How I ditched my reused password

Image from XKCD: http://xkcd.com/792/

It’s common to reuse passwords. Everyone does it. Don’t be one of those people. I’m a firm believer that security is inversely proportional to convenience. In other words, the more “secure” something is, the less “convenient” it is to get access to. Naturally, the opposite applies. It’s very convenient to say that you only have to use one password to log in to every website you visit. Is it secure? Nope.

How insecure is it? Well, let’s say that you are a typical user with an easy password. It’s all lowercase, maybe with some numbers tacked on the end (because some mean website made you add them). First off, it’s easy to crack. Second, all someone has to do is take the hash of your password and look it up in their list of already-cracked passwords to see if it matches (unless they already know your password without having to do any work). If someone has that password, they have access to everything: your social media accounts, your bank, your credit cards, and so on. That is, if you’re like most people and reuse passwords.

Some people have the mindset of “what do I have to lose?” That question is what risk is all about. If your accounts get compromised, what do you have to lose? I’ll let you be the one to decide.

This used to be me.  I had 3 passwords I would use and depending on the varying password requirements of the website in question, I would choose which password to use.  If the website asked me to change my password, I would just use one of my other passwords.  Easy peasy.

So, how did I ditch my reused password?  I took it off the grid, or should I say, the cloud.  I used a program called Keepass.  Keepass allows you to store all of your passwords in one place: a secure, encrypted password database.  The database is encrypted with a master password using the Advanced Encryption Standard (AES, Rijndael).

Keepass allows you to lock down all of your passwords with one master password.

With Keepass, I was able to go to every website I had a login for, change the password to something more secure, and never have to worry about having to remember it.  Keepass also allows you to use the program to auto-type the passwords for you when you visit the website.  You never know how many logins you have until you start using a password manager.  Can you count them all on one hand?

  1. Bank account login
  2. Credit cards
  3. Paypal, Stripe, etc.
  4. Social Media (Facebook, Twitter, LinkedIn, Pinterest, Foursquare, Myspace, Whatsapp, Vine, Reddit, the list goes on…)
  5. Email accounts (Google, Yahoo, Hotmail, Work emails…)
  6. Shopping websites (Amazon, Best Buy, Bed Bath & Beyond, etc.)
  7. Forums
  8. Online Games (WoW, EQ, EVE Online, Second Life, etc)
  9. Online Storage accounts (Dropbox, box, Google Drive)
  10. Admin accounts (Router, Modem, Web hosting, Godaddy)
  11. I bet you can name some I didn’t list.

What Else is out there

There are other services that offer the same functionality as Keepass, such as Dashlane, Lastpass, and 1Password, but they have fees associated with them. Personally, I prefer to use a free service, but your mileage may vary. Keepass is open-source, which means for you, as the consumer, that the code used in making the software is widely scrutinized. The other services I mentioned are proprietary, so you have to put your faith in the fact that they know what they are doing. The only thing that Keepass doesn’t offer out of the box that the other services do is database syncing. Dashlane and 1Password both offer the ability to have a local copy of your database, with the option to sync it to the cloud…for a price, of course.

For some, syncing your passwords between multiple locations is a must, especially since this is 2014 and people have more than one device.  You can easily get around this by loading your Keepass database into a service like Dropbox or Google Drive.

Keepass can hold passwords for everything.  Banking, Social Media, Forums, etc.

Flexibility

You can put into Keepass every password you’ve ever used on any website. While Keepass is great for keeping website passwords, you can keep other things as well. One of the great ways I’ve used Keepass is storing software keys. You know, those sequences of letters, numbers, and dashes you get from companies like Microsoft.

What I like about Keepass is its plugins. I’ve no need to browse the source that makes up the program, but unlike the other services I listed, Keepass has plenty of plugins to turn it into the database you need it to be, including the ability to add your own templates.

Does your organization have crazy password requirements? No biggie. Keepass can generate any combination of letters, numbers, special characters, etc. at any length you need. It even allows you to collect random data to further seed the password generation with more randomness.

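To show what “any combination of letters, numbers, special characters at any length” looks like in practice, here is an added example generator (not Keepass code) that draws from the OS CSPRNG and guarantees every required character class is present, plus a checker for the policy. The class names and the special-character set are assumptions chosen for this example.

```python
import secrets
import string

# Character classes a password policy can demand (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",
}

DEFAULT_REQUIRED = ("lower", "upper", "digit", "special")


def generate_password(length=20, required=DEFAULT_REQUIRED):
    """Return a password of `length` characters containing at least one
    character from each class in `required`, using a CSPRNG (secrets)."""
    if length < len(required):
        raise ValueError("length is shorter than the number of required classes")
    alphabet = "".join(CLASSES[name] for name in required)
    # One guaranteed character per required class, so the policy always passes...
    chars = [secrets.choice(CLASSES[name]) for name in required]
    # ...then fill the remaining positions from the full alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password, required=DEFAULT_REQUIRED, min_length=12):
    """True if the password is long enough and has a character from every required class."""
    if len(password) < min_length:
        return False
    return all(any(ch in CLASSES[name] for ch in password) for name in required)
```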
Does having an ultra secure password make you hack-proof? Unfortunately not. All a computer needs is time and power to hack any password. Having a password database is the first step in making sure your information is safe. It allows you to change your passwords as often as you like, and it encourages you to never reuse a password again. Even though Keepass itself is secured with a master password, it can also be locked down with a key file (which can be any file you want) in addition to the password, giving you multi-factor authentication.

Multi-factor Authentication

Multi-factor authentication is when you have multiple elements of authentication: something you have (key file) + something you know (your password). Banking websites as well as Google are starting to allow a unique code to be sent to your phone in addition to typing in your password on a website. If you have the option to do this, do it. If your password ever gets compromised, your information is still safe because the attacker doesn’t have the code that was sent to your phone or email address.
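The key-file factor described in the two paragraphs above can be illustrated with an added example (my own code, not Keepass’s): each factor is hashed, the hashes are combined in a fixed order and hashed again, and the result is stretched with a slow KDF before it can unlock anything. The combination step mirrors how Keepass builds its composite key; PBKDF2 is used here only as a stdlib stand-in for Keepass’s own key transformation, and the salt and round count are assumptions for the example.

```python
import hashlib

def key_file_key(key_file_bytes):
    """Reduce a key file of any content to 32 bytes: 'something you have'."""
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(password, key_file_bytes=None):
    """Combine 'something you know' (password) with 'something you have' (key file).
    Either factor missing or wrong yields a different key, so the database stays sealed."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        material += key_file_key(key_file_bytes)
    return hashlib.sha256(material).digest()


def database_key(password, key_file_bytes, salt, rounds=100_000):
    """Stretch the composite key so every guess costs the attacker real work.
    PBKDF2 stands in for the password manager's own key transformation."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file_bytes), salt, rounds)


def unlock_attempts():
    """Constructed demo: show which factor combinations reproduce the real key."""
    salt = b"constructed-database-salt"          # stored in the database header, not secret
    key_file = b"any file works as a key file"   # constructed key-file content
    real = database_key("correct horse", key_file, salt)
    return {
        "both_factors": database_key("correct horse", key_file, salt) == real,
        "password_only": database_key("correct horse", None, salt) == real,
        "wrong_key_file": database_key("correct horse", b"other file", salt) == real,
        "wrong_password": database_key("wrong password", key_file, salt) == real,
    }
```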