Why Use a Password Manager?

Why should you use a password manager? Well, here’s a reason.

So your password can’t be cracked.

and

So you can easily use a different password for every site.

If one site is hacked, then the bad guys will try your email and password at lots of other sites just to see if they get a hit. Same password on different sites? Bad idea.

Let’s look at the math of password cracking.

There are about 3000 common words in English, and most other languages.

Crys_00195.png

So if you pick, for example, an easily remembered password containing two words, with initial capital letters, and then follow those two words by three numbers, you get:

3000*3000*1000 possible passwords or:

Crys_00196.png

Sounds like a big number, right? Not really.  Not only can modern graphics cards whiz through these in a few hours, but if the website where passwords were stolen did not use a different “Salt” for every password hash, then they can “pre-make” a list of the hashes and then look for matches in much less time. Instantly.  It’s just a look in a table rather than a search with billions of calculations. Does the site where you last typed in your credit card “salt” their hashes? Salting is adding some gobbly gook to your password before they hash it. And the gobbly gook is different for every customer. Yep. Keeping track of passwords is that complicated. I’m not going to cover it all here. Just saying, it’s a complicated business and many companies short cut the process, or don’t use modern security methods to keep track of passwords.

Secure Passwords and Password Managers

Password managers allow you to use a different password for every site you visit. And it generates them and keeps track of them for you. Here are some examples:

Feel free to use any of these you like for your password to some site. Every time I sign up on a new site, I make a new one of these.

How many of these are there?

Let’s assume there are about 20 characters that will not be confused with one another.

Crys_00193.png

Assuming a 12 character password using only these 20 characters gives us 20 to the 12 power or:

Crys_00194.png

And you get a lot more if you use upper and lower case characters of course. I’m not clear on how many “unambiguous” upper and lower case characters and special characters are used by the LastPass secure password generator.

If we assume there are 50 characters in the set, the number gets a lot bigger: 50 to the 12 power or:

Crys_00197.png

I’m not pushing Lastpass. There are many good password managers out there. Go get one that’s been reviewed and is secure, and one you like and use it to store your passwords.

What if a site breaks password managers?

I just tried to sign up for a credit card from Capital one because I heard they had a new service called ENO. A virtual card for every different merchant I shop with online. So if they are hacked, the rest of the merchants I shop with are not affected and I don’t have to change the card number on the rest of the sites. Go look it up if you like the idea. I do.

Great idea.

BUT

Capital One thinks they are being more secure by “Breaking” Password managers.

Password managers cannot be used to log into the Capital One website or to use ENO, which is a plug-in for use with Firefox or Chrome.

So, great idea. But BAD IMPLEMENTATION.

So I have to use an insecure password that is easy to remember and type rather than one like the ones generated by a password manager.

We can only hope that they wake up and someone fills them in about why password managers are a good idea.

:ww