with.

To use a password that I have stored, I type a few letters of the name into the Search box, for example “rock”, and it instantly filters to the card(s) matching “rock”. The login name as well as the password are hidden; the password is estimated to be strong enough to take centuries to brute-force crack. If I need to see the password, I just click the eye icon to the right, but I rarely do that. To copy the password to the clipboard, I click on the “…….” under Password, then paste it into my login screen. One interesting aspect of having a password manager is that I have complex passwords that I have never seen since I created them; thus, I could not reveal the password even if I wanted to.

The password manager helps me ensure I have excellent passwords. You can see in Figure 1 that I have 235 password cards total. Six have been automatically flagged by SafeInCloud as having weak passwords and two use the same password (oops!). I have favorited twelve cards for easy retrieval, and noted three as credit cards with annual fees that I may want to cancel at the end of their free-trial period. The website glyph is automatically included on the card to make it easier to find visually. I can click the web icon to the right of the Website field to go directly to the website, or click the link to copy the website address to the clipboard. Not shown in Figure 1 is the capability to add general notes, attach images, or attach files to the card as needed.

Adding a New Card

Adding a new card is flexible and easy. After clicking the Add card button on the main screen and choosing the Web Account template, I see the card on the left of Figure 2. If I click “Add another field”, the middle dialog box allows me to add and rearrange fields as I choose, saving any information I have entered. The add field dialog on the right allows adding many types of fields; one of my favorites is “Secret”, which hides the text even though it is not a password. You can see I used the “Secret” field type for the Login field of the “.Net Rocks” card in Figure 1. I do this to keep it hidden as well, in case someone can see my screen.

Figure 2. Adding a New Card Screen

Generating a Strong Password

My secure password management workflow is simple. I have the same password manager software running on every device I use. The password database automatically synchronizes whenever I open it. Whenever I create a new login, I always add a new card in my password manager and generate a strong password. No exceptions. If a website provides a starter password or emails me a password, I immediately log in and replace it with a strong password generated by the password manager. When logging in, I copy the password into the application without ever looking at it.

By now I am sure you have one burning question: “If this database has ALL my passwords, how do I keep the password database from getting hacked?”

First, use a strong password to open your password manager database. Make it as long and as complex as you can bear. The length of the password is critical; I recommend making it at least 16 characters long. Use the password generator to keep generating strong passwords until you see one that you can remember and that is rated as taking centuries to crack, as shown in Figure 3. You will not be able to open your password manager without it, so write it down and physically store it somewhere secure. DO NOT save it to any computer, online account or electronic media that a hacker could eventually access. Physical security is best in this case.
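As an added illustration (not code from this post or from SafeInCloud) of what a password manager's strength rating and generator do behind the scenes, the Python below estimates brute-force time from the character classes present and the length, treats the common passwords named above as cracked instantly, and generates a 16-character password from all four classes using the operating system's random source. The guess rate and the short common-password list are constructed assumptions, not figures from the post.

```python
import secrets
import string

# Constructed sample list: the two passwords the post names plus a few other
# widely published ones. A real checker would use a full breach list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

# Assumed attacker speed (not from the post): 1e10 guesses per second,
# roughly a GPU rig attacking a fast hash.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
FULL_CHARSET = 26 + 26 + 10 + len(string.punctuation)  # 94 printable ASCII


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def years_to_crack(password: str) -> float:
    """Expected years for an exhaustive search; common passwords are tried
    first by any attacker, so they count as cracked instantly."""
    if password in COMMON_PASSWORDS:
        return 0.0
    combos = charset_size(password) ** len(password)
    # On average half the keyspace is searched before the password is hit.
    return combos / 2 / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def rating(password: str) -> str:
    """Coarse label like the one a password manager shows next to a password."""
    years = years_to_crack(password)
    if years < 1 / SECONDS_PER_YEAR:  # found in under a second
        return "instant"
    if years < 1:
        return "less than a year"
    if years < 100:
        return "years"
    return "centuries"


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG until all four character classes are present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if charset_size(candidate) == FULL_CHARSET:
            return candidate
```

Running `rating("password")` gives "instant" while a generated 16-character password rates "centuries", which is the contrast the post describes.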

Figure 3 – Generating a Strong Password


Second, the database is typically shared among your various devices as a file on a cloud file service such as Dropbox. Be sure to use a very strong password for the cloud service that holds the database and enable two-factor authentication (TFA), which requires the entry of a special code emailed or texted to the cloud drive owner whenever a login from an unknown device is attempted. TFA is available for each of the cloud services used by SafeInCloud: Dropbox, Google Drive, OneDrive and Yandex. Unfortunately, TFA must be manually set up for your cloud service; it is not enabled by default. Google or Bing the instructions and be sure you enable it.

Third, check the settings in your password manager software to help keep the passwords private. In Figure 4 you can see that I have my password manager configured to automatically lock if I close the window or have not used it for one minute, to remove the password from the clipboard after one minute, and to permanently erase the database if 50 consecutive incorrect passwords are used to try to open the database. I’d rather erase the passwords than have a hacker open the database with a brute force attack.

Fourth, restrict access to your password database. Never send it via email or put it on a removable storage device. Get in the habit of locking your computer or laptop whenever you walk away from it; Windows users can press the <Windows Key>-L combination to instantly lock the computer.

Figure 4 – Password Manager Security Options

In summary, everyone can and should do more to protect their personal information and privacy on the Internet. Effective security requires multiple layers of protection. Strong password habits are a necessary and important first step toward fully protecting yourself online.

Joe Kunk is an application architect and security aficionado. Prior to joining Dewpoint, Joe was a five-time Microsoft MVP, a columnist for Visual Studio Magazine, Pluralsight course author, president of the Greater Lansing User Group for .NET, a SAP Procurement training and testing lead, application developer, and a network manager of both Banyan and Novell networks. Joe has been developing and managing software projects for over 30 years in the education, government, financial and manufacturing industries. Joe co-authored “Professional DevExpress ASP.NET Controls” and served as technical editor for “LINQ Unleashed” by Paul Kimmel. In his spare time, Joe likes to deliver technical presentations at conferences and user group meetings. Joe can be reached via email at [email protected]

References:

“You Won’t Believe the 20 Most Popular Cloud Service Passwords”, Cameron Coles, https://www.skyhighnetworks.com/cloud-security-blog/you-wont-believe-the-20-most-popular-cloud-service-passwords/

“The Best Password Managers for 2015”, Neil J. Rubenking, November 13, 2015, http://www.pcmag.com/article2/0,2817,2407168,00.asp

“The Best Free Password Managers for 2015”, Neil J. Rubenking, November 16, 2015, http://www.pcmag.com/article2/0,2817,2475964,00.asp