
Secret security: The only password you'll ever need

Published: Thursday, Feb. 6 2014 4:00 a.m. MST

The advantage of programs such as 1Password and LastPass is they can work across both Mac and PC platforms and have many more features.

When 1Password, for example, is installed, it enables users to click on an icon added to a browser to put in a password on a website. It can enter other information as well — including credit card numbers and so forth.

The program also can generate very long, very random passwords for websites, passwords that are nearly impossible to memorize. The long password stays in the password manager and can be accessed from other computers and devices. All a person has to do is memorize that one password to access the password manager.

Just don't ever forget that one password.

"It is a paradigm of putting all your eggs in one basket and then watching that basket very carefully," says Hunt.

Angwin also uses a password manager for her passwords. The trick is to come up with a good master password.

Pass phrases

It would make little sense to install a password manager with high encryption and then use a simple master password like "qwerty" or your birthday.

Angwin recommends using what is called a pass phrase, a few short but random words found in a dictionary such as "market gear train pencil." The words can be separated by spaces, or sometimes people will put a numeral or symbols between the words.

The idea, popularized in an XKCD Web cartoon, claims a password such as "Tr0ub4dor&3" is harder to memorize and easier to crack than a pass phrase such as "correct horse battery staple."

Although pass phrases provide better passwords from a security standpoint, one study in the "Proceedings of the Symposium On Usable Privacy and Security" says pass phrases are forgotten at similar rates to regular passwords and took longer to enter.
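As an added illustration (not part of the original article), this Python sketch draws a pass phrase of random dictionary words the way Angwin describes and measures its strength in bits, next to the long random passwords a password manager generates. The word list is a constructed sample and the function names are hypothetical; a usable list needs thousands of words.

```python
import math
import secrets

# Constructed sample list, only to keep the example self-contained.
# A real list needs thousands of words (the EFF long list has 7,776).
SAMPLE_WORDS = ["market", "gear", "train", "pencil", "river", "candle",
                "orbit", "walnut", "ladder", "copper", "meadow", "signal",
                "velvet", "harbor", "thimble", "anchor"]

def clean_wordlist(words):
    """Normalize and de-duplicate; duplicates would overstate the entropy."""
    seen, out = set(), []
    for w in words:
        w = w.strip().lower()
        if w and w not in seen:
            seen.add(w)
            out.append(w)
    return out

def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` items is drawn uniformly
    and independently from `choices` possibilities."""
    return picks * math.log2(choices)

def words_needed(list_size, target_bits):
    """Smallest number of words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(words, n_words=4, sep=" "):
    """Draw words with the OS CSPRNG; words a person picks are not random."""
    words = clean_wordlist(words)
    if len(words) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(round(entropy_bits(len(SAMPLE_WORDS), 4), 1), "bits from the sample list")
    print(round(entropy_bits(7776, 4), 1), "bits from a 7,776-word list")
    print(round(entropy_bits(94, 20), 1), "bits for 20 random printable characters")
```

The strength comes from the size of the list and the number of words drawn, so the same four-word phrase is far weaker when picked from a short list or chosen by hand.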

Two factors

Jeff Atwood, a blogger in El Cerrito, Calif., who co-founded the programmers website stackoverflow.com, is also concerned with password security online, but doesn't use a password manager. Instead he tries to sign onto most websites using his Google account. That way, he says, if other websites are hacked, they do not have his password.

Like Angwin and Hunt, he is mostly concerned about people getting access to things through email. For this reason, he says to use what is called two-factor authentication.

"That is something you know and something you have," he says.

The way it works is the thing you "know" is a password.

The thing you "have" could be your mobile phone. So when you sign into a Web service such as Google, it asks for a password and it also sends a text message with another code you have to enter. This authenticates the computer you are using. If you use another computer, you have to use the two-factor authentication again — something a hacker couldn't do.

Atwood also has a Citibank account, which requires him, in addition to a password, to insert a USB fob into the computer to authenticate that it is him accessing the account.

Google and other email and social media websites offer two-factor authentication.

Once Google is secure this way, then it can be used with fewer problems to access other online services. This method is, in a way, similar to using a password manager.

Atwood, however, doesn't worry about less important websites and has a simple password he uses for websites he says he probably will never visit again. Getting access to this password would not divulge any important information — if it would, he wouldn't use it for them.

EMAIL: mdegroote@deseretnews.com

Twitter: @degroote

Facebook: facebook.com/madegroote
