Private I: Choosing whether to sync your passwords

Glenn Fleishman | Dec. 5, 2014
Every password you create should be unique: every site, service, or system needs its own. Also, they should be long, not contain any words found in dictionaries, and contain punctuation, a clearly expressed thought, and your grandmother's famous corn-pudding recipe.

Passwords are ridiculous, and you may be daunted because millions of them pour out of cracked databases and websites all the time. You may have become a fatalist, assuming that whatever and however you create and use passwords, they are likely to fail.

I'm here to tell you that you needn't despair. It's still worth putting the effort into unique, strong passwords that you don't memorize — except one, and you can make it memorable without risking anything.

The cracks you hear about typically involve the leak of account names or emails paired with encrypted passwords: passwords scrambled with a cryptographic "hashing" function, which grinds the "plaintext" (your actual password) through a series of mathematical operations and produces a result that can't be reversed to recover the original.

Common passwords can be tested against the hashed results, and, if the passwords lack an extra bit of entropy, called a salt, any successful test of a password against its hashed equivalent matches all accounts in the leaked information. This is why researchers know that "123456" is a common password, for instance.
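To make the two paragraphs above concrete, here is an added Python example (it is not from the article, and the accounts, passwords and word list in it are constructed). It shows why an unsalted leak exposes every account that shares a common password at once, and why a per-account salt forces separate work for each account; plain SHA-256 stands in for the slow password-hashing function a real site should use.

```python
import hashlib
import os

# Constructed sample accounts and word list (not real leaked data).
ACCOUNTS = {"alice": "123456", "bob": "123456", "carol": "kP7#vQ2!mZ9xL4wN"}
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

def hash_unsalted(password: str) -> str:
    """No salt: identical passwords always produce identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    """Per-account random salt mixed in first. A real store uses a slow function
    (PBKDF2, bcrypt, scrypt); plain SHA-256 is used only to keep this short."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_unsalted_store(accounts: dict) -> dict:
    return {user: hash_unsalted(pw) for user, pw in accounts.items()}

def build_salted_store(accounts: dict) -> dict:
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # fresh random salt per account
        store[user] = (salt, hash_salted(pw, salt))
    return store

def shared_password_groups(unsalted_store: dict) -> list:
    """Identical hashes reveal shared passwords before a single guess is tried."""
    by_hash = {}
    for user, h in unsalted_store.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)

def wordlist_hits_unsalted(unsalted_store: dict, wordlist: list) -> tuple:
    """One hash per common word is compared against every account at once."""
    lookup = {hash_unsalted(w): w for w in wordlist}
    hits = {user: lookup[h] for user, h in unsalted_store.items() if h in lookup}
    return hits, len(wordlist)  # (hits, hash computations needed)

def wordlist_hits_salted(salted_store: dict, wordlist: list) -> tuple:
    """With salts, every account needs its own pass over the wordlist."""
    hits, computations = {}, 0
    for user, (salt, h) in salted_store.items():
        for w in wordlist:
            computations += 1
            if hash_salted(w, salt) == h:
                hits[user] = w
                break
    return hits, computations
```

The salted store still gives up "123456" for the two accounts that chose it, which is why the article's advice to pick a long, unique password matters even when the site salts properly.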

In those leaks, so long as the passwords are encrypted at all, choosing a strong password will resist efforts to crack it. Choosing a different robust password for every use also means that a total failure at one site or service doesn't provide access to every aspect of your identity everywhere.

As with many other aspects of online security, you can still mitigate your risk unless you're targeted specifically, where a malicious party, a criminal, or a government puts determined effort into getting your details. You might be thinking ahead, though: if I make a bunch of passwords that are impossible to memorize, don't I still need to secure them in a way that's weak? I'll get to that, I promise.

Strong passwords are generated, not dreamed up

It's never been easier to set and store unique and strong passwords, making them easily available when you need them. Apple's addition of iCloud Keychain in Mac OS X 10.9 Mavericks and iOS 7 in 2013 was a boost, though it's not comprehensive. In Safari, iOS and OS X can suggest a long, strong password, and then store it locally, and optionally sync it to other devices that are logged into the same iCloud account. (Joe Kissell wrote a tutorial that's still accurate in iOS 8 and Yosemite.)
