I know you all want to use secure passwords, especially after reading about this week's hacks of LinkedIn, eHarmony and LastFM. So why don’t you?
If you use LastPass in your browser, it will happily create 16 character gibberish passwords for you and fill them in automatically.
Unfortunately this all breaks down once you start using your smartphone. Yes, initially it’s ok to look up the password and fill it into the settings of your mail or Twitter application. But when you’re on the road and want to share something from an app to Facebook, the app will often pop up a Facebook login. This is when you need to remember and type that gibberish password, and unfortunately neither LastPass nor any other password manager will fill it in for you.
The same is of course true for desktop apps, like your ERP system. So what do you do? You either use simple passwords that you can easily remember _and_ type on a mobile device, or you think of one really good password and start using it everywhere.
From a security perspective – not what you want. But completely understandable.
iOS and Android need to come up with an API to allow password managers to do their thing. Better still, app developers should start using built-in identity providers like Twitter in iOS 5, or Twitter and Facebook in iOS 6. We have to get rid of apps asking for a new password all the time, or password hacks will be a topic that stays with us for a long time.
Oh well, another breach: According to dagensit.no, 6.5 million LinkedIn password hashes have been posted to a Russian web site. The Next Web also has a report.
You might also want to change passwords on the other sites where you’re using the same password. While you’re at it, consider moving to something like LastPass, which allows you to painlessly manage 16 character passwords like “dF*^B@@uBqK&VXt9” for a site. I recommend getting the YubiKey package which adds additional security.
I’m getting tired of LinkedIn anyway, so I’m going to delete my account. They’re not adding ANY value over other social networks for me and have been constantly spamming me:
They keep trying to sell me on their premium services, which I have no interest in.
They constantly try to get me to get into their ‘groups’, which will just increase SPAM.
Plus they’ll not only let just about anyone contact me, they have the guts to remind me that I haven’t added that person I don’t even know!
And that after having to admit that they’ll store all the data they can get from me through their iOS app.
Time to go.
Excellent article by Gene Spafford about threats regarding password policies. Best article on the topic I’ve seen yet – and lots of wisdom to use for your own security-related discussions.
“From a high-level perspective, let me observe that one problem with any widespread change policy is that it fails to take into account the various threats and other defenses that may be in place. Policies should always be based on a sound understanding of risks, vulnerabilities, and defenses. ‘Best practice’ is intended as a default policy for those who don’t have the necessary data or training to do a reasonable risk assessment.”