Usable Security - Passwords

Some time back, I came to a few not-terribly surprising conclusions.

1) Security information gets dated, fast. As attackers become aware of a given tool, they work to circumvent it. What is a secure, safe practice one year may actually be a security hazard later on. This bad advice tends to get 'stuck' on the Internet, made even worse by the fact that Google still gives immense weight to stale - but highly linked - articles.

2) Security advice is often completely unusable. One example of unusable security is 'use a different password for every website, alphanumeric plus symbols and mixed case, write nothing down and never use a password manager'. Security advice you are forced to ignore is horrible advice.

3) Security advice can also seem like a massive checklist, rather than a way of thinking. At best, your eyes glaze over, and you ignore pieces of it or make a mistake. At worst, you spend hours ticking off each item, and then consider yourself safe.

Security procedures need to be usable, reasonable, and practical. It needs to be something that you will not only get a definite benefit from, but also advice you are willing and able to follow. This series of blog posts will focus on providing advice that you can actually use, rather than some impossible checklist.

As the title suggests, this first article will cover passwords.

If you think of the keys you have, you probably have a few that you consider important - your car keys, your house keys, maybe the key to a safe. If you own a business, you may have the key to that place, as well, and a special key for a secure room in that building.

Most people, however, do not need a lot of keys. If you have a lot of keys, it is either related to your job, hobby, or position, and in such cases, you handle that accordingly.

Passwords work, in a large part, the same way.

Just having a single password is a bad idea, and while having a separate password for each service is infeasible (and a bit silly), you will want to consider having a number of them-

• Your e-mail password.
• Your Paypal password.
• Another unique password for something you consider important. Keep track of what sites you visit over the course of a given month, and assign the important ones a unique, strong password accordingly.
• A common throwaway password that you use for everything that is not important. You use this on many sites.

The key here is to make sure that:

1. If your common password is compromised, you have not lost your financial security.
2. If your common password is compromised, you have not lost your personal security.
3. If an important password is compromised, you have not lost anything else important, at least not immediately.

If you are exceptionally paranoid, you can use a password keeping program like Password Safe or KeePass, for Windows, or Mac OS's keychain. You can manage a lot of passwords securely this way, but, of course - back up your password database!

When choosing how complex to make your password, you will want to consider the sorts of adversaries you will face.

The first, and most common, is the phisher and general hacker. They may try to get you to visit a website that looks like the website in question, and sometimes, the url may even look correct - but it is not, actually, the site you think you are on. Alternately, they may try to get you to simply visit a site that is capable of compromising your browser and machine, or to open a malicious file. Or your machine may be attacked directly by a botnet looking for vulnerabilities to exploit.

Ultimately, the only solution to this sort of attacker is not to fall for their ruses, and to keep your machines secure. While some of that belongs in future articles, a certain amount of common sense does apply - don't click on links from people you don't trust, and just because someone claims they are Paypal in an e-mail, does not mean they are. Always make sure you are in fact at the appropriate site in question when entering your password. Any site you consider important should allow login over ssl - that is, https://www.importantsite.com rather than http://www.importantsite.com - or better, force login over https. Check the security icon to make sure the site is who it claims to be. Obviously, adjust your paranoia to your situation. I always look at the bar when I am buying something via Paypal, for example, while just about every other site I either type in, use bookmarks, or do not particularly worry about.

The second, and still rather common, is the robot. The attacker in this case does not much care about you, personally, nor is overly interested in trying. Instead, they try to guess your password - and the password to millions of other accounts - by brute force. They typically using a list of common passwords, which can be thousands long for web services, or billions for trying to crack your password when they have the encrypted data in hand and can devote personal resources to it. At some point, however, you need to have some trust that the people who store your passwords are not idiots, and use various means to, at the very least, make brute force attempts difficult.

This, with some advice from below, tells us that the ideal password is not actually a password at all, but rather a passphrase. If my life would end if someone managed to brute force or guess it, you can bet that it is either a passphrase, or randomly generated garbage in a password keeping program encrypted with a good passphrase.

A passphrase is like it sounds - an amusing, nonsensical string, like
johnnyspilled14dropsOntothehighestfloor,$;

Don't use that one. Ideally, it should be something that amuses you enough that you can think it out regularly, and eventually memorize it.

I should point out that I don't type passphrases often. I have two. One protects my Password Safe database, and the other one protects my private key for this and other servers. I type them both in when my machine boots, and in the case of Password Safe, occasionally at later points as it times out after half an hour or so. Since most of my passwords are randomly generated nonsense created by Password Safe, I don't actually remember most of my passwords - I can't, actually.

Passphrases tend to be rather cumbersome on websites, however. If you are going to avoid KeyChain/Password Safe/KeePass and such, I would suggest using made up words, with numbers and mixed caps. Before I switched to Password Safe, I had a number of password 'schemes', such as-

Made up word and digits
sponced935 - low security password for most sites. Had a few of these.

Made up word with mixed case and prefix as well as postfix
x4Nubilon529 - high security password, used for e-mail, something with a similar scheme for Paypal, etc.

Ultimately, I find using Password Safe easier. The only time I resort to something like the above is for my laptop password, which has a limited set of characters, so I make the best of it.

The third is the targeted attacker. They may scour the web for details about you and potential vulnerabilities, personally try to gather information from you, a friend, or a co-worker personally, and try to exploit any vulnerability they can - typical human vulnerabilities. They may craft complex attacks targeting you specifically, which can take any number of forms. This is the sort of situation you face when you have actually made enemies, for one reason or another.

There is something to be said for the benefits of simply not making enemies. Professional courtesy and a mutual respect for most of humanity will go a long way for this, but of course, there will always be assholes in the world, or maybe you simply have something worth taking. Again, a lot of advice belongs in future articles, but some pertinent advice:

1. No password, ever, should be related to a detail of your personal life. It's simply a bad habit.
2. Related to the above, 'security questions' need to be cast into the deepest pits of Hell. I always answer gibberish for them. An alternative is to make up false information for them, especially if you are consistent. Some friends of mine have a different mother for every company they deal with.
3. If you are going to tie an account to a mobile phone, don't use your smartphone. Grab a cheap, not terribly smart phone from PlatinumTel or Net10, keep it up to date and just use it for emergencies and things like tying them to Google Accounts and Paypal. Ideally, it will not even be capable of browsing the web or connecting to a machine via bluetooth or a cord. It just needs to be able to send/receive calls, and text.

In a nutshell, it is important to treat your access to certain things - particularly your e-mail and financial accounts - with greater care. If you are not going to use separate passwords for each site, or a secure password storing program, you should at least use separate passwords for important sites.