Passwords are the bane of everyone’s computer existence. Unfortunately, until someone comes up with something better, we are stuck with passwords.
First let’s talk about the something better. Some very smart people are working very hard and there are some prospects moving through the development and evaluation stages, but there is nothing yet that offers a large-scale solution.
Ok, back to passwords. Everyone has a bazillion of them. One for this web site and one for that web site. Too many to remember. And what difference does it make anyway? I will just use 12345.
Splashdata, a company that makes password management software, does an analysis every year of the passwords that show up in the hacked web site lists (see my blog post on the subject). The most popular password this year was 123456, followed by password. I think that most people would legitimately say that those passwords are not secure, but still, they are the most commonly used passwords.
I tell people that how you treat computer security and privacy depends on your “level of paranoia”. People range from the very low (and use password as their password) to the very high (and use 1erT%5-@ewTT as their password) :). Based on that, how you manage passwords absolutely follows that level of paranoia.
What I am going to present as recommendations will start at the very low level and work up. When you reach your level of paranoia, stop. Basically, you are accepting a certain level of risk or exposure, and as long as you understand that risk, that is a decision that each of us makes.
Step 1: Triage. What I mean by triage is that you should categorize accounts into different piles based on the damage that can be done to you if that password is compromised. For example, I triage bank account passwords for online banking as very high. I triage passwords for my email as high and I triage passwords for sites like Fox News as low.
Why do I rate those sites that way? I rate my bank account as very high because I don’t want anyone to steal my money. Pretty simple. I rate my email passwords as high because if I forget a password for a particular web site, that site will likely email me the password or a link to reset my password. That means if a bad guy has access to my email accounts, they can get or reset many of my other passwords. I rate the password to Fox News as low, well, because it is Fox News.
One criterion is whether the account has access to my money. Another is whether the account stores my credit cards and hence, if the bad guys get access to that account, they can charge stuff. Other sites, like Facebook, might let people say bad things about me, but probably not much else. Finally, sites like news sites probably don’t have much sensitive information at all.
An example might be useful. Right now there is an issue with Verizon customers being charged for iPhones being sent to out of state locations, with plans set up and them being charged for the phone. That is an example of a web site where a hacker could charge things to my account, but can’t directly steal my money. You might have to yell and threaten Verizon, but eventually, they will figure out that you didn’t send that iPhone to Idaho.
How do the bad guys do this? One possibility is that people have chosen bad passwords for the online Verizon account and the hackers guess them and log in to order the phones. Another is that the hackers have access to these people’s email accounts and captured emails between Verizon and the customer to get enough information to pretend that they are the customer when they call Verizon to order the phone.
Unfortunately, you have to do this with each account. After a little while you will be able to very, very quickly figure out which pile to toss a particular account into.
Step 2: Create at least one password per triage level. Create a password for bank accounts and although it is a pain, make the password hard for a hacker to guess (because even though that is a pain, so is having your bank account emptied). Create another password for your email accounts and so on until you get down to Fox News. That password can be password if you like.
One rule that you can never break: DO NOT CROSS PASSWORDS ACROSS LEVELS. For example, never use a very high password on a medium risk web site. That way, if the medium risk site is hacked you don’t have to worry about your very high risk sites being compromised.
Step 3: Do not use the same userid across triage levels. This is a variant of Step 2. For many sites, but not all sites, if the hacker does not know your userid, they cannot request a password reset. Just trying to make things harder for the bad guys.
Step 4: Use a password manager. There are many different types of password managers and that is a whole separate chapter, but if you have too many passwords and userids to remember, use a password manager. There are many that are free. There are many that you can install on your phone. Do not save your passwords in your email or contacts, especially if you use an online service like Google Apps or Office Online. What you don’t want is for someone to hack your email password and have access to all of your passwords, including, for example, your banking passwords.
Step 5: Use different passwords for different accounts. Especially at the very high level of account that you are protecting, you may want to not reuse passwords, even within the same triage level. For example, if you have two bank accounts, you MAY want to use different passwords for each bank account. Depends on your level of paranoia. 🙂
Step 6: Use random complex passwords for each web site which only the password manager software stores. Some of the password managers integrate directly with the browser, which represents a security problem in itself, but ignoring that for the moment, some password managers will generate strong random passwords and automatically log you in to each web site as you visit it. This way, if any one web site is hacked, it will not affect any other web sites.
Step 7: Two-factor authentication. Many sites offer two-factor authentication. While the manner of two-factor authentication varies, the most common one is for the web site to send a one-time code to your phone via email or text message. After you enter your userid and password, the site sends the one-time code, which you must enter in order to complete the login. A few web sites use a device called a token which generates a semi-random password that changes every few seconds. If you don’t have the token, you cannot log in.
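The triage rules in Steps 2, 3 and 5 can be checked mechanically against a password-manager export. The script below is an added example, not code from the original post; its export format (site, level, userid, password) and the sample vault entries are constructed for illustration.

```python
# Added example (not from the original post): audit a password-manager export
# against the post's rules. Step 2 forbids reusing a password across triage
# levels, Step 3 forbids reusing a userid across levels, and Step 5 suggests
# unique passwords even within the "very high" level. Format and data constructed.
from collections import defaultdict

# Triage levels from the post, in increasing order of damage if compromised.
LEVELS = ("low", "medium", "high", "very high")

# Constructed sample vault: (site, triage level, userid, password).
SAMPLE_VAULT = [
    ("bank-a.example", "very high", "jsmith_bank", "Kq7!vR2#pLm9"),
    ("bank-b.example", "very high", "jsmith_bank", "Kq7!vR2#pLm9"),
    ("mail.example",   "high",      "jsmith",      "Tz4$wQ8%nB1e"),
    ("shop.example",   "medium",    "jsmith",      "Tz4$wQ8%nB1e"),
    ("news.example",   "low",       "jsmith_news", "password"),
]

def audit_vault(vault):
    """Return findings keyed by rule; each finding is the sorted list of
    (site, level) pairs that share one value. The shared value itself is
    deliberately not included in the output."""
    by_password = defaultdict(list)  # password -> [(site, level), ...]
    by_userid = defaultdict(list)    # userid   -> [(site, level), ...]
    for site, level, userid, password in vault:
        if level not in LEVELS:
            raise ValueError(f"unknown triage level {level!r} for {site}")
        by_password[password].append((site, level))
        by_userid[userid].append((site, level))

    findings = {"password_crosses_levels": [],    # Step 2 violated
                "userid_crosses_levels": [],      # Step 3 violated
                "very_high_password_reused": []}  # Step 5 advice
    for uses in by_password.values():
        levels = {lvl for _, lvl in uses}
        if len(levels) > 1:
            findings["password_crosses_levels"].append(sorted(uses))
        elif len(uses) > 1 and "very high" in levels:
            findings["very_high_password_reused"].append(sorted(uses))
    for uses in by_userid.values():
        if len({lvl for _, lvl in uses}) > 1:
            findings["userid_crosses_levels"].append(sorted(uses))
    return findings

if __name__ == "__main__":
    for rule, hits in audit_vault(SAMPLE_VAULT).items():
        for sites in hits:
            print(rule, "->", ", ".join(f"{s} ({lvl})" for s, lvl in sites))
```

On the sample vault it flags the mail/shop pair (same password and same userid across the high and medium levels) and the two banks sharing a very high password; the news site's weak password is not flagged because it is used nowhere else, which is exactly the post's point about low-level accounts.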
- Some web sites return your actual password to you in an email. An example of this is Mondaq, the British publisher. When I signed up for an account on the site, they sent me an email with my userid and password in it. Besides the fact that sending me my password in an unencrypted email is, shall I say, a bit of a security problem, it also means that they likely store the password on their site unencrypted, which is also a problem. It means that if that site is hacked, the hackers have access to your password and might try it at other sites to see if it works – kind of like finding a key and trying it in different locks to see where it works. It also means that a dishonest employee might have access to the passwords and might use them for personal gain. Another clue that a web site has access to your password is that when you say that you have forgotten your password, rather than sending you either a temporary password or a link to reset your password, they send you the password itself. If you discover a site like that, you should use a unique password for that site and not use that password elsewhere.
- Don’t use passwords that are words in the dictionary. There is software that can try passwords very quickly, and words in the dictionary are the first ones it tries.
- Passphrases sometimes are easier to remember. For example, the Beatles song Yellow Submarine starts out “In the town where I was born Lived a man who went to sea”. As a passphrase that might be IttwIwbLamwwts. Totally gibberish except to you.
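The first-letter passphrase above is one instance of a general recipe, and the dictionary bullet is a check any candidate should pass. The code below is an added example, not from the original post; it generalizes the recipe to any phrase and runs the result through a common-password and dictionary check. The word lists are small constructed stand-ins for the Splashdata list and a real dictionary.

```python
# Added example (not from the original post): derive a first-letter passphrase
# and check a candidate against the two bullets above. Lists are constructed.
import re

# Constructed: the two entries the post cites plus a few stand-ins for the
# rest of a published common-password list.
COMMON_PASSWORDS = {"123456", "password", "12345", "qwerty", "letmein"}
# Constructed: a tiny dictionary; a real check would load a full word list.
DICTIONARY = {"submarine", "yellow", "beatles", "town", "password", "sea"}

def passphrase_acronym(phrase):
    """First character of each word, case preserved, so only the person who
    knows the phrase can reconstruct it. Punctuation is ignored."""
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    return "".join(w[0] for w in words)

def rejection_reason(candidate):
    """Return None if the candidate survives both checks, otherwise a short
    reason. Matching is case-insensitive so Password and PASSWORD fail too."""
    low = candidate.lower()
    if low in COMMON_PASSWORDS:
        return "on the common-password list"
    if low in DICTIONARY:
        return "dictionary word"
    return None

if __name__ == "__main__":
    lyric = "In the town where I was born Lived a man who went to sea"
    candidate = passphrase_acronym(lyric)
    print(candidate, "->", rejection_reason(candidate) or "passes both checks")
    print("Submarine ->", rejection_reason("Submarine"))
```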