How to Hack Your Go-To Password

by Erik Lane 27. March 2007 01:12

I wrote 'What's You're Go-to Password' last year and just last week I came across another article on password management.  If you use a weak password or have a Go-To password then you need to read this article on how this guy would hack your password.  Tell your friends and family as well.  The author does a very good job of explaining how a typical hacker may go about cracking your password, examples of how to make your passwords better, and a nice little chart to show just how fast a typical password can be cracked.

This is a real problem.  Gone are the days when you could have one password and use it for all of your online activity.  Or, as the author pointed out, use a weak password for your unsecure sites (email) that actually leads to breaches into your secure sites (online banking).  Based on a chart in the article, he says:

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters - like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Who's going to take 2.4 days to work on your password?  If it's all automated then it doesn't really matter (he gives links to tools that can do this).  How do you keep track of all of these difficult passwords?  Yep, he recommends Roboform!  I'm telling you, it will be the best $29 you'll spend on internet security.  I've been using it for over 2 years now and I've got my wife on it as well.
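The arithmetic behind the quoted chart figures, as an added example (not code from the original post or the linked article). The guess rate of one million per second is an assumption inferred from the "2.4 days" figure, and the 95-character alphabet is assumed to be printable ASCII; the last function goes one step beyond the quote and shows how many lowercase-only characters give the same search space.

```python
import string

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Alphabets an exhaustive search would have to cover.
LOWER = string.ascii_lowercase                                        # 26 symbols
ALL_PRINTABLE = (string.ascii_letters + string.digits
                 + string.punctuation + " ")                          # 95 symbols

def keyspace(alphabet, length):
    """Number of distinct passwords of exactly `length` characters."""
    return len(alphabet) ** length

def implied_rate(alphabet, length, days):
    """Guesses per second needed to try the whole keyspace in `days`."""
    return keyspace(alphabet, length) / (days * SECONDS_PER_DAY)

# Assumption: the page does not state the chart's guess rate. 26**8 guesses
# in 2.4 days works out to about one million guesses per second.
GUESSES_PER_SECOND = 1_000_000

def worst_case_seconds(alphabet, length, rate=GUESSES_PER_SECOND):
    """Time to try every candidate; a random password falls in half that on average."""
    return keyspace(alphabet, length) / rate

def equivalent_length(small, large, length):
    """Shortest length over `small` whose keyspace reaches `large` at `length`."""
    target = keyspace(large, length)
    n = length
    while keyspace(small, n) < target:
        n += 1
    return n

def humanize(seconds):
    years = seconds / SECONDS_PER_YEAR
    if years >= 100:
        return f"{years / 100:.1f} centuries"
    if years >= 1:
        return f"{years:.1f} years"
    return f"{seconds / SECONDS_PER_DAY:.1f} days"

if __name__ == "__main__":
    for name, alphabet in (("lowercase only", LOWER), ("all printable", ALL_PRINTABLE)):
        for length in (6, 8, 10, 12):
            print(f"{name:15} len {length:2}: {humanize(worst_case_seconds(alphabet, length))}")
    print("lowercase length matching 8 mixed characters:",
          equivalent_length(LOWER, ALL_PRINTABLE, 8))
```

These are worst-case times for randomly chosen passwords at the assumed rate; a password built from a dictionary word with a capital and an asterisk added does not get the full 95-character search space.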

Tara on 3/26/2007 4:43:00 PM

I read your 'What's You're Go-to Password' and noticed you talked about roboform. You may also want to look into an Online Password Manager since it frees you from being stuck to just one browser or computer. Mine is PassPack (by "mine", I mean I'm a founder and, of course, a user). It's got import/export and backup/restore functions for data portability - so no vendor lock-in. Automatic form filling is on the way too:

Please let me know what you think.

eriklane United States on 3/26/2007 5:23:00 PM

Thanks for the suggestion, Tara, and I may take a look-see.  I also use RoboForm2Go which lets me take everything with me on a USB key.

Maybe it's just me but something just feels weird about storing that information in one location on the Internet.

jayson knight on 3/26/2007 7:49:00 PM

No, it's not just you...some red lights went off when I read Tara's comment. A USB key is portable enough for me.

JoeyDotNet on 3/27/2007 2:05:00 AM

My personal favorite and the one I use is Password Minder.  That way, I truly don't even know all of my actual passwords most of the time, because I usually let Password Minder generate very complex and encrypted passwords for me.  And it basically just flat out won't let you create a weak "master" password.

For a keyboard junkie like me, it's great.  'Cause I can just wire up Ctrl-Alt-P to open it up from anywhere (I usually store the actual PM app on my USB key), give it my master password, start typing the application/website I need a password for, hit enter and it automatically types in the highly secure password for me.  You can "peek" at the individual passwords, but I rarely if ever need to do that.

eriklane United States on 3/27/2007 11:56:00 AM

Joey - I've heard of Password Minder and it seems like a pretty good tool as well.  Anything like that helps increase your security 10 fold.

I use RoboForm in a similar fashion...makes things pretty quick and painless.

Tara on 4/26/2007 11:13:00 AM

@ Erik
Thanks for considering taking a look. Have you done so yet? Our accounts are anonymous so I have no way of checking actually.

I can understand. Until PassPack's automatic login is released (just a week or so to go) then it can't compete with Roboform for ease of use. But with the auto-login in place, it'll offer nearly all of what Roboform does ... for free.

Storing passwords online... well, yes, that's the point of it really. But you'll be happy to know two things:

1. PassPack can't read your data. It's AES encrypted and the decryption key is only in your head, never gets sent to the server, and it could take decades to crack it by brute force when using a military grade supercomputer. But if you prefer, you can disconnect from the internet when you manage your passwords. PassPack needs you to be online only for signing in, saving, and editing your account settings.

2. You can export, or save encrypted backup copies, of your data whenever you want (Roboform doesn't let you do this - they use the old fashioned "vendor lock-in" to keep you on their system). We're working on an offline version of PassPack that will let you work from a local copy on your computer, and sync with your online data. So that should alleviate some of your fears, while still allowing for full portability.

Here's a link to how PassPack works, and why we can't read your data:

If you'd like to try it, I can send you instructions on how to export your passwords from Roboform (there's a work around using the print function). Then you can use these instructions for getting started:

Thanks, let me know if you would like any more information.

eriklane United States on 4/26/2007 1:23:00 PM

Tara - I've not taken a look at PassPack.  I've been a happy user of RoboForm for a long while.  I appreciate the security that you guys are putting in place but storing that stuff online isn't something that I am interested in.  Best of luck!

Tara on 4/26/2007 3:39:00 PM

Thanks for the reply. May I ask one more question?

What, if anything, would be a deciding factor in you moving away from Roboform? I don't mean towards PassPack, but just in general.


eriklane United States on 4/26/2007 4:23:00 PM

Tara - At this point in time, I think there would be two things that would move me away from RoboForm.

1.  RoboForm stopped working altogether, went away, or was bought by someone else who drastically changed the product.
2.  If the licensing model changed to something outrageous like a fee per entry or a fee in perpetuity.  Right now the licenses I have are good to go.

Tara on 4/26/2007 4:35:00 PM

Thanks Erik.
I appreciate your time. Roboform should send you a gift - they've got one faithful customer on their hands. :)


