A sensible password strategy

How to remember all of your passwords... don't

Summary

These days most people have a lot of passwords to remember[1]. Except that you shouldn't be remembering them at all; you should be using technology to store them safely and securely and to retrieve them at the right time. You should also consider using two-factor authentication when it's available and makes sense (e.g. don't opt for two-factor authentication if it uses SMS messaging and you're going to be using the password somewhere you either have no access to your mobile phone or there is no mobile signal). Last year I wrote a guide for setting up two-factor authentication with Facebook, GMail, Office 365 and Hotmail.

It's also true that there are lots of different rules imposed on me concerning my choice of password. Today I want to explore some of these rules and come up with (what I think is) a definitive set of rules and a sensible password strategy that people can follow. We'll end up with: I think service providers should do this, and I think users should do that.

Background

Over twenty years ago, I came up with a cool password. It was so cool that I used it every time I needed to create a password (including for things which weren't internet-based, it being 1994 at the time). In retrospect that wasn't very sensible, for fairly obvious reasons, and yet lots of people still do exactly the same thing. But back then, I could only think of one possible problem with using my favourite password for everything:

If somebody discovers your password, they can access everything.

I decided this wasn't a problem, because I knew I was far too sensible ever to allow anybody to discover my password. But there was one crucial problem I'd overlooked:

What if the places where I use my password are run by idiots who let other people steal it?

These days, pretty much everybody knows that you're not supposed to store passwords anywhere[2]. I say pretty much because there are lots of companies that are not following this advice. Some of them are recorded at http://plaintextoffenders.com/. Not only that, let me show you a tweet of mine from last year.

That really is a thing.

Understand and accept that your password might be revealed in a data breach

If you have an online account anywhere, you should accept that it may well be the subject of a data breach at some point.

The first time I got an email from Troy Hunt's excellent Have I Been Pwned service, I felt a bit sad. But then I realised that it didn't mean I'd done anything wrong, unless I'd been reusing passwords. Last month (20th September 2016), I got yet another email confirming that yet another site had been breached and that they had been storing my password as a salted MD5 hash.

Go to Troy's site and see how many breaches he's loaded into it. Rather a lot. And the list is growing rapidly.

So what can I do about these data breaches?

The real answer is... not much. The best thing to do is to ensure that somebody who has stolen your credentials for one service can't use them to access any other services; in other words, make sure you use a different password for each service.

But what if I need to give my date of birth, mother's maiden name and answers to other security questions?

Do you really need to give that information? Does it need to be true? It might be necessary for your bank, but in most cases you can just make something up. Better still, you might then get lots of automated happy birthday emails on different dates.

If you've been following along, by this point you have probably got a long list of passwords and associated metadata, such as pretend dates of birth, pretend answers to security questions, etc.

How am I going to remember all of that information?

You're not.

900 Passwords [image credit: me]

You're going to store the passwords somewhere. This might seem scary, but it's not as scary as the alternative of weak passwords or password reuse.

In this case we can consider the answers to security questions as being passwords, so if you answer those questions truthfully, that constitutes password reuse.

Is there another way?

Over the years, various suggestions have been made concerning coming up with passwords which are harder to guess.

If you think you've got a password "algorithm" that's something like: take the first and last letters of the website (minus the TLD) and add the master password[3], please stop that immediately. It doesn't take much imagination to see how the discovery of one or more of your passwords might be sufficient to work out the others. Unfortunately this also holds true for the use of password hints, especially as these are often stored unencrypted (and, since they have to be shown back to you, must be recoverable even when they are encrypted).

Some people have suggested using phrases of several words, claiming that they are easier to remember than random sequences of characters. This is true, but it's not reasonable to think you can remember hundreds of such phrases, and we've already established that it's not safe to reuse passwords because you don't know how (or whether) each service is storing them.

Correct Horse Battery Stap... NO! [image credit: me again]

This one is aimed at those people who thought that you could come up with one phrase and use it everywhere (I doubt this was the intention of Randall Munroe when he came up with the original xkcd comic this image is referencing).

Memorising "Correct Horse Battery Staple" is fine if you only have one online account, but this sort of thing isn't very scalable.

Don't try to remember your passwords or work them out. Keep them unique and store them safely and securely.

A couple of examples of bad practice from service providers

These are presented from my Twitter feed without further comment.

And one from Adrienne Porter Felt:

Bringing it all together

You should use a unique password for every account and you should store your passwords in some kind of password management software.

Several paid versions of these exist with a couple of popular ones being 1Password and LastPass.

If you're paranoid, you might bear in mind what we already said about data breaches and worry about whether or not your service provider is secure, especially in light of what happened to LastPass last June.

With that in mind, I use KeePass for this purpose as it's very good, free and open source. You can unlock the database with a master password or a key file (or both, which is what I do). There are mobile apps available and you can store your encrypted database and key file online somewhere like OneDrive or Dropbox (keeping the database and the key file in completely separate locations). This means you may still need to remember a master password (unless you opt to use only a key file), but at least then you only need to remember one such password and you know that it's not being stored anywhere, so you're back to the situation I was in in 1994: as long as you don't tell anybody your password, you know it's secure.

So where's this strategy you promised us?

This might evolve over time, but I think you won't go far wrong if you observe the following:

What should service providers do?

  • Don't have silly rules about the character sets allowed for passwords
  • Don't use password hints
  • Don't force passwords to be changed unless there is reason to believe they have been compromised
  • Don't allow passwords shorter than 8 characters
  • Do allow passwords of up to 64 (or more) characters
  • Do let me paste my password into the login box
  • Do use a deliberately slow, salted password hashing algorithm like bcrypt or PBKDF2
  • Do give full disclosure of any data breaches as soon as possible
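As an added illustration of the provider-side items above (this is example code written for this edit, not the author's code and not taken from any product named on this page), the following Python checks a candidate password against a length-only policy and stores it as a salted PBKDF2-HMAC-SHA256 record using only the standard library. The constant names, the record layout and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Policy constants taken from the list above; the names are this example's own.
MIN_LENGTH = 8
MAX_LENGTH = 64
# Work factor is an assumption for this example; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means 'accept'.

    Deliberately checks length only: no character-set rules, so spaces,
    punctuation and pasted passwords are all fine.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt and return a self-describing record.

    Record layout (this example's own convention): algorithm$iterations$salt$digest,
    salt and digest hex-encoded, so the verifier can recover the parameters later.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # per-password salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time.

    Records produced by any other scheme (e.g. an old MD5 record) are rejected
    outright, which lets a login path flag them for re-hashing.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record, never compare against it
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    candidate = "correct horse battery staple"  # constructed sample; spaces allowed
    print(check_policy(candidate))                    # []
    stored = hash_password(candidate)
    print(stored)
    print(verify_password(candidate, stored))         # True
    print(verify_password("wrong password", stored))  # False
```

Two details are the point: every call to `hash_password` draws a new salt, so two accounts with the same password get different records (the salting footnote 2 describes), and `verify_password` refuses records tagged with any other algorithm instead of trying to compare them, which is the natural place to mark an account for re-hashing at its next successful login.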

What should users do?

  • Do use a unique password for every account
  • Do use made up answers to security questions where possible
  • Do use two-factor authentication where possible
  • Do store everything in a password manager (I use KeePass (free), but there are others)
  • Do use the password manager to generate and store your passwords
  • Do understand that using a password manager carries its own risks and be sure to guard the master password to your password manager very, very carefully
  • Don't ever write your passwords down (especially the master password); I've never even seen most of mine
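To make the "let the manager generate it" item concrete, here is an added Python example (written for this edit; not the author's code and not from KeePass or any other manager) showing how a manager-style generator draws a random character password or a random word passphrase from the operating system's CSPRNG, and how to compute the entropy of what it produced. The symbol alphabet and the eight-word sample list are constructed for the example; a real word list has thousands of entries.

```python
import math
import secrets
import string
from typing import Sequence

# Constructed alphabet: 94 printable ASCII symbols (letters, digits, punctuation).
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list standing in for a diceware-style list.
SAMPLE_WORDS = ("correct", "horse", "battery", "staple",
                "anchor", "violet", "marble", "kettle")


def generate_password(length: int = 20, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Draw `length` symbols uniformly using the OS CSPRNG behind `secrets`.

    `random.choice` would be the wrong tool: it is seeded predictably and is
    not intended for secrets.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: Sequence[str], count: int = 4, sep: str = " ") -> str:
    """Draw `count` words uniformly (with replacement) from `words`."""
    if count < 1 or not words:
        raise ValueError("need at least one word and a positive count")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a uniformly random sequence: symbols * log2(choices per symbol).

    This measures guess-resistance of a *generated* secret only; it says
    nothing about a human-chosen one, which is why the manager should do
    the generating.
    """
    return symbols * math.log2(choices_per_symbol)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(len(SYMBOL_ALPHABET), 20):.1f} bits")
    phrase = generate_passphrase(SAMPLE_WORDS, 4)
    print(phrase, f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
```

Twenty symbols from a 94-symbol alphabet give about 131 bits; four words from a 2048-word list (the figure the xkcd comic works with) give 44 bits, and four from the toy list here only 12. Either real option is far more than anyone can memorise hundreds of times over, which is exactly why the manager, not you, should hold them.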

And a bonus one: if, for some bizarre reason, you need to send a password to somebody, create a temporary password and send it like this. Read the article and see my comment in the discussion. Clearly this is only secure if you send the password URL on its own (i.e. not in an email saying, "click this link to get the password for service m with username n"). Remember to advise the recipient to change the password on receipt.

Conclusion

Password security shouldn't still be a thing. You should choose randomly generated unique passwords of around twenty or more characters for each service and they should be stored in some kind of secure password management utility which should be able to interact with your applications and browser in a safe manner.

And the next time you have to change your password at work, remember this advice from GCHQ (PDF report linked in this article):

Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

I'll leave it to you to decide whether or not you want to point that out to your colleagues.

If you found this article interesting or useful (or neither), you can comment below, subscribe or follow me on Twitter.


  1. I've read various articles that estimate the number to be anywhere from 27 to 118 each, on average, with some individuals literally having hundreds.

  2. You stored hashes of salted passwords such that there is no way of converting the thing you've stored back into the original password.

  3. I've seen it done.