[Editor’s note: The below post, “Living post-password”, was originally posted on this blog on 2 April 2013. It’s been reposted below with several updates and new insights as part of this blog’s ‘Marching Toward 2014’ series of posts.]
Passwords and passphrases. I (still) hate them.
Yes, I used the ‘h’ word. Passwords and passphrases give people the illusion of safety and security when they are one of the easiest things to crack. I cringe when I come across major banks whose login mechanisms are weaker than, say, Facebook’s mechanisms.
I’ll admit that the inspiration for this post came in November 2012 after reading the story of Mat Honan in WIRED Magazine. The article’s linked but I’ll summarize: Mr. Honan had his entire digital life wiped away because a hacker could defeat his email account password.
Do I have your attention? Good. Because for the next few paragraphs, I’ll showcase some alternatives and addition to passwords and some questions that you need to ask yourself about your own computing practices.
The password is an antiquated relic of an era when computing was innocent. Hackers didn’t go after individuals; they went after big enterprises. The tides have turned and no organization nor individual is safe from a hack. In addition to most of my entire life being in the cloud, I have several servers running various web applications (including this blog and some websites of my clients) that are cloud servers. If I’ve got the chance, I disable passwords altogether OR pair a passphrase up with a second form of authentication. Data safety and backup is something that I constantly have to tackle…and it’s something that you have to think about, too.
There are some easy things that you can do and I’ll go through them from the least technical to the most.
1. Never repeat passwords! This is perhaps the biggest mistake that most people make. Even Mr. Honan confesses that he had the same password for multiple accounts. An enterprising hacker who guesses your password for one service can guess other services that you have; or, if the hacker can get into your email, then all that data is listed like an encyclopedia. The major Internet browsers have password managers that do a reasonable job at creating unique passwords as well as remembering them. Some browsers, like Mozilla Firefox or Google Chrome, can sync passwords across installations. I use a service called LastPass to generate and remember my passwords. The upshot to LastPass compared to a browser’s native solution is that I can access my passwords I’ve created on my Linux desktop on my iPhone or vice versa. There’s a free version which is a very serviceable solution but for $12 a year, you can get the premium version, which includes mobile access. It’s one step on the way to peace of mind that I think you need to have. If you use a local password manager, make sure that you’ve regularly made a backup of your data otherwise you’d be locked out of your accounts!
2. Make your passwords as long as possible. Short passwords, no matter the complexity, can be cracked in less time than a longer password. An eight-character password comprised of a combination of lowercase letters, uppercase letters, numbers, and a palette of 20 special characters has a total of options. A 25-character password using that same palette has a combination of characters, which is almost infinitely more.
2. Don’t answer the security questions truthfully. Like passwords and passphrases, I also dislike security questions. Most of the questions and answers are things that a hacker can easily locate on the Internet and are often self-supplied on a social media profile! If a service asks for an answer to, ” What street did you grow up on?”, don’t answer truthfully. Respond with an answer like “Purple Flying Rabbit Hippos” or something equally crazy yet memorable. There isn’t a logic engine in those security questions to make sure that you’re answering truthfully. Be creative in your answer! (But remember what you’ve said…because that would defeat the purpose!)
3. Ensure you have anti-virus and anti-spyware software on your computer. A lot of rogue software tracks your keystrokes and sends that information to a central server. Many anti-virus programs and anti-spyware programs capture, quarantine, and eliminate those threats. The best news is that you don’t have to shell out a lot of money for a good anti-virus or anti-spyware program: my favorites are AVG Anti-Virus free edition and Spybot Search & Destroy (anti-spyware), also free.
4. When signing up for a service, make login security a part of your evaluation framework. It does sound like something silly but it’s something that you absolutely have to consider in this new world. Does your bank’s password requirements seem woefully inadequate? If I came to the decision between two services that are otherwise equal in service and dignity, a service that had a more robust login solution would get my nod.
5. Consider where you’re doing your computing. A lot of us take public wi-fi networks in coffee shops, public spaces, or civic institutions for granted these days. The problem is that these networks are open to all and their security questions are less than ideal. If you’re using a public network, ask yourself: “Do I really need to be doing my online banking or transmitting this otherwise confidential information at this time?” Safe computing is a mindset, too, and you have to be aware of your surroundings when you do your computing. But at home, make sure that your router is locked and that only devices you’ve authorized are connected to the network. Check the directions for your router.
6. Enable two-factor/multi-factor authentication when available. In summary, two-factor/multi-factor authentication is a level of protection that goes beyond your password. It relies on something you know (e.g. your password) and something you have (e.g. your mobile phone.) Google was the pioneer of consumer multi-factor authentication. It does take awhile to set up and requires some patience but it is something that you should do. Likewise, Facebook has a version that they call “Login Approvals” that uses their mobile app or text messages. Many banks are starting to set up multi-factor authentication. My blog and websites require multi-factor authentication to get in. Recently, Apple enabled multi-factor authentication for their Apple ID service a couple weeks ago, replacing their woefully inadequate security questions. According to this list from Lifehacker, other services that have multi-factor authentication include LastPass, Dropbox, some Microsoft products, Yahoo! email, Amazon Web Services, and DreamHost. If you have your own WordPress self-hosted blog, you can set up two-factor authentication on that blog for additional protection.
7. When signing up for service, consider linking that new service to an account that has more robust authentication. To get new people to sign up for their service, companies will enable users to sign up using their Google or Facebook account instead of the traditional username/password combination. I used to think that this was a bad thing but I’ve changed my mind. Both Google and Facebook have multi-factor authentication for their services (have you set it up yet?) which is used when you sign up or log in to the new service.
8. Change your passwords frequently and regularly. If you have a password management system (browser or online), then that’s easy to do. If you’re not using one, then consider this genius solution that was shared by a former colleague of mine: Consider a routing of a recent trip you took. When you’re going to change your password, move it to the next city in the list (e.g. on a trip along the Northeast Corridor, move from New York City to Stamford). But really, you should use a password manager.
9 (new to this list). Consider using a different DNS service on your home router. If you have home high speed Internet, chances are that you’re using your Internet provider’s DNS servers. What’s a DNS server, you ask? It’s something that translates web addresses you type (like edwardjensen.net) into IP addresses (like 126.96.36.199), which are like Internet addresses. You’re not restricted to using your Internet provider’s DNS servers; there are alternate DNS servers that you can use. On my home network, I use OpenDNS, which can be used for DNS lookups (the translation I mentioned above) or as a “parental controls” filtering system, blocking unwanted websites. I also like it because it blocks unwanted Internet traffic.
10. Don’t use passwords. Some services don’t issue passwords but instead issue certificates that are imported into your browser for authentication. These certificates verify the identity of both you and the server to which you’re connecting. It’s a very emergent technology. If you manage a lot of servers and need to SSH (secure shell) into them, disable password authentication in the SSH configuration file and ensure that you’re using SSH keys to log in.
Now there’s one big caveat: Following along with all these steps makes things better. But when you’re computing, never never ever! let your guard down. Like I mentioned in number 5, safe computing is also a mindset.
What strategies do you use for account security and safeguarding? Let us know in the comments.