Passwords Part 2: Your Password Policy

Welcome back for part 2 of my three-part series on passwords. Last time we learned about why all of our passwords are getting hacked, and we came to the unfortunate conclusion that the standard security mechanisms today are simply not strong enough to prevent someone from stealing our passwords. However, all is not lost - just because someone got your password (ideally salted & hashed, but even if not), that doesn't mean that your internet life just burst into flames. Having a good password policy is actually the best defense against having your internet life broken into. You hear "password policy" and probably groan at the idea of "14 characters long, alphanumeric, upper and lower case, symbols, and it has to be something completely nonmemorable" - well, yes, that is one portion of having a good password policy, but it's actually not the most important. The most important part of your password policy is how you choose which password to use on which site.

Commonly, people use one of four types of "password distribution policies": one password everywhere, somewhat-random passwords written down, patterned passwords, or random stored passwords. Each option has its ups and downs, and - as is the nature of the universe - the least secure option is the one used by the most people. You can probably guess it, but the least secure option is "one password everywhere". This means that when you were first introduced to the internet you decided on a password. Perhaps it was secure, perhaps it was not, but since then you've been using that same password on every site where you register. It's possible that you've switched your password sometime in the past, or even that you bounce between 2 or 3 common passwords, but regardless you have so few passwords that you could count them on one hand.

One Password Everywhere

I get it - I actually used this password policy for a long time. If you're smart, the one password you designed is super strong - it's 15 characters, and has every different type of letter, symbol, and number. Don't get so excited, though; if you read part one of this series, you learned the unfortunate truth that no matter how complex your password is, it's still not secure. If you're using the same password on all services, chances are that one of those services is storing your password in clear-text. All that needs to happen for your internet life to be ripped apart is for that single low-security site to get broken into - then they have the password for all of your other accounts. If you're using this password policy, stop! Chances are that someone has already broken into a service containing your password - don't give them the luxury of taking over your entire internet life.

Somewhat-random Passwords Written Down

I didn't actually know that this second password distribution policy was as common as it is. Turns out the "somewhat-random passwords written down" method is very common these days. I suppose that's a result of people getting yelled at for the one-password method, but not having a good method for remembering or storing these passwords. As a note, I'm also considering the Excel spreadsheet of passwords to be in the same category as this. I've got a lot of potential holes to poke in this idea, the first being that there's not enough paper in the world. OK, technically you could pin tons of pieces of paper up on your walls, but the fact is that there are so many new web sites popping up every day that it's impossible to keep a unique password for every site written down. It would take you just as long to find the correct password on your list as it would to develop a real password policy! Also, consider the situation where you are at work, or at a friend's house, and need to access your email. Dang, too bad you don't keep that post-it note in your pocket - I guess you're out of luck until you get home. It's crazy to not be able to access your passwords from anywhere - our world is simply too connected these days. The biggest problem with this method, though, is the fact that no data is permanent. Hard drives fail, ink fades, your mom throws away your post-it note - whatever it is, there is eventually going to be some force beyond your control that is going to rip that precious list of passwords out of your hands. Hopefully you still have access to your email - otherwise there's no amount of "Reset My Password" buttons that are going to bring your internet life back to you.

Patterned Passwords

I've always thought that the "patterned passwords" idea was a pretty good one. It combines three very important things about a password policy - complex passwords, unique passwords on every site, and memorable passwords. This method works like this: you decide on some sort of consistent pattern that you will use, based on the web site you are on. Usually you will combine this pattern with an already complex password. Say you've decided the base password will be "Pa$$word", and your password policy will be to prepend that with all the consonants in the domain name from the site you are using. So your password on WegnerDesign would be "WgnrDsgnPa$$word". That's pretty easy to remember, right? And even if a hacker gets a password from some database using clear-text, they still don't have access to anything other than that account, right? Wrong. This sounds like the holy grail of password policies in theory, but we forget that the enemy in this situation is a human hacker, not a computer. They're going to see your password "WgnrDsgnPa$$word", and instantly know that you're using a pattern to come up with passwords on every site. Granted, there are more complex patterns (see PwdHash) out there that will take longer for them to figure out, but regardless it's a fairly simple game for them to read through your home-brew hashing. Once they know your pattern, it's a very quick jump to figure out your passwords for every other site. Gmail? GmlPa$$word. Chase? ChsPa$$word. It's not hard - it's a game. Remember that the stakes are your bank account, and the hacker knows it. It's worth every minute of their time to try and outsmart you and your pattern, as long as they eventually get access to your life.
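To check your own password list for this weakness, the following audit flags entries that follow the consonant pattern described above and share a base. It is an added example, not code from the original post; the function names and the sample vault are constructed for illustration.

```javascript
// Added illustration; the vault entries below are constructed sample data.
// The pattern is the article's: consonants of the site name + a fixed base.
function siteConsonants(site) {
  return site.replace(/[^a-z]/gi, '').replace(/[aeiou]/gi, '');
}

// If the password starts with the site's consonants, return the remainder
// (the candidate shared base); otherwise return null.
function splitPattern(site, password) {
  const token = siteConsonants(site);
  if (token.length < 2) return null; // too short to be meaningful
  return password.toLowerCase().startsWith(token.toLowerCase())
    ? password.slice(token.length)
    : null;
}

// Group a vault by shared base. A base that appears on two or more sites
// means one leaked entry is enough to reveal the others.
function auditVault(vault) {
  const byBase = new Map();
  for (const { site, password } of vault) {
    const base = splitPattern(site, password);
    if (base === null) continue;
    if (!byBase.has(base)) byBase.set(base, []);
    byBase.get(base).push(site);
  }
  return [...byBase]
    .filter(([, sites]) => sites.length > 1)
    .map(([base, sites]) => ({ base, sites }));
}

const SAMPLE_VAULT = [ // constructed entries
  { site: 'WegnerDesign', password: 'WgnrDsgnPa$$word' },
  { site: 'Gmail', password: 'GmlPa$$word' },
  { site: 'Chase', password: 'ChsPa$$word' },
  { site: 'Forum', password: 'k3!Vq9z_Lm2#Tx7w' }, // random, not patterned
];
```

Every site that `auditVault` reports under one base should get a new, independently generated password.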

Random Stored Passwords

The final way to store your passwords - and I would say by far the least common - is to have randomly generated passwords stored on an internet-accessible site. Hold on - I know you all just started screaming at me that having all of your passwords stored in a single database is the craziest idea you've ever heard. We all know that no database is truly secure, so anything stored on the net is essentially already in the hacker's hands. However, there's a multitude of services out there that realize the danger, and have put in methods to make sure that even if their databases are cracked, your passwords are safe. The method for doing this is called keyed-encryption. That means that the password storage service will have you set a master password, and then whenever you store another password they will encrypt that password in such a way that it can't be decrypted without the key. The important piece here is to find a service that uses a keyed-encryption method, but also one that doesn't store that key anywhere in their databases. Naturally, if the key is in the database, then the hacker can treat the key just like a salt, and use it to decrypt your passwords. I mentioned in the first part of this series a security mechanism called Host-Proof Hosting. Host-Proof Hosting works exactly as described above, and actually does all the decryption of your data - passwords in this case - on your local computer. While there are some alternative methods out there, the vast majority of services that store your password collections in a secure manner will be using Host-Proof Hosting. Personally, I use MySocialCloud (disclaimer: I also work for them) - I'm not allowed to go into full detail of their security mechanisms, but I do have a deep understanding of them and have no worries storing my passwords there. MySocialCloud, along with other features, also has a very nice random password generator and auto-login system. 
However, there are plenty of alternatives to MySocialCloud - the most popular ones are: LastPass, SplashID, Clipperz, and more (although most of them don't meet high security standards).  
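The client-side flow described above, as an added example that is not the code of MySocialCloud or any other service named here: a random password is generated, encrypted under a key derived from the master password, and only the resulting record is handed to the host. The choice of scrypt and AES-256-GCM and all function names are assumptions made for this sketch.

```javascript
// Added illustration; not the code of any service named on this page.
// Assumptions: scrypt for key derivation, AES-256-GCM for encryption.
const nodeCrypto = require('node:crypto');

const ALPHABET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_';

// Random password from a CSPRNG; randomInt avoids modulo bias.
function generatePassword(length = 20) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET[nodeCrypto.randomInt(ALPHABET.length)];
  }
  return out;
}

// The key is derived from the master password on the client and never stored.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32);
}

// Runs on the client. The returned record is all the host ever receives.
function sealEntry(masterPassword, site, sitePassword) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(site, 'utf8')); // bind ciphertext to its site label
  const ct = Buffer.concat([cipher.update(sitePassword, 'utf8'), cipher.final()]);
  return {
    site,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Also runs on the client. Throws if the master password is wrong or the
// stored record was modified.
function openEntry(masterPassword, record) {
  const key = deriveKey(masterPassword, Buffer.from(record.salt, 'base64'));
  const iv = Buffer.from(record.iv, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(record.site, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const ct = Buffer.from(record.ct, 'base64');
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

A dump of the host's database yields only salts, IVs, ciphertexts and tags, so the strength of the master password is what stands between that dump and the stored passwords.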

Check out part three of the series, where I share my thoughts on the future of passwords.