Please update your password strategy

A few weeks ago, Mat Honan changed my life. Okay, it wasn’t that drastic, but he really made me step back and take a hard look at how I manage my digital life. Because, as he’s shown, your digital life can have a profound impact on your real life.

After I read Mat’s story, I immediately removed all of my stored credit cards from iTunes, Amazon and other services. I weighed the convenience of one- or two-click ordering against the risk of being the victim of such a hack (which could have ended a *LOT* worse), and decided that I would much rather enter that information each time than leave it sitting in someone’s potentially vulnerable database.

I also decided that I would be much more careful about where I would order from. If some discount web site has a pair of sunglasses for $5 cheaper than a more reputable site, sorry, but I’m much more interested in providing my credit card information to someone I trust than I am in saving $5. But I’m no longer willing to store that information, even with those retailers I do trust.

And I switched my GMail account to 2-step verification (Google’s name for two-factor authentication). This means that any time I access GMail from a new device or application, I cannot proceed until I enter a verification code, which is texted in real time to my mobile phone. (You can even set it to ask every time, even on the same device, but since I am addicted to e-mail, this is far too cumbersome for me.) It also means that if someone who has my password tries to log in from a new device, the code lands on my phone, so I find out about the attempt immediately, and they still cannot get in without it.

But most importantly, I completely overhauled my password strategy. For my entire online life, dating back to my first monthly dial-up account in the 90s, I have used very minor variations of a single password for all of my online services. It was a simple 8-character string that was meaningless to everyone except me; I had memorized it long ago, at a time when services would not even let you change your password. I would rotate the last character between 3 digits so that my passwords across all sites were not identical, and so that it would only ever take me 3 tries to get in (the threshold at which many sites will lock your account).

Mat’s experience reinforced a feeling I’d had for some time: such a simple algorithm is not a good idea. Primarily because it meant that I had essentially the same password across several services, all in the name of convenience. I’ve also heard that password-cracking software is designed precisely to chew through these so-called “strong” passwords: a brute-force cracker treats every position of a meaningless string the same, whether it holds an upper-case letter, a lower-case letter, a digit or a symbol. Mixing those classes only widens the alphabet a little, while every extra character multiplies the number of candidates by the whole alphabet, so length buys far more than complexity does. An 8-character string with only one digit that varies was therefore an open invitation to hack my life, and a longer password (rather than a short, “strong” one) makes that kind of attack much more expensive.

So I decided to take a much more aggressive approach:

  • I would create a unique password, per site. No exceptions.
  • My password algorithm would be more complex:
    • 20 characters whenever possible
    • mixture of easy-to-remember and hard-to-guess words and sequences
    • at least one non-alphanumeric character and one number (since this is often a requirement)
    • a site-specific token that is “hidden” in an unintelligible string

So, just as an example, let’s say I chose “nadalgretz” as my first 10 characters (two partial surnames of favorite athletes combined), then “#1a____7r4” as the second 10 characters (a non-alphanumeric character, a number, the first letter of my first name, 4 empty spots for a site-specific token, then my birth year separated by the first letter of my second middle name). I fill in the four underscores with the site-specific token, and get a long, hard-to-guess but easy-to-remember password that is unique for each site. (The initials and birth year are the weakest ingredients here, since they are exactly the sort of detail someone targeting you personally can look up; the fixed filler is safest when it is something that is not written about you anywhere.) Examples:

  • Amazon:   nadalgretz#1aNZMA7r4
  • Facebook: nadalgretz#1aKBCF7r4
  • Hotmail:  nadalgretz#1aLMTH7r4

Now, the point of these passwords is not to defeat a password cracker. If you throw a large enough dictionary attack at this and you’re willing to wait a few years (compared to a completely meaningless 8-character string, which can be cracked in much less time), you’ll crack a single password. And there’s a reason I “hide” the site-specific token inside a larger string and write it backwards: specifically so that it is not obvious to an actual human that this is a site-specific token. Because, let’s face it, stupid companies, even big ones, are going to keep storing your passwords in plain text. And they will get hacked.

This strategy makes it very difficult for the people who obtain those plain-text passwords to use them to access my other online services, as long as they don’t spot the pattern. You can even mix it up and write only some of the tokens backwards, or swap the two 10-character sections; this makes it even harder for a password from one site to be used to gain access to another. Since most sites let you get it wrong a couple of times before locking you out, it is not much of a hardship to mix it up, as long as you choose an obvious-to-you token for each site.
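As an added worked example (not code from the original post), here is the template from the examples above in Python, with the “write the token backwards” and “swap the two halves” variations, plus the comparison an attacker would run on two leaked plain-text passwords of the same person to find the per-site slot. The site abbreviations AMZN, FCBK and HTML are inferred from the three examples above; the work-factor figures assume a 95-character printable ASCII alphabet for a blind brute force and a letters-only, fixed-case token once the template is known.

```python
import math

# Template taken from the post: two 10-character halves, with four
# underscores reserved for the site-specific token.
FIRST_HALF = "nadalgretz"
SECOND_HALF = "#1a____7r4"
TOKEN_SLOT = "____"
PRINTABLE_ASCII = 95   # assumption: a blind attacker brute-forces printable ASCII
TOKEN_ALPHABET = 26    # assumption: tokens are letters only and case is fixed


def site_password(token: str, reverse: bool = True, swap_halves: bool = False) -> str:
    """Build one site's password from the template.

    token        the abbreviation you chose for the site, e.g. "AMZN"
    reverse      write it backwards as the post does ("AMZN" -> "NZMA")
    swap_halves  put the symbol/number half first (the post's "swap the two
                 10-character sections" variation)
    """
    if len(token) != len(TOKEN_SLOT) or not token.isalpha():
        raise ValueError("token must be exactly four letters")
    tok = token.upper()
    if reverse:
        tok = tok[::-1]
    second = SECOND_HALF.replace(TOKEN_SLOT, tok)
    return second + FIRST_HALF if swap_halves else FIRST_HALF + second


def brute_force_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Work factor, in bits, for an attacker who knows nothing about the
    structure and must try every string of this length."""
    return length * math.log2(alphabet_size)


def residual_bits_if_template_known(token_len: int = len(TOKEN_SLOT),
                                    alphabet_size: int = TOKEN_ALPHABET) -> float:
    """Work factor once an attacker has recognised the template: only the
    token is unknown, so the search space collapses to alphabet ** token_len."""
    return token_len * math.log2(alphabet_size)


def differing_positions(a: str, b: str) -> list[int]:
    """Positions where two same-length strings differ.  An attacker holding
    two plain-text passwords of one person from two breaches would run
    exactly this to locate the per-site slot."""
    if len(a) != len(b):
        raise ValueError("passwords have different lengths")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    # Abbreviations inferred from the post's three examples (constructed input).
    for site, abbrev in (("Amazon", "AMZN"), ("Facebook", "FCBK"), ("Hotmail", "HTML")):
        print(f"{site:9} {site_password(abbrev)}")
    print("swapped  ", site_password("AMZN", swap_halves=True))
    print(f"blind brute force, 8 chars : {brute_force_bits(8):.0f} bits")
    print(f"blind brute force, 20 chars: {brute_force_bits(20):.0f} bits")
    print(f"template known, 4-letter token: {residual_bits_if_template_known():.0f} bits "
          f"({TOKEN_ALPHABET ** len(TOKEN_SLOT):,} guesses)")
    a, b = site_password("AMZN"), site_password("FCBK")
    print("positions that change between two leaks:", differing_positions(a, b))
```

The numbers make the trade-off explicit: against a blind brute force, 20 printable characters are roughly 131 bits of work versus about 53 bits for the old 8-character string, which is why length matters so much. But once an attacker has seen two of these passwords side by side, `differing_positions` pins the token to positions 13 to 16 and the remaining work is 26 to the power 4, under half a million guesses, which is nothing. The scheme therefore holds up exactly as long as nobody recognises the pattern, which is why the hiding and reversing above matter, and why a manager-generated random password per site, which has no pattern to recognise, is the safer default where you can afford to use one.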

I had to make a couple of exceptions – one site wouldn’t allow non-alphanumeric characters, another site had a lower character limit. And it took a long time. But I feel much more secure about my digital life now.

And I know what you’re thinking: Remembering passwords is hard!

Yes, it is hard. I use Wallet from Acrylic Software. It’s Mac-based and syncs effortlessly between my Mac Pro, iOS devices and MacBook Pro. If you’re cross-platform or Windows only, you’ll also want to check out 1Password. And there are many other solutions so that you don’t actually have to remember your new, vast array of passwords.

Now, this represents a single point of failure: if someone gets into your password software, they have all of your passwords (and whatever else you tuck away there). I am not sure there is really a solution to this: you protect it with a master password (which has to be at least as strong as the passwords inside), good software encrypts the database on disk, and you can protect your laptop (but not most mobile devices) with a strong password. But if you lose your laptop or phone, a remote wipe may not happen quickly enough. And if you’re not locking your devices with some kind of passcode to at least slow an intruder down, you’re doing it wrong. If you lose your device or leave it unlocked on a table somewhere, someone will break in. Hopefully just to put naked firemen or penises on your desktop, but potentially to do much more sinister things.

This is exactly why I chose the approach that I chose. Eventually I will be able to eliminate software that helps me remember passwords. If I make a memorable enough phrase, and the only parts that vary are the site-specific token (and the few exceptions), I should be able to access all of my services without having to look anything up.

Now if only I could make up my own credit card numbers.