Friday, April 12, 2013

Ubiquitous two-factor authentication is still far off and in the meantime we are stuck with passwords. Unfortunately, passwords usually “suck” because most lay people just use the same password everywhere on the web, whether it be for accessing their bank and credit card accounts or joining a social networking site. Worst of all, this one password most likely is very weak … probably names or birthdays of family, friends, or pets, or some other word of significance to the user. Yeah, they might append a “1” or “.” at the end to get by sites with password complexity requirements … but these techniques are the first that any attacker would try.

So what’s the solution? Password managers, of course… And I’d like to challenge each and every one of you to help at least one of your non-infosec friends or family (a.k.a., target) set up a password manager and show them how to use it.

Modern password managers can do almost everything nowadays. Not only can they store a bunch of those weak passwords, but they can also automatically create complex passwords for new sites during account creation and “audit” the strength of existing passwords. Still, starting out with a password manager can be a pretty daunting task … especially for those non-infosec types. But of course the easiest way to get started is to just start using it. When your target enters their credentials like normal, the password manager simply pops up a friendly prompt asking if it should remember them. After a few weeks the password manager should contain most of their regularly used passwords.
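As an added illustration, and not code from this post or from any of the password managers it mentions, here is a small Python sketch of the two features just described: generating a random password with the standard library’s `secrets` module (the right source of randomness for this job, unlike `random`), and auditing a vault for reused and weak entries. The vault contents, site names and thresholds are constructed for the example; the entropy estimate is a deliberately simple upper bound based on the character classes present, so it cannot recognise a pet name with a year stuck on the end as weak, which is why a minimum length is checked as well.

```python
import math
import secrets
import string

# Constructed sample vault: the kind of thing a manager holds after a few weeks
# of capturing a non-infosec user's everyday logins.  Entries are made up.
SAMPLE_VAULT = {
    "bank.example": "fluffy1",
    "social.example": "fluffy1",
    "shop.example": "Fluffy2012.",
    "mail.example": "mK7#vQ2p!zR9wL4$bN8e",
}

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=DEFAULT_ALPHABET):
    """Return a password of `length` characters drawn uniformly from `alphabet`
    using the OS CSPRNG (secrets), as a manager does at account creation."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def estimate_entropy_bits(password):
    """Naive strength estimate: length * log2(size of the character classes used).
    This is an upper bound; it says nothing about dictionary words."""
    charset = 0
    if any(c in string.ascii_lowercase for c in password):
        charset += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        charset += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        charset += len(string.digits)
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def audit_vault(vault, min_length=12, min_bits=60):
    """Flag passwords shared across sites and passwords that are short or
    low-entropy.  Thresholds are arbitrary choices for this example."""
    groups = {}
    for site, pw in vault.items():
        groups.setdefault(pw, []).append(site)
    reused = sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)
    weak = sorted(
        site for site, pw in vault.items()
        if len(pw) < min_length or estimate_entropy_bits(pw) < min_bits
    )
    return {"reused": reused, "weak": weak}


if __name__ == "__main__":
    print("generated:", generate_password())
    print("audit:", audit_vault(SAMPLE_VAULT))
```

Running it prints a fresh 20-character password and an audit that flags the shared “fluffy1” on the bank and social sites, and marks the bank, social and shop entries as weak while leaving the generated-looking mail password alone.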

In the meantime the password manager will automatically fill in usernames and passwords as your target surfs around the web doing their usual things. I’ve found they just love this convenience and it serves as a great motivator for them to continue using it. And when creating a new account, they’ll be surprised when the password manager pops up with a message asking if it should generate a password. And then afterwards it’ll ask if it should remember those credentials.

So where should you get started? Well, a few weeks ago we came across an excellent article from How-To Geek that takes you step-by-step through the process of getting started. They cover all the basics … like the importance of using strong, different passwords for each site, choosing one super-strong master password, getting current passwords into the manager, and using it to generate passwords for new accounts. Most of the discussion centers on my current personal favorite, LastPass, but if you or your target is not comfortable with a cloud implementation, the article also covers others like KeePass.

Good luck on your weekend challenge…

Let us know if you have any luck getting one of your non-infosec friends or family to use a password manager.

