
Tips: How to Find Duplicate Passwords

We have talked a lot about the problem of password reuse, but we haven’t mentioned how to find reused passwords in 1Password for Mac.

The best way to do this is to first know the password you’re looking for, enter it into the search field of 1Password and press the enter key. You’ll get a bar that drops down to let you set the parameters for the search. For the duplicate passwords, set it to search everywhere and in the password fields only.

1Password Mac - find duplicate passwords

Tip: If there are more than one or two Logins that you’d need to change, save this list as a smart folder. On the far right of the search bar, press the Save button to save it. This will let you come back to this list anytime, and it’ll be updated after you update each Login with a stronger and distinct password.

After locating the other Logins with the duplicated password, you can tap on the arrow next to the URL in the Login item to visit the site in your default browser and change the password on the site. 1Password will then prompt you to update the Login. Now, you have one less duplicate password to worry about.

I’ll talk about how to use the search field to locate all of your logins with weak passwords in my next blog post.
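The same two searches, done over an exported list of Logins instead of in the 1Password window. This is an added example, not code from the original post or from 1Password: the CSV records are constructed, and the column names (title, url, username, password) are assumed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (made-up records, not a real 1Password export).
# Assumed columns: title,url,username,password
SAMPLE_EXPORT = """title,url,username,password
WordPress,https://wordpress.com,alice,correct horse battery
Forum,https://forum.example,alice,correct horse battery
Bank,https://bank.example,alice,vW8$q2Lm!tR4
Mail,https://mail.example,alice,correct horse battery
"""


def _records(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def logins_using(csv_text, password):
    """The search described in the post: every Login whose password field
    equals a password you already know. Titles are returned in export order."""
    return [r["title"] for r in _records(csv_text) if r["password"] == password]


def duplicate_groups(csv_text):
    """The case the post does not cover: find every password used by more than
    one Login without knowing it first. Returns {short hash: sorted titles}.
    Keying on a short hash means callers never handle the plaintext, but the
    output is still sensitive (a short unsalted hash of a weak password is
    no real protection), so treat it like the smart folder itself."""
    by_password = defaultdict(list)
    for r in _records(csv_text):
        by_password[r["password"]].append(r["title"])
    return {hashlib.sha256(pw.encode()).hexdigest()[:8]: sorted(titles)
            for pw, titles in by_password.items() if len(titles) > 1}


def report(csv_text):
    """One to-do line per reused password, listing the Logins to change."""
    return [f"password {fp}: change {', '.join(titles)}"
            for fp, titles in duplicate_groups(csv_text).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```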

When websites are breached, 1Password saves the day!

If you are anything at all like me you have accounts on scores – or hundreds – of different websites. The sad fact of the matter is that the chances are high that several of those sites will suffer a serious security breach over the course of a year.

WordPress.com, which hosts a large number of blogs, recently reported that they had been breached. I’d really like to compliment the people at WordPress for their clear disclosure of the breach and for recommending that users make use of a good password management system. They include 1Password at the top of their list.

We may never know the numbers, but it is a fair guess that many breaches go undiscovered and that many of those that are discovered are not publicly disclosed. So what we see reported may just be the tip of a very large iceberg of web server break-ins.

It isn’t clear whether attackers were able to capture user passwords (encrypted or otherwise) in the WordPress breach, but we should assume that at least the encrypted passwords stored on the server are in the hands of the bad guys. If you post or comment to a wordpress.com hosted blog, it’s time to change that password.

Breaches like this are very bad news for people who use the same password in multiple places. If your password gets discovered at site A, but you use the same password for sites B, C, D, X, Y, and Z, then all of those logins are vulnerable. That is the problem of “password reuse.” But if you have been using 1Password with its Strong Password Generator, you are not only getting strong passwords for each site but, more importantly, unique passwords for each site.

I know that many of our regular readers may be getting tired of me rattling on about password reuse. I promise that my next blog post will be about something else. But for those who haven’t seen it yet, please take a look at our tips for finding and cleaning up duplicate Logins.

While we do use WordPress (and we love it), our blog isn’t hosted on wordpress.com, so logins here aren’t affected by the breach.

Security firm falls victim to password reuse

There is a great deal of discussion at the moment in the security community about the conflict between a group calling itself Anonymous and the security firm HBGary Federal. I just want to highlight one technical aspect of this: the role that password reuse played in the takeover of HBGary Federal and rootkit.org. Password reuse is the common practice of an individual using the same password for more than one account.

A member of Anonymous has been very forthcoming to the technical press about how they broke into HBGary Federal’s servers. In particular, there is a fascinating article by Peter Bright at Ars Technica providing many of the technical details.

The first step was to go after a lower security system on the victim’s network. From that they captured the encrypted passwords of many users of that system. The way those passwords were encrypted allowed weaker passwords among them to be discovered. In this case, two employees had passwords that were merely six letters and two digits long. With those passwords for that system the attackers could have done some damage to that lower security system, but instead they checked to see if those passwords got them into something more useful. As the article says,

Still, badly chosen passwords aren’t such a big deal, are they? They might have allowed someone to deface the hbgaryfederal.com website — admittedly embarrassing – but since everybody knows that you shouldn’t reuse passwords across different systems, that should have been the extent of the damage, surely?

Unfortunately for HBGary Federal, it was not. Neither Aaron nor Ted followed best practices. Instead, they used the same password in a whole bunch of different places […]

The article goes on to show how they were able to leverage those passwords (one of which allowed shell access to an important server, and the other of which allowed the attackers to get into everyone’s email accounts and masquerade as various people).

We can’t say that HBGary Federal would have been safe if only they had used strong, unique passwords for every separate account. They faced highly motivated and skilled attackers who may have found another way in if exploiting password reuse weren’t an option. But this high-profile case does show us once again that password reuse does get exploited in the real world.

The case also shows that if you are still reusing passwords, you are in good company. Even security experts sometimes slip up in this regard. Cleaning these things up can be a chore, but to make it easier you can look at these tips about identifying duplicate passwords in your 1Password data. If you have a lot of passwords to update, don’t feel obliged to do it all in one sitting. Just make a dent in it every now and then.

xkcd Hits Nail on Head

Via our awesome Twitter friends, we bring you a very apropos comic from xkcd.com:

xkcd - Password Reuse (xkcd.com)

Homer says it best:

Don’t be the victim of unsavory online practices. Use a different, secure password on every site, and protect yourself from a world of potential trouble. Of course, the easiest way to do that is, you guessed it, 1Password!

With the “Strong Password Generator,” strong passwords are a couple of clicks away. Click the “1P” plugin icon—or just right click on the page where you need a password—and select “Strong Password Generator.” Set a few sliders and click the “Fill” button, and you’ve got an unguessable password and a new 1Password entry to store it for future use. Now there’s no excuse for password reuse! (excuse the rhyme)

Stay safe out there!