
Many people use combination locks because they don’t want to carry a physical key and want that added level of convenience. Thus, keeping items, whether tangible or digital, safe is not new. Whether you have passwords for websites, applications, or devices, protecting those credentials and using them to log in securely is vital to everyday life. Many use the same combination or password for everything: their bank PIN, highway toll account PIN, voicemail password, and many others. However, what would happen if that PIN or password were compromised? Bad actors may gain access to your websites, financial information, and personal data, which may then be used to exploit you. This article will share some essential security tips and explain why password-storing applications and websites are not a good idea.

The concept of passwords started with the Roman Army’s “Watch Words.” These were phrases that members of a unit used to validate their level of authentication in a non-digital world, thus identifying whether they were friends or foes. In the 1920s, Prohibition sparked the growth of “speakeasy” bars, where alcohol was sold illegally without many knowing about it. Speakeasies would ask their clients to either show a card or say a phrase to gain access to the back room where the illegal activity took place.

Digital passwords were started in 1961 at MIT by science professor Fernando Corbato as part of a problem-solver project. Around the same time, MIT launched a large time-sharing computer where many users had access to their private terminals via their digital passwords. Around 2004, Web 2.0 emerged, and suddenly there was a need for a password for everything. The average person was starting to have 100 passwords or more, and several had to be shared with family and friends. Now many people worldwide have developed a new frustration called password fatigue.

Today people understand that it is unacceptable to store their passwords on a sticky note or a piece of paper that gets taped to the bottom of a drawer, desk, or keyboard. There are three password types: simple, strong, and super complex. A simple password is one that contains only lowercase letters and numbers. A strong password has at least eight characters, contains no prominent words, and has not been used within a history limit. Complex passwords have at least eight characters, at least one of each of the following: upper case letters, lower case letters, numbers, and symbols, and are also subject to a history limit. Remember never to share your passwords with anyone, and don’t use a password containing any part of your name, special dates, or other personal information. Using two-factor authentication with an OTP (one-time password) and biometrics is a great way to keep data safe.
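As an added example (not code from the article or from any product it names), here is a small Python checker that applies the article’s three tiers plus its history-limit and personal-information rules; the common-word list and the sample personal data are constructed.

```python
import re

# Added example (not from the article): a checker that applies the article's
# three password tiers and its reuse and personal-information rules.
# COMMON_WORDS and the sample personal data in the usage are constructed.

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}

def classify(password):
    """Tier per the article: 'simple' (lowercase/digits only, or under eight
    characters), 'strong' (eight or more) or 'complex' (eight or more with
    upper, lower, digit and symbol)."""
    if re.fullmatch(r"[a-z0-9]*", password) or len(password) < 8:
        return "simple"
    has_all_classes = all(
        re.search(pattern, password)
        for pattern in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    )
    return "complex" if has_all_classes else "strong"

def contains_personal_info(password, personal_info):
    """True if a name part or date fragment (3+ chars) appears in the password."""
    lowered = password.lower()
    for item in personal_info:
        for token in re.split(r"[\s/.-]+", item.lower()):
            if len(token) >= 3 and token in lowered:
                return True
    return False

def check_password(password, history, personal_info, history_limit=5):
    """Return (accepted, tier, reasons); history is newest-first."""
    reasons = []
    tier = classify(password)
    if tier == "simple":
        reasons.append("simple: lowercase/digits only or under eight characters")
    if password in history[:history_limit]:
        reasons.append("reused within the history limit")
    if any(word in password.lower() for word in COMMON_WORDS):
        reasons.append("contains a common word")
    if contains_personal_info(password, personal_info):
        reasons.append("contains personal information")
    return (not reasons, tier, reasons)

if __name__ == "__main__":
    person = ["Jane Smith", "1985-04-12"]  # constructed sample data
    for candidate in ("hunter22", "Smith2024!x", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate, ["Tr0ub4dor&3"], person))
```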

Many password apps have been hacked: LastPass, KeeFarce, Keeper, and another that claims to be the most secure on the market. I’m referring to RoboForm, which I downloaded to investigate its security. RoboForm was first launched in 199 by Siber Systems. RoboForm claims, and I quote, “military-grade encryption.” Whenever a vendor states that their application is “military grade” or “completely secure,” I will usually take 15-30 minutes to review it. Any app or program that provides security must balance safety, reliability, and usability. Thus, any portal or data source can be a single point of failure. RoboForm does use AES-256 encryption like many other password managers. We all know that any security is only as strong as the weakest link. Their site has many carefully crafted sales blurbs that don’t hold up to what the product does. Yes, RoboForm does do many things securely, and like any password manager, it asks you to set up a master password to the vault of all your credentials.

If you still believe all the sales copy on their site and other marketing material, it might interest you to know what I did next. I downloaded the product on my PC, created a test account, and logged into their portal. Next, I decided to browse the site’s data, and sure enough, there is a field called my_password_in_plain, which means that either the master password is sent in plaintext without encryption or they are storing it locally encrypted. Thus, they know our password, and there is no absolute security.

Yes, I can understand that many want a solution that gives them convenience, but is it worth sacrificing security and personal information? There will always be tradeoffs with any password manager technology. My recommendation is to come up with a simple formula that you use for one type of entity. For example, say you want to set passwords for your websites: take a verb that shows you doing something with the website, then take the 4th letter of the website name and capitalize it, followed by the current year. You can make the formula more complex, and lastly, make sure to enable two-factor authentication. If you are looking to lock it tight, use a formula coupled with a biometric that verifies your information along with a two-factor code, thus being three-factor, which is not even mainstream yet.