Plug-ins, plugs and passwords

First, a quick plug: I've written a Chrome Extension to solve a problem that I, at least, was encountering.  I have a primary email client (Outlook) that I want to remain my default mailer, but I also want the ability to quickly and easily send from a Gmail account that I'm logged into.  The extension adds a right-click menu option to links that pops open a Gmail compose window instead of opening the usual mail client.  If you use it, let me know what you think.  If there are any other webmail clients that someone needs support for, let me know and I should be able to add those.

So, let's talk about passwords.  First, let me try to guess your password.  Is it "password"?  No?  That's the single most common password, so that's what I'd guess first.  Next would be "1234", "12345" and so on until "12345678".  It's not that?  All right, now I'm going to start guessing your first name, your last name, etc, then different combinations, then I'll probably check the internet for public information about you.

This is going to take me a while.  However, being technically savvy, instead of doing this myself I could just write a computer program to do it.  Even a desktop computer is capable of thousands of words per second; if your password is in the dictionary, or it's a slightly modified dictionary word, then I'll get it in a couple of minutes at most.  If I have access to a more powerful machine, that time will drop to seconds.

And it doesn't need to be in the dictionary.  At ten thousand guesses per second, I can go through every eight-digit number in three hours on just a beefy desktop computer.  With a powerful server, I can go through every eight-letter word in a matter of seconds.

This has been a hot topic of discussion around the technosphere lately.  XKCD addressed the topic, and Steve Gibson Research posted a "password haystacks" application to test prospective passwords for their strength.  Both of these are good resources (yes, even the stick-figure comic), but neither of them address what's arguably the most dangerous thing people do: reusing passwords.

Say you have a relatively strong password, but you use it for almost every web site you log into.  Few web sites allow super long passwords, but maybe it's something like 6eE*jhgf, which is by any measure hard to guess.  Now, imagine that I hack into, say,, and they're not storing their passwords sufficiently securely (because, of course, you have no way of knowing ahead of time if that's the case).  Even with the above password, GRC's password haystacks say a dedicated cracker could break that in minutes if they could take the password database offline, which is exactly what happens when a popular web site is cracked.

After that, your username on that site (and slight variations thereof, like your email address) go into a cracking system, and the hackers can now attempt to use that same combination on every web site. If you've re-used that password, you'd better hope that you can get to all of them before the hackers can.  You'd better hope you remember all of the sites you've logged into.

Realistically, no one can remember a different password for every web site.  However, there are two primary options short of that:

Option 1: create a selection of passwords.

  • Use one, long, strong, totally unique password for your primary email account, because that is how you can reset all of the others in an emergency.  
  • Create another super-strong one for vital accounts like banking and bills--anywhere with information that's potentially dangerous--but remember that because your primary email address is the key to resetting these things, that one's even more important.  Also, use that second password anywhere that you're storing personal information, like your birthday or mother's maiden name, because many sites will allow someone with that information 
  • Use a much simpler password for throwaway sites you are absolutely certain don't have any useable personal information.  Ideally, create several simple passwords for this.
Option 2: use a password manager.  This option is much easier than the above, and provides greater security, provided that you trust the company that runs the password manager.  But that's a big "provided", and you ought to put a lot of research in before picking your password manager.

I use a hybrid of these two.  I keep a unique password for my primary address that is not saved anywhere (in fact, I use two-factor authentication, but that's another discussion).  Then, for all other sites, I use Lastpass, and I keep a strong password on my account with them.  Lastpass has a great reputation, and appears to be doing everything correctly; no one is hack-proof, but the one time there was an intrusion on their servers they immediately disclosed the information and required everyone to reset their login passwords (the data transferred off was too big to contain whole user databases, but better safe than sorry).  Maintaining a separate (strong, long) email password means that in the event of a catastrophic intrusion at Lastpass, I still have a way to authenticate myself and begin resetting my passwords.  Let's hope that doesn't happen.

Other popular managers are 1Password and KeePass, both of which have good reputations for security.  I haven't used them, but have heard good reports about them.