<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The blog of Nathan Hunstad &#187; Password</title>
	<atom:link href="http://www.nathanhunstad.com/blog/tag/password/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.nathanhunstad.com/blog</link>
	<description>The blog of Nathan Hunstad, covering topics like photography, computers, politics, Minneapolis, and more</description>
	<lastBuildDate>Sun, 05 Feb 2012 18:26:28 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Passwords, Authentication, and Privilege</title>
		<link>http://www.nathanhunstad.com/blog/2012/02/passwords-authentication-and-privilege/</link>
		<comments>http://www.nathanhunstad.com/blog/2012/02/passwords-authentication-and-privilege/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 02:52:06 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Password]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=649</guid>
		<description><![CDATA[Gizmodo has decreed that today, February 1st, is “Change Your Password” day. I wholeheartedly agree, especially if you re-used passwords (which you shouldn’t!). In fact, I’d go further: change your password, and start using a password manager. Did I change my passwords today? I did not, because I use said password manager. I don’t reuse [...]]]></description>
			<content:encoded><![CDATA[<p>Gizmodo has decreed that today, February 1st, is “<a href="http://gizmodo.com/5879669/february-1-is-change-your-password-day-ive-decided" target="_blank">Change Your Password</a>” day. I wholeheartedly agree, especially if you re-used passwords (which you shouldn’t!). In fact, I’d go further: change your password, and start using a <a href="http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/" target="_blank">password manager</a>. Did I change my passwords today? I did not, because I use said password manager. I don’t reuse passwords, and my passwords are all random. So even if <a href="http://www.nathanhunstad.com/blog/2012/01/zappos-data-breach/" target="_blank">one is revealed</a>, it’s not going to make a difference outside of that one website.</p>
<p>But I’ve been thinking beyond passwords lately to the broader subject of authentication, which I think is where the real issues are. Take online finance. I use Quicken, <a href="http://www.nathanhunstad.com/blog/2011/08/closed-source-software-i-use/" target="_blank">which I hate</a>. However, I have more than 15 years of data in Quicken that won’t easily move elsewhere, so I have few choices as to where I can go. One popular alternative finance site is <a href="https://www.mint.com/" target="_blank">Mint.com</a>, which has a pretty strong following online. It allows you to pull in data from all of your banks so you can have a centralized view of your finances, much like Quicken. Unlike Quicken, it’s web-based, and it can send you alerts based on balances, fraudulent activity, and so forth.</p>
<p>To get this information, Mint obviously needs to be able to access your banking information. They do this by storing your bank login credentials, although they say that they only have read-only access to your banking data, so even if your Mint account was compromised, criminals couldn’t move your money anywhere. Of greater concern is that they (or, more accurately, <a href="http://themedium.blogs.nytimes.com/2009/05/27/addressing-security-concerns-on-mintcom/" target="_blank">a third party</a>) have that data. Mint claims that it is super-secure, encrypted, all that jazz, and I have no reason to doubt them. All the same, though, it makes me uncomfortable, which is one of the reasons I won’t use it and instead rely on credentials stored securely only on my computer rather than in the cloud.</p>
<p>The problem is with authentication, and frankly, it’s with the banks themselves. Mint shouldn’t need to have access to my all-powerful banking logins. I should be able to create additional logins with my banks with differing privilege levels that are completely unrelated to my “superuser” account. That way, I could expressly create a read-only login and use that with Mint, Quicken, and wherever else necessary. I shouldn’t have to rely on the proper storage of my credentials at Mint or anywhere else to protect me; I should be able to limit rights directly. Sadly, as far as I know, few if any banks allow this, even though technologies <a href="http://oauth.net/" target="_blank">are available</a> to support it.</p>
<p>So yes, change your passwords. Stop reusing them. But unique, strong passwords are not enough. We need more granular control over the access we have online, so we can put up stronger firewalls around our data while still allowing it to be used.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Healthy </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=Ship+of+Fools">"Ship of Fools", The Doors</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2012/02/passwords-authentication-and-privilege/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zappos Data Breach</title>
		<link>http://www.nathanhunstad.com/blog/2012/01/zappos-data-breach/</link>
		<comments>http://www.nathanhunstad.com/blog/2012/01/zappos-data-breach/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 01:41:15 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Zappos]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=629</guid>
		<description><![CDATA[Zappos.com recently had a data breach. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? It’s somewhat special to me, since it is, to my knowledge, the first time that I have been part [...]]]></description>
			<content:encoded><![CDATA[<p>Zappos.com recently had a <a href="http://www.securitynewsdaily.com/zappos-data-breach-1498/" target="_blank">data breach</a>. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? It’s somewhat special to me, since it is, to my knowledge, the first time that I have been part of a data breach: I have a Zappos.com account, and I received the email about the breach. Notice I said “to my knowledge”; plenty of data leaks don’t get reported. I haven’t been a part of a major one, though, at least according to <a href="https://pwnedlist.com/" target="_blank">pwnedlist.com</a>, where you can check to see if your email address or username has been leaked.</p>
<p>There are a few things still not known about the Zappos breach, such as how they were compromised and, more importantly, whether the password hashes (it’s presumed that “scrambled” means hashed) were <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" target="_blank">salted</a>. Important questions, true, but I am not worried in the least. Why? Because I use a password manager, and so I don’t care about the password being compromised. In fact, here’s my old Zappos password: “TaH8pcEloWsb8R1nrol2”. It’s useless now, because it’s been changed, and more importantly, it’s unique and random.</p>
<p>Hackers can do a lot of things with this data. They can take the email address and do phishing attacks against you, such as sending out an official-looking email purporting to be from Zappos asking you for your password, credit card number, and so forth. What they really hope for, though, is to get the plaintext password and see if it works on other sites. Even if passwords are hashed, they can sometimes be recovered, especially if they aren’t complex enough. And once they have that password, they’ll try to log onto banking sites, credit card sites, and anything else they can think of. Because so many people reuse their passwords, it sometimes works, and now the Zappos breach has drained your bank account.</p>
<p>A password manager (I use <a href="http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/" target="_blank">KeePass</a>) stops this in two ways. First, it can generate very complex, random passwords. It is orders of magnitude harder to figure out a complex password from a hashed value than something like “password”. More importantly, though, even if they do somehow get the password, perhaps because the website has broken every security rule by storing the password in plain text, it’s unique. They may be able to log onto that website, but that’s it. The password is not shared with a banking website, or any other website.</p>
<p>Using a password manager is a bit of a chore. It’s somewhat cumbersome and inconvenient. However, the extra 30 seconds it takes to use a password manager is well worth the peace of mind I get from knowing that even if the password to a website I use once a year is compromised, the damage is limited only to that site.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Meh </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=Under+My+Thumb">"Under My Thumb", The Rolling Stones</a> </li><li class='my_li'><span class='post-xtra-key'>Just Watched:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dmovies-tv&field-keywords=True+Grit">True Grit</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2012/01/zappos-data-breach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Useful Computer Utilities: KeePass</title>
		<link>http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/</link>
		<comments>http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/#comments</comments>
		<pubDate>Wed, 09 Feb 2011 03:50:00 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Utility]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/</guid>
		<description><![CDATA[Some time ago I blogged about the password manager I had been using for many years: Password Safe. It’s a great program, one that I recommend wholeheartedly. However, I’ve since switched to a new manager: KeePass. Like Password Safe, it is a pretty functional password manager that allows you to automatically generate and save passwords. [...]]]></description>
			<content:encoded><![CDATA[<p>Some time ago I <a href="http://www.nathanhunstad.com/blog/2009/05/useful-computer-utilities-password-safe/" target="_blank">blogged</a> about the password manager I had been using for many years: <a href="http://passwordsafe.sourceforge.net/" target="_blank">Password Safe</a>. It’s a great program, one that I recommend wholeheartedly. However, I’ve since switched to a new manager: <a href="http://keepass.info/" target="_blank">KeePass</a>. Like Password Safe, it is a pretty functional password manager that allows you to automatically generate and save passwords. Also like Password Safe, KeePass is open-source.</p>
<p>Why did I switch? Well, essentially because I like the interface and functions better in KeePass. The UI looks a bit better, and there is a graphical representation of how strong a password is. Other than that, though, it’s almost identical to Password Safe. Password Safe is even a bit easier to use for the novice, as it doesn’t have quite as many options to fiddle with as KeePass. One issue with KeePass 2.x is that it requires the .NET Framework, which isn’t always available, especially if you plan on using it on a computer that you don’t have control over.</p>
<p>I’d unhesitatingly recommend either of the two for your password manager needs. Play with both of them and decide which one you like better. But pick and use some kind of manager. Using strong, random passwords is an important part of security, and password managers help make doing so simpler.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Cyber-educated </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>National Internet ID: A Bad Idea</title>
		<link>http://www.nathanhunstad.com/blog/2011/01/national-internet-id-a-bad-idea/</link>
		<comments>http://www.nathanhunstad.com/blog/2011/01/national-internet-id-a-bad-idea/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 00:29:06 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[E-commerce]]></category>
		<category><![CDATA[National ID]]></category>
		<category><![CDATA[Password]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=428</guid>
		<description><![CDATA[The Obama administration is talking about creating a unique “Internet ID” for web users in the U.S. Commerce Secretary Gary Locke is quick to say it isn’t a national ID card, or even a government-controlled system, but private creation of “trusted digital identities”. Although there are plenty of times where the need for a trusted [...]]]></description>
			<content:encoded><![CDATA[<p>The Obama administration is <a href="http://www.cbsnews.com/8301-501465_162-20027837-501465.html" target="_blank">talking about</a> creating a unique “Internet ID” for web users in the U.S. Commerce Secretary Gary Locke is quick to say it isn’t a national ID card, or even a government-controlled system, but private creation of “trusted digital identities”. Although there are plenty of times where the need for a trusted digital identity is real, I really don’t think e-commerce is one of those times. The benefits of such a system for e-commerce are far outweighed by the costs.</p>
<p>One alleged benefit of such a system would be to “eliminate the need to memorize a dozen passwords”. To me, that’s like saying that carrying around a dozen keys is a problem, and instead I should just have one key for my car, home, office, safe, and everything else. A single point of failure, such as using one key for everything or one ID for everything, is very poor security. Especially when there are no details as to who would control such an ID, where it would be required (don’t think that “opt-in” means that the largest e-commerce sites like Amazon wouldn’t soon require them), and most importantly, how it can be revoked in case it is compromised.</p>
<p>Supposedly, e-commerce is hampered by people feeling insecure on the internet. I’m not sure I follow this. By creating separate, complex passwords for every site I visit (and then keeping track of those passwords in a password manager), I feel much more secure than if I had just one “Internet ID” I had to protect. If somebody gets my Amazon password, for example, they won’t have my banking password because they are different. I also feel fairly confident about my online activities because I check my credit card activity on a daily basis; personal finance software like Quicken makes this easy, as does a website like <a href="http://www.mint.com/" target="_blank">Mint</a>. In all the years I’ve been buying things online, I’ve had problems on maybe two occasions, and the day I found the fraudulent activity I called the card issuer and took care of it immediately, before it spiraled out of control.</p>
<p>You may argue that using a password manager and checking your credit card activity every day is an inconvenience. And yes, it is. So is locking your door and having separate keys for everything. Once you get used to taking these steps to protect yourself, though, they become pretty inconsequential. What would really be inconvenient is having a single ID for everything you do online, and waking up to find that somebody has stolen it and now has access to everything. That’s not my idea of improving e-commerce.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Monday </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=The+Crunge">"The Crunge", Led Zeppelin</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2011/01/national-internet-id-a-bad-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Choosing a good password</title>
		<link>http://www.nathanhunstad.com/blog/2009/06/choosing-a-good-password/</link>
		<comments>http://www.nathanhunstad.com/blog/2009/06/choosing-a-good-password/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 22:16:00 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Tech]]></category>
		<category><![CDATA[Password]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=78</guid>
		<description><![CDATA[Few things are as important in personal computer security as choosing a good password. A weak password can have ramifications from the merely annoying (it seems that every week one of my Facebook friends gets their account hacked) to very bad (such as when your bank accounts get hacked). Using the same password for all [...]]]></description>
			<content:encoded><![CDATA[<p>Few things are as important in personal computer security as choosing a good password. A weak password can have ramifications from the merely annoying (it seems that every week one of my Facebook friends gets their account hacked) to very bad (such as when your bank accounts get hacked). Using the same password for all of your website logins is a very bad idea; I’ve <a href="http://www.nathanhunstad.com/blog/2009/05/useful-computer-utilities-password-safe/" target="_blank">blogged about</a> a good solution before in the form of the software Password Safe, which can generate random unique passwords for all of your logins. But you still need to choose a good strong password to use as the master password to Password Safe!</p>
<p>Short passwords and passwords containing dictionary words are two things to avoid when selecting passwords. Mixing in numbers and uppercase is always a good idea to make a stronger password, but you can go further. To really randomize things, and ensure that the password you choose doesn’t have any easily-guessable words, a very good trick is to take a line from your favorite song and string together the first letter of each word to form your password. It’s much easier to remember than a random jumble of letters, and odds are that it will form a nonsense word that won’t be in any dictionary.</p>
<p>If you still can’t remember a strong-enough password without help, write the password down on a piece of paper and put it in your wallet. You are probably doing a pretty good job of keeping track of your wallet and making sure it doesn’t get stolen, so why not put your password in there? The risks are very low, especially if you use something like Password Safe: if they steal your wallet and get that master password, it’s completely useless to them unless they steal your password file from your computer as well.</p>
<p>These tricks will help you avoid getting your online accounts broken into, and who doesn’t want that?</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Meh </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2009/06/choosing-a-good-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

