DDoS, IoT and Hoodies Combine in Attack

Last week’s DDoS attack, carried out by an army of password-zombie IoT devices, hit a nerve. Internet-connected toys, cameras, DVRs and other devices still running the factory-default passwords nobody bothered to change were taken over. Collectively, that botnet was pointed at Dyn, a company that runs the authoritative DNS servers for a large slice of well-known sites, and it pounded Dyn hard enough to take those sites with it. We all have a lot of accounts and a lot of passwords. If the security of the internet is in the hands of people who have ‘Admin’ as their password, we now feel a lot of pressure not to be the weak link for our clients or for our own cloud-based software. That means we have to really own this password situation.

Ahhh, passwords, those one-of-a-kind words. Or so we thought.

Either they don’t make a whole lot of sense, which is good for security but bad for remembering, or they are super-simple, like ‘Password’ or ‘123456’. And we have dozens of them, and with the online world getting hacked and attacked, we have to get this right. How can a jumble of characters, phrases, and numbers give us so much grief?

We thought we had it licked when browsers started remembering passwords for us. The browser saves the login for Facebook, Twitter or LinkedIn and fills it in next time. How convenient, and not only for you: anyone who sits down at your unlocked machine gets the same free ride. Do you know what is not convenient? Actually changing that password. To make matters worse, the advice most of us grew up with says to change every password every 3 months, and one study cited online says people in secure workplaces should do it every 42 days. (Worth knowing: the NIST draft of SP 800-63B drops mandatory periodic rotation and instead says to change a password when there is evidence it has been compromised, on the grounds that forced rotation mostly produces Password1, Password2, Password3.) As one Reddit commentator put it, “If our new network security guy had his way we’d have to use a retinal scan, thumbprint, blood and an RSA key that changes every 60 seconds”.

The changing-of-the-password problem is even harder when businesses use social media. Usually there are multiple users, staff changes and dozens of accounts. There are also good old social media lockouts because someone tried the wrong password too many times. Another common condition involves chasing after passwords handed down from generations of disenfranchised interns who used the names of their cats, favorite cocktails or Simpsons quotes, and who signed up for products and connected them to the accounts in ways you don’t even know about. Those connections deserve a look of their own: changing the Twitter password does not revoke the third-party apps someone authorized against the account, so part of any password cleanup is going through the connected-apps settings and cutting off the ones nobody recognizes.

What is the best way to solve this password fury?

[Image: the XKCD comic on password strength, from XKCD.com]

According to the best geek comic strip ever, XKCD, the last 20 years have trained us to use passwords that are hard for humans to remember but easy for computers to guess. You need a system that quickly creates passwords that are genuinely hard to guess. Some people have a crazy string that they update by adding the ‘next number’ in the sequence; that fools nobody, since an attacker holding last quarter’s password will try the incremented version first. More secure is this favorite of the internet savvy, the CorrectHorseBatteryStaple passphrase generator, http://www.correcthorsebatterystaple.net/

The thought behind the quirkily named CorrectHorseBatteryStaple site comes from the comic’s back-of-the-envelope math: four common words, picked at random from a list of a couple of thousand, carry about 44 bits of entropy, so a computer making 1,000 guesses a second would need about 550 years to try every combination. Two caveats, the second of which the comic’s own footnote admits. The words have to be chosen for you at random; four words you picked yourself because they go together are a sentence, not 44 bits. And 1,000 guesses a second is the rate of an attacker hammering a login page that throttles him; an attacker who steals the site’s password database and cracks it offline on a GPU gets billions of guesses a second, which is why the site’s hashing choice matters as much as your passphrase. Generating the words on somebody else’s website also means trusting that website and your connection to it; a generator that runs locally, or real dice and a printed word list, removes that trust. And don’t, of course, use CorrectHorseBatteryStaple itself.
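The comic’s arithmetic, carried through in code. This is an added example, not code from the CorrectHorseBatteryStaple site or from XKCD: it computes the entropy of a passphrase from the size of the word list and the number of words, turns that into time-to-exhaust at an assumed guess rate, and draws a passphrase with the operating system’s CSPRNG rather than by hand. The 32-word list is constructed for the demo, and the 1,000 and 10,000,000,000 guesses-per-second rates are assumed round figures for a throttled login page and an offline GPU attack respectively.

```python
import math
import secrets

# Constructed sample word list: a 32-word stand-in for a real Diceware-style
# list of thousands. Entropy is computed from the size of the list actually
# used, so this short list honestly reports 5 bits per word, not 11.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "basket", "candle",
    "dolphin", "engine", "falcon", "garden", "hammer", "island", "jacket",
    "kettle", "lantern", "marble", "needle", "orbit", "pepper", "quartz",
    "ribbon", "saddle", "tunnel", "velvet", "walnut", "yellow", "zipper",
    "copper", "meadow", "pillow", "rocket",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(list_size, n_words):
    """Bits of entropy in n_words drawn uniformly at random from list_size words."""
    return n_words * math.log2(list_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate. The comic's 550-year figure is this number
    for 44 bits at 1,000 guesses/s; a lucky attacker finishes sooner."""
    return 2.0 ** bits / guesses_per_second


def years_to_exhaust(bits, guesses_per_second):
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def generate_passphrase(words, n_words=4):
    """Pick the words with the OS CSPRNG (secrets), never by hand: the entropy
    figure only holds if every word was an independent uniform draw."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def crack_scenarios(bits):
    """Same passphrase, two attackers: a throttled login page versus an
    offline GPU against an unsalted fast hash (assumed round-figure rates)."""
    return {
        "online, 1e3 guesses/s": years_to_exhaust(bits, 1e3),
        "offline fast hash, 1e10 guesses/s": years_to_exhaust(bits, 1e10),
    }


if __name__ == "__main__":
    bits = entropy_bits(2048, 4)  # the comic's assumption: ~11 bits per word
    print(f"4 words from 2048: {bits:.0f} bits")
    for who, years in crack_scenarios(bits).items():
        print(f"  {who}: {years:.2e} years to exhaust")
    print(f"Tr0ub4dor&3 style, 28 bits: {seconds_to_exhaust(28, 1e3) / 86400:.1f} days")
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(f"sample: {phrase!r} ({entropy_bits(len(SAMPLE_WORDS), 4):.0f} bits from this tiny list)")
```

Run it and the two scenarios make the point: the same 44-bit passphrase takes about 557 years to exhaust at 1,000 guesses a second and about half an hour at ten billion, so a passphrase protects you against the first attacker on its own and against the second only if the site hashes with something slow like bcrypt or scrypt. The 28-bit “Tr0ub4dor&3” line reproduces the comic’s “3 days” for comparison.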

But that’s the easy part. Implementing those crazy word combos is the trick.

There are two kinds of password people: Those who write their passwords down and those who don’t. Within ‘Those Who Do’ there are people who write the password down and hide it somewhere they can’t remember; and there are people who write their password on a Post-It note and stick it on their monitor–until the sticky gets old and the password is lost. Either way, you’re going to forget, and then you’ll be frustrated.

Content Carnivores is built on big data and machine learning technology. We thrive on algorithmic efficiencies. But when it comes to passwords? Our system was based on a Google Docs spreadsheet. The logic was that if Google gets hacked we’re all screwed anyway. The real weak point of that setup is not Google being breached, though: it is any single employee account with access to the sheet being phished, and the fact that a shared sheet hands everyone every password with no record of who used which one. Either way, it didn’t change the need to have an adaptable way to change, update and maintain the passwords in our network. So we put Carnivores Social Media Manager, Lucyvore, on the job, scouring Product Hunt for an answer. Lucyvore (who researched and helped write this article) asked, “Can we have a system that updates a big list of passwords every 42 days, keeps them in a totally secure place, AND updates the 3rd party services like Twitter, etc.?” It’s 2016, isn’t there some sort of social media hack to ease this pain?

She found Dashlane, which stores your passwords in its vault and tracks them for you. It also has a service called “Password Changer”, which helps with the password drama: for the sites it supports, one click changes the stored password and updates it on the site. Wow. You can also share these passwords with fellow employees. To get all of the Dashlane services there is a fee, starting at $39.99 a year. Something to consider. Lucyvore reports, “I demoed the free version of Dashlane for a week. To set up, I was put through a simple process to download the software. I logged into Twitter using the Dashlane platform and then saved the username and password. The system linked Dashlane to my Chrome browser, making it easier for me to sign into accounts. I was also able to add multiple Twitter accounts. This was an easy process. I felt no threat of security with this platform–but look at how many ‘secure’ transactions just happened. Hmmmm.”

She also found a creative approach to password managing called PasswordChef. According to the founder, Robert Merrill, this app “helps you design a personal algorithm (we call them “recipes”) which generates unique, complex passwords for all your accounts, and enables you to recall them from anywhere.” Lucyvore reports, “Sounds like it’s right up Content Carnivores’ alley. We love our chefs. When I demoed PasswordChef, I noticed that it seemed more for personal use as opposed to business use.” In the ProductHunt comments, someone wrote, “PasswordChef is a password cipher manager instead of a much more risky password manager. It is a neat trick that helps you generate passwords based on your unique inputs–that you remember more easily. It also provides a means to easily change those things, i.e., adding a one, or changing something, but in a way that you will also remember.” PasswordChef was easy to use, but again we are not sure it would hold a strong presence in the business world. Security-wise, the app might not be ready for a company with multiple users, permissions and accounts. There is also a trade-off baked into any recipe scheme: because each password is computed from the site name and something you remember, one password leaked from a breached site gives an attacker a worked sample of your recipe to reverse, and rotating a single account means remembering which accounts got the extra ‘one’.
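What a “password cipher manager” does under the hood, as an added example. This is not PasswordChef’s code and does not claim to reproduce its human-memorable recipes; it is the machine-computed version of the same idea: a per-site password derived from a master secret plus the site name and a counter, so nothing is stored and the same inputs give the same password on any machine. The alphabet, length, salt and PBKDF2 cost are assumptions chosen for the demo, and the master secret and site names in the test are constructed.

```python
import hashlib
import hmac
import string

# Assumed parameters for the demo; a real deployment would fix its own.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"
PASSWORD_LENGTH = 16
STRETCH_SALT = b"example-password-recipe-v1"  # assumption: fixed, app-specific salt
STRETCH_ROUNDS = 100_000                      # assumption: PBKDF2 cost


def stretch_master(master_secret):
    """Slow the master secret down, so that someone who learns one derived
    password cannot cheaply brute-force the master it came from."""
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode(), STRETCH_SALT, STRETCH_ROUNDS)


def meets_policy(pw):
    """Typical site rule: at least one lower, one upper, one digit, one symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def _candidate(key, site, counter, attempt):
    """One deterministic candidate: HMAC-SHA256(key, site || counter || attempt),
    read as a big integer and written out in base len(ALPHABET)."""
    msg = f"{site.lower()}\x00{counter}\x00{attempt}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # 73**16 is far below 2**256, so taking the low digits has negligible bias.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(PASSWORD_LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def derive_password(master_secret, site, counter=1):
    """Stateless per-site password. Same master, site and counter give the
    same output anywhere; bump `counter` to rotate one site without touching
    the rest. Retries deterministically until the site's policy is met."""
    key = stretch_master(master_secret)
    attempt = 0
    while True:
        pw = _candidate(key, site, counter, attempt)
        if meets_policy(pw):
            return pw
        attempt += 1


if __name__ == "__main__":
    master = "constructed master secret"
    for site, counter in [("twitter.com", 1), ("twitter.com", 2), ("facebook.com", 1)]:
        print(f"{site:14s} counter={counter}: {derive_password(master, site, counter)}")
```

The deterministic retry loop handles the edge case any site-policy checker creates: with 16 characters from a 73-symbol alphabet, roughly one candidate in ten lacks a digit, and rejecting it in a way both machines agree on keeps the scheme stateless. The trade-offs are the same ones that apply to PasswordChef: the counter is state you must remember per site, a site that caps length or bans some symbols needs its own exception, changing the master changes every password at once, and anyone who learns the master has everything, exactly as with a vault.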

There are pros and cons to each way of managing and changing a password. It’s a mix of personal style, efficiency, and time. We are still looking for the right answer in this search for password-management success. No more pushing (multiple) buttons. And especially, no more time wasted. We want the best security for the accounts we run. And we most certainly don’t want ‘Password’ or ‘123456’ to be the reason the internet blows up. Happy passwording!
