Please update your password strategy

A few weeks ago, Mat Honan changed my life. Okay, it wasn’t that drastic, but he really made me step back and really take a look at how I manage my digital life. Because, as he’s shown, your digital life can have a profound impact on your real life.

After I read Mat’s story, I immediately removed all of my stored credit cards from iTunes, Amazon and other services. I weighed the convenience of one- or two-click ordering and being the victim of such a hack (which could have ended a *LOT* worse), and decided that I am more than willing to enter that information each time than to leave it in someone’s potentially vulnerable database.

I also decided that I would be much more careful about where I would order from. If some discount web site has a pair of sunglasses for $5 cheaper than a more reputable site, sorry, but I’m much more interested in providing my credit card information to someone I trust than I am in saving $5. But I’m no longer willing to store that information, even with those retailers I do trust.

And I changed my GMail account to use two-phase authentication. This means that any time I access GMail from a new device or application, I cannot proceed until I enter a verification code, which is texted in real time to my mobile phone. (You can even set it to verify every time even on the same device, but since I am addicted to e-mail, this is far too cumbersome for me.) This also means that I will be instantly notified any time my account is attempted to be accessed and it wasn’t me.

But most importantly, I completely overhauled my password strategy. For my entire online life, dating back to my first monthly dial-up account back in the 90s, I have used very minor variations of a single password for all of my online services. It was a simple 8-character stream that was meaningless to everyone except me: since I had memorized it long ago, at a time where services were not willing to let you change your password. I would rotate the last character between 3 digits so that my passwords across all sites were not identical, and so that it would only ever take me 3 tries (the threshold at which many sites will lock your account).

Mat’s experience reinforced a feeling I’d had for some time: such a simple algorithm is not a good idea. Primarily because it meant that I had the same password across several services. All in the name of convenience. I’ve also heard stories that the password cracker software out there is designed precisely to crack these so-called “strong” passwords – they treat any meaningless string of characters the same, whether they are upper-case, lower-case, numeric or non-alphanumeric. So perhaps an 8-character string with only one digit that varies was an open invitation to hack my life, and using a longer password (rather than a short, “strong” one) would make that type of exploit much more difficult.

So I decided to take a much more aggressive approach:

  • I would create a unique password, per site. No exceptions.
  • My password algorithm would be more complex:
    • 20 characters whenever possible
    • mixture of easy-to-remember and hard-to-guess words and sequences
    • at least one non-alphanumeric character and one number (since this is often a requirement)
    • a site-specific token that is “hidden” in an unintelligible string

So, just as an example, let’s say I chose “nadalgretz” as my first 10 characters (two partial words of favorite athletes combined), then “#1a____7r4” as the second 10 characters (a non-alphanumeric, a number, the first letter of my first name, 4 empty spots for a site-specific token, then my birth year separated by the first letter of my second middle name). I could fill in the four underscores with a site-specific token, and have a *very* strong, impossible to guess, but easy to remember password that is unique for each site. Examples:

  • Amazon:   nadalgretz#1aNZMA7r4
  • Facebook: nadalgretz#1aKBCF7r4
  • Hotmail:  nadalgretz#1aLMTH7r4

Now, the point of these passwords is not to defeat a password cracker – if you throw a large enough dictionary attack at this, and you’re willing to wait for a few years (compared to a completely meaningless 8-character string, which can be cracked in much less time), you’ll crack a single password. And there’s a reason I “hide” the site-specific token inside a larger string and list it backwards: specifically so that it is not obvious to an actual human that this is a site-specific token. Because, let’s face it, stupid companies, even big ones, are going to keep storing your passwords in plain text. And they will get hacked.

This strategy makes it very difficult for the people who obtain those plain-text passwords to use them to access my other online services. You can even mix it up and list only some of them backwards, or swap the two 10-character sections – this makes it even harder for a password on one site to be exploited to gain access to another. Since you can try twice without getting locked out of your account, it is not much of a hardship to mix it up, as long as you can choose an obvious-to-you token for each site.

I had to make a couple of exceptions – one site wouldn’t allow non-alphanumeric characters, another site had a lower character limit. And it took a long time. But I feel much more secure about my digital life now.

And I know what you’re thinking: Remembering passwords is hard!

Yes, it is hard. I use Wallet from Acrylic Software. It’s Mac-based and syncs effortlessly between my Mac Pro, iOS devices and MacBook Pro. If you’re cross-platform or Windows only, you’ll also want to check out 1Password. And there are many other solutions so that you don’t actually have to remember your new, vast array of passwords.

Now, this represents a single point of failure: if someone hacks into your password software, they have all of your passwords (and whatever else you tuck away there). I am not sure there is really a solution to this: you can protect this with a password (which is similarly strong), and some software may do a really good job of encrypting the data on disk, and you can protect your laptop (but not most mobile devices) with a strong password. But if you lose your laptop or phone, a remote wipe may not happen quickly enough. And if you’re not locking your devices with some kind of passcode to at least delay this a bit, you’re doing it wrong. If you lose your device or leave it unlocked on a table somewhere, someone will break in. Hopefully just to put naked firemen or penises on your desktop, but potentially much more sinister things.

This is exactly why I chose the approach that I chose. Eventually I will be able to eliminate software that helps me remember passwords. If I make a memorable enough phrase, and the only parts that vary are the site-specific token (and the few exceptions), I should be able to access all of my services without having to look anything up.

Now if only I could make up my own credit card numbers.

Fidelity : A mixed feelings follow-up

After my last post about Fidelity, I have mixed feelings about the way I was treated by various people in their customer service department. Basically, their policies combined with my former 401K plan administrator’s decision to cut corners, left me in a position where I stood to lose well over 5 figures in tax obligations that I really shouldn’t have owed.

They fixed it, but it took almost a month. I would say it took a bunch of phone calls, but that would be lying. While I did spend a lot of time on the phone with them in the first week of this saga, none if it I would consider progress toward a resolution – in fact all of my phone calls with them over the course of that week resulted in the same answer (para-phrased, of course):

You’re screwed. And our hands are tied.

It was not until I wrote a blog post about the situation – and had the link re-tweeted by many people – that Fidelity actually started to pay attention. After a few direct messages and a couple of phone calls, they decided that maybe it was worthwhile, after all, to actually treat me like the human being who trusted them with a good portion of his life savings for several years.

Long story short: On Tuesday of this week, I was finally able to deposit the *FULL* proceeds of my 401K into my new IRA account at USAA. I love USAA; not only did they make the transition simple, but during the process they also taught me about ways I could limit or even eliminate my tax exposure if Fidelity – for some reason – had refused to bend and kept the 20% withholding. And they committed to walking me through it and making sure all of the paperwork would be absolutely infallible come tax time. Thankfully I didn’t need that in the end, but it was nice to see the “above and beyond” attitude at USAA in the midst of such wallowing failure at Fidelity.

So Fidelity, here is my evaluation of how you handled this process:

A – for finally doing the right thing and fixing a problem completely outside of my control.
F – for forcing me to go to the lengths that I did before you actually started listening to me.

The lesson I took from this: due to its high visibility in comparison to crapping on a customer during a 1-on-1 phone call, social media can be a pretty powerful tool in getting big companies to stop being jerks.

Next stop: Progressive. I’ve been with them for over 10 years, but their actions in this situation are inexcusable and I can’t, in good conscience, continue giving them our business. Like Fidelity, it seems they’re learning about twitter the hard way, too.