Big Tin

Big tin: IT infrastructure used by organisations to run their businesses. And other stuff too when I feel like it…

Solving the ‘too many passwords’ problem

Recent events at Evernote, which was hacked and whose file containing users’ passwords could have been stolen, reminds us that, despite the insistence of the IT security industry that passwords offer poor security, that’s what we all continue to use. But there is a way to make remembering passwords easier.

As ever, there’s a trade-off between convenience and security and, it would appear that most of us, especially at the small business and consumer level, don’t want the hassle that stronger security involves. Usually, it involves some form of two-part authentication – something know and something you have – and the banks have gone furthest in implementing this. You know the drill: give us a number and then tell us something else you know.

I reckon most people can cope with this – even I, with my appalling memory, can handle it.

And then there are the burgeoning numbers of passwords we need to remember for the rest of our lives which, whether we like it or not, we are increasingly being forced to conduct online. And this is my point.

I’ve been accessing online services since 1992, so I’ve used a lot of passwords. To start with, there weren’t that many, and it was easy to remember them. The numbers of services grew and I started using the same or similar passwords for services that fell into the same category.

That’s not great security – so after hunting for a solution, I discovered a free, lightweight password generator which I used for over 10 years – until about three years ago.

What happened? The generator worked fine and produced unique passwords tied to the name of the service, but it had a number of limitations.

First of these was its inability to tune passwords to the requirements of some sites – the ones that demand a specific password length and/or format – so many digits and capitals, and no repetitions, for example.

The second was more serious: it was Windows-only. That was fine at first as I still run mainly Windows, but as mobile devices have become more capable, I now access multiple services on tablets and smartphones too – they don’t run Windows.

At that point, the answer was clearly a password safe. After some research I lit on KeePass. As the product’s website says: “KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).”

Even better, it’s cross-platform – as well as Windows, there are versions for iOS, Android, MacOS, J2ME, BlackBerry and Windows Phone 7 – and it works. You can drive it using hotkeys so, for example, Ctrl-Alt-K brings up the database containing your passwords, which you can import from pretty much any file format you like. Other hotkeys will auto-type passwords and/or usernames into your web browser, or you can cut and paste them, in which case the software removes them from memory after a short while to enhance security.

There’s a host of other features but it’s a very easy application to set up and to use – you can get into the more advanced stuff when you’re good and ready. For example, Evernote asked all users to reset their passwords as a following the hack. KeePass generated a new password for Evernote to a security standard I’m happy with, and that was it – no dramas.

So if you ever find that you have too many passwords to remember, take a look at KeePass: free, easy to use, and does the job superbly, in my view.

UPDATE 7 June 2017
Since writing this blog post, I’ve continued to use KeePass and have not changed by positive opinion of it. I’d say though that it remains head and shoulders above an oft-touted alternative, LastPass, which is cloud-based. This means that your password and other data are not always under your personal control – and that if the company is hacked, (as almost all large targets at some point are more likely to be), then your database could be vulnerable.

Far better to stay in full control, using your own resources and two-factor authentication (2FA) to sync the password database: the combination of 2FA and encryption is mighty tough (you can never say impossible but it’s as good as in practical terms) to break.

On the other hand, I’ve stopped using Evernote, having found that Microsoft’s OneNote does it better – and remains free to use.

Filed under: Security, ,

Manek’s twitter stream