15:07 1st Sep 2011

    notes: 10

    tags: passwords

    Doing Passwords Right

    A student once told me, in all seriousness, that his password of “password” was secure because:

    It’s a double bluff. No-one would believe I’m stupid enough to use that as a password

    Yeah, right.

    The trouble is that passwords are hard. One password is easy, two are OK, but most of us need tens, if not hundreds, of passwords for all our different services. Work password, personal email, Facebook, Google, eBay, three banks, that random quiz site, phishme.com…

    Then each of these sites has a different password complexity/strength checker, work insists your password is changed every 30 days, and on it goes.

    In attempting to deal with this, most people work their way down this sequence:

    1. I’ve thought of a good password. It’s “fred”.
    2. Oh dear. It’s rejected as too short. Let’s try “fredfred”
    3. Now it needs numbers. Try “fr3dfr3d”.
    4. Accepted

    And we’re all good to go until….

    1. The next site comes along. Now we have to have a special character as well. So let’s use ‘fr3dfr3d!’. 
    2. Now sign up to internet banking. Best use a different password. Ok. ‘G30rge!’. Done
    3. Now what about the credit card? ebills? Oh dear.

    The only way to deal with this and keep everything in a human brain is to have two or three basic passwords (say one for banking, one for login and one for other websites) and reuse them everywhere, with random variations to cope with different sites’ password policies. This way madness lies. The small variations cause endless problems, and reusing a password across sites means that one compromised site hands the attacker every other site that shares it.

    The solution: write your passwords down. As prohibited in every security policy ever.

    Use the paper, Luke

    By ‘write it down’ I don’t mean physically writing it down in any way, but rather that you stop trying to remember passwords and use a password manager to store them.

    Password management (or “password safe”) software encrypts all your passwords under one master password, so you now have only one password to remember while the rest stay safe from prying eyes. Unlike the ‘post-it note under the keyboard’ approach.

    Once you stop trying to remember passwords, all sorts of good things happen:

    1. You can (and should) have a unique password for every single site or application. Even the silly ‘joke’ websites. Everything.
    2. You can stop trying to think up passwords. Just let the password manager generate a random one for you. It’ll be impossible to remember (e.g. mine has just generated ‘eRxz%b3gtV’ for me) but it doesn’t matter. You never need to remember it.

    And that’s it. Now you can have complex, unique passwords everywhere and also have less stuff cluttering up your brain and making you stupid. What’s not to like? Just do it.

    The Details

    That’s the basic principle, but like everything, the details matter.

    1. You’ll still have to remember your computer login password and the master password for your password safe. That’s only two passwords. Not so bad.
    2. You may also want to remember your internet banking passwords.
    3. Remember that the strength of this whole system depends on the strength of the master password you set for your password safe. Since you don’t have to type it very often, I suggest going for a very long phrase (30-50 characters).
    4. Don’t use any random piece of software. Writing secure cryptographic products is hard, and if you are putting all your passwords in one place you want to be very sure you haven’t just made it easy for them all to be stolen at once.
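    The two points above, letting the manager generate the per-site password and picking a long master phrase, can be made concrete. The following is an added example, not code from the original post or from any of the products listed below: it generates a policy-compliant random password from the OS CSPRNG the way a password manager does, and estimates the entropy of a random password versus a passphrase of randomly chosen words. The character classes, the set of special characters and the function names are my assumptions; the 7776-word dictionary size is that of the standard Diceware list.

```python
import math
import secrets
import string

# A generic model of a site password policy. Assumption for this example:
# real sites differ, so the classes and the special set are adjustable.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!%&*+-=?@^_",   # conservative set that most sites accept
}
DEFAULT_REQUIRED = ("lower", "upper", "digit", "special")
DICEWARE_WORDS = 7776           # size of the standard Diceware word list


def meets_policy(password, required=DEFAULT_REQUIRED):
    """True if the password contains at least one character from every
    required class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in required)


def generate_password(length=16, required=DEFAULT_REQUIRED):
    """Generate a random password that satisfies the policy, drawing from the
    OS CSPRNG via the `secrets` module (never `random`, which is a
    predictable Mersenne Twister and not designed for secrets).

    Rejection sampling (draw a uniformly random string, keep it only if it
    passes the policy) leaves the result uniform over all policy-compliant
    strings. The common shortcut of 'pick one from each class, fill the
    rest, then shuffle' does not, and biases the output slightly.
    """
    if length < len(required):
        raise ValueError("length is too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, required):
            return candidate


def random_password_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols chosen uniformly from an alphabet
    of `alphabet_size` symbols. Only valid for *random* passwords: a human
    pattern such as 'fr3dfr3d!' has far fewer than 9 * log2(alphabet) bits,
    because an attacker tries dictionary words and leetspeak substitutions
    long before random strings."""
    return length * math.log2(alphabet_size)


def passphrase_bits(num_words, dictionary_size=DICEWARE_WORDS):
    """Entropy in bits of `num_words` words chosen uniformly at random from a
    dictionary. This is the right model for a master passphrase; a quotation
    from a book is one of a few million memorable lines, not a random draw."""
    return num_words * math.log2(dictionary_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print("generated:", pw, "policy ok:", meets_policy(pw))
    # 10 random characters from the 94 printable ASCII symbols, the kind of
    # password the manager generated in the post
    print("10-char random from 94 symbols: %.1f bits" % random_password_bits(10, 94))
    # a six-word Diceware phrase is typically 30-40 characters long
    print("6-word random passphrase:       %.1f bits" % passphrase_bits(6))
    # 40 random lowercase letters, for comparison with the 30-50 char advice
    print("40 random lowercase letters:    %.1f bits" % random_password_bits(40, 26))
```

    The numbers are the point: ten random characters from the full printable set give about 65 bits, and six words drawn at random from a 7776-word list give about 77 bits while being far easier to type, which is why the master phrase can be long and still memorable. The entropy functions say nothing useful about a password like ‘fr3dfr3d!’, which is a dictionary word with substitutions, and a master phrase lifted from a song or a book is likewise not a random draw.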

    Finally, most of us use many different computers over the course of a day, so we need these passwords everywhere. There are two basic approaches:

    1. Let the software itself store the data in the cloud, or,
    2. Store the encrypted file on a sync service like Dropbox

    Either works. You’ll also want a copy of the program and your passwords on your phone for those times when you need to log in to a site from a different computer, an internet cafe, etc.

    All of the recommended products below can also be integrated into your web browser to allow seamless logins to everything web based (which is going to be 95% of everything for most of us).

    Recommended products

    • KeePass: Works on Windows and Linux. Supposed to work on OS X but I gave up waiting for Mono to install. Also has versions for most phone OSs. Open source.
    • LastPass: nice, but costs to use on mobile. 
    • 1Password: those that use it love it. Works on Windows, OS X, iOS and Android. Costs.

    Edit: thanks to Max Spicer for prompting me to get off my arse, change my password management and actually write this up :) 
