Passwords For Websites
Technology with Integrity
By Tim Torian, Torian Group, Inc.
If you use a computer, you probably have a lot of websites you log in to, each of which requires a password. You log in to your bank website, your web-based email, your social networking sites, your custom home page at Google, Yahoo, or AOL, etc. If you are a professional you probably have research or online services you log on to. It is not unusual to have 50 or 100 websites, each requiring a username and password.
Common strategies for managing this are to use one or a few memorized logons everywhere, to keep a written list on your desk or on your computer, or to use password management software, which is the preferred choice.
If you use the same or a few logons, your password is only as secure as the weakest site you log in to. In order to compromise all your websites, a hacker only has to break one. Many forums and social sites that are not too concerned with security will send the password in clear text (meaning it can be intercepted), or will have very basic security set up on their website. In many cases it is possible to hack the password database on poorly secured websites. The hacker can then try your password and username on a list of more interesting sites such as bank and credit card logins. They don’t have to know who you are; they can just try the login. Of course, if you write it on a list by your monitor, the cleaning crew can give it a try or sell it to a friend with very little effort. A list on your computer is a little tougher, but not safe. Word and Excel passwords can be broken relatively quickly.
Password managers allow you to securely save a unique password for each website in an encrypted database, and to log in once to the password management software. This saves time and is more secure. You log in once to the password manager on your computer, using your master password. The master password is never sent to any website, and is not stored on your computer. The password manager then automatically logs you in to sites where you have saved your password. You can use a unique and complex password without having to memorize it. Obviously, you need to protect your master password carefully, and make sure your master login is turned off if you leave your desk.
Web-based password managers allow you to log on to your websites from any computer: the passwords are encrypted locally, and then saved on an internet server which you access from anywhere. It is secure, since the encryption/decryption takes place locally.
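The reuse problem and the unique-password fix described above can be checked on your own list of logins. The following Python sketch is an added example, not code from the author or from any password manager; the site names, usernames, passwords and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Constructed sample logins (site, username, password); none are real accounts.
SAMPLE_LOGINS = [
    ("hobby-forum.example", "pat@example.com", "Sequoia2009"),
    ("bank.example", "pat@example.com", "Sequoia2009"),
    ("webmail.example", "pat@example.com", "Sequoia2009"),
    ("creditcard.example", "pat.smith", "Sequoia2009"),
    ("research.example", "pat@example.com", "k7#Vq2!mZp0x"),
]
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def reuse_groups(logins):
    """Return the groups of (site, username) that share one password."""
    key = secrets.token_bytes(32)  # throwaway key: passwords are compared by keyed fingerprint
    groups = defaultdict(list)
    for site, user, password in logins:
        fingerprint = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[fingerprint].append((site, user))
    return [sorted(group) for group in groups.values() if len(group) > 1]


def exposed_if_breached(logins, breached_site):
    """Other sites that accept the exact username and password leaked from one site."""
    leaked = {(user, pw) for site, user, pw in logins if site == breached_site}
    return sorted(site for site, user, pw in logins
                  if site != breached_site and (user, pw) in leaked)


def rotate_reused(logins, length=20):
    """Give every site in a reuse group its own password from the OS random source."""
    reused = {site for group in reuse_groups(logins) for site, _ in group}
    rotated = []
    for site, user, pw in logins:
        if site in reused:
            pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        rotated.append((site, user, pw))
    return rotated


if __name__ == "__main__":
    print("Shared password:", reuse_groups(SAMPLE_LOGINS))
    print("Exposed by a hobby-forum.example breach:",
          exposed_if_breached(SAMPLE_LOGINS, "hobby-forum.example"))
    fixed = rotate_reused(SAMPLE_LOGINS)
    print("Shared after rotation:", reuse_groups(fixed))
```

In the sample, a breach of the forum exposes the bank and webmail logins directly; the credit card login shares the password but uses a different username, so it is reported as reuse rather than as directly exposed.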
Most employees now need access to multiple business websites to do their work. You have to give them the password, which they can take with them if they stop working for you. With the right password manager, you provide them with one login, and they use it to log in to the work websites you have already set up for them. You can restrict them to only certain websites, and make each site have a long and complex password. Unless they are a hacker, the login is relatively secure. If they leave, you change one password for the password manager, rather than dozens for websites they logged in to.
For those needing greater security, some password management programs offer “two-factor authentication”. This takes the form of a physical key (usually a special USB device that looks like a thumb drive) which has to be inserted into the computer in addition to entering the master password.
We have tested a number of password managers, and recommend www.lastpass.com. It gives you most of the features that a personal or business user would need for free, and allows you to expand to full-featured security, including a physical key if needed. It allows you to group website logins and share them with another separate master account, without sharing the underlying password/login. In other words, you can set up a group of websites and give your employee only the master password to use. It is web-based, which makes it feasible to log in to needed websites when working remotely or on a different computer. It is easy to use, and the price is right.
Tim Torian has taught computer networking at the College of Sequoias. He has a BS in Computer Science, and has been consulting on computer networks for the past 20 years. His industry certifications include: Cisco CCNA and CCNI, Microsoft MCSE, and Novell CNE. He is president of Torian Group, Inc., which provides a full range of Technology Consulting services to local business, including computer services, networking, and custom software development. They can be reached at (559) 733-1940 or on the web at http://www.toriangroup.com