Why you must use a Password Manager

If I were to ask you why you don’t use a password manager, and you answer:
“Oh, I don’t need that”.

… then I’ve got another question for you:
You sure about that?

Let’s look at who would not need a password manager:

1. People with less than three passwords (usually not Internet users)
2. People with more than three passwords and a fantastic memory

I know what you’re thinking – you think I forgot:

3. People who use the same passwords for everything
4. People who use some sort of nifty and (supposedly) fail-safe formula

Sorry to disappoint you, but those are the very people that need a password manager – and pronto!

The Big, Scary News

I recently came across a fabulous article by the authors of PRTK – a “password guessing program”.

Say a a hacker, let’s call him Mr. Nasty, wanted to break into your webmail account. In order for PRTK to work Mr. Nasty would need to have a copy of your login data (he might be able to get this by stealing it off of an encrypted cookie in your browser). Then he’d set PRTK to work, go out for a coffee, and come back later to see if the password has been guessed.

As Bruce Schneier puts it:
“So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like ‘letmein’, ‘password’, ‘123456’ and so on. Then it tests them each with about 100 common suffix appendages: ‘1’, ‘4u’, ’69’, ‘abc’, ‘!’ and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.”

24 percent of all passwords!! In a matter of minutes.

Does this apply to you?

Of course, PRTK doesn’t work every time: if your password is “strong” enough, and the program you use is built well enough, than Mr. Nasty is out of luck. But how strong is your password really?

Raise you’re hand if you use some combination of names of people or animals in your family and tack on a number or two for good measure. And how many of you use simple substitutions like ‘$’ for ‘s’, ‘3’ for ‘e’, ‘0’ for ‘o’?

Ok, if your hand is raised – you should know that “Eric Thompson estimates that with a couple of weeks’ to a month’s worth of time, his software breaks 55 percent to 65 percent of all [those] passwords.”

55% – 65% of the time!

Why little ol’ me?

You see, re-using the same passwords (or formulas) over and over again is very dangerous. But most folks think:

“Why would anyone want my passwords anyway – I’m nobody special.”

Mr. Nasty isn’t concerned about your social status – he just wants access to that juicy list of contacts in your webmail account.

Or worse, he can click the “lost password” link at your bank, have it sent to your email, then READ that email, login and wipe you out. (though I hope your bank doesn’t really use such a system)

That’s not very fun.

Or what if you use some variation of that same password for your bank account? Mr. Nasty doesn’t care how rich you are either: even if he get a few hundred bucks off each person… times the amount of passwords he’s cracked… it’s worth his effort to try.

So what to do?

  1. make strong passwords – (here’s how)
  2. don’t reuse them – (even the UN says it’s a bad idea)
  3. Can’t remember all that nonesense? get a password manager

(Ok, I admit, PassPack is my favorite Password Manager, but there are plenty of others out there, and you should always shop around. And only choose someone who inspires your trust.)


Technorati Tags: , , , ,


3 responses to “Why you must use a Password Manager

  1. “If Mr. Nasty gets into your webmail, he can send harmful emails to your friends, family and coworkers in your name.”

    You don’t need to hack the account to do this. ANYBODY can send emails with ANY sender’s address easily.

    “But it get worse. What if you use some variation of that same password for your bank account?”

    He would still need a TAN to get money from the account. The password could only be used to view transactions.

  2. @Juli
    Yes, you’re right – my examples are simplistic.

    While sending emails with other accounts is done constantly, and contact list are often exploited simply via malware, actually having to access to the webmail is dangerous nonetheless.

    Think: incoming mail.

    How many sites email your passwords (or TAN?) with an “I forgot my password” feature. It becomes a snowball effect.

    The point still remains: if you reuse the same passwords – they are all up for game.

    Thanks for pointing these things out. The article is meant to be simple, to make “normal folks” think – thus terms like “Mr.Nasty” – and it’s certainly not a be-all end-all list of what hackers can, or want, to do with your passwords.

  3. Pingback: Nicola Mattina Blog » Blog Archive » Chi ha bisogno di un password manager?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s