
Pass The (Password) Salt, Please

The Working Assets data breach reminded me of one frustration computer users experience: how to securely manage the sign-in information (e.g., ID and password pairs) for all of the Web sites and databases we access. The company's breach notification said this about the stolen sign-in information:

There is potential for misuse of this information however, should you use the same email address and password on other personal accounts, whether Working Assets products, banking, PayPal, Amazon, etc. Convio would like to advise you of important steps that you can and should take to prevent misuse of your personal information:

- If this email address and password are used together on any other accounts, it is recommended that you change your password on those accounts and sites immediately. We recognize that this is an enormous inconvenience, but this step will minimize your security risk.

Managing sign-in information for several web sites is a chore. Experts advise us not to use the same sign-in information at multiple web sites. The obvious reason: an identity thief who obtains your sign-in information for one site can use it to get into every other site where you reuse it... and quickly drain your financial accounts. So, varying your sign-in information for each site makes sense.

Experts also advise us not to write down our sign-in information on paper. The obvious reason: once a thief gets your printed information, they have access to all of your accounts. Plus, the thief can copy your printed list and you may never know it was stolen.

So, what's a computer user to do? Writing it down is risky and memorizing it is impossible.

If I had the answer to this dilemma I'd patent it, sell the answer, get wealthy, and retire to my own private island in the Caribbean. But, there doesn't seem to be a silver bullet for this dilemma. Some people suggest password salting, but that solution is not 100% secure either. To learn more, try DailyKos or Digg.

Some suggest password manager software. To me that seems even less secure and foolhardy. If somebody steals your computer (and laptops are very vulnerable), they have all of your passwords. Plus, you won't even know the passwords to your accounts since the password manager stored that information. That's like storing telephone numbers in your cellphone. After a while, you don't remember the phone numbers of the people you call frequently. For these reasons, I do not use the password manager features in my web browsers.

Others suggest a combination of password salting and password manager software. To me, that still doesn't solve the problem if your laptop gets stolen. The dilemma is worse if you consider password rotation... how often Web sites require you to change your sign-in information. Since different Web sites require users to change their passwords at different intervals (e.g., some every 30 days, others every 90 days, and others never), whatever solution you choose must be flexible enough to accommodate password rotation.
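One rigorous form of the per-site variation the post calls password salting is to keep a single memorised master secret and derive each site's password from it with a keyed hash, using the site name, the username and a rotation counter as the "salt". The example below is added here to show how that works and how it handles the rotation problem; it is not code from the post, from Working Assets or from Convio. The master phrase, e-mail address, account list and the `APP_TAG` constant are constructed for the example, and the 16-character length and 70-character alphabet are choices, not anything the post specifies.

```python
import hashlib
import hmac
import string

# Characters a derived password may contain: 62 letters and digits plus
# eight symbols that most sites accept (70 in total).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# Constructed label for the key-stretching step.  Any fixed value works, but it
# must never change, because every derived password depends on it.
APP_TAG = b"per-site-password-example-v1"


def stretch_master(master_secret: str, email: str) -> bytes:
    """Turn the memorised master secret into a 32-byte key.

    PBKDF2 with 200k iterations makes each guess of the master secret cost an
    attacker real CPU time.  The account e-mail is mixed into the salt so two
    people who chose the same phrase still end up with different keys.
    """
    salt = APP_TAG + email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"), salt, 200_000)


def derive_site_password(key: bytes, site: str, username: str,
                         rotation: int = 0, length: int = 16) -> str:
    """Derive one site's password from the stretched key.

    The "salt" is the site, the username on that site and a rotation counter.
    Every output character depends on all three, so a password stolen from one
    site says nothing about the others, and bumping the counter gives a fresh
    password when a site forces a change.  Site and username are normalised so
    "Amazon.com " and "amazon.com" agree.
    """
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    label = f"{site.strip().lower()}|{username.strip().lower()}|{rotation}".encode("utf-8")
    # Rejection sampling: only bytes below 210 (= 256 - 256 % 70) are used, so
    # every alphabet character is equally likely.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    block = 0
    while len(out) < length:
        # Extendable stream: HMAC(key, label || block_index), one block at a time.
        stream = hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in stream:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


def password_set(master_secret: str, email: str, sites, rotation_by_site=None):
    """Derive the passwords for a list of (site, username) pairs.

    rotation_by_site maps a site to its current counter; the map is not secret
    and can be written down, unlike a list of passwords.
    """
    rotation_by_site = rotation_by_site or {}
    key = stretch_master(master_secret, email)
    return {site: derive_site_password(key, site, user, rotation_by_site.get(site, 0))
            for site, user in sites}


if __name__ == "__main__":
    # Constructed sample accounts, echoing the sites named in the notification.
    accounts = [("workingassets.com", "george"), ("paypal.com", "george"),
                ("amazon.com", "george")]
    master, email = "correct horse battery staple", "george@example.com"
    pw = password_set(master, email, accounts)
    for site, p in pw.items():
        print(f"{site:20} {p}")
    # After a forced change at PayPal, bump only that site's counter.
    pw2 = password_set(master, email, accounts, {"paypal.com": 1})
    print("paypal rotated:  ", pw2["paypal.com"] != pw["paypal.com"])
    print("amazon unchanged:", pw2["amazon.com"] == pw["amazon.com"])
```

The trade-offs a practitioner should weigh: nothing secret is stored, so a stolen laptop yields only the non-secret counter list; a site that stored its passwords in the clear leaks that site's derived password but, because HMAC is one-way, not the master; and the whole scheme is only as strong as the master secret, which must be a long phrase rather than a word, since PBKDF2 slows guessing but does not prevent it. Changing the master secret changes every password at once, which is the price of having nothing written down.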

If you have any solutions to this sign-in information security dilemma, I've Been Mugged readers want to hear your suggestions.

Comments


Andre

Excellent points on the subject. My approach is to have a non-secure identity and a secure identity. I use the non-secure identity to register for fluffy stuff and sites I don't transact business on (e.g. flikr) and a secure identity that I only use for trusted sites that I do transact business on. It's not perfect, but it reduces the risk you cite.

Electro Gypsy

Pick a phrase ... any phrase will do, but the more words in it, the better

Take the first letter of each word in the phrase

Example
-------

Jack and Jill went up the hill to fetch a pail of water = jajwuthtfapow

Leet / L337 it - j4jwu7h7f4p0w

Capitalise / Upper-case certain words in the phrase J4Jwu7h7f4p0w

This makes for a very strong password indeed that is easily remembered and not prone to brute-force dictionary attacks.
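The three steps above, carried through in code as an added example (not Electro Gypsy's code): take the initials, leet-substitute, keep the capitals. It reproduces the comment's intermediate results for the Jack and Jill phrase, and then shows the check a practitioner would want, namely what happens when an attacker applies the same recipe to a list of well-known phrases. The leet map is the common one (the comment's example only needed a, t and o), the `COMMON_PHRASES` list is constructed for the example, and `brute_force_bits` is a naive character-class estimate, not a measure of real strength.

```python
import math
import string

# Common leet substitutions; keys are lower-case so capitals pass through.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def leet(s: str) -> str:
    """Apply the leet map to every lower-case letter that has an entry."""
    return "".join(LEET.get(c, c) for c in s)


def initials(phrase: str) -> str:
    """First letter of each word, keeping the phrase's own capitalisation.
    Words that start with a digit or punctuation are skipped."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha())


def derivation_steps(phrase: str):
    """Return (plain initials, leeted, leeted with capitals kept), i.e. the
    three lines of the comment's worked example."""
    init = initials(phrase)
    plain = init.lower()
    return plain, leet(plain), leet(init)


def phrase_to_password(phrase: str) -> str:
    """The finished recipe: initials, leeted, with the phrase's capitals kept."""
    return derivation_steps(phrase)[2]


# --- attacker's side ---------------------------------------------------------

# Constructed list of phrases an attacker would try first; in practice this
# would be a large list of rhymes, lyrics, quotations and Bible verses.
COMMON_PHRASES = [
    "Mary had a little lamb whose fleece was white as snow",
    "Jack and Jill went up the hill to fetch a pail of water",
    "Twinkle twinkle little star how I wonder what you are",
    "The quick brown fox jumps over the lazy dog",
]


def recipe_variants(phrase: str):
    """The recipe leaves a few choices open (leet or not, capitals or not);
    an attacker simply tries each of them, four guesses per phrase."""
    init = initials(phrase)
    lower = init.lower()
    yield lower
    yield leet(lower)
    yield init
    yield leet(init)


def guess_from_phrases(target: str, phrases=COMMON_PHRASES):
    """Return the phrase whose recipe output equals target, or None."""
    for phrase in phrases:
        if any(candidate == target for candidate in recipe_variants(phrase)):
            return phrase
    return None


def brute_force_bits(password: str) -> float:
    """Work, in bits, for an attacker who knows only which character classes
    the password uses and tries every string of that length."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size)


if __name__ == "__main__":
    phrase = "Jack and Jill went up the hill to fetch a pail of water"
    for step in derivation_steps(phrase):
        print(step)
    pw = phrase_to_password(phrase)
    print(f"naive brute-force estimate: {brute_force_bits(pw):.1f} bits")
    print("recovered from phrase list:", guess_from_phrases(pw))
```

Run it and the naive estimate for `J4Jwu7h7f4p0w` comes out near 77 bits, yet `guess_from_phrases` recovers it on the second phrase tried. The recipe resists an attacker who guesses characters; it does not resist one who guesses phrases, so the strength rests on the phrase being private (something only you would say), not on the leet step, which is a fixed transformation the attacker can apply too.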

George

Electro Gypsy:

Good suggestion! Thanks for sharing it.

George
Editor
http://ivebeenmugged.typepad.com
