A member of a not-for-profit organisation that I’m involved with has just succumbed to a phishing expedition. It wasn’t particularly sophisticated but it was all that was required to extract her GMail user name and password. The success of the trick was only noticed when her bank phoned asking if she really did mean to transfer $70,000 out of her account. Oh, how we laughed.
Remember when things were simpler?
If you’re of a certain age, you’ll remember a time when you used only one password for every system, application and website to which you had access. Like me, maybe you can recall the feeling of horror and indignation upon being asked, for the first time ever, to change your password after 365 days had elapsed since you had first set your original password: “well really! This password has seen me right for years. And it was good enough for my father too, and his father before him.” Then you’d congratulate yourself on your cunning for merely adding the number ‘1’ to the end of your new password. But password-strength checking routines became more sophisticated (“your new password is too similar to your previous password”) and adding a single digit was no longer an acceptable new password.
Then using leetspeak in passwords was the thing, until dictionary attacks that account for those substitutions became common knowledge. Basically, if you’ve thought of a technique for easy-to-remember passwords then the bad guys have already thought about it, and they were thinking about it way before you did. In fact now they’re thinking about stuff that you’ve yet to think about. What do you think about that?
Security through obfuscation
Widely known user names became an apparent weak spot of security and these too had to become unique. Then the best-practice suggestion was that you should have a unique email address for every site where you held an account – which requires yet more user name and password combinations.
Whatever happened to OpenID?
OpenID seemed like a great idea: keeping a single set of credentials with a central provider which would then authorise access to third-party sites. The underlying concept never really took off until ubiquitous enterprises such as Google and Facebook took on that role and we now know how far you can trust those big behemoths.
Passwords on sticky notes
As password-strength checking routines diversified, so too did my list of passwords, to the point where I had to start writing down my passwords, albeit in a difficult-to-understand format that would sometimes even outfox me.
Which brings us round to password managers. It’s a sad reflection on the industry that these are the best solutions to managing authentication credentials that we currently have. In the main I work remotely and despite constantly pruning the entries in my password manager, when I last looked there were over 500 unique sets of credentials (which doesn’t include those for financial sites, which are the only ones that I have managed to commit to memory).
Which password manager would you recommend?
So which password manager would I recommend? Well I’m not going to tell you because if I told you then you’d know where to start hacking my passwords and in that case, then I might have to kill you.*
* Note to GCHQ: this is flippancy and does not amount to a tangible threat.