Michael Cordell's Blog

Passwords: a Primer

You may have heard that you should use a random password to protect yourself. Or that you should use a different password on all your different online accounts. Or that you should use some r@nd0m characters in your password. This article serves as a short primer on passwords and why they are more and more of a problem. If you don’t read further than this paragraph: the key to passwords and password management is finding a reasonable level of security with a tolerable amount of inconvenience.

Why are passwords a problem?

Passwords are becoming more and more of a problem for two reasons: a) we use more and more online services, and b) the processing power available to attackers keeps increasing. This short scenario illustrates how your identity gets stolen and life becomes very inconvenient:

![Kitten Mittens!]({{ site.url }}/images/Kitten-mittons2.jpg)

You shop at charlieskittenmittens.com and buy your cat a lovely set of mittens. Before you check out, you create an account because you might want to buy more kitten mittens later. All is well and your cats are not making too much noise. Unfortunately, two months later Charlie’s web server gets hacked and in the process the attacker steals the database of usernames and “encrypted” passwords. Charlie was at least smart enough not to store the passwords in the clear. What he actually does is hash them: he takes your password, performs a complicated (in terms of computer processing) math equation on it, and stores the result rather than your password. The idea here is that Charlie never “knows” your password. He “knows” only the answer to that long equation. When you log in to his site you enter your password, the calculation is done again on what you entered, and that result is compared to the answer he stored. If the two results match you are logged in. Unfortunately, Charlie chose a bit too simple of an equation, and a common one at that. The attackers have huge precomputed tables of the results of this equation for common passwords, so if your password’s result is in their table, they know your password. With your password they then try to get into your associated email, if you left one with Charlie. If it unlocks your email, this is game over. The attacker will quickly begin changing your banking passwords (it doesn’t matter how strong those are if they can just send a reset email to the email account they now own). From here things go downhill quickly…
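The two halves of the story above, the lookup-table attack on a fast unsalted hash and the storage scheme that defeats it, can be shown in a few lines. This is an added example, not code from the blog or from any real site; the "precomputed table" is a constructed toy holding four common passwords, and the iteration count is an assumption you would tune to your own hardware budget.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a tiny stand-in for the attackers' huge table of
# precomputed results, mapping unsalted hash -> password for common passwords.
COMMON_PASSWORDS = ["password", "123456", "kittenmittens", "letmein"]


def naive_hash(password: str) -> str:
    """Charlie's 'too simple an equation': one fast, unsalted hash (SHA-1)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


PRECOMPUTED_TABLE = {naive_hash(p): p for p in COMMON_PASSWORDS}


def lookup_naive(stored_hash: str) -> Optional[str]:
    """With the leaked database in hand, the attacker just looks each hash up.
    Returns the recovered password, or None if the hash is not in the table."""
    return PRECOMPUTED_TABLE.get(stored_hash)


# Hardened storage: a random per-user salt plus a deliberately slow key
# derivation function, so no table computed in advance is of any use and each
# guess costs the attacker real CPU time.
ITERATIONS = 200_000  # assumption: raise until verification takes ~100 ms on your server


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to keep in the database: salt, cost, and derived key."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-run the same calculation on the login attempt and compare the results,
    using a constant-time comparison so timing does not leak partial matches."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    leaked = naive_hash("kittenmittens")
    print("unsalted SHA-1 recovered via table:", lookup_naive(leaked))
    record = store_password("kittenmittens")
    print("salted PBKDF2 in table:", lookup_naive(record["hash"]))
    print("login with right password:", verify_password(record, "kittenmittens"))
    print("login with wrong password:", verify_password(record, "kittenmitten"))
```

Two things to notice when you run it: the same password stored twice yields two different records because the salt differs, so a table keyed on the hash alone cannot be built, and the only way to test a guess is to repeat the slow calculation per user.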

So what can you do?

From this story we can glean some lessons and perhaps find a balance for password management. First, it is clear that the email password is the crown jewel; we must protect it as though it were our SSN. Second, we see the problem of account coupling. If attackers can link your accounts together (usually through stored emails and perhaps a bit of googling), they can compromise every account that shares a password. Maybe you have a different email password, but how easy is it to find your facebook/twitter account from your email?

In order to solve these issues I will list out options and you will have to try what works for you. I rated them on complexity: 0 being things that absolutely must be done, and each higher number being incrementally more secure but perhaps more inconvenient.

Level 0

Level 1

Level 2

**Whatever you do, use a strong passphrase for your main password (see diceware above).**

Level 3

Level 4

What doesn’t work

A side note on tiering

What follows does not agree with current security dogma, at least none that I have read. As such, use it with caution.

My idea behind tiering is to achieve a bit more convenience in exchange for negligible security trade-offs. The concept is simple: choose a level of security based on what type of account you are trying to secure. On accounts that truly don’t matter you can get away with weak security. On accounts that really matter, you want to be as secure as possible. The real problem here is that it requires critical thought about what type of account it is when setting up passwords or entering them. This may make the system more hassle than it is worth, depending on how quick you are to assess and remember.

I use this rough system for deciding on security:

#### Master accounts

Banking, email, accounts that secure sensitive data, accounts that are used as a passport to other accounts (facebook, twitter)

#### Business accounts

Stuff related to work

#### Shopping accounts

Accounts that are used to buy anything (even if they claim not to store your CC).

#### Subscription accounts

Netflix, Xbox, etc. These fall into the shopping category, but I teased them out for special attention

#### Any account with my real name and important email attached

#### Everything else

Working up, I use a single insecure password for the first level, and move up in terms of security as I get higher up the list. At the top we are in the level 4 range and the rest use mostly level 3. I find this method offers me more convenience with an acceptable level of security trade-off.