[Dailydave] Don't use vowels in passwords!
dan at geer.org
dan at geer.org
Thu Dec 11 00:48:04 EST 2014
This Old Thread seems as good a thread as any to hang something
else on. First, a reminder:
William Arbaugh writes:
> According to the Defense Finance and Accounting Service (DFAS),
> you shouldn't use vowels in your password!
So here's the scoop; a password wallet & changer all-in-one and
in the cloud. Your move;
A Quick Fix for Poor Passwords
Geoffrey A. Fowler, WSJ, Dec. 9, 2014 3:24 p.m. ET
Changing passwords is like flossing: You know it is important, but
you always put it off.
Keeping the same password for everything is bad. If one site gets
hacked, you're vulnerable everywhere.
A program called Dashlane has figured out how to automatically
create strong, unique passwords for a bunch of different websites,
all at once. Think of it as digital hygiene.
This new service, available Tuesday in an update to Dashlane's
excellent password manager on PCs and Macs, changed 34 of my passwords
in less than five minutes. Letting Dashlane tackle this drudgery
saved me hours. Though this means committing to Dashlane's password
management across all of your devices, I recommend it.
Rarely does tech make our lives easier and safer at the same time.
As hacks at Yahoo, eBay, Adobe and many others have shown, anyone
who reuses passwords is asking for trouble. But who can remember a
different, unguessable password for each site, let alone change
them regularly? According to Pew, only 39% of us changed our passwords
or canceled accounts after we learned about the Web-wide Heartbleed
security hole last spring.
Dashlane is like a butler for your passwords. It can alert you to
ones that are at risk, create really good new ones and now also
tackle the chore of logging in and filling out all the forms to
change them. It can automatically change passwords on more than 50
major sites, and its makers say they plan to keep adding more.
Shortly after I published this review online, Dashlane rival LastPass
announced its own beta that lets you easily change one password at
Inside the Dashlane program, you just select the accounts you want
it to change, press the change button and wait. Some sites require
additional information, such as the answer to a security question
or a code sent via text message, which Dashlane will prompt you to
So far, it doesn't work on programs that only exist as mobile apps.
And bank websites aren't yet included in the service.
Behind the scenes, Dashlane has studied the security settings on
all of these sites and written programs to simulate manually changing
a password via the Web. But it can do it much quicker on Dashlane's
servers. Since sites could adjust their pages at any time, Dashlane
has to constantly monitor them for changes that might break its
system. (It failed once in my tests, when it was unable to change
my OpenTable password. But no harm was done.)
To change your passwords, Dashlane also needs to know your old ones
-- which means you have to use it as a password manager. Some people
don't like the idea of keeping all their passwords in one place. I
think a password manager has become a must for modern digital life,
as most noggins just can't recall dozens of codes that are good
enough to foil hackers. The alternative is writing them all on a
piece of paper, and in the smartphone era, carrying that paper
around with you. (Probably not a good idea.)
There are several decent password managers, but as I wrote in May,
Dashlane is one of the simplest and safest. Dashlane encrypts your
trove of info behind a master key that only you know, so there's
very little risk that a hacking attack on Dashlane's computers could
expose all your passwords. It's free to use on one computer, or $40
a year to keep passwords automatically in sync across all your
devices, including phones and tablets.
The password changer is a beta service, so you'll have to sign up
on Dashlane's website to get access. The company intends to roll
it out free to its customers, and add the function to its phone and
tablet apps, too. The software is still experimental, and there
were a few bugs in an even earlier version that I tested, but nothing
that put my accounts at risk.
Using Dashlane will require a shift for folks used to going it alone
with passwords. The password changer will invent new ones that
you'll never be able to remember, so you'll have to rely on Dashlane
to fill them in on your Web browser. For apps on iPhones and iPads,
you'll have to keep the Dashlane app handy to copy and paste passwords
-- Apple's software doesn't allow Dashlane to interact directly
with other apps. On Android, Dashlane can manage app passwords fine,
In short, you have to totally trust Dashlane with the keys to your
Is that a good idea? Dashlane says its security has been audited,
and its record is pretty solid. (Its biggest problem was a bug in
its iOS 8 app update that left a small number of users temporarily
unable to access their data.) But since the new password changer
is only now reaching the public, it hasn't been battle tested. It's
also possible some websites won't like Dashlane changing passwords
on behalf of their customers, and will seek to block it.
What does a hacker think? I discussed the idea of a password changer
with Marc Rogers, the head of security for DefCon, the large hacker
conference, and a researcher at security firm CloudFlare. He thought
it could be a very useful service for consumers -- if designed
But he questioned why the actual password changing needs to happen
on Dashlane's servers. Running the software there, as opposed to
on the user's computer, could expose our new passwords while they're
being changed. The risk, he says: "Someone hacks their server and
sits there harvesting passwords."
A Dashlane spokesman says passwords are encrypted going to and from
its servers, and that it deletes them immediately. He says its
password-changing programs require more processing power than an
average PC (or, in the future, phone) might be able to deliver on
Dashlane's best defense against hackers may be that its password
changer isn't a lucrative target. Most hackers are looking for vast
reservoirs of data, not a trickling faucet. If that still makes you
nervous, the LastPass password changing system does all its work
locally on the user's Web browser (though it won't work on Internet
Explorer). But for now, that means you can only change one password
at a time.
It isn't hard to imagine where this kind of tech could take us next.
I'd like it to automatically change all passwords on a rotation,
like once a month. (Once a day? An hour?) The only password that
we should have to memorize is a master one, perhaps made super-duper
secure with a scan of your finger or eye.
One of the most important things I did in 2014 was take control of
my password safety. Dashlane is a great fix for folks who recognize
it's important to improve their passwords, but just don't have the
time to do it themselves.
More information about the Dailydave