
How to Perform a Password Security Audit


With password breaches like Adobe's recent loss of up to 130 million passwords becoming all too common, now is a very good time to audit your password security. In this tutorial I'll show you how to use 1Password or LastPass to analyse how secure your passwords are and, where necessary, create new, secure ones.


The Need for a Password Security Audit

Passwords Have Never Been Less Secure

If you're unsure what makes a secure password, this tutorial on picking passwords is a great place to learn.

Every breach like Adobe's, Evernote's, LinkedIn's and Yahoo's hands information to the people developing password-cracking methods, even when the passwords are hashed or encrypted. CrackStation, for example, maintains 190GB of lookup tables: 15 billion candidate passwords together with their precomputed hashes under two of the most common (and fastest) algorithms, MD5 and SHA1.

Submit the unsalted MD5 or SHA1 hash of any common password and CrackStation will return the plaintext in under a second.
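To make the lookup-table point concrete, here is an added Python example (not from the original article and not CrackStation's code). It builds a tiny precomputed MD5/SHA1 table from a constructed list of common passwords, reverses a "stolen" digest with a single dictionary probe, and then shows that a per-user salt or a long random password leaves the table with nothing to match. The password list, the salt and the strong password are made up for the illustration.

```python
import hashlib

# Constructed stand-in for a leaked or common-password list. Real tables such
# as CrackStation's hold billions of entries; the mechanism is identical.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "adobe123", "photoshop"]

def unsalted(password, algorithm):
    """Hex digest of the bare password, as a site with no salt would store it."""
    return hashlib.new(algorithm, password.encode()).hexdigest()

def build_lookup_table(words, algorithm):
    """Precompute digest -> plaintext for every candidate word. An attacker
    does this work once, before any breach, and reuses it forever."""
    return {unsalted(w, algorithm): w for w in words}

TABLES = {alg: build_lookup_table(COMMON_PASSWORDS, alg) for alg in ("md5", "sha1")}

def reverse_hash(hex_digest):
    """Recover the plaintext behind an unsalted MD5 or SHA1 digest by table
    lookup. Returns (algorithm, plaintext) or None. Each probe is one dict
    lookup, which is why a common password falls in far under a second."""
    hex_digest = hex_digest.lower()
    for alg, table in TABLES.items():
        if hex_digest in table:
            return alg, table[hex_digest]
    return None

def salted_sha1(password, salt):
    """Per-user random salt: the digest of the same password now differs for
    every user, so a precomputed table never matches. Salting alone does not
    slow down guessing a weak password; a slow KDF (bcrypt, PBKDF2) does."""
    return hashlib.sha1(salt.encode() + password.encode()).hexdigest()

if __name__ == "__main__":
    stolen = unsalted("123456", "md5")              # what a breach dump contains
    print(stolen, "->", reverse_hash(stolen))        # ('md5', '123456')
    # "2f9c1a" is a constructed salt; a real one is random per user.
    print(reverse_hash(salted_sha1("123456", "2f9c1a")))            # None
    print(reverse_hash(unsalted("vortex7cereal3lagoon", "sha1")))  # None
```

The third case is the other half of the story: a long, random password is not in any table because the attacker never generated it, so even a bare SHA1 of it survives this attack. A site that salts and uses a slow hash protects weak passwords too; you cannot rely on that, so the password itself is the one thing under your control.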

If the web services you use are careful and look after your data properly, you will be fine. But one slip-up by them and an attacker has your email address and password. As xkcd points out, if you reuse passwords, that one slip-up unlocks every other account that shares them.

People Use (And Reuse) Terrible Passwords

Unless a website stores your password in plain text, a long, random password will take months or years to crack even when the site's hashing falls short of best practice. However, most people's passwords are neither long nor random. Almost 1% of the passwords in the Adobe breach were 123456. Today I'm going to show you how to make sure you're not one of that 1%!


Password Management Software

1Password

AgileBits' 1Password is a desktop password management application with companion browser extensions for Safari, Chrome, Opera and Firefox. It also has iOS applications that sync with your desktop data, so you can access all your passwords from anywhere.

When you log in to a site, 1Password offers to save the login details for you. The passwords are saved in an encrypted vault protected by a single password: the one password. So long as you remember that one password, you are able to use 1Password to log in to any given website without needing to remember that website's specific password. This means each site you use can have its own, unique, secure password without you having to worry about remembering them all.

1Password can also generate these secure passwords for you, which it then automatically saves making life even easier.

LastPass

LastPass is a browser-extension password manager. Like 1Password, it has an iOS application and provides the same basic feature set. However, whereas 1Password keeps its encrypted vault as a file on your own machine, LastPass encrypts the vault locally and then stores it on LastPass's servers. LastPass also uses a freemium model: the browser extension and basic feature set are free, but the mobile version requires a premium subscription at $1/month.

Security Audit

In addition to drastically simplifying your logins, 1Password and LastPass can both show you your weak and duplicate passwords.

It is best practice to use a unique password for every service. If, like me, you have been using the same few passwords for a lot of different services for a long time, it can take a while to sort them all out. For that reason, prioritise updating important passwords (email, banking, and anything that can reset other accounts) as soon as you can, then work through the less important ones at your leisure.

Also, if you are not already using 1Password or LastPass, download one of them and use it for a few weeks so it can build a database of your most-used passwords before proceeding with this tutorial.


Using 1Password

Finding Duplicate Passwords in 1Password

To see all your duplicate passwords, open 1Password and click on Duplicate Passwords under Security Audit in the sidebar. 1Password then groups all your logins with the same passwords together.

Duplicate passwords in 1Password's Security Audit

When you generate a password with 1Password, it is recorded as a separate generated-password item in addition to being saved with the website's login details.

It is a slightly unfortunate quirk that these generated-password items are included when 1Password checks for duplicates, so a site whose password you generated with 1Password shows up as a duplicate of its own generated-password entry. All this means is that you must scan the list and ignore pairs that are the same site twice.

Like me, you will likely find that there are a small number of passwords you have used for a large number of services. These are the important ones to change.

Generated passwords are included along with logins in the duplicate finder. Ignore them.

Finding Weak Passwords in 1Password

Also under Security Audit in the sidebar, opening the Weak Passwords tab reveals a list of your weakest passwords grouped by how weak they are. In my case, there were two groupings, Terrible passwords and those that were merely Weak.

You will most likely find that the very worst passwords belong to things like local development environments, or to services that restrict passwords to four or six characters.

My Terrible passwords

Finding Old Passwords in 1Password

In Security Audit there are also three time-based categories: 3+ years old, 1-3 years old and 6-12 months old.

1Password records when each password was created and so can tell when one has not been changed in a while. For some passwords this matters more than others: a password should certainly be changed when the service holding it is breached, and those guarding important accounts are worth rotating periodically. To get the full benefit of this tab you must have been using the software long-term, because 1Password sets a password's creation date to the date it was added to 1Password, not the date you originally chose it.
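The three Security Audit views above (duplicate, weak and old passwords) are easy to reproduce over a vault export, which is useful if you want to script the review or keep a record of progress. The following is an added Python example, not code from the article, 1Password or LastPass. The CSV column names and the sample rows are constructed assumptions modelled on a typical export; adjust the column names to match your own file. The strength score is a deliberately crude log2(charset^length) estimate that zeroes known-common passwords, and the 64-bit threshold and the "older than a year" rule are my own choices.

```python
import csv
import io
import math
import string
from collections import defaultdict
from datetime import date

# Constructed sample export (hypothetical accounts and passwords). Columns
# are an assumption modelled on 1Password/LastPass CSV exports.
SAMPLE_EXPORT = """title,url,username,password,created
Twitter,https://twitter.com,alice,Summer2011,2011-03-02
Evernote,https://evernote.com,alice,Summer2011,2012-07-19
LinkedIn,https://linkedin.com,alice@example.com,Summer2011,2010-11-30
Bank,https://bank.example,alice,M3v6-qwxz-7Trp-Lk2n-3vQz,2013-10-01
Dev VM,http://localhost:8080,root,1234,2013-06-15
Webmail,https://mail.example,alice,correct horse battery staple,2009-05-05
"""

# Tiny constructed stand-in for a breached-password list.
COMMON = {"123456", "password", "qwerty", "1234", "letmein"}

def load_vault(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def duplicates(entries):
    """Group logins by password; keep only passwords shared by two or more
    logins, mapped to the titles using them, largest group first."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["title"])
    shared = {pw: titles for pw, titles in by_password.items() if len(titles) > 1}
    return dict(sorted(shared.items(), key=lambda kv: -len(kv[1])))

def strength_bits(password):
    """Crude entropy estimate: length * log2(size of the character classes
    present). Known-common passwords score zero regardless of length."""
    if password in COMMON:
        return 0.0
    charset = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in cls for c in password):
            charset += len(cls)
    if any(c not in string.ascii_letters + string.digits for c in password):
        charset += 32  # printable punctuation and space
    return len(password) * math.log2(charset) if charset else 0.0

def weak(entries, min_bits=64):
    """(title, bits) for entries scoring below min_bits, weakest first."""
    scored = sorted((strength_bits(e["password"]), e["title"]) for e in entries)
    return [(title, round(bits, 1)) for bits, title in scored if bits < min_bits]

def stale(entries, as_of, max_age_days=365):
    """(title, age_in_days) for entries created more than max_age_days before
    as_of (ISO date string), oldest first. Remember that for a freshly
    imported vault 'created' is the import date, not the password's real age."""
    today = date.fromisoformat(as_of)
    out = []
    for e in entries:
        age = (today - date.fromisoformat(e["created"])).days
        if age > max_age_days:
            out.append((e["title"], age))
    return sorted(out, key=lambda t: -t[1])

if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    print("Duplicates:", duplicates(vault))
    print("Weak:", weak(vault))
    print("Older than a year:", stale(vault, "2013-11-15"))
```

A caveat the managers' own reports do not raise: an exported vault is your entire password list in plain text. Keep the file on encrypted storage, never email or cloud-sync it, and delete it securely once the audit is done.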

Updating a Password with 1Password

To update a password, visit the relevant website and log in using 1Password. It will autofill your (insecure) login details.

  • Navigate to the update-password option; it is generally under security or account settings.
  • Open 1Password by clicking on the 1Password menu bar icon and hover over the suggested login that you want.
  • Click on the •••••••••••• in the password field of the flyout menu to copy your old password to the clipboard.
Copying Twitter's old password from 1Password
  • Paste the old password into the Old Password field.
  • Reopen the 1Password menu and hover over the Password Generator option.

1Password's Password Generator automatically generates a password based on some rules you can define. You can set the length, separator, whether you'd like the password to be pronounceable, and whether you'd like it to use mixed-case letters.

Tip: I suggest you use passwords that are 20 characters long and separated by digits. This means that in the rare instances when you have to enter one manually on an iPhone keyboard, it is still just about doable. Bear in mind that pronounceable and digit-separated layouts draw from a smaller space than fully random characters of the same length, so treat 20 as a floor rather than a target to shave down.

Click on Fill to insert your new, secure password into the New Password and Confirm New Password fields.

Generating a new password for Twitter
  • Clicking on Save Changes will bring up a dialogue box from 1Password asking if you want to update the existing login.
  • Hit Update to save the changes to 1Password's vault.

You've now updated a weak password to a secure one.
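As an added example (not the article's code and not AgileBits' generator), the script below produces passwords in the layout the tip above recommends: letter chunks separated by single digits, to a fixed total length, drawn from the operating system's CSPRNG through Python's secrets module. It also works out the entropy that layout actually yields, so you can compare it with the same number of fully random printable characters. The chunk size, the defaults and the layout check are my own choices.

```python
import math
import secrets
import string

def separator_positions(length, chunk):
    """Indices that hold a digit: one after every `chunk` letters, never last."""
    return [i for i in range(length) if i % (chunk + 1) == chunk and i != length - 1]

def generate_password(length=20, chunk=4, mixed_case=False):
    """Letter chunks separated by single digits, exactly `length` characters.
    `secrets.choice` uses the OS CSPRNG; `random.choice` is predictable and
    must never be used for passwords."""
    alphabet = string.ascii_letters if mixed_case else string.ascii_lowercase
    seps = set(separator_positions(length, chunk))
    return "".join(
        secrets.choice(string.digits) if i in seps else secrets.choice(alphabet)
        for i in range(length)
    )

def layout_ok(password, chunk=4):
    """True if every separator slot holds a digit and every other slot a letter."""
    seps = set(separator_positions(len(password), chunk))
    return all(
        c.isdigit() if i in seps else c.isalpha()
        for i, c in enumerate(password)
    )

def entropy_bits(length=20, chunk=4, mixed_case=False):
    """Entropy of generate_password's output for these settings: each digit
    slot contributes log2(10), each letter slot log2(26) or log2(52).
    Compare with length * log2(94) for fully random printable ASCII."""
    n_sep = len(separator_positions(length, chunk))
    per_letter = math.log2(52 if mixed_case else 26)
    return n_sep * math.log2(10) + (length - n_sep) * per_letter

if __name__ == "__main__":
    pw = generate_password()
    print(pw, layout_ok(pw))
    print(round(entropy_bits(), 1), "bits for this layout vs",
          round(20 * math.log2(94), 1), "bits for 20 fully random characters")
```

With the defaults (20 characters, chunks of 4, lowercase) the layout gives roughly 90 bits, and mixed case lifts it to about 107; fully random printable characters of the same length would give about 131. All three are far beyond what any online guessing or offline cracking of a properly hashed password can reach, which is why the typeability trade-off in the tip is a sensible one.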

Updating Twitter's current 1Password entry

Using LastPass

Finding Duplicate Passwords in LastPass

To find your duplicate passwords with LastPass, visit the LastPass Security Challenge page on the LastPass website and log in with your LastPass credentials.

The page then explains what the Security Challenge does and how to interpret the results, and stresses that all decryption of your vault is handled locally in your browser.

Click Start the Challenge to begin.

LastPass will then use your browser to download, decrypt and analyse the contents of your LastPass vault. Depending on the number of passwords you have, this could take up to a minute or two.

Next you will be presented with your overall results. However, these do not tell you which specific passwords you need to change; scroll down to see those.

The results from the LastPass Security Challenge

LastPass, like 1Password, now groups all your duplicate passwords together.

Duplicate passwords in LastPass

Finding Weak Passwords in LastPass

LastPass displays your detailed results in a list with the weakest at the top. You are unlikely to have many weak passwords that are also unique, so start with the duplicates.

Once you have fixed all your duplicate passwords, start at the top of the list and work down. LastPass gives each password a security rating percentage.

If a password's score is less than around 80%, you should consider changing it.

Updating a Password with LastPass

Updating a password with LastPass is very similar to doing so with 1Password.

  • Visit the relevant website and log in using LastPass.
  • Navigate to the update-password option; it is generally under security or account settings.

LastPass will automatically detect that you are changing a password and offer to generate a new one.

  • Click Generate, and then Accept if you are happy with the suggested password.
  • If not, you can click Generate to create a new one or click the Show Advanced Options check box to see more options.
Generating a password with LastPass

LastPass will then autofill the new password into the form.

  • Enter your old password into the Old Password field and then save the changes you have made.

LastPass will detect that you have changed a stored login and ask whether you want to update the existing entry in your vault or save a new one.

Select Confirm to update LastPass.

You now have a secure password.

LastPass confirm password change dialogue

Conclusion

In this tutorial I've shown you how to conduct a security audit with 1Password and LastPass. It is very easy to slip into bad password practices, and even when you start using a good solution like 1Password or LastPass, if you don't go back and correct your old mistakes you may still be at risk.

Think I'm too paranoid? Let me know in the comments!
