In my last blog, I gave some general front end security guidelines for developers. Today, I’m going to focus on what you, as a user, can do to increase your online security. As a user, it is all about passwords.
I like starting out at Wikipedia since they have a really good article on password strength. I would consider this the grandfather of all password policies since most policies you encounter on sites will be a watered down version of this. After looking over a few of the guidelines, it’s pretty clear that most applications will make a few concessions for the sake of enticing users. Complexity is king, so the more complex your password, the more secure you are. The problem, at least for me, is that remembering random strings of 8-10 characters can be a pretty tall order at times. Compound that with the knowledge that most places recommend you use a different password for each account and you start to forget a few here and there.
So, the question really becomes how are you going to remember the hopefully strong passwords you are going to create for your accounts? Thankfully, there are several approaches you can take:
- Password Manager Program
- Open ID
- Alternative secure passwords
Password Managers are pieces of software that you can use to keep track of all of your various usernames and passwords. Generally, these will have some sort of master password to secure the rest of your accounts. Most of them will also integrate with your internet browser and auto fill your account information when you navigate to a site you have an account for. LastPass is one such program that is getting pretty sophisticated. It has extensions for just about every browser, mobile apps, desktop apps and even runs from a USB drive. I think this is a great approach for web sites. You can create really strong passwords for your online accounts, store them in a manager, and only have to remember your master password. Where this starts to break down is if you rely so much on it that you forget your individual passwords and then have to go without the password manager, or worse yet, forget your master password. There are quite a few of these out there so I recommend you shop around, but definitely take a look at LastPass because they have a lot to offer.
The next recommendation is something that is really starting to gain in popularity. OpenID is a protocol that lets you use an existing online account to log in at other websites. Facebook Connect is a similar tool with more functionality rolled into it. These are basically account consolidators: you only have one account and password to keep up with, but you can use it to log into any site that implements the protocol. I like this approach for a lot of things, but I don’t think it is as secure as a password manager. This is something I would use for random ecommerce sites and blogs where I just want to comment a little every now and then. In general, I would classify this as having fewer accounts and therefore fewer passwords to think up and keep track of.
Lastly, I thought I would share a set of posts I found describing an alternative way of creating passwords. The author crunches the numbers behind what it would take for a more memorable pass phrase to be as strong as a random-character password. The logic is pretty solid to me even though he has a lot of detractors (whom he actually answers). I think the major hurdle to this approach is that so many applications enforce their own password policy. I would love to be able to use a pass phrase, but I’m pretty sure it wouldn’t contain a special character or a number.
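The "crunching the numbers" in both the Wikipedia article and the pass-phrase posts comes down to one quantity: how many equally likely possibilities an attacker has to search. The script below is an added example (my own, not code from this post or from the linked author) that puts the two approaches side by side. It generates a random-character password and a random multi-word pass phrase with Python's `secrets` module, computes the entropy of each from the size of the pool it was drawn from, and converts that to a worst-case search time at an assumed guess rate. The word list is a small constructed sample that stands in for a real dictionary; the `1e9` guesses-per-second figure is likewise an assumption for illustration, not a measurement.

```python
import math
import secrets
import string

# Constructed sample word list. A real pass phrase generator would use a
# dictionary of thousands of words; only the list size matters for the maths.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "forest", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "needle",
    "orbit", "pepper", "quiver", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zephyr",
]

# Printable ASCII minus space: the 94-symbol pool most "complexity" policies assume.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `pool_size`.

    Only valid for values actually picked at random; a human-chosen phrase
    such as a song lyric has far less entropy than its length suggests.
    """
    return length * math.log2(pool_size)


def random_password(length: int = 10, alphabet: str = FULL_ALPHABET) -> str:
    """Random-character password, e.g. what a password manager would generate."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pass phrase of `words` dictionary words picked uniformly at random."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility of a `bits`-bit secret."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(password_length: int, phrase_words: int, dictionary_size: int,
            guesses_per_second: float = 1e9) -> dict:
    """Entropy and exhaustive-search time for the two password styles.

    `dictionary_size` lets you evaluate a realistic word list without
    embedding it; `guesses_per_second` is an assumed attacker rate.
    """
    pw_bits = entropy_bits(len(FULL_ALPHABET), password_length)
    pp_bits = entropy_bits(dictionary_size, phrase_words)
    return {
        "password_bits": pw_bits,
        "password_years": years_to_exhaust(pw_bits, guesses_per_second),
        "passphrase_bits": pp_bits,
        "passphrase_years": years_to_exhaust(pp_bits, guesses_per_second),
    }


def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


if __name__ == "__main__":
    print("random password :", random_password(10))
    print("random phrase   :", random_passphrase(4))
    # 10 random printable characters vs. 4 words from a 7776-word list
    # (the size of a standard five-dice word list).
    for key, value in compare(10, 4, 7776).items():
        print(f"{key:>16}: {value:,.2f}")
    print("words to match a 10-char password:", words_needed(entropy_bits(94, 10), 7776))
```

Two things the numbers show that the prose cannot: a four-word phrase from a 7776-word list (about 52 bits) is a little weaker than a ten-character random password (about 65 bits), and a fifth or sixth word closes the gap, while the same four words drawn from a 25-word list are trivially searchable. The strength lives in the size of the pool and the randomness of the choice, not in the presence of a digit or a symbol, which is exactly the tension with site policies the post describes.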
The bottom line here is that there is a hard line to walk between secure and usable. Ultimately, I end up making extremely secure passwords only where I need them (my bank) and using LastPass/Facebook Connect for things that I’m not really worried about.
I like the password manager approach and use PassPack. Part of my password security plan is to avoid using the same password at multiple sites. For me to get into the master PassPack location I use a password, random image identification, and a pass phrase. I like their system because the pass phrase is not stored on their system but is necessary to decrypt my password file.
As more aspects of our lives go digital, in particular banking, having a sound password discipline is definitely “key”.