In the past week Secrets was featured in both the Mac and iOS App Stores in the “New Apps We Love” category. This exposure resulted in fantastic new customers with interesting questions and comments. Some of these new customers are also new to the concept of managing passwords and want to know more about how to fully take advantage of a password manager such as Secrets.
To understand the benefits of using a password manager, one must understand the dangers of poor password discipline.
When presented with the challenge of memorizing passwords for various sites, users will, understandably, either reuse a known and memorable password or use minor variations of it.
Today we have logins for everything, from our personal e-mail to our child’s day care. According to BuzzFeed the average person has 27 discrete online logins. Memorizing 27 different passwords is simply not feasible for most of us.
So what’s wrong with reusing the same password? Every year many sites are compromised and login information is leaked. Recently it was reported that a breach on Yahoo leaked about half a billion logins. And this happens all the time.
If your username, e-mail and password are exposed in one of these leaks, a malicious person can simply try using this information on other sites and gain access to your accounts. E-mail hosting services such as Gmail, Yahoo, Hotmail etc. are probably among the first sites they would try. If an attacker gains access to your e-mail, he most likely gains access to all the other sites you use, simply by using the “Reset password” functionality available on most sites.
With this information an attacker can try to gain access to your bank account, discover your credit card details or simply use your name to send spam.
If you have some technical experience you probably know that most sites don’t store your password just as you type it in the password field. If done correctly, the site will store the result of passing your password through a one-way function. A one-way function makes it easy for the site to verify that the password you entered matches the password you chose when setting up an account, but makes it hard to retrieve the original password given the result of the one-way function.
The sole reason for sites to do this is to mitigate the consequences of a data breach such as the ones mentioned above.
However, even though a one-way function makes it hard to determine the original password given its result, an attacker can quickly apply the same one-way function to many common passwords and simply check whether the result matches the one they got from a data breach. This is called a brute-force attack.
The lower the complexity of your password, the easier it will be for an attacker to retrieve it. And now you know the reason some sites ask you to pick a combination of uppercase/lowercase letters, numbers and symbols: these sites are simply trying to force you to pick a strong password.
Out of curiosity here’s a list of the most commonly used passwords. Just note that if your password isn’t listed that doesn’t mean you have a strong password.
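To make the scheme above concrete, here is a small Python sketch added for this post (it is not code from Secrets or from the original article): a site stores the result of a salted one-way function (PBKDF2-HMAC-SHA256), a login check re-runs it, and an attacker holding the leaked result tries a list of common passwords. The common-password list, the iteration count and the generated-password alphabet are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional, Sequence, Tuple

# Work factor of the one-way function: every guess costs this many HMAC rounds,
# for the site and for the attacker alike (value chosen for this example).
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a well-behaved site stores: a random per-user salt and the PBKDF2 result,
    never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """The site's login check: re-run the one-way function on the entered password
    and compare the results in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed stand-in for a "most commonly used passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "admin"]

def guesses_to_recover(salt: bytes, digest: bytes,
                       wordlist: Sequence[str] = COMMON_PASSWORDS) -> Optional[int]:
    """The attack described in the text: given a leaked salt and digest, count how many
    common passwords must be tried before one verifies. None means no entry matched,
    i.e. the password is not in the list and this shortcut fails."""
    for n, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest):
            return n
    return None

def generate_password(length: int = 20) -> str:
    """A random password from a cryptographic RNG, the kind a password manager
    generates so that it never appears in any common-password list."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

A stored result for "letmein" falls on the fourth guess from the list, while a 20-character generated password is not recovered from the list at all.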
One of the goals of using a password manager such as Secrets is to facilitate having a good password discipline.
By using a password manager you can store a different password for every site, avoiding the need to remember them. And if you don’t have to remember passwords, there’s nothing stopping you from using strong passwords on every site. And Secrets will generate strong passwords for you, so you don’t even have to worry about that.
The only password you need to remember is the password to unlock your secrets and this password never leaves your device.