The Problem

As noted in the first post in the Security 100 series:
The more you follow patterns, and the simpler those patterns are, the easier it is for someone to hack you. More specifically, if you use, say, 5 different passwords for all the hundreds of web sites and software you use, and those passwords are always 8 characters, have an upper-case first letter and a number at the end, and replace certain letters with certain numbers - voila, that's a simple pattern. If you use the same password for your Google ID, Apple ID, Hertz, Avis, Marriott, Delta, Southwest, American Express, and your bank - well, you get the picture. Once someone has one password, they have all your passwords!

So, let's dive into passwords and authentication. Authentication is an old problem. Think of the Greeks, with thousands in their armies: they needed to tell friend from foe, and to trust the carrier of a message. The first form of authentication is recognition - you know the other person's face. But there is only so much you can remember, and what happens if you just haven't met them yet? So many different devices have been used since - from seals pressed into wax that are hard to reproduce, to a personal token (a ring, an amulet), to passwords.
In the Digital Age, this has become the now ubiquitous "enter your user name and password." And what is the user name, almost always? Your e-mail address, which of course is public knowledge. So half of your authentication is public knowledge. What do we use for passwords? Something we can remember, something meaningful - which means anyone who knows us can probably guess it, and anyone who gets to know us can figure it out.
Since we have been inundated with thousands of different systems that don't talk to each other, each one has to have its own authentication - and as users of all these systems, we can only keep track of so many passwords in our heads. Shared logons like OpenID, Google, and Facebook help somewhat, because other systems use them to authenticate you - but the problem is that if that one ID is hacked, the hacker is into all of those systems. Have you ever tried to log into your bank site, only to realize you forgot the password? And you can't remember the damn security questions you set up to reset it?
What do we do? If you are like almost everyone, you do the following:
- Use some word that is meaningful to you.
- Change it up a bit - but only a bit, so you can remember the changes! For example, if your word is puppy, make it "pUppy1" or "p0Ppy" or some such variation.
- Use the same password on many sites.
General Security Procedures

Some things you can do in general to make your digital life more secure:
- Use random, complex passwords. Yes, you won't be able to remember them.
- They should be 12 characters or longer, be unintelligible (no words, names, or dates), and be different for each system or site you log into.
- Use a password manager to store your passwords - you unlock it from a trusted device with a super-secret master password that you use for that one purpose and nothing else.
- Find out whether each system you log into offers multifactor authentication. There are many forms of it - from a question and answer that you pick or make up, to a second code that keeps changing and cannot be guessed. For example, Google Authenticator generates a new six-digit number every 30 seconds from a secret the site gave you, and you enter your name, password, and that number to log on to a specific site (say Dropbox, LastPass, or Hootsuite). That way, even if a hacker does get your password for that one system, they do not have the secret behind your Google Authenticator code and cannot produce the number it is generating.
- Do not write your passwords down anywhere.
- For a long time I stored my passwords in a Google Drive spreadsheet - but if anyone does hack my Google Drive account, they would then have access to all my passwords. Plus, I had to manually update the list every time I added a new web site, or the web site changed because the company merged, or updated the password. A pain!
- Multifactor authentication means using more than just a password to authenticate you. The common forms are:
- A question that you make up or pick, with an answer you supply ("What is your favorite color?" "Blue"). Note that this is a second "something you know," not a true second factor, and the answers are often guessable by anyone who knows you.
- A number generator, like RSA SecurID or Google Authenticator, that produces a constantly changing number you enter alongside your password.
- Physical possession - a hardware key like a YubiKey that you plug into the PC (think of the signet ring from the opening paragraph), or a phone-based service like Transakt, Toopher, or Duo Security that confirms the login on a device you have with you.
- Biometrics - reading the unique "signatures" of your body: your retina pattern, your fingerprints, and so on.
- Find out if the system you use offers multifactor authentication. If it does, use it. I like Google Authenticator because it is free, and reasonably secure. It is a mobile app that reads a QR code the system shows you when you enable it; the QR code carries a secret for that one system, and the app adds a number generator built on that secret. From then on you log in with your name, password, and the GA code. Each Google Authenticator entry is specific to the system or app you are authenticating to - so my Dropbox Google Authenticator code only works for Dropbox logons - and I need to enter my logon name, password, and GA Dropbox code on a non-trusted device. Check whether your phone's backup actually carries the app's secrets, and keep the one-time recovery codes the system gives you when you enable it, or a lost phone locks you out.
The Solution

So what am I saying - that you should have a different password for every system you log into? YES.
But that's impossible, you say. How can you remember them all? Write them all down? IN A WAY.
I have been using a system called LastPass for almost a year now. There are others out there, but LastPass is:
- A complete solution, covering computers and mobile devices. It integrates with all of the most popular browsers on the top 3 desktop operating systems (Mac, Windows, Linux), and with all of the mobile OS's.
- Secure - your vault is encrypted and decrypted on your own device with a key derived from your master password, so the LastPass servers only ever hold ciphertext.
- Inexpensive - it's free unless you want mobile device access - then it is $1 per month.
- Sharable - with that $1/month Premium upgrade, you can share passwords with friends and family, who don't need a paid account. That bank account you share with your wife? Share its password from your LastPass vault to hers. If either of you changes it, it updates automatically in both vaults, and next time you log in it is filled in automatically by your web browser.
- Helpful - its tools identify duplicated and weak passwords, and its password generator produces random passwords that cannot be guessed or derived from anything about you.
On the iPhone, because iOS does not let one app fill in fields inside Safari or another app, the LastPass Premium app includes its own web browser, so that you can go to any web site and your stored authentication will be filled in automatically from your password vault. Android and Windows devices do allow an app to hook into the system web browser, so LastPass integrates with their browsers directly. (Side note: to me, this is an inherent security weakness in non-Apple or jailbroken devices.)
What if you use a work computer and can't install any software? No problem: you can put LastPass on a USB stick and run it from there, with no installation or administrative rights needed.
Now what happens if someone hacks LastPass? Good question! One I don't have a good answer to - because if they do somehow get your master password, then you are ^$#*ed.
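What limits that worst case is how the vault is protected. The following is an added illustration for this post, not LastPass's code: a vault manager derives the encryption key from the master password with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here) and stores only a random salt plus a verifier, never the key. Someone who steals the vault can still guess master passwords offline, one full KDF run per guess, so the only things that buy you time are the master password's entropy and the KDF's iteration count. The iteration count and the verifier construction are assumptions chosen for illustration, and the "pattern" guesser enumerates the puppy / pUppy1 scheme from earlier in the post to show how few strings it actually produces.

```python
"""Why the master password is the whole game once a vault is stolen.

Added illustration for this post, not LastPass's code: the vault key is
derived from the master password through a deliberately slow KDF
(PBKDF2-HMAC-SHA256), and only a salt plus a verifier is ever stored.
An attacker holding the stolen vault tries master passwords offline, one
full KDF run per guess. Iteration count and verifier construction are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed cost; real products set this much higher today
KEY_LEN = 32


def derive_key(master_password: str, salt: bytes,
               iterations: int = ITERATIONS) -> bytes:
    """Vault key from the master password. Same inputs, same key; every
    extra bit of entropy in the password doubles the attacker's work."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def vault_verifier(key: bytes) -> bytes:
    """Stored beside the vault to check a master password without storing
    the key: an HMAC of a fixed label under the key (assumed construction)."""
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def create_vault(master_password: str, iterations: int = ITERATIONS):
    """Enrolment: random salt, derived key, verifier. Returns (salt,
    verifier); the key itself is never written down."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return salt, vault_verifier(key)


def open_vault(master_password: str, salt: bytes, verifier: bytes,
               iterations: int = ITERATIONS):
    """Return the vault key if the master password is right, else None."""
    key = derive_key(master_password, salt, iterations)
    return key if hmac.compare_digest(vault_verifier(key), verifier) else None


LEET = str.maketrans("aeios", "43105")


def pattern_guesses(word: str):
    """The 'change it up a bit' scheme from earlier in the post, enumerated:
    capitalise at most one letter, optionally leet-substitute, append at
    most one digit. An assumed subset of what cracking rule sets do; the
    point is how few strings the pattern produces."""
    bases = {word} | {word[:i] + word[i].upper() + word[i + 1:]
                      for i in range(len(word))}
    bases |= {b.translate(LEET) for b in bases}
    suffixes = [""] + [str(d) for d in range(10)]
    return sorted(b + s for b in bases for s in suffixes)


def offline_attack(salt: bytes, verifier: bytes, candidates,
                   iterations: int = ITERATIONS):
    """Attacker holding the stolen salt and verifier: try each candidate.
    Each attempt pays the full KDF cost, which is exactly the KDF's job."""
    for guess in candidates:
        if open_vault(guess, salt, verifier, iterations) is not None:
            return guess
    return None


if __name__ == "__main__":
    import time
    salt, verifier = create_vault("pUppy1")  # constructed weak master password
    guesses = pattern_guesses("puppy")
    start = time.time()
    found = offline_attack(salt, verifier, guesses)
    print(f"{len(guesses)} pattern guesses, recovered {found!r} "
          f"in {time.time() - start:.1f}s at {ITERATIONS} iterations")
```

Run it and the "puppy" pattern falls in a few seconds even at 100,000 iterations, because the pattern yields only dozens of candidates; a random 16-character master password is simply not in any list an attacker can afford to run through the same KDF. That is the practical answer to "what if LastPass is hacked": the master password has to be the one password you generate randomly and memorize anyway.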