Password Security
Posted: Sat Jan 21, 2012 11:09 pm
I started writing this up as a response to another forum in a thread about 1Password. I realized halfway through the post that I started getting off on a tangent that is completely unrelated to 1Password, but would be completely appropriate for my blog and this forum:
I started off using the same password for everything about 10 years ago.
Then once I realized a breach at one site could compromise all of my accounts, I started making slight changes to each password. For example, suppose my "generic" password was "Password". On PP Forum, I might use the password "PPPassword", so that if it was compromised, it wouldn't also work against "BankofAmericaPassword", but it was simple enough for me to remember to keep them straight in my head.
The concern with that last method is that if someone looked at "PPPassword" and happened to also breach Bank of America in a separate instance and see "BankofAmericaPassword" that hacker could deduce my scheme and exploit it. I realized this was a small concern because a hacker is going to take out the 99% of people that reuse the same password and not try to manually parse my password scheme.
However, once I got 1Password, I decided it was easy enough to have completely random garbage passwords for all websites so while the benefit is marginal compared to a site-specific password schema, the cost is nothing. In fact, the cost is "negative" because using 1Password makes it easier.
I spent a couple hours one day changing all my passwords to pseudo-random generated strings and came to a harsh realization. A lot of sites, especially banking sites, have shitty security. By default I tried to use a 40-ish character random string as a password, because there's no additional "cost" for me to make one that long. Many sites capped out at 12 characters. That's embarrassing. A few didn't even tell me what the restrictions were and I had to continually try shorter and shorter random passwords until one was accepted.
Then I realized, I re-used a lot of the same security questions. I have a "schema" for security questions and always use the same false mother's maiden name and false "first pet name" and false "first high school mascot" so that a hacker can't compromise my account by looking at facebook or other public data and figuring it out.
So that's the real risk I have now. Each site has a unique garbage random password, but the same set of security questions to reset the password. A breach on one site will acquire the security question answers and my email address, which is enough to reset the password at other sites.
I've considered going in and also coming up with random garbage strings for the security questions for each site. In theory, if they are stored in 1Password, then I don't have a need to remember them. This fails for 2 reasons:
1) What if the security questions are stored in plain text in my account, and the account reps have access to them and use them for phone authentication? This has happened in the past to my embarrassment when I used a joke porn movie name as my "favorite movie" and the female CSR had to authenticate me by verbally answering it. It would suck to tell the CSR that my mother's maiden name is "909u*7fdg%df" and to have to explain why I did that, because he would ask, and now I'm the talk of the water coolers at CSR central, where other curious CSRs decide to figure out why I'm so paranoid and snoop around my account.
2) What if 1Password died and I legitimately needed to reset my password? If 1Password is storing fake random garbage security answers, then I lose my ability to reset the password, short of photocopying my drivers license, getting it notarized and mailing in a request.
I believe I can solve both problems with the security question by
a) Using real, but unique answers for each site, e.g. PP Forum may have "Smith" as my mother's maiden name while Bank of America may have "Rodriguez" as mother's maiden name. I choose names that are "fake" but could be real sounding, so that if I have to say them to a CSR, they could be real, but no one could ever guess them by brute force, e.g. mother's maiden name = "Zorkendorf."
b) I physically write these on paper, and store them in a safe deposit box in addition to 1Password. If I wanted to be paranoid, I'd physically write them in code, using a 1-time pad method of encryption, with a separate pad for each name, since these will be names, and with a large enough list the encryption could be cracked. Then I'd have the keys for the 30+ 1-time-pads stored with an attorney in Switzerland that could have his hot secretary type them into a PGP encrypted email if I needed them, but anyone who seized my safe deposit box would be unable to crack my online accounts. This is completely a joke, because 99% of people wouldn't need that level of paranoia, but it is a possibility for some.
Another issue I have with 1Password is that it stores your passwords locally in an encrypted file. That's the "best" option, much better than storing it on a server somewhere that may become compromised. But, there's still a risk the file could get stolen off your computer, perhaps if you lost your laptop.
The password file is encrypted, locked by your 1Password password. However, if someone steals the file, they can brute force it eventually.
I believe a reasonable approach would be to follow all of the above, and then reset all your passwords and security questions on a quarterly or biannual basis.
It's possible someone stole your password file without your knowledge through a trojan, and has started brute forcing it already.
It's also possible someone compromised an account of yours on a single site, through no fault of your own, and the server/company didn't know about the breach. The hacker cannot use that password elsewhere, but they still have current access to your account, and may be waiting to exploit it.
By doing all of the above, and changing all your passwords quarterly, that reduces those last few risks. In theory, changing the password daily or hourly would be the best protection but that's ridiculous. I believe a fair balance is every 4 months, and it encourages you to update any contact info on your online accounts and ensure there's no fraud or anything else fishy going on in there.
You may also realize, much like I did, that your life is too connected to large companies/organizations, and you can simplify your life by reducing the number of places you do business with.
My goal is to maximize utility at the lowest cost to myself. The less transactional overhead with the greatest security, the better, and the above post (outside of the 1-time-pad Swiss lawyer joke) seems to be the efficient plan for me.
On a side note, one of my "Accounts" was breached this week on the server side and hackers got 50k+ logins/passwords. I have nothing to worry about (except maybe security question overlap) because that was a unique password to that account only, and literally included 30 characters of mixed letters, numbers, and symbols that are not reused on any other site.
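As an added example (my own script, not the original poster's code and not anything 1Password itself does), here is a small Python program covering the three practical points in the post: generating a CSPRNG password as long as a site's cap allows, generating pronounceable but random security-question answers of the "Zorkendorf" kind so they can be read out to a CSR, and putting a number on how long a given strength survives offline guessing. The site policies, the 40-character target and the guess rate are constructed assumptions for illustration, not real site rules.

```python
import math
import secrets
import string

# Hypothetical per-site rules, constructed for this example. Many sites do not
# publish their cap; the post describes shrinking the password until one was
# accepted, which is what "max_len" models here.
SITE_POLICIES = {
    "pp-forum": {"max_len": 64, "symbols": "!@#$%^&*()-_=+"},
    "bank":     {"max_len": 12, "symbols": ""},   # letters and digits only, 12-char cap
}

TARGET_LEN = 40  # the post's default: as long as the site will take, up to about 40


def gen_password(max_len, symbols="", target_len=TARGET_LEN):
    """Uniformly random password from the OS CSPRNG, capped by the site's max_len."""
    alphabet = string.ascii_letters + string.digits + symbols
    length = min(max_len, target_len)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


CONSONANTS = "bcdfghjklmnprstvz"   # 17 letters
VOWELS = "aeiou"                   # 5 letters


def gen_fake_name(syllables=4):
    """Pronounceable, name-like random answer: consonant+vowel per syllable,
    one closing consonant, first letter capitalised (e.g. a 4-syllable call
    yields a 9-letter name that can be spoken to a CSR without raising eyebrows)."""
    parts = [secrets.choice(CONSONANTS) + secrets.choice(VOWELS) for _ in range(syllables)]
    name = "".join(parts) + secrets.choice(CONSONANTS)
    return name.capitalize()


def name_entropy_bits(syllables=4):
    """Entropy of gen_fake_name output: log2(17*5) per syllable plus log2(17)."""
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS)) + math.log2(len(CONSONANTS))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given offline guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def plan_site(site):
    """Per-site credential set: unique password, unique answers, and their strength."""
    pol = SITE_POLICIES[site]
    pw = gen_password(pol["max_len"], pol["symbols"])
    alphabet_size = len(string.ascii_letters + string.digits) + len(pol["symbols"])
    return {
        "site": site,
        "password": pw,
        "password_bits": entropy_bits(len(pw), alphabet_size),
        "answers": {
            "mother_maiden_name": gen_fake_name(),
            "first_pet": gen_fake_name(3),
        },
        "answer_bits": name_entropy_bits(),
    }


if __name__ == "__main__":
    for site in SITE_POLICIES:
        p = plan_site(site)
        print(f"{p['site']:10} {p['password']:42} {p['password_bits']:.0f} bits")
        for q, a in p["answers"].items():
            print(f"{'':10} {q}: {a}")
    # Assumed rate of 1e9 guesses/s is a round number for an offline attack, not a measurement.
    rate = 1e9
    print(f"12-char alnum password at {rate:.0e} guesses/s: "
          f"{years_to_exhaust(entropy_bits(12, 62), rate):.0f} years")
    print(f"4-syllable name answer at {rate:.0e} guesses/s: "
          f"{years_to_exhaust(name_entropy_bits(), rate):.2e} years")
```

The numbers make the post's trade-off explicit: a 12-character alphanumeric password still carries about 71 bits, while a 4-syllable name answer carries under 30 bits. That is fine against someone guessing through a rate-limited reset form or mining Facebook, but it is no defence once a breach dumps the answers in plain text, which is exactly why the post wants a different answer at every site rather than one shared fake.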