If I were to ask you why you don’t use a password manager, and you answer:
“Oh, I don’t need that”.
… then I’ve got another question for you:
You sure about that?
Let’s look at who would not need a password manager:
1. People with less than three passwords (usually not Internet users)
2. People with more than three passwords and a fantastic memory
I know what you’re thinking – you think I forgot:
3. People who use the same passwords for everything
4. People who use some sort of nifty and (supposedly) fail-safe formula
Sorry to disappoint you, but those are the very people that need a password manager – and pronto!
The Big, Scary News
Say a hacker, let’s call him Mr. Nasty, wanted to break into your webmail account. For PRTK (AccessData’s Password Recovery Toolkit, the tool Schneier describes) to work, Mr. Nasty would need a copy of your login data (he might be able to get this by stealing it off of an encrypted cookie in your browser). Then he’d set PRTK to work, go out for a coffee, and come back later to see if the password has been guessed.
As Bruce Schneier puts it:
“So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like ‘letmein’, ‘password’, ‘123456’ and so on. Then it tests them each with about 100 common suffix appendages: ‘1’, ‘4u’, ‘69’, ‘abc’, ‘!’ and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.”
24 percent of all passwords!! In a matter of minutes.
Does this apply to you?
Of course, PRTK doesn’t work every time: if your password is “strong” enough, and the program you use is built well enough, then Mr. Nasty is out of luck. But how strong is your password really?
Raise your hand if you use some combination of names of people or animals in your family and tack on a number or two for good measure. And how many of you use simple substitutions like ‘$’ for ‘s’, ‘3’ for ‘e’, ‘0’ for ‘o’?
OK, if your hand is raised, you should know that “Eric Thompson estimates that with a couple of weeks’ to a month’s worth of time, his software breaks 55 percent to 65 percent of all [those] passwords.”
55% – 65% of the time!
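As an added illustration (not from the original post), here is a defender-side check that flags any password the cheap passes described above would recover: it strips the common suffixes, undoes the simple substitutions, and compares what is left against a dictionary. The word and suffix lists are short constructed samples, not PRTK’s actual lists.

```python
"""Flag passwords that a dictionary + suffix + substitution pass would recover."""
import re

# Constructed sample lists. PRTK uses roughly 1,000 words and 100 suffixes;
# a real check should load full lists (e.g. a public common-password file).
COMMON_PASSWORDS = {"letmein", "password", "123456", "qwerty", "welcome", "fluffy"}
COMMON_SUFFIXES = ["1", "4u", "69", "abc", "!", "123"]

# Undo the "simple substitutions" from the post ($->s, 3->e, 0->o) plus a few
# other swaps that attacker rule sets routinely include (assumed, not from the post).
UNLEET = str.maketrans({"$": "s", "3": "e", "0": "o", "@": "a", "1": "i", "!": "i"})


def base_candidates(password):
    """Return the strings an attacker's rules would map this password back to:
    the password itself, the password with any common suffix removed, and each
    of those with character substitutions undone."""
    pw = password.lower()
    stems = {pw}
    for suffix in sorted(COMMON_SUFFIXES, key=len, reverse=True):
        if pw.endswith(suffix) and len(pw) > len(suffix):
            stems.add(pw[: -len(suffix)])
    return stems | {stem.translate(UNLEET) for stem in stems}


def weakness(password):
    """Return a reason string if the password would fall to the dictionary,
    suffix or substitution passes, or None if it survives all of them."""
    for cand in base_candidates(password):
        if cand in COMMON_PASSWORDS:
            return f"reduces to common password {cand!r}"
    # The "family name plus a number or two" habit from the post.
    if re.fullmatch(r"[a-z]+\d{1,4}", password.lower()):
        return "a word followed by a few digits"
    return None


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["P@$$w0rd!", "L3tm3in4u", "fluffy2019", "correct horse battery staple"]:
        print(f"{pw!r}: {weakness(pw) or 'passes these checks'}")
```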
You see, re-using the same passwords (or formulas) over and over again is very dangerous. But most folks think:
“Why would anyone want my passwords anyway – I’m nobody special.”
Mr. Nasty isn’t concerned about your social status – he just wants access to that juicy list of contacts in your webmail account.
Or worse, he can click the “lost password” link at your bank, have it sent to your email, then READ that email, log in and wipe you out (though I hope your bank doesn’t really use such a system).
That’s not very fun.
Or what if you use some variation of that same password for your bank account? Mr. Nasty doesn’t care how rich you are either: even if he gets only a few hundred bucks off each person… times the number of passwords he’s cracked… it’s worth his effort to try.
So what to do?
- Make strong passwords (here’s how)
- Don’t reuse them (even the UN says it’s a bad idea)
- Can’t remember all that nonsense? Get a password manager