True password confessions of a security expert
I have a confession. It's hard to admit, and I know it might make me a bit of a social pariah and an outcast in the industry I work in but I need to get this off my chest:
I used a single password for many online services *deep breath* for a long time.
It wasn't a big deal at first, I only used it on slashdot, then eBay, then Yahoo, then Apple then a plethora of other systems until I simply lost control, plugging the same password into too many websites to count. It's just so darn convenient to use one password that I could rattle off in a second on every website I visited. I felt confident knowing that if I remembered the username or email address used I'd be able to buy something I didn't need but desperately wanted.
I finally realized I had a problem though when I signed up to yet another service and they emailed me confirmation of my account with my one online password just sitting there, cleartext, in the email. I had to do something about it. I turned to my friends and family for support but they were all at it as well, popping the same password into lots of different websites with reckless abandon, not worrying about the future consequences.
Years before I fell into this terrible habit, I had an encrypted spreadsheet on my desktop computer where I dutifully stored all my credentials. It wasn't very secure by today's standards, but worked a treat. I hardly bought a thing off the Internet so it mostly had logins to each of the systems I administered, each password created by either a cunning recipe I'd come up with or random bashing on my keyboard if I needed to relieve some stress.
The aim was to slow down any would be hacker from being able to through brute force access using dictionary attack techniques, allowing me to sleep at night knowing the 50 or so corporate systems protected by my angry keyboard mashing were safe.
Times have moved on though, and I needed passwords synced across multiple devices including my mobile and tablet. I had to come up with a better way of creating new passwords as frequent bouts of maniacal keyboard bashing would raise eyebrows in the office. The solution? A decent password management platform. I can now create complex passwords with any number of connotations and never have to worry about remembering the output. I can even sync to my other devices when needed, so I don't have to worry about having the one version of my password database sitting on my laptop in London when I'm desperately trying to book a flight on my iPad from Germany.
The first few months were hard and I faltered a few times at moments of weakness when the desire to book a hotel quickly was more important than going through the rigmarole of resetting the existing password, creating a new one and storing it, but I got there in the end and I'm now clean and away from the steel like grip of my old habit.
The most shocking part of this woeful tale is how many accounts I now have in my password manager, last count was over 100. Previously if one of them had been breached, the attackers could have gained access to all of them, completely owning my growing online footprint. Sobering thought.
With the recent spate of accounts being breached at companies I don't need to mention, maybe now is a good time to take a step back and rethink your password habits. Stop trusting other companies to protect your password and give them one that you'll use nowhere else so if they do get breached, you've significantly reduced your risk of further exposure.
If you don't already use one, make the right decision and download a password manager today. Here are a few to get you started:
Gavin Millard is the technical director EMEA at Tenable Network Security
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.