Can you remember your passwords? That's bad.
By Michael Argentini
Managing Partner, Technology and Design
If all of the recent corporate network security hacks (like the recent SONY Pictures Entertainment debacle) haven't scared the bejesus out of you, you must be a sociopath; stop reading and move along. But if they have, welcome to humanity. Let's talk about the first line of defense in protecting your identity online so that you don't become an explicit target or collateral damage: passwords.
Before I dig in to the password strategy, here are some facts regarding passwords, and credential security in general, to keep in mind.
- Passwords need to be long and random.
The longer the better. The more random the better. And using upper and lower case letters, along with symbols like # or $, will increase the strength of your password.
- There is an inverse correlation between password strength and memorability.
This is where the friction lies. In order to have strong security, we need to give up some level of convenience. Is it worth it? Absolutely, yes.
- Memorable data does not make for a secure password.
Data like your birth date, telephone number, and cat's name, are too easily guessed, researched online, socially engineered, or brute forced using a dictionary attack.
- Security questions can completely mitigate security measures.
When asked for your high school mascot or mother's maiden name remember that not only are these types of questions very easy to research online, they completely ruin a good password strategy. One day websites will realize this and stop asking these ridiculous questions.
- Password retrieval should scare you.
Sites that allow password retrieval (as opposed to forcing you to change it) have a copy of your password. Even if they encrypt your password on their systems, they also must have the key to decrypt them. If a website security vulnerability is ever exploited by malicious hackers, they, too, will have your password. Not good.
The following are some basic steps you can take to regain confidence in your privacy. My hope is that if you follow these initial steps, you'll increase the level of security for your personal information. You should also gain a better overall understanding of just how important it is to take control of this chore, so that as new threats arise, you'll be able to take the necessary steps to address those concerns as well.
At this point I hope that you're suffciently concerned and ready to make a change. You've been naughty. But there is hope!
Step 1: Change your mindset.
You need to have a particular mindset regarding your credentials for websites and services, as well as an awareness of all the ways you can inadvertently give the keys to someone of ill intent.
You need to understand and accept that you can trust no one, and that even if your personal information is stored with a completely trustworthy source, their systems can be exploited by malicious hackers. Trust no one. Trust no computer. Trust no website or service.
Take control of your identity and credentials. You need to think of your credentials as a credit card. I get a slight uneasy feeling every time I have to hand my card to a restaurant server, knowing they will walk away to charge the card in a secluded back room. A fair amount of credit card fraud is made possible when someone gets your card and copies the information down prior to returning it to you. This is just one scenario.
It's a scary feeling. But it isn't merely F.U.D. Imagine having to sit at a hotel courtesy workstation to print out your boarding pass. Nervous yet? You should be. Ask yourself questions like the following before you take your seat.
- Whose computer is this? Do they have an interest in knowing my personal information?
- Is this computer being secured properly in order to protect the personal information of those who use it?
- Is a key logger installed, which keeps track of every key I press for some criminal intent? What about a screen capture tool?
- Is the WiFi connection encrypted? Are the website connections encrypted? Can someone watch the data flying through the air or over the local network?
- Did I bring an extra pair of underwear, in case I suddenly realize that I just gave this computer enough information to wreak havoc on my personal life?
As I stated previously, there is no practical reason to have passwords that can be remembered. In fact, quite the opposite is the case. If you can't guess or remember your passwords, it's likely that others won't be able to either, provided the passwords are strong. Besides, in most cases you can tell a website to reset your password if you forget what it is.
Step 2: Use unique passwords.
Using the same password on multiple sites (or all sites) means that once any of the sites is compromised by malicious hackers, they potentially have access to all of the sites and accounts you use. It also means that you'll have to visit every site and change your password each time there's a successful security vulnerability exploit. Fun!
Here are some tips for using unique, strong passwords without being driven to gouge your eyes out with sticks:
- Use a password manager app, like LastPass or 1Password, which has a web browser extension and mobile device support. These apps make it super simple to create new passwords, and also to sign in to sites securely.
- Create a strong master password to use with your password manager app. Remember this. Write it down if you have to. And if you do, don't include anything but the password. Don't label what it's for. And treat it like a credit card. Keep it safe in your wallet or purse. Hide it in a book; whatever it takes.
- Use device biometrics (like Apple's Touch ID) to simplify password manager operation; to make it more convenient to use without reducing security. Basically, do what you have to do to ensure that you WILL use the software.
- Sync your password manager data to cloud services like Dropbox, so you can access your credentials across all of your devices. This will increase the likelihood that you WILL use the software. Make sure that the password manager app you choose encrypts your data locally (on the computer or other device) before syncing. That way an exploit of the cloud service will give the attacker a blob of entropy that is incredibly difficult or even impossible to decrypt via brute force.
Step 3: Abuse security questions.
Remember the earlier point about security questions being a horrible idea? I lied. Well, not entirely. They really are a bad idea. But if you abuse them, they're great.
Abuse them? Well, what I mean is, don't use them for their intended purpose. If the question asks for your birth date, mother's maiden name, high school mascot, etc., you shouldn't tell them the truth. Instead, for each question create a strong, unique password as the answer. Make them unique per site. If you get to enter your own question and answer pair, choose something like "Password2" for the question and use the same strategy.
It's against our better nature to lie (I did tell the sociopaths to leave at the outset, right?) But this is one case when it's imperative to be deceptive and unpredictable. Besides, the password manager app will do the heavy lifting when it's time to fill in the answers.
Step 4: Use multi-factor authentication.
Multi-factor authentication is a method of authenticating using something other than a piece of knowledge (like a password); perhaps including something you have. You've probably already encountered this. If a site requires that you sign in and then emails you a code to complete the sign in, that's multi-factor. Codes sent to your mobile phone are another example. Yes, they're less convenient. But they're also very strong protections. When used in your overall password strategy, it doesn't get much safer to shop and create content online.
Step 5: Raise your awareness.
You need to be very aware of what sites you're connecting to, how they treat your personal information, and how seriously they view security in general. That means reading their privacy statements and watching how they sign you in, among other things.
Here are some tips that cover the most important considerations, to get you thinking about other possible concerns.
- For the most important sites, read their privacy statements. Understand what you're giving up in order to use their services.
- Sites that force you to reset your password (as opposed to recovering it) are likely to only keep a hash of your password, which generally can't be reverse-engineered by a malicious hacker if they gain posession of it. This is not annoying. This is good.
- Sites that require a complicated password are not annoying. Learn to like these a lot. It's one indicator that they're concerned with their internal security and your privacy. Besides, you don't have to memorize your passwords, right?
- Always use an encrypted connection when signing in to a website or service (https not http). If that's not possible, connect to the Internet using a VPN and then sign in. Both methods are great ways to keep the connection private.
- Sign out when you're finished using a site. If you don't, another site (in another tab or window) can potentially access the authenticated site using methods like a cross-site scripting attack. Your password manager app will make signing back in each time really easy, so no worries here.
Note that in the case of a VPN, corporate network traffic can be watched by the company's IT department or sometimes by others on your subnet. So using encrypted website connections is preferred over VPN connections when it's one or the other. Using both would be fantastic.
Step 6: Distributing credentials...
Inevitably, you'll find that you need to give someone a set of credentials to access a website or service. Below are some tips on how to do so in the most secure manner possible. Remember that this should only be used as a way to get someone authenticated so that they can immediately change their password.
- Don't do it. This is always the safest option. Is there another way to achieve your goal?
- Opt to invite the recipient to join the website or service using any built-in invitation feature, allowing the person to set and control their own password.
- Use separate delivery methods for each credential. Send the recipient the user name via one method, like chat or SMS, and send them the password using another, like a voice call.
- Obscure the content. Wrap the credential in other gibberish, or compress it with encryption. Again, send each credential using a different method. Give the recipient the decryption code or unwrapping instructions using yet another method, like a voice call.
- Hide the context. Don't include the website URL or service name, your name, email address, or anything else that provides a way for a man in the middle to identify what he or she is seeing.
- Leave no trace. Once you're done, clear the history, delete the email, purge the SMS messages, and otherwise remove any trace of what you've sent. Cover your tracks.
IMPORTANT: If you have to send someone credentials, it is vital that they change their password once they have access.
This isn't overly cautious digital parenting. This stuff is important and could very well save your butt, or at least prevent a giant headache. The hijacking of digital identities and financial assets is on the rise, and very well may be the most lucrative crime in human history. The only winning move is not to play.
Here's your homework:
- Purchase a password manager of your choice. Give it a strong master password. Install it on all your computers and mobile devices.
- Make a list of the websites you frequent most often. Visit each one, and change your password, using the new password manager to generate strong ones that look intimidating; 12 characters or longer with lots of mixed case and symbol characters.
- Get accustomed to this new paradigm. Visit these sites and sign in. Revel in the fact that you don't know the passwords. Breathe.
- Change your remaining passwords over time. As you visit sites that you frequent less often, the password manager will ask you to add the site to its database after you sign in. When that happens, use it as an opportunity to change the password.
Security, security, security. Eventually all of your credentials will be unique and strong, and you can breathe a little easier.. until the next article. Ha!
Comments? Opinions? Use the form below to send me a note. I'd love to know your thoughts.
Article last updated on 4/21/2018