{"id":83,"date":"2012-07-03T10:00:00","date_gmt":"2012-07-03T01:00:00","guid":{"rendered":"https:\/\/www.rapapaing.com\/blog\/?p=83"},"modified":"2020-02-02T17:16:41","modified_gmt":"2020-02-02T08:16:41","slug":"the-solution-to-the-passwords-problem","status":"publish","type":"post","link":"https:\/\/rapapaing.com\/blog\/2012\/07\/the-solution-to-the-passwords-problem\/","title":{"rendered":"The solution to the passwords problem"},"content":{"rendered":"\n<p>Note: This reflects an outdated view of security I had in the dark ages of 2012. While some parts of these recommendations, like using a password manager, are still very valid, most of this information here is out of date, so you shouldn\u2019t take the following text too seriously.<\/p>\n\n\n\n<p>I am sorry to let you know that your email has been hacked. Or if it hasn\u2019t, then it will. Very soon.<\/p>\n\n\n\n<p>When I first got into this Internet thing, say some 16 years ago, I made my first email address at HoTMaiL (bonus points if you also made it when it wasn\u2019t part of Microsoft). And I was asked for a password.<\/p>\n\n\n\n<p>Actually it was probably the first time I had to make a password. I had no idea what a password should look like, so I just went and made something like \u201cilove[random girl which I liked at the time]\u201d.<\/p>\n\n\n\n<p>Then I made a GeoCities website. That one also required a password, so I went with the same one for GeoCities.<\/p>\n\n\n\n<p>And then I joined a bunch of sites. Each time I had to write a password, I used the same old password.<\/p>\n\n\n\n<p>This password policy (use the same trivial password on a bunch of sites) probably describes the vast majority of people on the Internet. I know a bunch of people who do this, and actually send me their password by email so I can log in somewhere and fix something for them.<\/p>\n\n\n\n<p>\u201cBut who\u2019s going to -want- to hack little old me?\u201d they say. 
And I\u2019d have to agree that most people in the world, me included, are so irrelevant in this world, that nobody will even consider the possibility of trying to get into their email accounts. And even if they did, what will they find? Emails from mom showing off her latest gadget? A small, easy-to-remember password for every site is a very simple solution, and the risk of forgetting a complex password very much outweighs the perceived little probability of getting your password brute-forced and your account hacked.<\/p>\n\n\n\n<p>And there lies the main problem. Passwords, by themselves, are a complete nuisance. Most people see passwords as one annoying barrier between \u201cI want to see my email\u201d and \u201cI saw my email\u201d. In fact, I\u2019d say a lot of people would be happiest if there were no passwords at all. These people are the ones who keep their computers with no password, and have their browser remember their passwords.<\/p>\n\n\n\n<p>Sysadmins would love for everybody to have really long random-like passwords, and have us change them to a completely different password every 14 days. Some actually enforce this, but eventually people end up using stupid substitutions like !L0V3Y0u, and then !L0V4Y0u, and then !L0V5Y0u. Character substitutions are not only\u00a0<a href=\"http:\/\/xkcd.com\/936\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">useless<\/a>, but also troublesome when you use symbols and happen to live outside of those magical realms where they only have one type of keyboard layout.<\/p>\n\n\n\n<p>It is a cost-benefit problem. It\u2019s not that the risk of losing control of your online identity is low (even when you do completely idiotic things such as\u00a0<a href=\"http:\/\/www.codinghorror.com\/blog\/2012\/04\/make-your-email-hacker-proof.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">sending yourself passwords via email<\/a>). 
It\u2019s that the cost of remembering secure passwords is so high, and the risk of locking yourself out when you forget your secure password is even higher, that people resort to either using the same trivial password, or writing it down on a post-it note below the keyboard, which is even worse.<\/p>\n\n\n\n<p>So fast forward a few years. Now I have a ton of accounts on websites, Linux servers, banks and local libraries. I arbitrarily decided that some of these accounts are \u201cmore important\u201d than the rest, so I decided I should make a \u201csecure password\u201d. This is a random, somewhat long password, that took me a huge amount of effort to remember, and that\u2019s what I used for the \u201cimportant accounts\u201d. The rest used another simpler password. Now I felt \u201csecure\u201d.<\/p>\n\n\n\n<p>Well, maybe my \u201csecure password\u201d was tougher (<a href=\"http:\/\/www.lockdown.co.uk\/?pg=combi\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">but not impossible<\/a>) to crack. But was this a good solution? As I mentioned before, who would like to hack my account? I\u2019m so irrelevant in this world\u2026<\/p>\n\n\n\n<p>Fast forward to the present. Indeed, I remain irrelevant, and there\u2019s no reason I can think of why somebody would actually want to specifically target me. Are all my accounts safe?<\/p>\n\n\n\n<p>I think we\u2019re missing the entire point of password policies. Unless you\u2019re a security door standing between James Bond and the villain, I can pretty much guarantee you that the odds of somebody wanting to brute-force your password are minuscule.<\/p>\n\n\n\n<p>No. The real problem is not brute-force. 
The real problem is\u00a0<a href=\"http:\/\/www.google.com\/search?q=gawker+hack\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">moron sysadmins<\/a>\u00a0who store plain-text passwords, or non-salted passwords (which is basically the same) in their databases; session hijacking; and phishing attacks.\u00a0Hackers won\u2019t try to brute-force your password. They\u2019ll plant some traps, and expect you to give them your password at some time. Unlike the brute-force defense of \u201cI\u2019m too unimportant to be hacked\u201d, these threats are very real, and it is just a matter of time until either you fall, or some site you have trusted with your passwords falls.<\/p>\n\n\n\n<p>Finally, there\u2019s another threat I haven\u2019t mentioned. If you happen to use netcafes, unsecured WiFi connections (or WEP, which is exactly the same), use other people\u2019s computers, or simply use a laptop in a public place, your passwords may get stolen as you write them, using extremely\u00a0<a href=\"http:\/\/www.wireshark.org\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">hi-tech expensive tools<\/a>,\u00a0<a href=\"http:\/\/www.google.com\/search?q=usb+keylogger\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">less expensive tools<\/a>, or even with the old \u201cwatch the password as it is typed over the shoulder\u201d.<\/p>\n\n\n\n<p>This is a matter of damage minimization. Suppose that your password, secure or not, is already known to somebody else. Once you internalize that, I would like you to agree with me that your password policy is pathetic. 
You may want to use the\u00a0<a href=\"http:\/\/www.codinghorror.com\/blog\/2012\/04\/make-your-email-hacker-proof.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">\u201cI use two-factor authentication, therefore I am better than you\u201d defense<\/a>\u00a0(which hopefully won\u2019t give you a\u00a0<a href=\"http:\/\/www.schneier.com\/blog\/archives\/2005\/03\/the_failure_of.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">false sense of security<\/a>). But what about all those other dozens, if not hundreds of sites that you must use, and don\u2019t let you use other ways to secure your login?<\/p>\n\n\n\n<p>Good passwords are long, random, and most importantly,\u00a0<a href=\"http:\/\/xkcd.com\/792\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">unique<\/a>. You should be able to painlessly change a password each time you have the slight feeling it may have been compromised, each time your sysadmin wants you to, or whenever you just feel like it, and still be able to remember them. I am able to do that, and some other things. And I am going to explain to you how I did it.<br>You know where this is going. Use a password manager. I had been very reluctant to do so, simply because I believe that it means putting all the eggs in the same basket, and losing them to some hacker or in the memory hole is a risk too big to even consider. But the way in which I implemented my password manager is good enough for me. I have been using it for some six months, and I couldn\u2019t be happier.<\/p>\n\n\n\n<p>So without any more foreshadowing, I\u2019d like to introduce my setup: I\u2019m using\u00a0<a href=\"http:\/\/keepass.info\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">KeePass<\/a>. 
It\u2019s an open source password manager that securely stores your passwords in a file.<\/p>\n\n\n\n<p>Since KeePass only requires the software, the passwords file, and the master password to open, I store both the passwords file and the software in my\u00a0<a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.dropbox.com\/home\" target=\"_blank\">Dropbox<\/a>\u00a0public folder. That way, I have my passwords file synchronized, and I can access it at home, at work and on my Android phone. The Dropbox password itself is also inside the passwords file. So even if disaster strikes, and I lose access to my home and office computers, and the phone, I still have access to all of my passwords.<\/p>\n\n\n\n<p>I also have a Linux server, which downloads the passwords file from the public folder once a week (using cron) and stores it in a completely different location, which is publicly accessible via HTTP. This file is for the \u201cDropbox got pwnd like MegaUpload\u201d scenario. But it is also useful if I happen to lose my file at Dropbox, either accidentally or maliciously.<\/p>\n\n\n\n<p>So far, this scheme allows me to recover my file in a wide array of situations. Now, let\u2019s talk about the master password. Or dare I say, master\u00a0<em>passphrase<\/em>. It has been widely\u00a0<a href=\"http:\/\/blogs.mcafee.com\/mcafee-labs\/password-policy-length-vs-complexity\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">shown<\/a>\u00a0that a long passphrase is both safer and easier to remember than a short complex password. But since a passphrase is easier to remember, it is also easier to change: KeePass allows you to set a time limit on your master passphrase. I set it to 30 days, and once a month, I just think of a new passphrase and change it! It\u2019s much easier to remember one passphrase than a bunch of passwords for a bunch of sites.<\/p>\n\n\n\n<p>So what about this passphrase? 
It is long, and easy to remember. My current passphrase is 45 characters long, but trivial for me to remember. I just imagine a bizarre scenario, such as \u201cA garden hose vibrated over the latte drinking cosmonaut\u201d, and make that my passphrase. Sometimes it gets a little tricky to remember, so I just make a small drawing on a post-it that reminds me of the scenario. Even if somebody sees the drawing, and knows that it represents my passphrase, it is so crude that it is basically impossible to derive the passphrase from it. I eventually end up destroying the post-it after a few days, once I have completely memorized the new passphrase.<\/p>\n\n\n\n<p>So now I have a secure scheme that also lets me recover the password file in even the most unimaginable scenarios. Let\u2019s now talk about how I use the software.<\/p>\n\n\n\n<p>Each site gets a different password, and sometimes a different username. Some sites have password policies that are\u2026 let\u2019s say stupid (such as the bank, which only lets you use a 4 digit PIN). Others impose minimum complexity requirements, while others have arbitrary restrictions. But that\u2019s okay. KeePass allows you to randomly generate passwords which you can fit into any password policy. For everything else, I go with the KeePass default of 20-character alphanumeric, which rounds to some 110 bits of entropy. When I want to change a site password, I just generate a new one.<\/p>\n\n\n\n<p>The Windows version of KeePass also allows you to automatically input the password with several methods (Ctrl-Alt-A is my favorite). This makes it very convenient for me when actually using the passwords. KeePass also provides clipboard auto-clear, database auto-lock, file transactions, memory curtaining and secure desktop database unlock. I strongly recommend you use all of these settings (and understand what each one does) for maximum security.<\/p>\n\n\n\n<p>But good things also come with goodies! 
By using a password manager, not only do I get my passwords stored, I also get the websites remembered. Have you ever done the obligatory and arbitrary sign-up for some\u00a0<a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"http:\/\/store.steampowered.com\/\" target=\"_blank\">obscure website<\/a>, and then one year later, when you are forced to use the site again, asked yourself \u201chave I signed up here?\u201d. Well, with KeePass, each password comes right with the website I registered at, so I don\u2019t have to remember whether or not I have signed up.<\/p>\n\n\n\n<p>And last, but not least, KeePass allows me to store non-web passwords. Things like game passwords, Linux logins, VNC logins, credit card numbers, complex (two-stage or multi-stage) passwords and even important phone numbers can be safely stored in KeePass.<\/p>\n\n\n\n<p>So far, I have been using this scheme for a long time, and not only do I consider myself safer, but it has also simplified my life in many aspects.<br>Before I finish, I would like to talk about some other tools or schemes I considered, and why I think they are to be avoided.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The password remember scheme in common browsers: It is a complete waste of time. You cannot carry it around between computers, or even between browsers on the same computer. If you lose it, it\u2019s game over. Okay, maybe your super-browser does it, but even then, it doesn\u2019t do non-web stuff, and is hardly as feature-packed as a dedicated password manager.<\/li><li>LastPass, 1Password and friends: Please avoid these things like the plague. In cryptography settings, open source is the\u00a0<strong>only way<\/strong>\u00a0to go. Please\u00a0<strong>do not<\/strong>\u00a0trust your passwords to a third party, even when it is \u201cthe cloud\u201d. 
If you don\u2019t know how your passwords are being stored, they are effectively\u00a0<a href=\"http:\/\/blog.lastpass.com\/2011\/05\/lastpass-security-notification.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">not being securely stored<\/a>. And they even have the nerve to want to charge you money for \u201cpremium features\u201d.<\/li><li>OpenID and friends: Once again, you\u2019re trusting somebody other than yourself to keep your data private. If a site forces you to use one of these frameworks, I\u2019d recommend you make a new user for every site.<\/li><\/ul>\n\n\n\n<p>Okay, now let the flaming begin.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note: This reflects an outdated view of security I had in the dark ages of 2012. While some parts of these recommendations, like using a password manager, are still very valid, most of this information here is out of date, so you shouldn\u2019t take the following text too seriously. 
I am sorry to let you &hellip; <a href=\"https:\/\/rapapaing.com\/blog\/2012\/07\/the-solution-to-the-passwords-problem\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;The solution to the passwords problem&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[23,21,22],"class_list":["post-83","post","type-post","status-publish","format-standard","hentry","category-programming","tag-hacking","tag-passwords","tag-security"],"_links":{"self":[{"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/posts\/83","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/comments?post=83"}],"version-history":[{"count":1,"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/posts\/83\/revisions"}],"predecessor-version":[{"id":84,"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/posts\/83\/revisions\/84"}],"wp:attachment":[{"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/media?parent=83"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/categories?post=83"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rapapaing.com\/blog\/wp-json\/wp\/v2\/tags?post=83"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}