Passwords: a Primer
30 Aug 2013
You may have heard that you should use a random password to protect yourself. Or that you should use a different password on all your different online accounts. Or that you should use some r@nd0m characters in your password. This article serves as a short primer on passwords and why they are more and more of a problem. If you don’t read further than this paragraph: the key to passwords and password management is finding a reasonable level of security with a tolerable amount of inconvenience.
Why are passwords a problem?
Passwords are becoming more and more of a problem because of a) our increased use of online services and b) the ever-increasing processing power available to attackers. This short scenario illustrates how your identity gets stolen and life becomes very inconvenient:
You shop at charlieskittenmittens.com and buy your cat a lovely set of mittens. Before you check out, you create an account because you might want to buy more kitten mittens later. All is well and your cats are not making too much noise. Unfortunately, two months later Charlie’s web server gets hacked and in the process the attacker steals the database of usernames and hashed passwords. Charlie was at least smart enough not to store the passwords in the clear. Hashing means that he runs your password through a one-way function (a computation that is cheap to do but impractical to reverse) and stores the result rather than your password. The idea is that Charlie never “knows” your password; he only “knows” the output of that function. When you log in to his site you enter your password, the same function is run on what you typed, and the result is compared to the one he stored. If the two match you are logged in. Unfortunately, Charlie chose a fast and very common hash function, and he did not add a random per-user salt. Attackers keep huge precomputed tables of hash outputs for common passwords (and against a fast hash they can also compute billions of fresh guesses per second on commodity GPUs), so if your password’s hash is in their table, they know your password. The server-side defense is a salted, deliberately slow password hash such as bcrypt or scrypt, which makes every user’s hash unique and every guess expensive, but you do not control what Charlie does. With your password they then try to get into your associated email if you left one with Charlie. If it unlocks your email, this is game over. The attacker will quickly begin changing your banking passwords (it doesn’t matter how strong those are if a reset email goes to an account the attacker now owns). From here things go downhill quickly…
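To make the Charlie scenario concrete, here is an added example (not code from the original post) of both sides of it in Python: a leaked table of fast, unsalted hashes cracked by nothing more than a dictionary lookup, beside the salted, slow scrypt scheme that defeats the same lookup. The user names, passwords and “leaked” records are constructed for the demo, and the candidate list is a five-entry stand-in for a real cracking dictionary.

```python
import hashlib
import secrets

# ---- Charlie's scheme: a fast, unsalted hash (MD5). Identical passwords give
# identical hashes for every user on every site, so one precomputed table
# cracks them all.
def store_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """hash -> password for a candidate list. A rainbow table is the same idea,
    compressed, with billions of entries."""
    return {store_unsalted(p): p for p in candidates}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """user -> recovered password for every stored hash found in the table.
    No hashing happens at crack time: it is a pure dictionary lookup."""
    return {user: table[h] for user, h in leaked.items() if h in table}


# ---- The fix on the server side: a random per-user salt plus a deliberately
# slow, memory-hard KDF (scrypt here; bcrypt or Argon2 are the usual alternatives).
def store_salted(password: str, salt: bytes = None) -> tuple:
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = store_salted(password, salt)
    return secrets.compare_digest(candidate, digest)  # constant-time compare


def crack_salted(leaked: dict, table: dict) -> dict:
    """The same table lookup against salted records finds nothing: the table
    was built without each user's salt, so the attacker now has to run scrypt
    once per guess per user instead of looking the answer up."""
    return {user: table[d.hex()] for user, (_, d) in leaked.items() if d.hex() in table}


# Constructed sample data (not from any real breach).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "fluffy"]
USERS = {"alice": "letmein", "bob": "fluffy", "carol": "wuLLr6tFdy2s"}


def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked_md5 = {u: store_unsalted(p) for u, p in USERS.items()}
    leaked_scrypt = {u: store_salted(p) for u, p in USERS.items()}
    return {
        # alice and bob fall instantly; carol's random password is not in the table
        "unsalted_cracked": crack_unsalted(leaked_md5, table),
        # nobody falls to the lookup once salts are involved
        "salted_cracked": crack_salted(leaked_scrypt, table),
        # same password, same MD5 hash: one crack covers every user with that password
        "same_password_same_hash": store_unsalted("fluffy") == store_unsalted("fluffy"),
        # same password, different salts: different digests, no shared work for the attacker
        "same_password_same_salted_hash": store_salted("fluffy")[1] == store_salted("fluffy")[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note what salting does and does not buy you: it stops precomputation and forces the attacker to attack each user separately, and the slow KDF makes each of those guesses cost real CPU time, but a password that is itself in a short common list (“letmein”) still falls, just more slowly. That is why the advice below is about the password you choose, not only about what the site does with it.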
So what can you do?
From this story we can glean some lessons and perhaps find a balance for password management. First, it is clear that the email password is the crown jewel; we must protect it as though it were our SSN. Second, we see the problem of account coupling. If attackers can link your accounts together (usually with stored emails and perhaps a bit of googling), they can compromise accounts that share passwords. Maybe you have a different email password, but how easy is it to find your Facebook or Twitter account from your email?
In order to solve these issues I will list out options and you will have to try what works for you. I rated them on complexity: 0 being things that absolutely must be done, and each higher number is incrementally more secure but perhaps more inconvenient.
- Protect your email with a very strong password. What is a strong password? Diceware is a solid way to generate strong passphrases: you roll dice to pick words at random from a fixed list, and a passphrase of five or six such words is both memorable and far beyond what a cracker can guess. Do not use this password anywhere else. Another, less secure, option is to tier your email accounts: one account used for all your superfluous stuff and one you use to communicate with colleagues and bank with. If you tier in this fashion you have the added benefit of less spam in the account you care about.
- You must also treat other services that store a lot of your data with the same level of scrutiny as your email. This means services such as Google Drive, Dropbox, SugarSync, etc.
- Use different passwords for different accounts. Even if the attacker wasn’t able to get into your email, maybe he got into your Facebook and used it to send malware to your friends.
- Different passwords for different accounts is a hassle. One partial solution: use a base password such as fluffyl0vesm3 for all sites and append the name of the site, so your Facebook password becomes fluffyl0vesm3fbook. Be aware that this only helps against automated password reuse: a human attacker who sees one leaked password will spot the pattern and try the obvious variants on your other accounts, so do not rely on it for the accounts that matter.
- Use two-factor authentication where you can. It is offered by Google and Dropbox. Two-factor authentication means two forms of identification are verified, usually something you know (a passphrase) and something you have (your cell phone, for example). It is not a perfect solution (a second factor can still be phished along with the password), but it will certainly stymie a lot of attackers.
- Use a password manager. A password manager can in theory make life as easy as it is for you right now (with your single password that goes into everything) while giving you long random passwords for every site. The major problem with this method is that it is a single point of failure: an attacker who gets into the password vault gets everything. Second, it is inconvenient because you have to carry the vault with you wherever you may need passwords. For what it is worth, most technical people I know use password managers.
- KeePass: free and open source. Expect to pay in your time as you find ways to make it work with your browser, carry it around, etc.
Whatever you do, use a strong passphrase for your master password (see Diceware above); everything in the vault is only as strong as that one passphrase.
- Password manager with two-factor auth. This solution offers convenience and a reasonable amount of security. A popular option is a YubiKey, a small USB stick you carry that serves as the something-you-have factor. Another is Google Authenticator as the second form of ID. I know that either method works with LastPass and suspect that the other paid services also support two-factor auth.
- Memorized (not stored in a manager) Diceware passphrases for the majority or all of your accounts.
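The Diceware procedure recommended above, and the arithmetic behind “strong”, as an added Python example (not from the original post). The real Diceware list has 6^5 = 7776 words, one per five-dice roll; to keep this runnable offline the block uses a constructed 36-word list indexed by two dice, so `DEMO_WORDLIST` is a stand-in and the entropy figures for real use come from `DICEWARE_LIST_SIZE`. The dice are rolled with the OS CSPRNG (`secrets`), never with `random`.

```python
import math
import secrets

# Real Diceware: five dice, 6**5 = 7776 words, one per roll "11111".."66666".
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed scaled-down list for this demo: two dice, 6**2 = 36 words, indexed
# by roll "11".."66". It is NOT the real Diceware list; use the real list and
# five dice for an actual passphrase.
DEMO_WORDLIST = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "gavel", "hedge", "igloo", "jelly", "kayak", "lemon",
    "maple", "noble", "olive", "piano", "quilt", "radar",
    "salsa", "tulip", "ultra", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dwarf",
    "ember", "flint", "grape", "hazel", "ivory", "jumbo",
]


def roll_dice(count: int) -> str:
    """Roll `count` fair dice with the OS CSPRNG; returns e.g. '31' or '45213'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def word_for_roll(wordlist: list, roll: str) -> str:
    """Map a roll string to a word: the digits 1..6 are base-6 digits of the list index."""
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return wordlist[index]


def generate_passphrase(wordlist: list, n_words: int) -> str:
    """One independent roll per word, so every word is uniform over the list."""
    dice = round(math.log(len(wordlist), 6))
    if 6 ** dice != len(wordlist):
        raise ValueError("wordlist size must be a power of 6 (one entry per roll)")
    return " ".join(word_for_roll(wordlist, roll_dice(dice)) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each uniformly chosen word adds log2(list_size) bits (about 12.9 for Diceware)."""
    return n_words * math.log2(list_size)


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected search for a uniform secret is half the keyspace."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(DEMO_WORDLIST, 4))
    for words in (4, 5, 6):
        bits = entropy_bits(words)
        # Assumed attacker speed: 10^12 guesses/s, i.e. a fast unsalted hash on a GPU rig.
        print(f"{words} Diceware words = {bits:.1f} bits, "
              f"~{expected_years_to_crack(bits, 1e12):,.0f} years at 1e12 guesses/s")
```

The passphrase is only as random as the dice: picking “random” words from your own head, or reordering the words you rolled because you dislike them, throws the entropy calculation away. Six words is the common target; at a trillion guesses per second it is still thousands of years of expected work, whereas six words from the 36-entry demo list is only about 31 bits and falls in under a second.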
What doesn’t work
- Single words and names: these will fall quickly in the attack scenario above. You might as well be using “password”. Moreover, password crackers’ guessing just gets easier with each passing day.
- Mangling: by mangling I mean something like tayl0rm@de. This is only slightly better. If you thought of a way to mangle the word, expect attackers to be mangling their dictionaries the same way; cracking tools ship with rule sets that apply exactly these substitutions, case changes and appended digits to every dictionary word.
- Writing passwords down: I feel like the movie War Games covered this about 30 years ago… but there you go.
- Common phrases (“lifeislikeaboxofchocolates”): these are working their way into many password-cracking dictionaries. Your passphrases need to be random words, not quotations or song lyrics.
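As an added example (not from the original post), here is a small Python version of what the mangling point and the base-password-plus-site-name point both come down to: a rule-based guess generator of the kind cracking tools use, and a “pattern extractor” a human attacker would apply to one leaked password. The leet table, suffix list and site-token table are constructed subsets; real rule sets are thousands of rules long, which only makes the argument stronger.

```python
import itertools

# Constructed subset of the substitutions a cracker's rule set applies to every
# dictionary word. Real rule sets also try years, keyboard walks, reversal, etc.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SUFFIXES = ["", "1", "!", "123"]


def leet_variants(word: str):
    """Every keep-or-substitute combination for each character of the word."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(word: str):
    """Enumerate the guesses a rule-based cracker derives from one dictionary word:
    three casings x all leet variants x a few suffixes, de-duplicated."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                guess = variant + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def guesses_until(word: str, target: str):
    """How many guesses the rule set needs before it hits `target` (None if never)."""
    for n, guess in enumerate(candidates(word), start=1):
        if guess == target:
            return n
    return None


# The base-password-plus-site-name scheme: once one password leaks, the pattern
# gives away the rest. Constructed example of the site tokens an attacker tries.
SITE_TOKENS = {
    "facebook": ["facebook", "fbook", "fb"],
    "twitter": ["twitter", "twit", "tw"],
    "gmail": ["gmail", "google", "goog"],
}


def guess_from_leak(leaked_password: str, leaked_site: str, target_site: str) -> list:
    """Strip the known site token off the leaked password to recover the base,
    then re-attach the target site's tokens as suffix and prefix."""
    guesses = []
    for token in SITE_TOKENS[leaked_site]:
        if leaked_password.endswith(token):
            base = leaked_password[:-len(token)]
        elif leaked_password.startswith(token):
            base = leaked_password[len(token):]
        else:
            continue
        for t in SITE_TOKENS[target_site]:
            guesses += [base + t, t + base]
    return guesses


if __name__ == "__main__":
    print("guesses to reach tayl0rm@de:", guesses_until("taylormade", "tayl0rm@de"))
    print("rule-set size for one word:", sum(1 for _ in candidates("taylormade")))
    print("twitter guesses from the Facebook leak:",
          guess_from_leak("fluffyl0vesm3fbook", "facebook", "twitter"))
```

A few hundred guesses per dictionary word is nothing against a fast hash, and that is with a toy rule set; the number that matters for a random Diceware passphrase is the size of the word list raised to the number of words, which no rule can shrink.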
A side note on tiering
What follows does not follow current security dogma, at least none that I have read. As such, use it with caution.
My idea behind tiering is to achieve a bit more convenience in exchange for negligible security trade-offs. The concept is simple: choose a level of security based on what type of account you are trying to secure. On accounts that truly don’t matter you can get away with weak security. On accounts that really matter, you want to be as secure as possible. The real problem here is that it requires critical thought about what type of account it is when setting up passwords or entering them. This may make the system more hassle than it is worth, depending on how quick you are to assess and remember.
I use this rough system for deciding on security:
- Master accounts: banking, email, accounts that secure sensitive data, and accounts that are used as a passport to other accounts (Facebook, Twitter)
- Business accounts: stuff related to work
- Shopping accounts: accounts that are used to buy anything (even if they claim not to store your credit card)
- Subscription accounts: Netflix, Xbox, etc. These fall into the shopping category, but I teased them out for special attention
- Any account with my real name and important email attached
Working up, I use a single insecure password for the first level and increase security as I get higher up the list. At the top we are in the level 4 range and the rest use mostly level 3. I find this method offers me more convenience with an acceptable security trade-off.