Good password habits don't have to be a chore

If you've been anywhere near the Internet over the past couple of weeks, you've probably heard about the PlayStation Network hack, including the theft of millions of account details, passwords among them. PSN users like me need to have a think about security right now, but it doesn't have to be all that hard.

Why was the PSN hack such a big deal?

Protecting any large network is very hard. But the nature of the data stolen shows Sony isn't taking some pretty basic precautions. No service should ever store someone's password in a way that it can be read by the provider (or a third party).

For decades now, it has been standard practice to one-way hash passwords when storing them on disk, so the original password is never stored and only you will ever know it. Sony clearly didn't do this.

Sadly, some nations (such as France) require that passwords be recoverable in response to government requests. So I blame France. Bad France, bad!

Why should I care? And what can I do?

I admit it, I've been a fool. For the past 10 years, I've been using the same password for pretty much all my services. If you're like me, you should probably have gone into a frenzy of password changing already.

Granted, with 77m accounts compromised, you could say the odds of you personally being targeted are pretty remote. But there are loads of botnets out there to crank through the data, and as the old adage says, it's better to be safe than sorry. A bit like taking backups. You do take backups, don't you?

But let's face it, coming up with and remembering a bunch of passwords for god knows how many accounts is a bit of a chore. Here are a few handy tools to make it a little easier:

GRC Perfect Passwords

A brilliantly handy, free tool from Steve Gibson (possibly one of the smartest guys in the field of security, and likely others). Every visitor to this page gets three big random strings: one hex, one printable ASCII and one alphanumeric. Copy a chunk from any of these and you've got a pretty decent random password right there. I find that 10 characters is pretty easy to remember with some repetition.
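If you would rather not fetch random strings from a web page, the same three kinds of string (hex, printable ASCII and alphanumeric) can be generated locally. The following is an added example of mine, not Steve Gibson's code or anything from GRC, and it also reports how much entropy a password of a given length carries so you can see what the "10 characters" trade-off costs; the default length of 10 is taken from the paragraph above.

```python
import math
import secrets
import string

# The three alphabets the page describes. Constructed here for the example.
HEX = string.hexdigits[:16]                        # 0-9 a-f
ALNUM = string.ascii_letters + string.digits       # A-Z a-z 0-9
# Printable ASCII without whitespace, since spaces and control characters
# are awkward to type into many password fields.
PRINTABLE = "".join(c for c in string.printable if c not in string.whitespace)


def random_password(length: int, alphabet: str = ALNUM) -> str:
    """Pick each character uniformly with the OS CSPRNG (secrets), never random."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain repeated characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy in bits of a uniformly chosen password of this length and alphabet."""
    return length * math.log2(len(alphabet))


def generate_set(length: int = 10) -> dict:
    """One fresh password from each alphabet, like the trio on the GRC page."""
    return {
        "hex": random_password(length, HEX),
        "printable": random_password(length, PRINTABLE),
        "alnum": random_password(length, ALNUM),
    }


if __name__ == "__main__":
    for kind, pw in generate_set().items():
        alphabet = {"hex": HEX, "printable": PRINTABLE, "alnum": ALNUM}[kind]
        print(f"{kind:>9}: {pw}  ({entropy_bits(len(pw), alphabet):.1f} bits)")
```

Ten alphanumeric characters come to just under 60 bits, which is far beyond any dictionary attack; ten hex characters are only 40 bits, so if you copy from the hex string take a longer chunk.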

But what if you've got a terrible memory? How does Leonard from Memento remember his passwords?

SplashID - A password safe wherever you are

There are loads of applications out there for storing your passwords on your phone, but I've been using SplashID for a while now. They have apps for most mobile platforms and a handy desktop application that will sync them all, so you can get your passwords where and when you need them. Not only that, but it's dirt cheap.

Similarly, there's:

LastPass

I've not tried this one, but it comes highly recommended. LastPass, like SplashID, synchronizes your web passwords and auto-fills them whenever you go back to the sites (through an unobtrusive browser plugin). There are also features for auto-completion of web forms for contact details and the like. Even better, the basic features are free!

Your data is stored remotely on LastPass's servers, but it is first encrypted with your master password so only you can access it. This means that, as with SplashID, you cannot reset your master password if you forget it. Also, if someone manages to guess your LastPass master password, they can get into all your accounts from anywhere in the world (rather than needing access to your local copies, as with SplashID), so make your master password a darn good, randomly generated one.

These tools also provide password generation facilities.

UPDATE: LastPass may have recently been compromised!

There's more out there

This is just an example of some of the tools that can make choosing and remembering passwords a bit easier; there are many more available elsewhere. Hopefully this will make you think a little bit about how you're protecting your online accounts, and pick a solution that's right for you.

Would you like to know more?

If you want to keep up to date on security issues, there are loads of great blogs and podcasts out there:

And in case you're still thinking updating your passwords will be a nightmare, it took me 10 minutes to update all my accounts. I think it was more than worth it.