Dailydave mailing list archives
Re: Don't use vowels in passwords!
From: dan () geer org
Date: Thu, 11 Dec 2014 00:48:04 -0500
This Old Thread seems as good a thread as any to hang something else on. First, a reminder: William Arbaugh writes:
According to the Defense Finance and Accounting Service (DFAS), you shouldn't use vowels in your password!
So here's the scoop; a password wallet & changer all-in-one and in the cloud. Your move;

====================================================

A Quick Fix for Poor Passwords
Geoffrey A. Fowler, WSJ, Dec. 9, 2014 3:24 p.m. ET

Changing passwords is like flossing: You know it is important, but you always put it off. Keeping the same password for everything is bad. If one site gets hacked, you're vulnerable everywhere.

A program called Dashlane has figured out how to automatically create strong, unique passwords for a bunch of different websites, all at once. Think of it as digital hygiene.

This new service, available Tuesday in an update to Dashlane's excellent password manager on PCs and Macs, changed 34 of my passwords in less than five minutes. Letting Dashlane tackle this drudgery saved me hours. Though this means committing to Dashlane's password management across all of your devices, I recommend it. Rarely does tech make our lives easier and safer at the same time.

As hacks at Yahoo, eBay, Adobe and many others have shown, anyone who reuses passwords is asking for trouble. But who can remember a different, unguessable password for each site, let alone change them regularly? According to Pew, only 39% of us changed our passwords or canceled accounts after we learned about the Web-wide Heartbleed security hole last spring.

Dashlane is like a butler for your passwords. It can alert you to ones that are at risk, create really good new ones and now also tackle the chore of logging in and filling out all the forms to change them. It can automatically change passwords on more than 50 major sites, and its makers say they plan to keep adding more. Shortly after I published this review online, Dashlane rival LastPass announced its own beta that lets you easily change one password at a time.

Inside the Dashlane program, you just select the accounts you want it to change, press the change button and wait. Some sites require additional information, such as the answer to a security question or a code sent via text message, which Dashlane will prompt you to enter. So far, it doesn't work on programs that only exist as mobile apps. And bank websites aren't yet included in the service.

Behind the scenes, Dashlane has studied the security settings on all of these sites and written programs to simulate manually changing a password via the Web. But it can do it much quicker on Dashlane's servers. Since sites could adjust their pages at any time, Dashlane has to constantly monitor them for changes that might break its system. (It failed once in my tests, when it was unable to change my OpenTable password. But no harm was done.)

To change your passwords, Dashlane also needs to know your old ones -- which means you have to use it as a password manager. Some people don't like the idea of keeping all their passwords in one place. I think a password manager has become a must for modern digital life, as most noggins just can't recall dozens of codes that are good enough to foil hackers. The alternative is writing them all on a piece of paper, and in the smartphone era, carrying that paper around with you. (Probably not a good idea.)

There are several decent password managers, but as I wrote in May, Dashlane is one of the simplest and safest. Dashlane encrypts your trove of info behind a master key that only you know, so there's very little risk that a hacking attack on Dashlane's computers could expose all your passwords. It's free to use on one computer, or $40 a year to keep passwords automatically in sync across all your devices, including phones and tablets.

The password changer is a beta service, so you'll have to sign up on Dashlane's website to get access. The company intends to roll it out free to its customers, and add the function to its phone and tablet apps, too. The software is still experimental, and there were a few bugs in an even earlier version that I tested, but nothing that put my accounts at risk.

Using Dashlane will require a shift for folks used to going it alone with passwords. The password changer will invent new ones that you'll never be able to remember, so you'll have to rely on Dashlane to fill them in on your Web browser. For apps on iPhones and iPads, you'll have to keep the Dashlane app handy to copy and paste passwords -- Apple's software doesn't allow Dashlane to interact directly with other apps. On Android, Dashlane can manage app passwords fine, though.

In short, you have to totally trust Dashlane with the keys to your digital life. Is that a good idea? Dashlane says its security has been audited, and its record is pretty solid. (Its biggest problem was a bug in its iOS 8 app update that left a small number of users temporarily unable to access their data.) But since the new password changer is only now reaching the public, it hasn't been battle tested. It's also possible some websites won't like Dashlane changing passwords on behalf of their customers, and will seek to block it.

What does a hacker think? I discussed the idea of a password changer with Marc Rogers, the head of security for DefCon, the large hacker conference, and a researcher at security firm CloudFlare. He thought it could be a very useful service for consumers -- if designed correctly. But he questioned why the actual password changing needs to happen on Dashlane's servers. Running the software there, as opposed to on the user's computer, could expose our new passwords while they're being changed. The risk, he says: "Someone hacks their server and sits there harvesting passwords."

A Dashlane spokesman says passwords are encrypted going to and from its servers, and that it deletes them immediately. He says its password-changing programs require more processing power than an average PC (or, in the future, phone) might be able to deliver on its own.

Dashlane's best defense against hackers may be that its password changer isn't a lucrative target. Most hackers are looking for vast reservoirs of data, not a trickling faucet. If that still makes you nervous, the LastPass password changing system does all its work locally on the user's Web browser (though it won't work on Internet Explorer). But for now, that means you can only change one password at a time.

It isn't hard to imagine where this kind of tech could take us next. I'd like it to automatically change all passwords on a rotation, like once a month. (Once a day? An hour?) The only password that we should have to memorize is a master one, perhaps made super-duper secure with a scan of your finger or eye.

One of the most important things I did in 2014 was take control of my password safety. Dashlane is a great fix for folks who recognize it's important to improve their passwords, but just don't have the time to do it themselves.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
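The article's two security claims, a vault "behind a master key that only you know" and Rogers' worry about plaintext passing through the vendor's servers, come down to where key derivation and decryption happen. The sketch below is an added illustration of the client-side model, not Dashlane's or LastPass's code: the master password never leaves the client, the server receives only a separately derived authentication value plus opaque ciphertext, and so cannot turn what it stores into the vault key. The HMAC-in-counter-mode encryption and the `"vault-encryption"` / `"server-auth"` labels are illustrative constructions, and the e-mail-as-salt is an assumption.

```python
import hashlib
import hmac
import os
import secrets

# Added example of a client-side vault model (not a vendor's code).
# Everything in derive_keys runs on the user's machine; only keys["auth"]
# and the output of encrypt_vault are ever sent to a server.

def derive_keys(master_password: str, salt: bytes) -> dict:
    # Slow KDF on the client, then independent sub-keys via HMAC so the
    # value handed to the server is not usable as the encryption key.
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 600_000)
    return {
        "enc": hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest(),
        "mac": hmac.new(master_key, b"vault-mac", hashlib.sha256).digest(),
        "auth": hmac.new(master_key, b"server-auth", hashlib.sha256).digest(),
    }

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode (illustrative, not a standard AEAD).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_vault(keys: dict, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag is what the server stores.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_vault(keys: dict, blob: bytes) -> bytes:
    # Verify the tag first; a wrong master password or a modified blob fails here.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tampered with or wrong master password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(keys["enc"], nonce, len(ct))))

def server_login_ok(stored_auth: bytes, presented_auth: bytes) -> bool:
    # All the server can do with keys["auth"]: compare it in constant time.
    return hmac.compare_digest(stored_auth, presented_auth)

def new_site_password(length: int = 20) -> str:
    # A per-site password the user never memorises; it lives only in the vault.
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

With this split, a compromise of the server yields authentication values and ciphertext but no master key, which is the property the review attributes to the vault and the one Rogers notes is lost when plaintext passwords are handled server-side.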