How are your passwords doing?

Quick survey:

  • Is any of your passwords repeated somewhere else?
  • Do two or more of your passwords share a common root?
  • If I had a few information on you (what's on your Facebook timeline for instance) and maybe knew one of your passwords, could I guess some other ones?

Being the family-geek, I had some fun during Christmas-time talking with relatives about security, online theft, information loss and identity theft. The major output was mostly that very few persons take the security of their online accounts seriously... but they would tend to freak out if you told them that their <insert a mail provider here> account was suddenly removed from under their feet.

If you belong to this category too, you should think about it again. Here's a very interesting, long and really worthwhile article from Troy Hunt on password security.

Go read it, I'll wait!

TL;DR: it basically describes with lots of examples how messed up password security is. How bad our passwords are, how fast it is to crack what you might think is a good password and the biggest problem of all: password reuse. With the increase of accounts we have, we tend reuse passwords (or variations of it) in order to be able to remember them. If an attacker got your email & password for a service, he simply has to try to log in other services and find out where your email is used. If you happened to use the same password or an easy variation of it, you're screwed.

The only way to prevent that is to use strong passwords. In order to do this, you have few options: either you want to remember it and then you need to use a mnemotechnic sentence like in this XKCD comic strip, or you don't want to remember it and you should use an auto-generated random string like 3BumARUPdPxe0xtbVYk. While you can remember the first one, you will need a password manager to save the other. At the end of the article Troy describes a password manager called 1Password. I've been using it for more than a year now it's been a life saver.

You basically create a "safe" where you passwords are saved. That safe is encrypted and you can only access it with a monster-password ; basically the only password you really have to remember from now on. Instead of typing your passwords, you copy/paste them from that safe (or use browser extensions to simplify that).

All my important passwords have been auto-generated by 1password since ; and I'm changing my passwords little by little as I log back into those less important accounts.

But today I discovered a feature of 1password that does exactly what I need to track down those "old" passwords: "view duplicated passwords".

{<1>}

When you click on this menu, a small entry appears on the left pane of the software which lists all the passwords that share a similarity with another one. And it apparently does not only perform an equality check since it also recognized that many of my passwords share a common root. That's so damn useful. Most of those 56 passwords of mine were purposefully done so, but I still found a couple ones I thought I had already changed and were in fact still weaknesses in my "online identity".

All in all, among the 137 logins 1password saved for me, only 56 of those have "weak" passwords sharing a common root and 81 have randomly generated passwords ranging from 10 to 25 characters... that I could never (ever, EVER!) remember otherwise.

What does the safety of your online accounts looks like?
How do you protect yourself?