password management – Odinn Security

Password Managers – Local vs Global

By Edward Thomson | March 4, 2017 | Comments 0 Comment

I’ve written a few articles already about the need for better passwords and the necessity of using a password manager. In this article I will point out why I think a local password manager is better.

Local

A local password manager is one that sits upon one device and does not back up to the cloud or anywhere remote location automatically. My own preference is to use something which is as simple as possible. This minimises the possible attack surface in case the password management software has a flaw. Let me recap what my password manager does / is:

Save my passwords in an encrypted file
The software is local to my computer
There is a automatic backup file which is saved locally
I can copy / paste the usernames and passwords

The password file is only saved to the computer on which I’m working. I have one manager on my work computer and one on my personal computer. There is no saving of passwords to the cloud, nor do the password managers have any sort of remote connectivity.

The software only saves passwords. That’s it. Nothing more. Let me outline why this is best.

…

It may look complex and unpredictable but is it really?

By Edward Thomson | November 14, 2016 | Comments 0 Comment

A key idea in security is that of unpredictability. If I can’t guess your password then it ought to be secure. This is almost true, except the problem isn’t about whether I (as a human) can guess your password but whether a computer can iterate through all possible passwords and find your particular password within a sufficiently short timeframe. There is a mistaken assumption that if your password is hard for a human to guess then it is a good password to use. I heard an anecdote that went something like “My password is ‘JohnSmith’. No one will guess that because my name is Bill Jones.” This line of thinking is based on whether someone you know is likely to guess your password.

…

Creating better passwords

By Edward Thomson | August 14, 2016 | Comments 0 Comment

TL;DR: use a password manager.

Allow me to suggest Password Safe (https://pwsafe.org/). Forgive the lack of design on that website but the product is free and was created by security expert and cryptographer Bruce Schneier.

Password Memes

Everyone has undoubtedly seen the memes that illustrate our common frustrations in picking a password for a new account. A new website has gone live and everyone is racing to join it and try out the new service. There is a large fear of missing out (aka #FOMO), but you may need to pick a username that hasn’t already been taken. John1 has likely been taken even if you’re an early bird, but in the case where you just have to use your email address as your username there is always the dreaded next step of choosing a password. We scratch our heads and feel the sensation of guilt when our brain falls into the groove of recalling our favourite password.

I will outline the usual problems with password creation and storage, and then make the case for password managing software. My aim is not to complain about bad behaviour nor chastise anyone for having a weak password. We’ve all been there. I’ve even typed passwords into group chats: “MyCompany789!$”. Oops! I’ve had a few moments of embarrassment while I frantically change a terrible password that I shared with everyone.

This is a non-technical article and should be readable without any specialist knowledge! This is intended for everyone and to help improve real world security for people in their personal and professional life.

…