On password breaches and security processes

Today it was reported LinkedIn had a password breach. This is the most frustrating sort of security problem, because even if you’re using all the security available on the longest, most complex password you can generate, that doesn’t help if someone else gets hold of it. As more and more services are offered online, and then connected to other logins you already have, it’s not just a minor password change when something happens to, for example, your Facebook password. Now you have to worry that whoever got access to Facebook now has access to all those other things. Do you even remember what ALL those other things are?

As part of the “security is a process, not a product” philosophy we use here at AgileBits, there are a variety of things to consider when you want to secure your online activity. One such thing is what I mentioned above: those other apps and services you authorized to use your login on Facebook or Twitter, or in today’s current example, LinkedIn. It’s a good idea to review those permissions periodically, and one handy way to do that is with a site called MyPermissions.

You can think of MyPermissions as a dashboard for reviewing and controlling your preferences across many of these sites at once. It’s like cleaning out your closet and getting rid of all those things you have no more use for. Hopefully you won’t have too many “I authorized THAT!?” moments, but if you do, revoking access is usually pretty easy.

On the upside, one of the nice things about 1Password is the extra layer of security it provides with the Strong Password Generator. As long as we see that “Password1” is still one of the most popular passwords in use, you, dear 1Password and Strong Password Generator user, are already way ahead of most people when it comes to securing your data.

If you still have friends, family, or coworkers who just don’t get why strong passwords are more important than ever, here’s an analogy that might help: Using a really common, easy password (password, Password1, 123456, etc.) is the equivalent of leaving the windows down and the keys in the car. Using 1Password is locking the car, rolling up the windows, and having an excellent alarm system. Why would a thief bother with your car when there’s one right next to it just begging to be stolen? Particularly when we are talking about logins that store credit card data (Amazon 1-click, anyone?), a nefarious person will be happier with the hundreds of numbers they can snag in less time than it would take to crack your password.

I know it’s frustrating to have to keep track of all of this, but it’s really no different than real life. I always think of the Public Service Announcement on television where a guy walks up to people in a coffee shop and starts trying to convince them to let him use their bank account for a wire transfer. Everyone turns him down and the ad says “If you wouldn’t fall for it in real life, why fall for it online?” It seems like more work because most of us haven’t been doing this our whole lives, so it’s not second nature like “don’t wave around the money you just got from the ATM” and other life tips we now consider common sense.

Having said all that, here is some useful information, and some steps, to find your weakest links and strengthen them.

You can start by opening 1Password for Mac and selecting View > Layout > Traditional. Once there, go to View > Columns > Password Strength, and make sure it’s enabled. Now you can see, and sort by, the security of all your passwords. If you want to collect the weakest passwords, create a Smart Folder to show those. Go to File > New Smart Folder, and a search dialog will pop up at the top of your window. Make sure you set the search criteria in the bar at the top to search “Everywhere” and “Everything,” and below that select the following:

  • All of the following are true:
  • Password Strength
  • is less than or equal to
  • Select a number here. It doesn’t matter what number you use. Start with 40 and if that looks overwhelming, switch to 20. Once 20 is done, then go back to 40. This is your first pass at updating passwords.
  • Click Save, and retitle your New Saved Search something else (Mine is just called Weakest).
  • When you have time to devote to updating these weaker passwords, you can use the Password Generator within 1Password to update them. As you increase the strength, they will no longer show in your Smart Folder.
  • Now you’ve updated all of the ones that were the weakest. Hooray! Now right-click (or ctrl-click) on your empty Smart Folder and choose Edit Smart Folder… and bump up that number. Now if you have a few more showing, get those updated too.
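As an added example that is not part of the original post or of 1Password itself, the script below does the same audit outside the app over a constructed list of logins: it scores each password on a 0-100 scale (a plain entropy estimate, with the common passwords named above scored 0; this is an assumption, not 1Password's own strength algorithm), lists what the Smart Folder would show at the 40 and 20 thresholds, and also flags passwords reused across logins, which is the risk the post opens with.

```python
import math
import string
from collections import defaultdict

# Constructed sample entries standing in for a vault's logins (not real data).
SAMPLE_LOGINS = [
    {"title": "LinkedIn", "username": "kelly", "password": "Password1"},
    {"title": "Facebook", "username": "kelly", "password": "Password1"},
    {"title": "Amazon", "username": "kelly@example.com", "password": "summer12"},
    {"title": "Bank", "username": "kelly", "password": "Br3ad&Butt3r"},
    {"title": "Work VPN", "username": "kmorgan", "password": "xK9#vQ2$mL7@nR4!pW8z"},
]

# Passwords the post names as "really common"; anything on this list scores 0.
COMMON_PASSWORDS = {"password", "password1", "123456"}


def strength_score(password: str) -> int:
    """Rough 0-100 score from estimated entropy. Assumption: this is a generic
    estimate (~128 bits = 100), not the scale 1Password displays."""
    if password.lower() in COMMON_PASSWORDS:
        return 0
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    if pool == 0:
        return 0
    bits = len(password) * math.log2(pool)
    return min(100, round(bits / 128 * 100))


def weakest(logins, threshold):
    """The Smart Folder query: Password Strength is less than or equal to threshold."""
    return [e["title"] for e in logins if strength_score(e["password"]) <= threshold]


def reused(logins):
    """Passwords shared by more than one login: one breach unlocks all of them."""
    by_password = defaultdict(list)
    for e in logins:
        by_password[e["password"]].append(e["title"])
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


if __name__ == "__main__":
    for threshold in (40, 20):  # first pass at 40, narrower pass at 20
        print(f"strength <= {threshold}: {weakest(SAMPLE_LOGINS, threshold)}")
    for pw, titles in reused(SAMPLE_LOGINS).items():
        print(f"reused across {titles}: change all of them")
```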

Of course, I don’t expect you to drop everything and blow your weekend on the exhilarating task of updating your passwords. But when you have a little time to spare, knock off a few here and there. The next thing you know, your weak passwords are history.

Other posts in this series

  1. More than just one password: Lessons from an epic hack (August 19, 2012)
  2. Password reuse strikes again, and a bit closer to home at Dropbox (July 31, 2012)
  3. Friends don't let friends reuse passwords (July 12, 2012)
  4. On password breaches and security processes (June 6, 2012)
  5. Two thirds of web users re-use the same passwords (June 7, 2011)
  6. Tips: How to Find Duplicate Passwords (April 29, 2011)
  7. When websites are breached, 1Password saves the day! (April 14, 2011)
  8. Security firm falls victim to password reuse (February 17, 2011)
  9. xkcd Hits Nail on Head (September 14, 2010)

Trackbacks & Pingbacks

  1. [...] the food, but the cryptology. Before you dive into this article, you should certainly review the practical advice that Kelly has posted first. Also Kelly’s article has more information about the specific [...]