App and website developers: please do not disable paste on your login forms.
Let people use password managers so they can keep a unique password for your site that’s resistant to both password-guessing and password-sharing attacks.
Thank you.
Tag: password
Treat Passwords Like Driving: Separate Your Hazards.
The last time I set up a new computer, I was surprised to find that installing a password manager has become a critical part of getting the system ready to use.
It used to be that you could pick a few unique passwords for critical services like your primary email and banking sites, and reuse some passwords for less important sites, and maybe remember them all. But when so much of what we do happens online in so many places with so many different levels of security (and visibility), the attack surface is huge. Add in how many criminals and others are trying to break into those sites, and it’s no longer safe to reuse passwords.
Why?
If one site gets hacked, and you use the same password at another site, someone will try it just to see if it works.
The only way to protect against that is to use a different password on every site. And unless your online activity is very narrow, chances are you can only memorize a few of them. You can stretch it out with mnemonics like XKCD’s passphrase scheme, but eventually you’re going to have to record them somewhere. Putting it in a text file or spreadsheet is bad, because anything that gets onto your system can read it, but password managers are designed to encrypt them.
You still have to protect the master password on that file, but now you don’t need to worry that when someone finds your old MySpace password, they’ll start buying stuff on one of your shopping accounts, or hijack your Twitter as part of a harassment campaign, or use your email account to send malware to all your friends.
LastPass is a popular one. It’s cloud-based, which makes it convenient to use on multiple devices, but you do have to trust them. If you’d rather not trust your passwords to someone else’s computer, you can go with an offline manager like KeePass, which stores everything locally on your system in an encrypted file.
Recent Tech Links
Some interesting technology articles I’ve found over the last few weeks.
- Cornell lab prints food (LA Times) – One step closer to the day we can order pizza online…and download it!
- Ping isn’t always the best way to test network connectivity (or even speed) – ISC Diary
- XKCD and the paradox of password strength. ISC responds: it’s not that simple.
- Consolidation in the Telecommunications Industry since 1984 (the government-imposed breakup of AT&T into the seven “Baby Bells”) – WSJ
- ISC asks: Should We Still Test Patches?
- Introducing CloudFlare’s Automatic IPv6 Gateway – Very cool use of an existing proxy to make any website reachable by IPv6 with no changes to the server.
- Extrasolar planets seen by Hubble in 1998 revealed by new image processing techniques.
1…2…3…4…5.
If Your Password is “123456”, Just Make it “HackMe” (New York Times). Security researchers examine a list of 32 million passwords stolen from RockYou, and the most common are…well…pathetic. Things like “123456” (the most common), “abc123”, “password” and even “rockyou” (seriously!)
There’s been some slight improvement in the past decade, when the most common password was “12345” (the kind of combination an idiot has on his luggage). Now it’s got a whole extra digit. (Whee.)
Hmm, I wonder where “Chuck Norris” appears on the list?
(via @dixonium)
At least it’s pricier than a candy bar
Maybe it’s the housing costs, but people in San Francisco need a little extra incentive to give out their computer password than people in Liverpool. Last year a survey found that 71% would reveal their password for a chocolate bar. A similar survey this month in San Francisco found that 66% would give it up for a coffee.
At least Verisign made good on the offer—with a $3 Starbucks gift card.