Whether it’s your bank’s website, OSCPA’s membership resources, or even just an email account, nearly everything we do on the Internet requires us to authenticate ourselves with a password. But passwords pose an almost unavoidable dilemma: any password that is easy to remember is probably also easy to guess. Worse yet, it is difficult enough to remember multiple simple passwords, much less multiple secure ones, so people tend to reuse the same password, or the same few passwords, across multiple services, perhaps altering them very slightly (and probably predictably) for each one, and that’s if we’re lucky. Add to this the sometimes draconian policies requiring passwords to be changed on a regular basis, and it’s no wonder that passwords are such a problem today.
The ideal solution, of course, would be if everyone (we will use a hypothetical user Alice for simplification) used different passwords for each resource (email, banking, OSCPA, etc.), and if each password were secure. The importance of using different passwords for different services is the same as the importance of using different keys for different locks. Imagine if Alice used the same key for her car, her home, her mailbox, and her office. If a thief — let’s call her Eve — ever managed to copy the key, she would immediately have access to all of these locations, and Alice would have the additional hassle of changing so many locks. Furthermore, Eve could target the easiest location at which to copy Alice’s key — perhaps by impersonating a maintenance person at her work — instead of having to go directly to her house. The importance of Alice’s keys being secure (i.e., not easy to copy, not blank keys bought from the store, and of a shape not easily guessed) is, we hope, self-evident.
Password security involves a lot of different technical aspects, but the three take-away elements are these: good passwords should be complex, utilizing both uppercase and lowercase letters, as well as numbers, spaces, punctuation, and other symbols; they should be long; and they should be random. Complexity is a measure of a password’s key space. Intuitively, the more kinds of symbols Alice’s password draws from (e.g., letters and numbers instead of just letters), the greater the number of possible passwords she could be using, and so the more passwords Eve must guess. Length corresponds to a password’s key length. Once again, the longer a password, the more possible passwords there could be, and so the harder any individual password is to guess. Finally, randomness is a measure of a password’s entropy, which can be thought of as measuring how hard it is to predict one character from the others (for example, a password of “abcd” is less entropic, and so less secure, than “a3@Z”).
These days, a minimum amount of entropy that we should demand from our passwords is about 128 bits. In lay terms, this corresponds to a password of between 16 characters (containing a completely random sequence of every symbol of which you can conceive) and 64 characters (containing only regularly-typed English letters). Somehow remembering a litany of completely different passwords of these types, some of which must be changed on a regular basis, is, understandably, all but impossible (unless you’re Dustin Hoffman’s character in Rain Man). And if you write these passwords down, unless you store them somewhere safe, you might as well use weaker passwords that are easier to remember — and if you do store them somewhere safe, they’re probably not going to be easy to get to.
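The arithmetic behind the figures above, as an added example that is not from the article or from Password Safe: it scores a password by length × log2(alphabet size), shows why the article’s “abcd” rates below “a3@Z” and why a neat sequence deserves even less credit than that score, works out how many symbols reach 128 bits, and draws a password from the operating system’s CSPRNG the way a manager’s generator does. The 64-letter figure is reproduced by assuming roughly 2 bits of entropy per character of ordinary English text; that rate is this example’s assumption, not something the article states.

```python
import math
import secrets
import string

TARGET_BITS = 128  # the article's minimum; constructed example, not Password Safe code

# Character classes behind the article's "complexity"; together the 95 printable ASCII symbols.
CLASSES = {
    "lower": string.ascii_lowercase,      # 26
    "upper": string.ascii_uppercase,      # 26
    "digit": string.digits,               # 10
    "symbol": string.punctuation + " ",   # 33 (space counted with the punctuation)
}

def key_space(password):
    """Per-position alphabet size implied by the character classes the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def bits_per_char(alphabet_size):
    """Entropy contributed by one uniformly random symbol from the alphabet."""
    return math.log2(alphabet_size)

def entropy_bits(length, alphabet_size):
    """Upper bound on entropy: length * log2(alphabet size), assuming every symbol is random."""
    return length * bits_per_char(alphabet_size)

def length_for_target(bits_per_symbol, target_bits=TARGET_BITS):
    """Symbols needed to reach target_bits when each symbol contributes bits_per_symbol."""
    return math.ceil(target_bits / bits_per_symbol)

def has_sequential_run(password, run=3):
    """True if `run` adjacent characters step by one code point ('abc', '123'): a crude
    stand-in for the article's randomness criterion, since the uniform model above
    overstates the entropy of such passwords ("abcd" is weaker than its 18.8 bits)."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False

def generate_password(length, alphabet="".join(CLASSES.values())):
    """Uniformly random password from the OS CSPRNG, as a manager's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for pw in ("abcd", "a3@Z"):  # the article's own comparison
        print(pw, key_space(pw), round(entropy_bits(len(pw), key_space(pw)), 1), has_sequential_run(pw))
    # symbols for 128 bits: any key, random letters only, English text at an assumed ~2 bits/char
    print(length_for_target(bits_per_char(95)), length_for_target(bits_per_char(26)), length_for_target(2.0))
    print(generate_password(20))
```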
What’s the solution to this technical headache? Go ahead and use different, strong passwords everywhere — but only worry about remembering one of them. There are a number of different software solutions that will store your password for you, many built into the different operating systems, but the program we will be reviewing is Password Safe, which is free (in fact, open source), available for Windows (beneficial for many corporate environments, and programs compatible with Password Safe are available for other operating systems), and secure.
Upon launching Password Safe, you’ll be asked either to open an existing database or to create a new one (choose the latter if you’re using it for the first time). The fact that you can create multiple databases has a number of useful applications. For example, you could have one database for home and another for work, or one database for personal accounts, and another for group accounts, and the password database for the latter could securely be shared among multiple people. The password that you supply for each database will be all that is required to access the passwords inside, letting you remember just one key — the database password — while forgetting about the numerous secure passwords stored inside. If ever you need them, just open up Password Safe and pull them back out again.
Password Safe helps you manage your passwords in other ways as well, like coming up with good passwords in the first place (you can customize your password policy and even have the program generate a random password for you), storing account and other info along with them, remembering the last several passwords used, copying passwords to the clipboard without viewing them (for deterring shoulder surfers), changing how often passwords expire, and so on.
Finally, the databases that Password Safe creates are very secure: even if a thief somehow obtained a copy, its contents remain protected as long as the password you chose to protect it is strong. The software is open source, so you can examine its code yourself and ensure it is up to no ill, and it was designed by the respected security analyst Bruce Schneier. To protect your information, databases are encrypted with the Twofish algorithm, one of the Advanced Encryption Standard finalists, and Password Safe has been reviewed by Schneier’s own Counterpane Internet Security, Inc. (now BT Counterpane, owned by BT Group plc). So whether you’re a grandmother at home or a corporate executive flying between Columbus and San Francisco, it’s time to set aside your excuses for not using multiple strong passwords everywhere and save yourself the headache of trying to remember them all.