Wednesday, January 9, 2013

Password best practices

I am creating this post for friends and family as a guide to help them create better passwords and better protect their important data. If any of this is not clear or needs some editing, let me know. I'll save the hardcore technical details for other posts for the curious.


Passwords

Let's start with passwords. I am not going to lecture you about reusing passwords, since I do it all the time. It would be nice if we could create a new password for every website, but in 2013 that is impossible without a password manager, and with all the networked devices (phones, media boxes, etc.) we still have to remember a few without the help of one. I just checked Firefox and I have over 250 logins and passwords. So you are inevitably going to reuse passwords. Password reuse is probably the second most common cause of breaches, just behind guessing weak passwords. In a perfect world you would never reuse a password and would choose a unique, random one for every account. But last I checked, the world we live in is pretty far from perfect.

The downside to reuse is that if a bad person (aka a hacker) compromises a database of usernames and passwords, and yours is in there and easily cracked, they can try all the common sites and gain access to a bunch of your accounts. So keep in mind that you are going to have to go through and periodically change all of these too, unless you use a much longer and less crackable password. So let's work on developing an easy-to-use system for creating passwords.

First, separate your passwords into two categories: 'who cares' and 'uh-oh, my life is ruined!' The 'who cares' category is for sites like Yelp, Starbucks, etc. If someone gained control of those accounts, it would be a pain and embarrassing, but life would go on. The other category covers sites such as your bank or credit card, your email and, sad as it seems, Facebook; losing one of those could be very unfortunate. So what you want is a way to create a password system that is unique per site but still memorable.

The point is that a longer password you can remember is better than a shorter, cryptic one you are prone to forget. But because most people are forced by password policy to create something with uppercase, lowercase, numerals, symbols, etc., they usually pick something short and meaningless, the bare minimum to comply with the policy. What I want to do here is show you how to create memorable passwords that are also very secure.

Let's say that for the sites that aren't really important you come up with a stock password; for this example I am going to use 'LiveFresh.BajaFresh1'. I have a Baja Fresh cup next to me with that saying on it, and I added the 1 and the uppercase letters so you won't typically run afoul of a site's password policy requirements (uppercase, lowercase, digit, some other character). You could also do 'LiveFresh@BajaFresh1982' or something along those lines. Now you could reuse that one on all your non-financial sites.

Now for the critical and financial sites, you want a method or system, not just one password. As in the example above, I am going to use an object that is nearby, 'MacBookPro@', and this time personalize it for each site. Say I have an account at Bank of America: I am going to use the password 'MacBookPro@BofA1990', and for an account at Citibank, 'MacBookPro@Citi2002'. You can add the personalization as you see fit, but these are much better than 'B0fA123+' or whatever else you will easily forget. You may run into some really strict sites that won't allow dictionary words, so you could just leave out a couple of vowels or whatever gets you around that. Some policies also restrict the maximum length to 15 or 12 characters. You will have to work around those by shortening, but only do it for those sites! A longer password is a more secure password.

Check your passwords here: https://www.grc.com/haystack.htm
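As an added example (not code from the original post), here is a small search-space calculator in the spirit of the haystack page linked above, run over the passwords from this post; the per-class alphabet sizes it uses are an assumption modelled on that page.

```python
import string

# Character classes and the alphabet size each one contributes once it appears.
# Sizes follow the haystack convention (assumption): 26 lower, 26 upper,
# 10 digits, 33 symbols (32 ASCII punctuation characters plus the space).
CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation + " "), 33),
}


def classes_used(password: str) -> list[str]:
    """Names of the character classes that occur in the password."""
    return [name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)]


def alphabet_size(password: str) -> int:
    """Smallest class-based alphabet an attacker must enumerate."""
    return sum(CLASSES[name][1] for name in classes_used(password))


def search_space(password: str) -> int:
    """Candidates a brute force of every length up to len(password) over that
    alphabet would try: the sum of n^k for k = 1..L (the haystack figure)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)


def meets_policy(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """A typical site policy: a minimum length plus a number of character classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


if __name__ == "__main__":
    # The short 'compliant' password from the post next to the long, memorable ones.
    for pw in ("B0fA123+", "MacBookPro@BofA1990", "LiveFresh.BajaFresh1"):
        print(f"{pw:22} classes={len(classes_used(pw))} alphabet={alphabet_size(pw)} "
              f"space={search_space(pw):.3e} "
              f"offline @1e11 guesses/s: {years_to_exhaust(pw, 1e11):.3g} years")
```

The figure is for a blind brute force; if an attacker already knows the structure (nearby object + site name + year) from a previous breach, the realistic number of guesses is far smaller than the search space suggests.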


Separate Browser Profiles

One thing I do as an added security measure is use multiple Firefox profiles depending on what I am doing. I have one profile for each bank account and then a few others depending on the task. I have an NSFW profile with no personally identifiable information (well, nothing real anyway) for those times when you have to click on a URL-shortened link from an untrusted source (i.e. bit.ly, tinyurl, etc.). This way, if you do end up somewhere that does something unfortunate to your browser, you can just delete the profile and start over. It also keeps your banking info fairly safe from that type of exploit. If you have a profile that you only use to visit Chase, you can be pretty sure that you aren't going to pick up malware there and that no one is going to grab your saved passwords via some exploit.

Also, bookmark this site:  https://www.virustotal.com/#url

If you ever get a shortened URL and are unsure whether it is safe, check it there first. You can also check files on your computer with them.


MISC

Some other general tips (which I will expand into their own post eventually):

Don't rely on any one device or service as the only copy of content you can't reproduce. For instance, if you have pictures of your child, do not keep them stored in one place! I'm not even going to let you decide how to do this: go get a removable hard drive. Now copy all your pictures and the documents you created onto this hard drive. OK, that is a good start. Have family nearby? Good, drive over, drop that drive off and have them hang on to it. If you can afford it, buy two of the same drive and keep one to use and the other offsite (a family member's or friend's house is fine, just password protect it). And update it at least every 6 months!

This is what I do. I don't expect everyone to follow it, but it would be a good idea to find some middle ground. I have two sets of removable drives, which I call A and B. The A set has 3 identical drives, and the B set has 2. For the A set, I have one drive in a safe deposit box, one in a fireproof safe and the third on my desk. Every quarter (3 months), I sync up the two drives I have at home. I then take one to the bank and swap it. Once I get home, I sync up the last drive. So theoretically, on Jan 01 all drives are the same, with one being offsite. Worst-case scenario, on March 29th the house burns down and I lose both drives at home (fireproof safe does not mean the media will survive), but I still have the one at the bank. The same goes for the B set, except that it only has two drives and is for long-term archive storage. I generally don't even swap it from the bank unless I have some big changes. The other reason I have multiple drives is that the drives I use (Western Digital) use hardware encryption, and if the encryption module fails, you cannot use a data recovery service.

I also have Time Machine backups, and we download all our photos to both my laptop and my wife's. So at any given time there should be a total of 7 copies of our photos and documents. Other than the sunk cost of our laptops, this backup system costs less than $800. I dare you to find an offsite system that keeps 7 copies, all encrypted, and is entirely manageable by the less technical family members. I used to have rsync set up with scripts all over the place and Linux RAID systems, but if I were to get run over by a bus, my wife would need some serious help to manage that.

I really wish I didn't know anyone who has lost data, but I do. Do me a favor: if you read this and still aren't sure what to do, just contact me and we can work something out that will protect you.
