No more slacking and delaying the inevitable, this weekend I've migrated fully to a cloud password manager. It doesn't mean I didn't use one before - for over a year I was using KeePass with Dropbox synchronization, but even if I like & admire the idea of an Open Source, free app like that, I find it missing too many features & to be honest - the UI has huge room for improvement.

But before we dive into apps & services ...

Let's talk about passwords

A few years ago I was fully convinced that having a strong, multi-word password with some digits, special chars & lower/upper-case variation is more than enough to keep my data (& other property) safe. Unfortunately, I was too short-sighted to foresee the direction things were going ...

Like mushrooms after the rain shower

My approach was fine when I was using 1, 2, 3, ..., 7 services - the number was still quite manageable - I was able to keep different passwords for different services & change them pretty frequently if there was any need. However, the number of on-line services I was (and am) using is (still) growing exponentially - internet banking, on-line shopping, streaming services, e-mail accounts, blog platforms, multi-player games, social networks: pretty much all of them require registration, login & (at least) a password.

In such circumstances it is NOT possible to have a different password for each account (not to mention having each account bound to a dedicated e-mail account - for password retrieval purposes or so) - you would never be able to remember all those passwords.

There are some workarounds of course:

  • some sites use an external authentication service (like Microsoft Passport, Google or Facebook authentication), but these are still a minority
  • you can create an algorithm that generates a password unique for each service (for instance: based on the service name): but if your passwords leak out in a personally targeted attack, a hostile individual may easily break your code and gain access to pretty much everything
  • or you could (and it was my favourite strategy) create a few highly secure passwords and classify the services you use into separate segments (critical, highly confident, confident, I don't give a f#^&...) and use a single dedicated password in each segment: usually your classification would match the overall security standard of the service:
    • small internet shops / personal interest forums are very prone to vulnerabilities (but you don't keep critical data there...)
    • on the other hand - banks & large retailers do not treat security lightly - the probability of a leak is significantly lower (as the information kept is more crucial)
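To make the trade-off between these workarounds concrete, here is a small added simulation (my own example, not code from the original post) that models a user's accounts under three strategies - one shared password, the segmented scheme described above, and a unique random password per service - and measures the "blast radius": how many other accounts fall when one low-tier service leaks its credentials. The service names, segment labels and placeholder secrets are constructed for the example; the only real point is the count of extra accounts exposed by each strategy.

```python
import secrets
import string

# Constructed sample: a handful of services and the risk segment the
# post's scheme would assign each of them to.
SERVICES = {
    "bank": "critical",
    "email": "critical",
    "big-retailer": "highly-confident",
    "streaming": "confident",
    "small-shop": "dont-care",
    "hobby-forum": "dont-care",
}


def single_password(services):
    """Worst case: the same password reused on every service (placeholder value)."""
    return {s: "one-password-everywhere" for s in services}


def segmented(services):
    """The post's segmentation scheme: one dedicated password per segment."""
    per_segment = {seg: f"placeholder-secret-for-{seg}" for seg in set(services.values())}
    return {s: per_segment[seg] for s, seg in services.items()}


def unique_random(services, length=20):
    """What a password manager gives you: an independent random password per service."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return {s: "".join(secrets.choice(alphabet) for _ in range(length)) for s in services}


def blast_radius(passwords, leaked_service):
    """Services (other than the leaked one) whose password equals the leaked password.

    This is exactly what a credential-stuffing run discovers after a breach:
    every other site where the same pair of credentials still works.
    """
    leaked = passwords[leaked_service]
    return sorted(s for s, p in passwords.items() if p == leaked and s != leaked_service)


def compare(services, leaked_service="hobby-forum"):
    """Number of additional accounts exposed under each strategy when one service leaks."""
    strategies = (("single", single_password), ("segmented", segmented), ("unique", unique_random))
    return {name: len(blast_radius(build(services), leaked_service)) for name, build in strategies}


if __name__ == "__main__":
    # A breach at the throwaway forum: reuse decides how far it spreads.
    for name, exposed in compare(SERVICES).items():
        print(f"{name:>9}: {exposed} other account(s) exposed")
```

Segmentation does limit the damage from a leak at a "don't care" site to the other sites in that segment, but a leak inside the critical segment still takes the whole segment with it (run `blast_radius(segmented(SERVICES), "bank")` to see the e-mail account go along), which is the gap that only per-service unique passwords close.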

My way or the highway

Unfortunately even the smartest workaround from the list above quite quickly turns out to be insufficient. To improve (hehe) the security level, many sites force their own password policies on you:

  1. Some chars may not be allowed, some (combinations) may be required, etc. - this can pretty easily break the rules / conventions you've come up with.

  2. Service may force you to update the password every X months / weeks: that could easily de-sync your policies, especially when you've set up some segmentation schema (like the one I've mentioned above). What is more ...

  3. ... there may be some strict restrictions on the required differences between passwords -> your new password may be rejected due to unacceptable similarity to the previous one: this could ruin your "algorithms" as well.

Consequences of negligence

Obviously you can ignore the whole thing and happily live the old way:

Such things (hacking, etc.) may happen in the US or Western Europe, but who would want to hack my account here in Poland?

or

There are zillions of Internet users worldwide - what's the chance someone would hack me - I'm not particularly rich or special in any other way that could catch the attention of hackers ...

Obviously - this is a flawed way of thinking.

First: hacking knows no borders - the internet is everywhere, services are widely available: a script kiddo from Elbonia may hack the account of a Polish person as smoothly as he would that of an American.

Second: volume is not a problem - volume is an opportunity, volume means a human mass - it rather simplifies things to be honest. Accounts are not hacked individually - it's whole databases that leak on a daily basis and no-one checks the credentials individually: such activities can be automated / scripted and executed via whole botnets.

This post is part I, you can find the continuation here