Wednesday, September 27, 2006

Password Pandemonium

I hate passwords. There, I said it. I'm a security guy and even I hate them. As a technological society, we should have advanced past the point where we need passwords for everything. But passwords are cheap to implement, the concept is easy to understand, and they work with any existing system that has an input device. For these reasons, they're not going away anytime soon.

So now that we've established the need for them, we might as well learn how to effectively manage and use them. My first password was "qwertyuiop" -- just the top line of letters on the keyboard. It was simple to type, it was easy to remember, and it wasn't a dictionary word. I thought I was doing pretty well coming up with that one. I guess everyone did when they came up with it too. The problem with this password is that it isn't unique (in fact it is fairly common) and it is easy to guess. I don't use that password anymore.

Instead, I use a three-tiered system of passwords. The tiers are based on the type of information contained in the systems. The three types of information that I have are public, private, and secret. Public information is that which is readily available to all, private information is that which I want to keep from all but my friends and people who know me fairly well, and secret information is information that I don't want anyone but myself to know. Other highly respected people use the same system that I do and feel perfectly secure doing it.

The first tier consists of systems like the Atlanta Journal-Constitution website, the New York Times website, and other systems where I only receive and never give information. Not only that, these sites contain only public information that is available to anyone. Not even my email address is stored there; I used one of the many anonymous email services to register. (I'll cover online anonymity in a later post.) In short, I use a simple, generic password here because it doesn't matter if anyone gets access. In fact, there are places where people register for a login and password and then post it so that others don't have to bother.

For the second tier, I use a password that is more secure. This one I use for websites where I have some personal information, but only things that my friends, family, and several others already know about me. Things like my name, some pictures, my address and phone number, etc. But I would NOT use this password to protect financial information or any kind of information I wouldn't want anyone to find out about. This password is one that I only change once a year or so. These types of systems are ones that would merely be inconvenient if they were cracked, like an email account I use to chat with friends or online stores that don't store credit card info.

The third type of password I use is usually 20-60 characters long, mixed with numbers, upper and lower case letters, and special characters. These passwords guard systems that protect financial and private information. Systems like my bank account, my online bill-pay for my home utilities, my credit card website, and the email account that I use to get email from all of these systems. Each system has a unique password and each password is changed at least once every 90 days. These are systems where a loss of confidentiality would severely hurt my finances or my reputation, or would be difficult to repair.

If all of this sounds extreme, it probably is. You probably won't ever lose personal information or have your identity stolen because someone cracks your password. These days, it is much more likely that the database itself will be broken into or that you'll have a keylogger installed onto your computer. But this is also the type of password system that I use at work, where the stakes are higher. At work, I'm responsible for keeping other people's secret information.

But believe it or not, there are simple ways to keep track of this stuff. First, you have to classify your information systems and figure out which ones you need to protect and at what level. To start, it's best to look at any website where you have financial information, like your credit cards, bank accounts, credit union, investments, utilities, etc. Next, identify your second tier systems -- you may want to double check these to make sure that they don't have any financial information, like bank account emails, etc. If they do, you'll want to include them in the "secret" tier or get a new email account to receive your secret emails.

NOTE: You'll want to pick an email account that lets you login over an encrypted connection. This way, if someone manages to observe your communications with the website they won't see what you're actually seeing. All they'll see is an indecipherable data stream. I recommend Hushmail for this.

Second, you'll need to come up with some passwords. For the first tier (public information) systems, you can use any password that you want. Use qwerty, 12345, password, or whatever you'll be able to remember. You might want to use something a bit more complex so that it passes any website that checks for password complexity. Something like q1w2e3r4t5y6 might be good here. It's easy to remember, but will pass most complexity checks for public information websites.

You'll want to put more thought into your private information passwords. I'd recommend a very complex password, something with upper and lower case letters, numbers, and special characters. There are dozens of websites with password generators, advice on how to come up with strong passwords, and ways to remember them. Keep in mind that you'll only change this once or twice a year, so even a long and difficult password will quickly become easy to remember. Passwords are usually committed to muscle memory after only a few uses, so after a week or so you probably won't be mistyping it anymore.

For the final tier, your secret information, you'll probably want to come up with a passphrase. A good passphrase will be several words long, have a couple of capital letters, punctuation, and numbers. A good passphrase will be nearly impossible to crack by brute force techniques, or even using rainbow tables! Passphrases can be easier to remember than passwords, though they might take more time to type. A good passphrase for your Hotmail account might be "I use Hotmail.com 5 times a day!" This passphrase is 32 characters long, has 2 upper case letters, 1 number, and 8 special characters. This is very secure and very easy to remember. Make sure you have a different passphrase for each of these systems.
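Added example, not code from the original post: a small Python checker that applies the three-tier rules above to candidate passwords, tallies the character classes the post counts for its sample passphrase, and estimates the brute-force search space behind the "nearly impossible to crack" claim. The numeric thresholds (20+ characters and all four classes for "secret", 8+ characters and three classes for "private") are assumptions drawn from the post's guidance, not a standard.

```python
"""Three-tier password check, following the post's public/private/secret scheme."""
import math
import string

# Constructed list of the weak first-tier choices the post mentions.
COMMON_PATTERNS = {"qwertyuiop", "qwerty", "12345", "password"}


def char_class_counts(pw):
    """Count upper, lower, digit and special (anything non-alphanumeric, spaces included)."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(not c.isalnum() for c in pw),
    }


def passes_basic_complexity(pw):
    """The kind of check many websites apply: 8+ characters from at least two classes."""
    classes = sum(1 for v in char_class_counts(pw).values() if v > 0)
    return len(pw) >= 8 and classes >= 2


def brute_force_bits(pw):
    """Search space in bits if an attacker knows only the length and the classes used.

    Alphabet: 26 upper, 26 lower, 10 digits, 32 ASCII punctuation marks plus space."""
    counts = char_class_counts(pw)
    alphabet = 0
    if counts["upper"]:
        alphabet += 26
    if counts["lower"]:
        alphabet += 26
    if counts["digit"]:
        alphabet += 10
    if counts["special"]:
        alphabet += len(string.punctuation) + 1
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def tier(pw):
    """Assumed thresholds: secret = 20+ chars, all four classes; private = 8+ chars, 3 classes."""
    if pw.lower() in COMMON_PATTERNS:
        return "public"
    counts = char_class_counts(pw)
    classes = sum(1 for v in counts.values() if v > 0)
    if len(pw) >= 20 and classes == 4:
        return "secret"
    if len(pw) >= 8 and classes >= 3:
        return "private"
    return "public"
```

Running `char_class_counts` on the post's sample passphrase reproduces its tally (2 upper, 1 number, 8 specials in 32 characters), and `brute_force_bits` puts it above 200 bits against the roughly 47 bits of "qwertyuiop".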

Alright, so now you've got your three tiers of passwords, but you may still have over a dozen passwords to keep track of. This is no easy task, even for very smart, security-minded people. In corporations, this can be a problem that costs millions of dollars per year when employees who have forgotten their passwords flood the helpdesk with calls. So somebody really smart invented a concept known as Single Sign On (SSO). The basic concept is that you only have to login once to access all of the systems needed for business.

But SSO isn't just for businesses. You can get password management utilities for your desktop that will automatically log you into websites. Firefox and Opera have this capability built in, but they only work for websites. The two best password management programs out there for Windows are Password Safe and KeePass. Password Safe was originally written by Bruce Schneier -- the guy who wrote the book on cryptography, and then rewrote it. That gives this program as much credibility as anything else out there. KeePass is another great program with a better user interface and more options. Either one of them is a great way to keep your passwords safe and even auto-login to applications and websites!

This has been a pretty long post, but it pretty much breaks down to this: passwords don't have to be burdensome! Like any security system, a little planning and thought can actually enable you to do more with the resources you have. In this case, planning out how you treat your important information and having a good password management strategy can be easier and more secure.
