On keeping passwords and accounts

Bronze lock locking a chain across an old wooden door, painted green.

Lately there have been some high profile password issues. Twitter discovered a log that was logging passwords in cleartext (this is eminently avoidable if you have an internal security team that’s properly empowered to train developers not to do this sort of thing). GitHub too.

I have several recommendations on keeping your accounts secure:

  1. Try not to use the same password for every site. The reason for this is that once you provide a password to a site, you are then trusting that all the strangers who run that site are handling your password correctly, and that they won’t abuse it. The possibility is wide open that these strangers (or even just one among them) are bad actors – that they now know the password you used with this website. The worst case scenario is that they’ll find a way to share it with the black hat (criminal) hacker community. After that, even the most random password probably ends up in a universal password guessing dictionary. So it’s not safe to use the same password for every site that you use.
  2. Avoid guessable passwords. If you must use words (to remember these numerous passwords), use more than one word, and use words that aren’t related. E.g. “flowerstamen16” is worse than “flowervolcano27”. Better still would be more unrelated words, like “flowervolcanoshielddynamic72”. (Note to hackers and users: these are examples, not in use by me. In fact, never use literal examples people provide, because it’s trivial for them to end up in password guessing dictionaries. Instead, if you must follow examples, come up with your own specific passwords that are not literally these examples.)
  3. Because, if you follow my advice in point 1, you’ll have a proliferation of passwords, consider using a password manager. I use LastPass, but others prefer 1Password or Dashlane. Since these three services store your passwords (deeply encrypted and otherwise protected) online, some more paranoid and old school folks instead use utilities like KeePass, which store passwords locally on your hard drive. With that choice you lose the convenience of being able to access your passwords from anywhere, but you gain security. With KeePass and similar products, the passwords never leave your own computer (you do have to trust that the authors of KeePass, e.g., aren’t surreptitiously sharing your passwords, but you have to trust LastPass, et al. similarly). LastPass is a bit finicky, but it’s relatively inexpensive and provides a lot of control – perfect for a geek like me. 1Password and Dashlane are both good for less technical users, or those less inclined to put up with quirks.
  4. Since you’re using a password manager, switch your passwords to random or semi-random passwords. These manager utilities will help you create random passwords that are very complex and have as much randomness as each site will allow. Get to the point with your password manager where, like me, your passwords for each site are unknown to you (you can look them up if you want to). Let the password manager pick and set your passwords and only remember the master password for the manager. This helps fix issue 1, where even if a site’s administrators are black hat hackers, the fact that they have your password for their site does them no good – because all of your passwords are both different for each site, and as random as possible.
  5. Also, since you’re using a password manager, if a site allows you to pick a username (especially banks), make that as random as possible too.
  6. Another benefit of a password manager is that you have an opportunity to randomize those dumbass “Security Questions”. I’m glad that sites are phasing these out or at least allowing open, unvalidated answers, but “Security Questions” are about convenience, not security. They’re there to make it easier for the company providing them, not to make your security better. The reason is that most answers to security questions are, by and large, guessable. A hacker could use your security questions to bypass even a very secure password, if you answered these questions honestly. But if you have a password manager, you can generate, and record in your password vault, random answers to these questions. The password manager will help you both generate them and remember them. What, for example (not a real example), was the place where I first met my sweetie? The well known restaurant, “eFlUN TEArHEn THESTAmi”.
  7. Use 2-factor authentication (aka 2fa). This is a per-site/per-service setting. Some sites and services don’t support 2fa, but many do, and the number is growing every day. You can look at the Two Factor Auth List or just check each site or service that you use. 2fa adds an additional layer of security in the form of a frequently changing (every 30 seconds or so) pseudorandom code. For a simple way to do this, you can use a 2fa authenticator app on a smart phone (preferably your own – services that use 2fa can ask for a new code at awkward times). Some sites will send you codes to your phone via SMS text messages. For more complicated (but also more secure) 2fa, you can use a 2fa token, like a YubiKey. But be warned – not all sites support this. The list of authentication apps is growing, but I use LastPass Authenticator, Google Authenticator, and Authy, primarily. I prefer LastPass Authenticator and Authy because they are smart phone apps that independently lock. But when I set a lot of these up, LastPass had an annoying bug that didn’t allow me to set up more than one code per URL (but it looks like they fixed that, so I may switch away from Google soon).

Got any other suggestions?


2 responses to “On keeping passwords and accounts”

  1. Good post and a subject near and dear to my heart!

    I like the xkcd correct horse battery staple style of passwords as referenced here https://xkcd.com/936/

    There is a lovely python library that allows you to generate those passwords easily called xkcdpass that is pipable. In general longer is always better. I’ve been known to pull in words from generally unknown non-English languages as well. Think Klingon, Welsh, Potter spells, Tolkien words and other generally bizarre languages to keep the passwords memorable and hard to dictionary.

    • Looking at this comment again, my only concern here is that if you are remembering your passwords, you may be using too few passwords and may be reusing passwords. Depends on the number of sites you sign up for and use. I have 1033 different passwords in my LastPass vault. But I do sign up for services relatively more frequently than most people I know. I think I personally know/remember perhaps 6 or 7 passwords and have the vault remember the rest.

      I do like that you may use xkcdpass (and that it’s pipable). I also like that you use non-English words. Anything that makes the randomly generated space larger is good!
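Point 2 of the post and the xkcd-style comment above both come down to how much entropy a passphrase carries. The following is an added example, not from the post and not xkcdpass itself: it draws words uniformly with the secrets module and estimates the bits for a given word-list size, so you can compare a word passphrase with a manager-generated random string (point 4). The tiny word list is constructed for the demo; real lists are thousands of words.

```python
import math
import secrets

# Constructed stand-in for a real word list; xkcdpass-style tools ship thousands of words.
DEMO_WORDS = [
    "anchor", "basalt", "cobalt", "dunes", "ember", "fjord", "glacier", "hazel",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def passphrase(words, n_words=4, sep="-"):
    """Pick n_words uniformly and independently with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(wordlist_size, n_words):
    """Entropy in bits when every word is drawn uniformly from the list.
    Related or predictable words shrink the effective list, and so the bits."""
    return n_words * math.log2(wordlist_size)


def random_string_bits(alphabet_size, length):
    """Entropy of a manager-generated random string over an alphabet of that size."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Fewest uniformly chosen words from a list that reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print("sample passphrase:", passphrase(DEMO_WORDS))
    # Four words from a 7,776-word (Diceware-size) list vs. 16 random alphanumerics
    print("4 words / 7776-list :", round(passphrase_bits(7776, 4), 1), "bits")
    print("16 chars / 62-alpha :", round(random_string_bits(62, 16), 1), "bits")
    print("words to match that :", words_needed(random_string_bits(62, 16), 7776))
```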