Ramblings of this guy you know!

Tech Stuff and random observations on life as I see it….

Tag Archives: password

The trouble with passwords…

… is that there is never a happy medium. Either you have to enter (at least) a 32-character password containing multiple capital letters, numbers and symbols that you have no chance of remembering, or, if you do pick one that is memorable, chances are it’ll be hacked in five minutes. On top of that, many companies insist that passwords are changed on a regular basis, which is just asking for an incremented number to be tacked onto each change of your ‘ilovecats1’ password, or for it to be written on a sticky-note stuck to the monitor.

It is estimated that one in four users in the UK use weak passwords and that the same weak password is used for every service they sign up for… Well, let’s face it, it is either that or you will be hitting the “forgotten password” link the next time you access it. Hotmail this week rolled out a feature to stop users from choosing very common passwords when signing up for an account or changing their password, and quite right too… Gone will be the classic ‘password’ or ‘123456’.

So, what’s the answer to letting people create secure passwords that are still memorable? Here are two possible suggestions that I use myself.

The first is called haystacking and involves taking a default, reusable stock phrase and then obfuscating it with something unique but memorable for each site or service. The key to the masking needs to be something that you will also remember, for example:

Hotmail is 7 characters long so you type 1234567ilovecats7654321

No, it’s not what I do, I’m not going to tell you that… Nor do I recommend just using numbers; it’s still too simple. Even so, the extra length does extend the time it would take to brute-force it.
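As an added example (not code from the original post), the following Python puts the two ideas above side by side: a sign-up-time check that rejects very common passwords and the “just add a number” pattern, in the spirit of the Hotmail feature, and the haystacking construction exactly as written above (digits 1..n on the left, the same digits reversed on the right), with a rough search-space estimate showing why the padding extends the brute-force time. The denylist contents, the guesses-per-second rate and all function names are constructed assumptions, not figures from the page.

```python
import string

# Constructed denylist standing in for the "very common passwords" Hotmail
# started rejecting; the real list is not on the page.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "ilovecats"}


def normalise(password: str) -> str:
    """Lower-case and strip a trailing run of digits so that 'ilovecats1',
    'ilovecats2', ... all collapse to the same base word."""
    base = password.lower().rstrip(string.digits)
    # An all-digit password such as '123456' would strip to nothing; keep it.
    return base or password.lower()


def is_common(password: str, denylist=COMMON_PASSWORDS) -> bool:
    """Reject a password whose base word is on the denylist."""
    return normalise(password) in denylist


def is_increment_of(new: str, old: str) -> bool:
    """True when the only change between two passwords is the trailing number,
    i.e. the forced-rotation habit the post complains about."""
    return new != old and normalise(new) == normalise(old)


def haystack(phrase: str, site: str) -> str:
    """The post's example: a pad of digits 1..len(site) on the left and the
    same digits reversed on the right, around the reusable stock phrase.
    Digits wrap modulo 10 for site names longer than nine characters."""
    pad = "".join(str(i % 10) for i in range(1, len(site) + 1))
    return pad + phrase + pad[::-1]


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search would have to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def search_space(password: str) -> int:
    """Number of candidates in a full enumeration of that alphabet and length."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to enumerate the whole search space; the rate is a
    constructed assumption, not a measurement."""
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    plain = "ilovecats"
    padded = haystack(plain, "Hotmail")
    print(padded)                                   # 1234567ilovecats7654321
    print(is_common("ilovecats1"), is_common(padded))
    print(is_increment_of("ilovecats2", "ilovecats1"))
    for pw in (plain, padded):
        print(f"{pw}: {charset_size(pw)}^{len(pw)} candidates,"
              f" ~{brute_force_seconds(pw):.3g} s at 1e9 guesses/s")
```

The numbers only compare worst-case enumeration; a password whose base word is on a common list falls in seconds regardless of its length, which is why the denylist check runs before any length or character-class test.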

The second suggestion is to use a password vault. You can either use a locally installed piece of software like 1Password or an Internet service such as LastPass. With either of these, you only need to remember one master password, which autofills your login details on sites once the master password has been entered. The advantages of each are obvious: with 1Password you keep everything local, so unless your machine is compromised your other passwords are safe; with LastPass you can access your vault wherever you have access to a wireless network. Of course, with both there is the risk that if a weak master password is used, all your login details are compromised, whether the vault is local or Internet based.

WordPress.org forces users to change passwords

On Tuesday (June 21, 2011) WordPress.org announced it was forcing users to reset their passwords after several popular plugins were compromised by hackers. AddThis, WPtouch and W3 Total Cache were identified as the plugins affected. The compromised versions were rolled back and updates pushed out very quickly.


Dropbox password glitch leaves user accounts open

On Monday 20th June a programmer’s error in a code update at Dropbox caused a temporary security breach that allowed any password to be used to access any user account. Between 21:54 on Sunday and 01:46 on Monday, a bug affected the authentication mechanism and allowed open access to users’ Dropbox data.
