Wednesday, January 23, 2008

Are you helping someone Harvest your Passwords?

Do you ever reuse passwords? If not, can you really keep them all straight? Which password goes with which site? I will assume that on more than one occasion you have mistakenly entered one of your other passwords while trying to log into a website. Consider for a moment all of those failed logins that the webserver handles. What if the webserver logged the username and the incorrect password that was entered? In many cases the incorrect password would be a typo. But in other situations it would be the legitimate password of that user at another site.

If the owner of this webserver wanted to be particularly malicious, they could keep track of the usernames and failed logins and then attempt these combinations at other popular sites: gmail, yahoo, ebay, amazon, myspace, bankofamerica, chase. I imagine you have a login account at at least one of those sites.
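To make the threat concrete from the server side, here is an added example (not code from the original post, and not from Password Safe) of a small login handler written two ways: first the way the post warns about, where the failure log keeps the typed password, then a hardened version that stores only salted PBKDF2 hashes and logs nothing but the username and the outcome. The helper names, the log line format, and the user record are assumptions for this example; a defender's check at the end flags any log line that carries a password field at all.

```python
import hashlib
import hmac
import os

# Constructed example. Helper names and the audit-log format are assumptions.
PBKDF2_ROUNDS = 200_000


def make_record(password):
    """Store a random salt and a PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(record, candidate):
    """Recompute the hash for the candidate and compare in constant time."""
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(attempt, digest)


def login_logging_passwords(users, username, password, audit_log):
    """What the post describes: a failure log that keeps the typed password.
    A password reused from another site ends up here in plain text."""
    ok = username in users and verify(users[username], password)
    if not ok:
        audit_log.append(f"LOGIN_FAILED user={username} password={password}")
    return ok


def login_hardened(users, username, password, audit_log):
    """Hardened: the submitted secret never reaches the log, even on failure."""
    ok = username in users and verify(users[username], password)
    audit_log.append(f"LOGIN_{'OK' if ok else 'FAILED'} user={username}")
    return ok


def lines_leaking_secrets(audit_log):
    """Defender's check: any log line carrying a password field is a finding."""
    return [line for line in audit_log if "password=" in line.lower()]


if __name__ == "__main__":
    users = {"alice": make_record("correct-horse")}  # constructed account
    bad, good = [], []
    # Alice mistakenly types the password she uses at a different site.
    login_logging_passwords(users, "alice", "my-bank-password", bad)
    login_hardened(users, "alice", "my-bank-password", good)
    print(bad)   # the other site's password now sits in this server's log
    print(good)  # only the username and the outcome
    print(lines_leaking_secrets(bad + good))
```

The point of `lines_leaking_secrets` is that it runs over the log after the fact: even if every handler on a site is written the hardened way, a periodic scan of the logs catches the one that was not.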

What can you do? The obvious and least helpful suggestion is to not enter a valid password at the wrong site. However, an actual suggestion that helps is to consider using a secure password store. There are several options out there. I would recommend the program called Password Safe. This application lets the user create a master safe, with a single master password, to store all other passwords securely. You add a website name and the username and password. After that you can double click on the saved password and copy it into the password form of the website. You don't even have to see the password after you initially set it. If you really want to take passwords to the next level you can use the random generator built into the tool. This lets you generate a random password when you create the entry (obviously you have to set this same password for the web site account).

If you go to try out pwsafe, I recommend a couple of things.

1. Make the password for pwsafe strong (i.e. the master password). But at the same time, don't make it something crazy that you will forget, since you would lose access to all your other passwords. There are lots of guides out there on how to pick strong passwords. One method that is effective and easy to remember is to pick a pass phrase. For example, the following could be your passphrase:

The little brown fox ran into the barn.

This passphrase contains 39 characters and would not be quickly guessed by anyone. Also remember, the only people who will have access to pwsafe are the people with access to your computer.
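As an added example (my own, not from the post or from Password Safe) of how to reason about a master passphrase like the one above: it counts characters and words and gives two guess-space estimates, one for blind character guessing and a pessimistic one that assumes the attacker knows the passphrase is made of dictionary words and guesses whole words. The dictionary size, the guess rate, and the policy thresholds in `check_master_password` are assumed values for illustration.

```python
import math
import re

# Assumed values for illustration, not measurements.
ASSUMED_DICTIONARY_WORDS = 20_000   # words an attacker might try per position
PRINTABLE_ASCII = 95                # characters to cover when guessing blindly


def passphrase_stats(passphrase):
    """Length, word count, and two guess-space estimates in bits.
    char_bits assumes blind per-character guessing; word_bits is the
    pessimistic case where whole dictionary words are guessed instead."""
    words = re.findall(r"[A-Za-z']+", passphrase)
    return {
        "length": len(passphrase),
        "words": len(words),
        "char_bits": len(passphrase) * math.log2(PRINTABLE_ASCII),
        "word_bits": len(words) * math.log2(ASSUMED_DICTIONARY_WORDS),
    }


def years_to_exhaust(bits, guesses_per_second=1e9):
    """Years needed to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def check_master_password(candidate, min_length=16, min_words=4):
    """Assumed policy for a pwsafe master password: long enough and made of
    several words, so it is strong but still memorable. Returns the list of
    problems found; an empty list means the candidate passes."""
    stats = passphrase_stats(candidate)
    problems = []
    if stats["length"] < min_length:
        problems.append(f"only {stats['length']} characters, need {min_length}")
    if stats["words"] < min_words:
        problems.append(f"only {stats['words']} word(s), need {min_words}")
    return problems


if __name__ == "__main__":
    for candidate in ["The little brown fox ran into the barn.", "fox123"]:
        s = passphrase_stats(candidate)
        print(candidate)
        print(f"  {s['length']} chars, {s['words']} words, "
              f"{s['char_bits']:.0f} bits blind / {s['word_bits']:.0f} bits word-guessing")
        print(f"  years to exhaust (word-guessing): {years_to_exhaust(s['word_bits']):.3g}")
        print(f"  policy problems: {check_master_password(candidate) or 'none'}")
```

Even under the pessimistic word-guessing estimate the 39-character sentence stays far out of reach, which is why a plain sentence you can actually remember is a better master password than a short string of symbols you will end up writing on a sticky note.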

2. If you are afraid you are going to forget your master password, go ahead and write it down and store it somewhere securely. Yes, I said you can write down your password. The key is to still store that piece of paper somewhere that is not accessible to others (i.e. not on your monitor, under your keypad, or in your wallet). You may be questioning my suggestion and think that if it's written down then someone could find it and gain access to all of your other passwords. True, that would be bad. But we don't want you to forget the master password and completely lose access to everything in pwsafe. And if you really feel threatened about unknown people entering your house, searching through your stuff and taking a piece of paper with a sentence on it and then using that to hack into your computer... well, invest in better locks for your doors and stop using computers.

I certainly got off the initial topic. I think it is an interesting threat that is posed by simply entering incorrect passwords into sites we use each day. Pwsafe has worked well for me and I wanted to provide that suggestion along with a few tips. Best of luck.

-Michael Coates