A co-worker sent out an e-mail today about how he does his personal password strategy. It shocked me a bit that he was sharing as much information as he was -- especially the fact that he basically uses a fairly simple strategy and one password for all of his accounts, and it got me thinking. This post was originally a reply to his e-mail, but I didn't actually send it, because it seemed like I was just saying "I'm right and you're wrong." However, I have some strong feelings about passwords, so I felt compelled to write it down somewhere, even if it is on my obscure, seldom-updated blog that is only read by myself. For the most part, I think people know better, but just get frustrated by all of the passwords that they have to manage, so they take shortcuts in order to make life less miserable for themselves. As a long-time IT consultant, here are my recommendations on passwords. They are not original ideas, but the main point is that you need a well-thought-out strategy to deal with your passwords.
Use a Tool for Password Management
I would suggest a password tracking utility (KeePass, Password Safe, etc.), which encrypts your file of passwords. Put the encrypted password file on an encrypted USB device so that you will have your passwords where and when you need them (you should probably also load the software on your USB device so you can access the data from somewhere other than your own computer, using something like PortableApps). Additionally, passwords stored this way are protected by at least two layers of encryption (one layer on the drive, one or more layers in the software). Pick one up at Staples or Office Depot today.
Almost everyone I've talked to about this has a fair amount of frustration built up from trying to remember all of their passwords. I'm sure that we are all aware of the dangers of written passwords, or passwords stored in the clear. However, we all at some point get overwhelmed by the task of remembering all of our passwords, so we resort to shortcuts that are much less secure than they should be. I've seen DBAs (yes, more than one) pull up a shortcut on their desktop that points to a text file of all of the system passwords, as well as their own personal passwords -- stored in the clear. When you really look, we've ALL (myself included) done something at least that insecure.
A strategy of using an encrypted password tracking tool helps alleviate the pain of tracking all of your passwords, but still does it in a secure manner.
Use Multiple Passwords/Password Schemes
I would recommend against using the same password for all of your accounts. It's a can of gas waiting for a lit match. We all have personal bank accounts, forums, social networking sites, etc. that we have passwords for. When I last looked, I had at least 30 passwords to keep track of -- that's 30 systems that contain a password of mine. If you use the same password in all of your accounts, then your security is only as good as the weakest system that you use. I would submit that your personal e-mail account should have the STRONGEST password of all of them, as most systems use e-mail to trigger a password reset. You should also not use that password on ANY other account.
In coming up with a password strategy, I would suggest breaking down your accounts into different layers:
- Accounts you use, but wouldn't care if they were compromised (your delicio.us account, car repair forums, etc.) -- low-risk accounts that pretty much contain information that is all public anyway.
- Accounts you care about, but that contain semi-public (less sensitive) information (Facebook, LinkedIn, RememberTheMilk, etc.)
- Accounts that contain sensitive information (LAN/email accounts at work, accounts with your utility company, bank account, etc.)
- Your personal email account. This should have the most secure password, but people often use a weak one here, and leave it in place for years.
As an example, I used to have an account on lifehacker.com, one of the sites owned by Gawker Media. For their site, I used a weak, easy-to-remember password on it because everything in that account was public information with no need of protection -- "posts" to a forum. The only risk in someone getting that password was that they could have posted in my name. Possibly a reputation risk, but not a big risk. Well, Gawker Media was hacked this year. The hackers got my personal e-mail address and they got my Gawker password. Had I been using the same password on my personal email account, they could have gotten access to not only my email, but most likely, to every account I've ever had -- and they could have easily searched my email to see which bank I bank with, etc. If your personal email gets hacked, you're toast, as most online accounts use your email as part of their password reset procedure.
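The Gawker lesson above is easy to check for mechanically. What follows is an added example, not code from the original post: it audits a password inventory (the kind of list a password manager can export) against the four tiers described above. Account names, tier assignments and passwords in `SAMPLE_INVENTORY` are constructed for the demonstration, and the audit works on SHA-256 fingerprints so it never needs to hold plaintext passwords once the inventory is built.

```python
"""Audit a password inventory for reuse across the post's account tiers.

Added example; the inventory below is constructed, not real data.
"""
import hashlib
from collections import defaultdict

# Tiers follow the four layers in the post (higher number = more sensitive).
TIER_THROWAWAY = 0    # public forums, bookmark sites
TIER_SEMI_PUBLIC = 1  # social networking sites
TIER_SENSITIVE = 2    # work LAN/e-mail, utilities, bank
TIER_EMAIL = 3        # personal e-mail: the hub every password reset goes through


def fingerprint(password: str) -> str:
    """Short SHA-256 fingerprint so the audit compares hashes, not plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def audit(inventory):
    """inventory: list of (account_name, tier, password_fingerprint).

    Returns a sorted list of findings. Severity follows the post's argument:
    sharing the e-mail password anywhere is critical, sharing a password across
    tiers is high, and reuse within one tier is low.
    """
    accounts_by_fp = defaultdict(list)
    for account, tier, fp in inventory:
        accounts_by_fp[fp].append((account, tier))

    findings = []
    for users in accounts_by_fp.values():
        if len(users) < 2:
            continue  # unique password: nothing to report
        tiers = {tier for _, tier in users}
        names = sorted(account for account, _ in users)
        if TIER_EMAIL in tiers:
            findings.append(f"CRITICAL: e-mail password shared with {names}")
        elif len(tiers) > 1:
            findings.append(f"HIGH: password shared across tiers {sorted(tiers)} by {names}")
        else:
            findings.append(f"LOW: password reused within tier {min(tiers)} by {names}")
    return sorted(findings)


# Constructed sample: a throwaway forum password that is also the e-mail
# password (the Gawker scenario), and a social-site password reused at a bank.
SAMPLE_INVENTORY = [
    ("gawker-forum", TIER_THROWAWAY, fingerprint("hunter2")),
    ("car-repair-forum", TIER_THROWAWAY, fingerprint("hunter2")),
    ("facebook", TIER_SEMI_PUBLIC, fingerprint("Sunny-Day-2011")),
    ("bank", TIER_SENSITIVE, fingerprint("Sunny-Day-2011")),
    ("personal-email", TIER_EMAIL, fingerprint("hunter2")),
    ("utility-co", TIER_SENSITIVE, fingerprint("Q7x!vRp2#mLz9")),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

Run against the sample, the audit reports one CRITICAL finding (the forum password is also the e-mail password) and one HIGH finding (the Facebook password is reused at the bank); the utility account, with its own unique password, produces nothing.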
You Should Lie
OK, honesty is really the best policy, but consider this point. Social networking websites are a goldmine of personal information that can be used if you are launching a targeted attack of some sort -- or even as a tool for finding good targets. Interestingly enough, social sites also frequently highlight information that could be used to hack a lot of people's accounts using "password reset" tools -- especially if you have access to their personal email account. For example, what are the security questions that you get asked when you have to reset a forgotten password?
- What is your mother's maiden name?
- What is your favorite color?
- Where were you born?
- Who was your best friend in High School?
- Where did you go to High School/College, etc?
- What year were you born?
- etc.
- "Do the people that I'm giving this information to really have a NEED to know it?"
- "What is that need, and does the need also benefit me?"
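The overlap between reset questions and a public profile is easy to demonstrate. The following is an added example, not code from the original post: it takes a constructed profile page and a constructed set of truthful answers to the questions listed above, reports which answers the profile already gives away, and generates replacement answers that have nothing to do with the truth (the kind you store in the password manager next to the account).

```python
"""Check reset-question answers against what a public profile exposes.

Added example; PUBLIC_PROFILE and TRUTHFUL_ANSWERS are constructed sample data.
"""
import re
import secrets

# Constructed: the sort of details a social-network profile page shows.
PUBLIC_PROFILE = """
Born in Springfield, 1975. Went to Lincoln High School, class of '93.
Favorite color: blue. Mother: Mary Johnson (nee Smith). Best friend: Tom.
"""

# Constructed: truthful answers to the reset questions listed in the post.
TRUTHFUL_ANSWERS = {
    "What is your mother's maiden name?": "Smith",
    "What is your favorite color?": "blue",
    "Where were you born?": "Springfield",
    "Who was your best friend in High School?": "Tom",
    "What year were you born?": "1975",
}


def exposed_answers(answers, profile_text):
    """Return the questions whose answer appears as a whole word
    (case-insensitive) in the public profile text."""
    text = profile_text.lower()
    exposed = []
    for question, answer in answers.items():
        pattern = r"\b" + re.escape(answer.lower()) + r"\b"
        if re.search(pattern, text):
            exposed.append(question)
    return exposed


def random_answer(nbytes=12):
    """A reset answer unrelated to any fact about you: 12 random bytes
    (96 bits) rendered as a URL-safe string. It is not memorable on purpose;
    it lives in the password manager with the account it belongs to."""
    return secrets.token_urlsafe(nbytes)


def replacement_answers(answers):
    """Fresh random answer for every question, so no two sites share one."""
    return {question: random_answer() for question in answers}


if __name__ == "__main__":
    for question in exposed_answers(TRUTHFUL_ANSWERS, PUBLIC_PROFILE):
        print("exposed by profile:", question)
    for question, answer in replacement_answers(TRUTHFUL_ANSWERS).items():
        print(f"{question} -> {answer}")
```

With the sample profile every one of the five truthful answers is recoverable from the page, while none of the generated replacements is, which is the whole point of lying to the reset form.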
In a Nutshell
I'm not trying to go all "Conspiracy Theory" on anyone or cause any panic. However, whether we realize it or not, each of us has enemies of some sort -- ex-spouses, a ticked off former co-worker, a building contractor that you made mad one day, the Cable Guy, a neighbor who doesn't like how you look, that kid that you "pantsed" in Junior High who just found you on Facebook, someone who you cut off in traffic and they wrote down your license number. I'm not sure if you can still do it, but with a simple phone call to the DMV, I once got a name and phone number, based on the license plate number of a car I wanted to buy -- imagine how surprised this person was when I called about the car (they didn't sell it to me, by the way...). Just by living, you have ticked off some people in life. In addition to these people, there are plenty of strangers out there, fishing (and phishing) for targets. These are your enemies when it comes to security.
If one of those enemies suddenly decides to cross the line and go all Hacker, they can make a mess of your life if you have one password everywhere and they get ahold of it. Given enough time and a specific target, a Hacker can get a long way. The task here is much like locking your car doors or putting cable locks on a laptop -- it's nothing more than a deterrent -- it won't totally prevent a criminal from breaking in, but the harder you make it and the more time consuming it becomes, the higher the risk, and the more likely the criminal will be to move on to some other target. Your job is to make your passwords hard to crack, but accessible to yourself when you need them. Use a tool to simplify password management, use multiple layers of passwords/strategies, and lie -- use false information when the information is not needed by the system you are accessing. It's easier than you think.
I know that just in writing this, I've remembered several "chinks in the armor" of my own security strategy -- things that I've known I need to fix but have procrastinated. I will be making some changes, and I invite you to re-examine your security and make changes where they need to be made.