I am sorry to let you know that your email has been hacked. Or if it hasn’t, then it will. Very soon.
When I first got into this Internet thing, say some 16 years ago. I made my first email address at HoTMaiL (bonus points if you also made it when it wasn’t part of Microsoft). And I was asked for a password.
Actually it was probably the first time I had to make a password. I had no idea what a password should look like, so I just went and made something like “ilove[random girl which I liked at the time]”.
Then I made a GeoCities website. That one also required a password, so I went with the same one for GeoCities.
And then I joined a bunch of sites. Each time I had to write a password, I used the same old password.
This password policy (use the same trivial password on a bunch of sites) probably describes the vast majority of people in the Internet. I know a bunch of people who do this, and actually send me their password by email so I can login somewhere and fix something for them.
“But who’s going to -want- to hack little old me?” they say. And I’d have to agree that most people in the world, me included, are so irrelevant in this world, that nobody will even consider the possibility of trying to get into their email accounts. And even if they did, what will they find? Emails from mom showing off her latest gadget? A small, easy-to-remember password for every site is a very simple solution, and the risk of forgetting a complex password very much outweights the perceived little probability of getting your password brute-forced and your account hacked.
And there lies the main problem. Passwords, by themselves, are a complete nuisance. Most people see passwords as one annoying barrier between “I want to see my email”, and “I saw my email”. In fact, I’d say a lot of people would be happiest if there were no passwords at all. These people are the ones who keep their computers with no password, and have their browser remember their passwords.
Sysadmins would love for everybody to have really long randomlike passwords, and have us change them to a completely different password every 14 days. Some actually enforce this, but eventually people end up using stupid substitutions like !L0V3Y0u, and then !L0V4Y0u, and then !L0V5Y0u. Character substitutions are not only useless, but also troublesome when you use symbols and happen to live outside of those magical realms where they only have one type of keyboard layout.
It is a cost-benefit problem. It’s not that the risk of losing control of your online identity isn’t low (even when you do completely idiotic things such as sending yourself passwords via email). It’s that the cost of remembering secure passwords is so high, and the risk of locking yourself out when you forget your secure password is even higher, that people resort to either using the same trivial password, or writing it down on a post-it note below your keyboard, which is even worse.
So fast forward a few years. Now I have a ton of accounts in websites, Linux servers, banks and local libraries. I arbitrarily decided that some of these accounts are “more important” than the rest, so I decided I should make a “secure password”. This is a random, somewhat long password, that took me a huge amount of effort to remember, and that’s what I used for the “important accounts”. The rest used another simpler password. Now I felt “secure”.
Well, maybe my “secure password” was tougher (but not impossible) to crack. But was this a good solution? As I mentioned before, who would like to hack my account? I’m so irrelevant in this world…
Fast forward to the present. Indeed, I remain being irrelevant, and there’s no reason I can think of why somebody would actually want to pinpoint target me. Are all my accounts safe?
I think we’re missing the entire point of password policies. Unless you’re a security door standing between James Bond and the villain, I can pretty much guarantee you that the odds of somebody wanting to brute-force your password are minuscule.
No. The real problem is not brute-force. The real problem is moron sysadmins who store plain-text passwords, or non-salted passwords (which is basically the same) in their databases; session hijacking; and phishing attacks. Hackers won’t try to brute-force your password. They’ll plant some traps, and expect you to give them your password at some time. Unlike the brute-force defense of “I’m too unimportant to be hacked”, these threats are very real, and it is just a matter of time until either you fall, or some site you have trusted with your passwords, falls.
Finally, there’s another threat I haven’t mentioned. If you happen to use netcafes, unsecure WiFi connections (or with WAP, which is exactly the same), use other people’s computers, or simply use a laptop in a public place, your passwords may get stolen as you write them, using extremely hi-tech expensive tools, less expensive tools, or even with the old “watch the password as it is typed over the shoulder”.
This is a matter of damage minimization. Suppose that your password, secure or not, is already known to somebody else. Once you interiorize that, I would like you to agree with me that your password policy is pathetic. You may want to use the “I use two-factor authentication, therefore I am better than you” defense (which hopefully won’t give you a false sense of security). But what about all those other dozens, if not hundreds of sites that you must use, and don’t let you use other ways to secure your login?
Good passwords are long, random, and most importantly, unique. You should be able to painlessly change a password each time you have the slight feeling it may have been compromised, each time your sysadmin wants you to, or whenever you just feel like it, and still be able to remember them. I am able to do that, and some other things. And I am going to explain to you how I did it.
You know where this is going. Use a password manager. I had been very reluctant to do so, simply because I believe that it means putting all the eggs in the same basket, and losing them to some hacker or in the memory hole is a risk too big to even consider. But the way in which I implemented my password manager is good enough for me. I have been using it for some six months, and I couldn’t be happier.
So without any more foreshadowing, I’d like to introduce my setup: I’m using KeePass. It’s an open source password manager that securely stores your passwords in a file.
Since KeePass only requires the software, the passwords file, and the master password to open, I store both the passwords file and the software in my Dropbox public folder. That way, I have my passwords file synchronized, and I can access it at home, at work and in my android phone. The dropbox password itself is also inside the passwords file. So even if disaster strikes, and I lose access to my home and office computers, and the phone, I still have access to all of passwords.
I also have a linux server, which downloads the passwords file from the public folder once a week (using cron) and stores it in a completely different location, which is publicly accessible via HTTP. This file is for the “Dropbox got pwnd like MegaUpload” scenario. But is also useful if I happen to lose my file at Dropbox, either accidentally or maliciously.
So far, this scheme allows me to recover my file in a wide array of situations. Now, let’s talk about the master password. Or dare I say, master passphrase. It has been widely proved that a long passphrase is both safer and easier to remember than a short complex password. But since a passphrase is easier to remember, it is also easier to change: KeePass allows you to set a time limit on your master passphrase. I set it to 30 days, and once a month, I just think of a new passphrase and change it! It’s much easier to remember one passphrase, than a bunch of passwords for a bunch of sites.
So what about this passphrase? It is long, and easy to remember. My current passphrase is 45 characters long, but trivial for me to remember. I just imagine a bizarre scenario, such as “A garden hose vibrated over the latte drinking cosmonaut”, and make that my passphrase. Sometimes it gets a little tricky to remember, so I just make a small drawing in a post-it, that reminds me of the scenario. Even if somebody sees the drawing, and knows that it represents my passphrase, it is so crude that it is basically impossible to derive the passphrase out of it. I eventually end up destroying the post-it after a few days when I completely remembered the new passphrase.
So now I have a secure scheme, that also lets me recover the password file in even the most unimaginable scenarios. Let’s now talk about how I use the software.
Each site gets a different password, and sometimes a different username. Some sites have some password policies that are… let’s say stupid (such as the bank, which only lets you use a 4 digit PIN). Others impose minimum complexity requirements, while others have arbitrary restrictions. But that’s okay. KeePass allows you to randomly generate passwords which you can fit into any password policy. For everything else, I go with the KeePass default of 20-character alphanumeric, which rounds to some 110 bits of entropy. When I want to change a site password, I just generate a new one.
The Windows version of KeePass also allows you to automatically input the password with several methods (Ctrl-Alt-A is my favorite). This makes it very convenient for me when actually using the passwords. KeePass also provides clipboard auto-clear, database auto-lock, file transactions, memory curtaining and secure desktop database unlock. I strongly recommend you use all of these settings (and understand what each one does) for maximum security.
But good things also come with goodies! By using a password manager, not only I get to have my passwords stored. I also get the websites remembered. Have you ever done the obligatory and arbitrary sign-up for some obscure website, and then one year later, when you are forced to use the site again, ask yourself “have I sign up here?”. Well, with KeePass, each password comes right with the website I registered at, so I don’t have to remember whether or not I have signed up.
And last, but not least, KeePass allows me to store non-web passwords. Things like game passwords, Linux logins, VNC logins, credit card numbers, complex (two-stage or more-stage passwords) and even important phone numbers can be safely stored in KeePass.
So far, I have been using this scheme for a long time, and not only I consider myself safer, but it has also simplified my life in many aspects.
Before I finish, I would like to talk about some other tools or schemes I considered, and why I think they are to be avoided.
- The password remember scheme in common browsers: It is a complete waste of time. You cannot carry it around between computers, or even between browsers in the same computer. If you lose it, it’s game over. Okay, maybe your super-browser does it, but even then, it doesn’t do non-web stuff, and is hardly as feature-packed as a dedicated password manager.
- LastPass, 1Password and friends: Please avoid these things like the plague. In cryptography settings, open source is the only way to go. Please do not trust your passwords to a third party, even when it is “the cloud”. If you don’t know how your passwords are being stored, they are effectively not being securely stored. And they even have the nerve to want to charge you money for “premium features”.
- OpenID and friends: Once again, you’re trusting somebody else different from yourself, to keep your data private. If a site forces you to use one of these frameworks, I’d recommend you make a new user for every site.
Okay, now let the flaming begin.