The always wonderful xkcd has a great comic 792 starting as above, talking about the dangers of password re-use. Along those lines, comic 936 has the caption “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” The point here is it’s easy to find bad password management advice on the internet. In fact there’s plenty of good advice as well, it just tends to get drowned out. So for this week’s post, I pulled together my notes on how to deal with the pain of password management.
If you don’t think or read much about passwords, and who among us really can stand thinking about it, then you might hold a common misconception and believe putting special characters and numbers into your passwords makes your accounts safe. That belief comes from assuming that the most common way to crack into an account is by computers randomly guessing your password. But that approach is rarely used in the real world.
Another misconception is that most hackers try to hack into your bank accounts, and guess the password there. But again, that’s not quite how it’s done.
How hackers break into accounts
The primary hacking point is actually email, not bank accounts. This is because by taking over your email, a hacker can reset passwords on all your other financial accounts. Some common approaches are:
- Phishing – sending you a forged email, which appears to be from a bank or a friend, that asks you to log into your account. It takes you to a fake web page, you log in with your normal password, and you’re toast.
- Duplicate passwords – most people use a single password for everything. So if you have a scam site or just a site that’s not run very well like a discount retailer on the web, you can lose your login information pretty easily. And if it’s the same for your other accounts then all your accounts are lost, not just the one you didn’t care about.
- Human engineering – calling you up on the phone and pretending to be a helpdesk, spinning a story asking for your password. For example, there’s a famous case where Mat Honan had his Apple iCloud account hacked by someone calling up Apple on the phone and tricking them. Great story.
- Unsecure computer – Sometimes you need to check your email from a internet cafe or some other non-trusted computer. In that case, keylogging can lift your password.
- Stealing your phone – this is fairly common and a great way to get access to someone’s accounts.
- Password dictionary – hackers don’t randomly guess passwords. Instead they use password dictionaries which contain the top 10 million or so passwords and try them.
What you’ll notice about number 6 above is that having numbers, characters, etc in your password doesn’t help much. blink182 is not a secure password. It’s at the top of the common password list. Dates, names, and variations on them are also common. Anything likely to be in a password dictionary shouldn’t be used. And what’s worse is all the ways above except for the last one can get you hacked regardless of your password strength. Password strength is only important in the sense that you need to avoid using something in password dictionaries. Once you’re good enough to avoid being on a common password list, it doesn’t help too much to get more complicated.
What hackers do – identity theft
So what do hackers want if they get control of your email account? What they want is identity theft. All your info. Either used directly, or else sold to a third party. Usually both. They want your contact list to spoof other people. They want to pull identity info from facebook, twitter, etc. They want your bank and billing accounts to get your money. If you did not read the story above, I want to give the link again because it gives a real feel for how it works. A typical first move is to pull everything out of your account and then delete everything, so all your historic email and contacts are gone. But sometimes a phantom account is set up to siphon up other people in phishing schemes. Regardless, once you lose your email account, you’ll normally get everything deleted before you can get your account back.
How to manage passwords
I have at least 20-30 online accounts I use regularly. Banks, airlines, bills, magazines, credit cards, newspapers, music, etc.
There are some clever ideas out there for remembering passwords. For example you can take a phrase and use first letters of that. Or even better just string four random words together like “horse moon bank flower”, since most modern sites allow very long passwords. But in the end I’m not buying the whole approach. You have so many accounts that even with tricks I don’t believe you can remember them all unless you duplicate them. So this means writing them down somewhere.
Personally, I use the password manager LastPass to manage my passwords. If you don’t know what a password manager is, it’s a browser plug-in that can log you into websites, and it remembers all your passwords and can autogenerate complex ones. It uses a single master password to get access. I use different passwords for all my key websites, anything dealing with money, and anything dealing with identity. So that would be banks, credit cards, facebook, twitter, email, etc. Then for sites I don’t worry about, like say the NY Times, I have a single password I use for them that is rather generic. If those accounts get hacked I don’t care too much.
I have LastPass set up so that it logs out if I shut my browser or if it’s been unused for more than an hour. In practice, I don’t log in that often, so even at work it’s not that much of a risk to use it. And I can just shut my browser down if I want to make sure LastPass is loggged out. I also bought the corresponding phone app which allows me to look up passwords with my phone, so if I need my Netflix password for example to log in from my Tivo I can pull it up. Like my web browser, on my phone I have it set up so I have to log into the app each time to get at my password list. A password manager isn’t perfect, but it solves the duplicate password problem.
Another approach is to have a secure text file with your password list. For example in Evernote you can secure your note with a passphrase using the desktop client. Then you can decrypt that note using a browser or a phone app. This works fine as well if you don’t want to go to the trouble of setting up a password manager. I would say paper is a way to go as well, but to be honest I think those days are past. Your phone is your paper, so having a text note you can access on your phone and in your browser in a secure manner is better than paper.
What’s the minimum? Well I think you just use different passwords on at least a few basic accounts – email, banks, social identity – then that’s a minimum that would at least avoid the duplicate password hack from catching you. You could in fact put that small list on paper if you wanted to.
There are a lot of secure password phone apps out there, but most are way to paranoid and complicated. They make you jump through lots of clicks and hoops, and I’m not sure you’re getting much value from them. If you choose something besides LastPass, I think the best approach is still to stick with a password manager that’s browser based like LastPass, with a tie-in to a phone app. If you just have the phone app it’s too much of a pain to use a computer web browser and you’ll give up.
Two factor authentication
Once you have a password manager (or a secure text file) to let you avoid duplicate passwords, the next thing to do is set up two factor authentication on your email account. What this means is that if you try to log into your email from a new computer, then you get a text message on your phone with a security code you have to type in to get into your email. It’s called two factor or two form authentication because you need something besides just your password to get in. Gmail’s explanation is here.
One additional annoyance is that two factor authenticate is a pain when you need to sign into your account to allow access to a third party. For example, I have to use my google sign in on my TiVo to watch favorited YouTube videos. And Tivo doesn’t do two factor authentication. So you have to generate something called application specific passwords (one time passwords) for those uses. Like I said, it’s a bit of a pain, but as more and more of the world moves on line, this is just a cost of living in the world.
You’ll note that two factor authentication goes a very long way to avoiding most of the hacking methods listed above. It’s very important. I also tend to just get my email using my phone when I travel anymore, so the need to use foreign computers has gone down greatly with the rise of smartphones. This avoids the keylogger problem.
Careful on back up accounts
I’ll put one other trick here, which is to be very careful about cross-linking your back up accounts. By this I mean putting your gmail account as a back up to your Apple iCloud account and vice versa. If you do this, then once you lose one you lose another. For me, I keep the gmail as my primary and if I lose that I’m done, but at least that one has two factor authentication.
Use a passcode on your phone
If you travel a lot especially, your should enable a passcode on your phone. Personally I leave my turned off for work and home, which is most days. But if I travel or I’m going to a ballgame or something, then I turn it on. If you travel often or tend to lose your phone, you probably want to keep the passcode on all the time.
So that’s it: a) password manager with unique passwords, b) two factor authentication on your email (careful about cross linking), and c) passcode on your phone. The whole thing is very tedious and boring, but you’ll regret it if you don’t do it.