Oct 21, 2013

Passwords and all that security stuff

With all the security scares in the news, people are scrambling to change their passwords. So, here's my take on the subject. In fact, this is what I did/do in my own life. First, separate all your logins into three categories: the critical ones, the important ones and everything else. The distinction between these categories is the amount of aggravation and losses you would suffer if a malicious person were to steal your login and completely take over your account.


❧ Critical list: login theft would cause substantial losses and consequences. For me, the critical ones are my home and work computer logins, Quicken, email, bank, investments, health insurance, password manager (more on that one later). Compromised accounts on this list would result in substantial loss of privacy and money. This list must be kept to a bare minimum (a dozen at most).

❧ Important list: login theft would cause inconvenience and aggravation, but no irreparable damage. For me, this list includes sites where I've used my credit card, Facebook, Skype, kids' schools. You could argue that credit-card sites belong on the "Critical list", but I disagree. Your liability on a stolen and misused credit card is very small (something like $50). And since I do most of my shopping online, the number of my credit-card sites is probably in the "hundreds", and would certainly blow my at-most-a-dozen quota for the "Critical list".

❧ Everything-else list: login theft would cause a curse or a chuckle. Examples of items on this list for me are my subscriptions at various news sites.

How large are your "Important list" and "Everything-else list"? Mine are in the "hundreds" each. If yours are small, you may want to skip the next section and simply write down your logins (more on this heresy later).

Password Manager


For my "Important list" and "Everything-else list", I use a password manager. What is that? It is a program that remembers your passwords for you. I use Lastpass because it is simple and exists on all platforms, including my cell phone. A good article on password managers is Heartbleed Should Motivate You to Get a Password Manager. I agree with the author that using one is tedious and a pain, but that, like vaccinations, it is a necessary evil in the online world.

The "Critical list"


For the items on my "Critical list", I have made strong passwords and I carry them in my memory. I have also written down some hints for myself that would be meaningless to a stranger. There is no shortage of advice on creating good passwords. Here's the recommendation that I use; it comes from the highly respected cryptographer Bruce Schneier:
"My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal."

Create a good password - a walkthrough


❧ Get yourself a memorable phrase of at least 6-8 words that you already know and will not forget. Examples: title of favorite song, favorite quote, favorite book title (add author name if the title is too short), ...
❧ Take the first letter of each word in this phrase.
❧ Now apply a few transformations to the first-letters "word" from the previous step. Below are a few suggestions, or you can come up with your own:
  1. change letters that look (vaguely) like numbers into numbers, e.g. i=>1  e=>3  o=>0  s=>5
  2. add a punctuation mark after any letter in the 2nd half of the alphabet (n-z)
  3. double-up all vowels and add a punctuation mark between them, e.g. a=>a#a   e=>e#e
  4. replace every other character with its capital
  5. if a character appears more than once, put parentheses around its second occurrence
Example:
❧ Say you like "The only living boy in New York"  (a Simon and Garfunkel song)
❧ The first-letters of each word gives you TolbiNY
❧ Your password, version 1: Apply transformation #1 to get T0lb1NY (replace the 2nd letter with the number 0 and the 5th letter with the number 1), then apply transformation #3 (replace the only remaining vowel, i.e. Y, with Y#Y). The resulting password: T0lb1NY#Y


❧ Your password, version 2: If instead you apply transformation #4 followed by transformation #2 (with "~" punctuation), you get:    T~O~lBiN~Y~
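The walkthrough above, written out as a small Python script so the two versions can be reproduced and the transformations combined in any order. This is an added example, not code from the original post. It encodes the rules as I read them from the post: transformations #1 and #2 act case-insensitively (version 2 marks T, N and Y, so the 2nd-half-of-the-alphabet test ignores case), Y counts as a vowel because version 1 treats it so, transformation #4 capitalizes the 2nd, 4th, 6th, ... characters (matching TolbiNY -> TOlBiNY), and transformation #5 matches characters exactly; the function names and the `character_classes` self-check are mine.

```python
import string

# Constructed demo input: the song title from the post's own walkthrough.
EXAMPLE_PHRASE = "The only living boy in New York"


def first_letters(phrase: str) -> str:
    """Step 2 of the walkthrough: the first letter of each word, case kept."""
    return "".join(word[0] for word in phrase.split())


# Transformation 1: letters that look like digits become digits.
# Assumption: applied regardless of case (the post's example has only lowercase).
LOOKALIKE_DIGITS = {"i": "1", "e": "3", "o": "0", "s": "5"}


def t1_digits(s: str) -> str:
    return "".join(LOOKALIKE_DIGITS.get(ch.lower(), ch) for ch in s)


# Transformation 2: a punctuation mark after every letter in n-z.
# Assumption: case-insensitive, since the post's version 2 marks T, N and Y.
def t2_punct_after_nz(s: str, mark: str = "~") -> str:
    return "".join(ch + mark if ch.lower() in "nopqrstuvwxyz" else ch for ch in s)


# Transformation 3: double each vowel with a punctuation mark in between.
# The post's version 1 treats Y as a vowel, so Y is included here.
VOWELS = "aeiouy"


def t3_double_vowels(s: str, mark: str = "#") -> str:
    return "".join(f"{ch}{mark}{ch}" if ch.lower() in VOWELS else ch for ch in s)


# Transformation 4: capitalize every other character. The post's example
# (TolbiNY -> TOlBiNY) capitalizes the 2nd, 4th, 6th, ... characters and
# leaves the rest untouched.
def t4_alternate_caps(s: str) -> str:
    return "".join(ch.upper() if i % 2 else ch for i, ch in enumerate(s))


# Transformation 5: parentheses around the second occurrence of a repeated
# character. Assumption: exact-character match (case matters).
def t5_paren_repeats(s: str) -> str:
    seen = {}
    out = []
    for ch in s:
        seen[ch] = seen.get(ch, 0) + 1
        out.append(f"({ch})" if seen[ch] == 2 else ch)
    return "".join(out)


def build_password(phrase: str, *steps) -> str:
    """Apply the chosen transformations, in order, to the first-letter word."""
    pw = first_letters(phrase)
    for step in steps:
        pw = step(pw)
    return pw


def version1(phrase: str) -> str:
    """The post's version 1: transformation #1, then #3."""
    return build_password(phrase, t1_digits, t3_double_vowels)


def version2(phrase: str) -> str:
    """The post's version 2: transformation #4, then #2 with "~"."""
    return build_password(phrase, t4_alternate_caps,
                          lambda s: t2_punct_after_nz(s, "~"))


def character_classes(pw: str) -> set:
    """Which classes (lower, upper, digit, punct) the result contains: a quick
    self-check that the chosen transformations actually added variety."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


if __name__ == "__main__":
    print(first_letters(EXAMPLE_PHRASE))                   # TolbiNY
    print(version1(EXAMPLE_PHRASE))                        # T0lb1NY#Y
    print(version2(EXAMPLE_PHRASE))                        # T~O~lBiN~Y~
    print(sorted(character_classes(version1(EXAMPLE_PHRASE))))
```

`build_password` accepts any sequence of the five transformations, so a reader can try their own ordering on their own phrase; `character_classes` shows at a glance which of upper, lower, digit and punctuation a given ordering produced, which is the part of the recipe that makes the result different from a plain first-letters word.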

"Recalling" the password


You need to remember your memorable phrase and the transformations you use. Keep the transformations simple enough so that you can apply them as you are typing the first letters of each word in your memorable phrase.

WARNING: What I'm recommending below is considered heresy in security circles.
Use at your own risk.
You have been warned.

Here it goes: I think you should write your passwords down on paper. Obviously, do not tape this missive next to your keyboard, but write the critical ones down on paper, make copies of this paper and store them in multiple places in the "real world" (e.g. inside a few favorite books, a safe, a file cabinet). Here's my reasoning for this heresy: 
  • If you worry about forgetting, you are likely to create easy-to-remember passwords, and easy-to-remember passwords happen to be the ones that are easy for an online thief to figure out. If you don't believe me, or if you think your password is good because it is not in the dictionary, read If Your Password Is 123456, Just Make It HackMe, Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”, or No password is safe from new breed of cracking software.
  • Passwords need to be strong in order to prevent a hacker from getting into your account and wreaking havoc before you suspect anything. The risk of having a physical item (with your passwords sheet inside) stolen from you by a real-world thief, having the thief discover your passwords sheet, figure out what accounts are associated with it, and use it to wreak havoc on your online accounts -- all this before you notice the object is missing -- this risk is much smaller by comparison. If you realize the object with the written passwords is stolen, just change the passwords. And let's face it, how many thieves are going to go after your book collection?