Submitted by mckoss on Wed, 12/15/2010 - 13:44.
Gawker, a large blogging network, recently had a security break-in and over half a million users' passwords were compromised. If you're like me, you re-use the same password on multiple different sites. That would give hackers access to multiple web sites by getting one password (Facebook, Twitter, your bank, Amazon, etc.).
While I used a "more secure" password for some sites, I did not have a systematic way of managing a unique password on multiple systems.
So, last night, I finally bit the bullet and installed a (free) password manager - LastPass. LastPass will do two things for you. First, it creates a cloud-based secure storage location for all of your passwords. They are available from any web browser. Second, you can install a browser plugin that will auto-fill your username and password into any site you use regularly.
So, now, I have the freedom to create a unique password on every web site I use, AND I can choose something that is much harder to guess - like a string of 12 randomly chosen letters and digits. Since my password is not in any dictionary, the only way to steal it from a web site (that stores passwords as cryptographically secure hashes) is to brute-force guess all possible 12-character strings. That's over 60 bits of random information - or over a quintillion (10^18) combinations.
It feels a little odd not even knowing my passwords anymore (I just have to remember a single secure password to log in to the LastPass site). But I feel much better knowing that my data is not vulnerable to the kind of security breach that happened at Gawker this week.
The only downside is that I now have a single point of failure in LastPass. If they lose their database, I could lose any passwords I haven't backed up locally. And if THEY have a security breach, I could lose all my account information to hackers. But I would rather put my faith in one company, dedicated to protecting security, than distribute that obligation among lots of individual sites around the web. Since my LastPass password is also a random string, it's very difficult to recover by trial and error. I believe LastPass also goes out of their way to use an encryption algorithm that is intentionally slow, making a brute-force attack that much more difficult.
If all sites supported a distributed authentication system, like OpenID or OAuth, it would be even more convenient to use just a single authentication provider you trust to gain access to every service you use.
I was toying with the idea of using a password generator or a hash code generator:
HASH CODE GENERATOR
Example phrase: Startpad.org is the best place to be
http://www.whatsmyip.org/hash_generator/
md2: d197438815b7e10da30464b29d4bf9c3
md4: 782db17757f55d16160c4f824cd140a9
md5: daf75056074dfdbf4d5a3450226e5d84
sha1: d5a92aeeffd01d19303f763e1cb6a0b1b7e928d9
Plus 34 more hashcodes
I use Firefox to store my passwords so I don't have to remember them.
The advantage of hash codes is I can recover them with phrases that I store in clear text.
PASSWORD GENERATORS
Here are some password generators I considered using.
http://www.whatsmyip.org/passwordgen/
http://www.freepasswordgenerator.com/
http://www.techzoom.net/tools/password-generator.en
http://strongpasswordgenerator.com/
https://www.grc.com/passwords.htm
https://www.grc.com/ppp.htm (Perfect Paper Password)
You need the ability to rule out certain "forbidden" characters in the password generated to be acceptable to many password systems.
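As an added example (not code from the post or the comment above), here is a small Python generator that draws passwords from a CSPRNG, lets you drop characters a site forbids before sampling, and reports the brute-force search space in bits, the same calculation the post makes for 12 random letters and digits. The forbidden set in the demo is a constructed sample.

```python
import math
import secrets
import string

# The 62-character alphabet the post describes: upper- and lowercase letters plus digits.
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a password drawn uniformly from alphabet_size^length strings."""
    return length * math.log2(alphabet_size)


def combinations(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive guesser must cover in the worst case."""
    return alphabet_size ** length


def allowed_alphabet(alphabet: str = ALPHANUMERIC, forbidden: str = "") -> str:
    """Alphabet with site-forbidden characters removed; removing them *before*
    sampling keeps every remaining character equally likely, so entropy_bits()
    on the reduced alphabet is exact rather than an over-estimate."""
    allowed = "".join(sorted(set(alphabet) - set(forbidden)))
    if len(allowed) < 2:
        raise ValueError("alphabet too small after removing forbidden characters")
    return allowed


def generate_password(length: int = 12, alphabet: str = ALPHANUMERIC, forbidden: str = "") -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.random()."""
    allowed = allowed_alphabet(alphabet, forbidden)
    return "".join(secrets.choice(allowed) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: a site that rejects look-alike characters.
    forbidden = "0O1lI"
    pw = generate_password(12, forbidden=forbidden)
    n = len(allowed_alphabet(forbidden=forbidden))
    print(f"password: {pw}")
    print(f"12 chars from 62: {entropy_bits(62, 12):.1f} bits, "
          f"{combinations(62, 12):.2e} combinations")
    print(f"12 chars from {n} (after exclusions): {entropy_bits(n, 12):.1f} bits")
```

Each character removed from the alphabet costs a fraction of a bit per position, so checking the bits after applying a site's exclusion list shows how much strength the restriction actually costs.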