A Business Technology Place

The Weakest Lock

What entry point to your electronic data is the least secure?
The Evernote announcement of forced password resets last week started an email discussion between a colleague and me about password security. I was impressed with Evernote’s precautionary measures and their transparency in admitting they had detected suspicious network activity. Although they found no evidence that password files were compromised, they chose to communicate their findings and force a password reset for all their users. In a blog post and email Evernote states “As a precaution to protect your data, we have decided to implement a password reset.” That’s a small price to pay for a little insurance and peace of mind about the information in my account. I gladly reset my password and then moved on with my other daily activities.

My email conversation was about password security and authentication measures to access data. Some time ago I started using one of the online password services called PassPack to help me manage passwords for all my accounts. I set up a randomly generated password for most sites, which means I can’t get access to these sites without first signing in to my password manager. Extra security does come with extra overhead.

Are gestures a good idea for authentication?

The email conversation on the topic captured a thought about the weakest entry point.

“Follow up on Bob’s random password use. I use LastPass and have considered having it randomly generate passwords for everything. That would create a complete dependency on LastPass, and I’d want to export / backup the list at times. But then what password guards LastPass? That one password would become the weakest lock.”

For me, PassPack requires both a username / password combination and an additional encryption key, which is a full phrase/sentence. But conceptually the thought in the email is correct. A single authentication that grants access to a group of credentials is the weakest lock, or at least the lock with the most impact. If someone were to gain access to my master list of authentication credentials, then it really doesn’t matter that each of the sites I use has a different password.

The balance between security and usability.
Yancey Vickers from Red Clay Interactive wrote about the convenience of password manager programs and OpenID in her post One Password to Rule them All. She discusses some of the tradeoffs between added password security and usability. People have different tolerances for how much security they accept in their authentication process. I suspect that the overhead I take on to sign in to a password manager to retrieve a password is not acceptable to most people.

What about mobile devices?
The email goes on to read:

“Then I think about our smart phones. That may be the weakest lock because if you get into my smart phone you can get into a lot of stuff to either gain access or socially engineer others to gain access. For the longest time that was just a 4 digit pin. Now it is a gesture.”

I hadn’t thought about this before the email. But my friend is right. The security requirements for my company-issued phone are not the same as those on the company-issued laptop. There is no multi-character password requirement, expiration date, or VPN program on the phone. A single PIN, or gesture, allows access to corporate email. That does sound like the weakest lock.

Do mobile devices warrant tighter security? Would people use a mobile device if they had to key in a password composed of capital letters, lowercase letters, numbers, and a special character? What if they had to authenticate with a VPN service after unlocking the phone? The standards seem to vary by device.

The Weakest Lock.
One password to rule them all, One password to find them,
One password to bring them all and in the mobile device bind them.

Secure your identity with password storage software from PassPack

I finally forced myself to sit down and come up with a better plan for password management this past week. As online identity theft grows, it’s becoming more commonplace for media and bloggers to write about security best practices, password protection, and other topics related to online identity. Unfortunately, password management is one of those topics that people choose to ignore because they want something simple and don’t want to be burdened with password rules and expiration dates. I counted myself in that group up until now.

I reviewed a few alternatives for password management programs. Some of the programs have local clients to install, with the password storage kept local. Some use a recording and playback method. Some leverage a two-factor authentication system with a physical device that supplies a key. What is common among all of them is that they require a user to change their habits in some way. I think this is a valid trade-off for added security and a little peace of mind.

For my review, I decided I needed to find a solution that addressed the following criteria:

1. Portability

Have an online version so that I could access my password storage from multiple locations. Since I use different computers throughout the week or may need to get to a site from an unexpected location, I need something portable.

2. Multi-Factor Security Options

Ok, so this is obvious, right? After all, I am giving someone my accounts and passwords. Since I wanted an online solution, I need to be comfortable with the security of the system. A fairly new approach to security that goes beyond encrypting the contents of the message on the wire is the host-proof hosting system. I’m not a security expert, but I get the fact that this system encrypts the data on their server, that I have a secret key that is not stored on their server, and that at no time is the key moved to their server. I see there are several players on the market that are using this system, including industry giant Verisign.
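The sketch below is an added example, not PassPack’s, Verisign’s or the original post’s code. It shows end to end what a host-proof hosting design looks like (everything is derived from the master passphrase on the client; the server stores only a salt, a hash of a login verifier and ciphertext) and, through `weakest_lock`, why the master passphrase becomes the weakest lock from the first post above. All names (`VaultServer`, `derive_keys`, `encrypt_vault`, the sample passphrase and vault entry) are constructed for the illustration. Two substitutions are assumptions made to keep it standard-library only: the HMAC counter-mode stream stands in for a real AEAD such as AES-GCM, and PBKDF2 stands in for a memory-hard KDF like scrypt or Argon2.

```python
"""Host-proof vault demo: the client derives every key from the master
passphrase; the server holds only salt, a verifier hash and ciphertext."""
import hashlib
import hmac
import json
import os

# Constructed demo parameter; a real product would use a memory-hard KDF
# (scrypt/Argon2) and an AEAD such as AES-GCM instead of the HMAC stream below.
KDF_ITERATIONS = 100_000


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """One slow KDF call, split into three independent 32-byte keys:
    encryption key, MAC key, login verifier. Only the verifier leaves the client."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=96)
    return material[:32], material[32:64], material[64:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as an illustrative stream cipher (stdlib has no AES).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(enc_key: bytes, mac_key: bytes, vault: dict) -> dict:
    """Encrypt-then-MAC the serialised vault under a fresh random nonce."""
    nonce = os.urandom(16)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: dict) -> dict:
    """Check the tag first; a wrong passphrase or a tampered blob fails here."""
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault tag mismatch: wrong key or tampered ciphertext")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class VaultServer:
    """Stand-in for the hosted side. It never receives the passphrase or the
    encryption key, so a full copy of its database is still only ciphertext."""

    def __init__(self):
        self._records = {}

    def register(self, user: str, salt: bytes, verifier: bytes, blob: dict) -> None:
        self._records[user] = {"salt": salt,
                               "verifier_hash": hashlib.sha256(verifier).digest(),
                               "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self._records[user]["salt"]

    def fetch_vault(self, user: str, verifier: bytes) -> dict:
        rec = self._records[user]
        if not hmac.compare_digest(rec["verifier_hash"], hashlib.sha256(verifier).digest()):
            raise PermissionError("login verifier rejected")
        return rec["blob"]

    def stored_fields(self, user: str) -> list:
        return sorted(self._records[user])


def weakest_lock(locks: dict) -> tuple:
    """Chained protections are only as strong as the smallest keyspace.
    locks maps a lock name to the number of guesses needed to exhaust it."""
    name = min(locks, key=locks.get)
    return name, locks[name]


def demo() -> bool:
    """Round trip from a second machine using nothing but the passphrase."""
    server = VaultServer()
    passphrase = "correct horse battery staple"        # constructed sample
    vault = {"example.com": "ZQ9-constructed-random"}  # constructed sample
    salt = os.urandom(16)
    enc, mac, verifier = derive_keys(passphrase, salt)
    server.register("alice", salt, verifier, encrypt_vault(enc, mac, vault))
    # Later, elsewhere: re-derive everything from the passphrase and the stored salt.
    enc2, mac2, verifier2 = derive_keys(passphrase, server.salt_for("alice"))
    return decrypt_vault(enc2, mac2, server.fetch_vault("alice", verifier2)) == vault


if __name__ == "__main__":
    print("round trip ok:", demo())
    print("weakest lock:", weakest_lock({
        "random 12-char site password": 62 ** 12,
        "master passphrase (4 words from 2048)": 2048 ** 4,
        "phone 4-digit PIN": 10 ** 4}))
```

Note what `stored_fields` reports: salt, verifier hash and blob, nothing that decrypts the vault. If that database leaks, the only route left is guessing the master passphrase against the slow KDF, which is exactly why that one secret is the weakest lock, and why a device whose 4-digit PIN unlocks an already signed-in password manager is weaker still.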

3. Browser Compatibility

I spend 95% of my Internet browsing time using Chrome or Firefox, so the password management system must run on those two browsers. I already have too many applications that only run with IE. I’m not going to add another one.

At the end of my journey I selected PassPack as my management tool. The tool meets all three of my decision criteria and offers additional optional security features that I won’t list in this post. There is a local desktop version available as well. The PassPack business model is currently set to give away usage rights for individuals (up to 100 passwords), while charging for group and administered accounts. It definitely requires a change in my behavior, but I know it’s for the better. At the end of the day, I’ll learn to enjoy the central management aspect of the password storage system and welcome the value-add it provides to me.