/ Security

I Don't Know 99% of My Passwords, and Neither Should You

Use a Unique Password For Every Site

This might seem overly paranoid. What could possibly be the consequences of someone obtaining your network password, watching a bunch of shows your behalf?

The concern isn't to protect your Netflix account, but your critical accounts such as your bank and email. If you use the same password across all of your accounts, and Netflix spills your password, then criminals can access your bank account as well.

Unfortunately, data breaches are fairly common. It's honestly not a matter of if your information will be spilled, but when. No system is perfect, and hackers attack popular sites every single day because they know the average person still, unfortunately, uses the same password across multiple sites. Some of the worst breaches so far:

  • LinkedIn: This breach was in 2012. While the passwords were hashed, more than 90% of the passwords were cracked in just under a week!
  • Yahoo: Fortunately the billion passwords were hashed using bcrypt, but along with that data was real names, email addresses, dates of birth, and telephone numbers.
  • Panera

And as a result of past breaches including those above, there are lists of plaintext passwords floating around on the Internet, such as this list of 1.4 BILLION passwords.

But I think the best example isn't a breach but an example from an account I have. I had forgotten my password to my J Crew account, and they sent it to me in plain text! (I've changed it since)
J-Crew-Password-Plain-Text

Imagine if I used this same password across all my accounts. Then anybody that managed to get this password would instantly have the password to my bank and investment accounts.

Hopefully it's clear by now that by using the same password for multiple accounts, you're vastly increasing your risk to data breaches.

How to Have a Unique Password Per Site: Password Managers

Obviously nobody can memorize a unique password for all of their online accounts. That's where password managers come to the rescue. A proper password manager will store all of your usernames and passwords in encrypted form. You MUST use a really strong password (and I highly suggest using some form of two factor authentication (2FA) as well) as you're putting all of your eggs in one basket.

Of course, I'm sure some of you are concerned about creating a single point of failure for your online accounts. And that's certainly true. However, if you're using the same password for all of your accounts, you're no worse than you started: if your one password is compromised all of your accounts are compromised. Furthermore, even if you're slightly better and use a handful of passwords (or variations thereof) across multiple accounts, you're still relying on other companies to keep your passwords safe (which we know they don't). You have to weigh the risk of a security breach from any of the services you use against the risk of a compromise of your password manager. And I think it's pretty clear the risk of a breach of some random account you created is much greater than the risk of compromise of your password manager (assuming you've picked a good password).

Option 1: Passwords Written on Paper

Pros:

  • Immunity from electronic hacking.

Cons:

  • Only have one copy of your passwords (unless you make copies, but then even keeping the copies up to date is a chore)
  • Risk of theft
  • Accessibility: either kept at home or taken with you
  • Risk of loss, particularly if taken with you

I strongly advise against this option

Option 2: Online Password Managers

There are quite a few reputable online password managers, such as LastPass, Dashlane, and 1Password. They all claim to encrypt your passwords and otherwise practice sensible security.

Pros:

  • Accessible anywhere you have Internet
  • Accessible offline as well if a mobile app is offered (most do)
  • Very secure
  • Allows for a dead man's switch (see later section)

Cons (fairly insignificant overall):

  • Have been compromised before
  • Can cost money

That's not to say that other (offline) password managers don't have security vulnerabilities either: they probably do considering ultimately they're all written by fallible humans. But the biggest difference is that online password management services are a big fat target for hackers and are surely attacked every single day. That is essentially the only reason I don't use an online password manager; I just don't like the idea of having my passwords stored in an online service and its potential consequences. However, I still think using online password managers are vastly superior to not using a password manager at all. If you don't like the next option, definitely use an online password manager.

Option 3: Offline Password Managers

There are a couple offline password managers, the most notable of which is KeePassXC, my password manager of choice. It is completely open source and supported on all the major platforms (Windows, Mac, and Linux). There's KeePass2Android Offline (also open source) for Android (obviously). And KeePass Touch for iOS, apparently. I don't have an iPhone so I don't know how good or bad it is.

Pros:

  • You have control of the encrypted copy of your passwords at all times
    • Avoids the big target issue of online password managers

Cons:

  • You have to keep the password database in sync yourself. This can be accomplished via a service like Dropbox, but that usually means giving your mobile app Internet access (which then means your app could, in theory, transmit all of your passwords in plain text!). In theory, enough paranoid people have read through the code of the app and verified that it doesn't do this, but you never really know unless the app was audited
  • You have to backup your password database yourself (Dropbox would be sufficient)
  • You rely on the open source community to keep the software up to date

Offline password managers definitely take some more set up time, and may not be worth it to some (most?) folks.

That's Great and All, But I Still Need a Super Strong Password Manager Password!

No, you actually want a super strong passphrase, not password. xkcd explains this well:

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

A ten character password of random upper and lower case letters has 52^10 possibilites. But by drawing six words from a dictionary of say, the 1000 most common words, your password has 1000^6 possibilities, which is almost ten times as many as the random password, while being easier to remember.

But it gets better if you use a bigger dictionary. So try to think of a passphrase of at least five words, with at least one word being obscure. Perhaps an off brand, or some technical term used in your line of work, etc.

Other Uses of Password Managers

Pasword managers can be used for more than just passwords. It's ultimately an encrypted container of information. I use it to also store

  • Credit and debit cards
    • I put the full number as the password and the first four digits as the username. Considering I have around 30 credit cards open at any give time, it's really handy to be able to look up cards by the last four digits (especially when the chance of having two Amex issued cards with the same last four digits is significant) by sorting by username
    • I also write into the notes field the
      • Expiration Date
      • CVV code (3 digit code on the back of your card, except in the case of Amex, the 4 digit code on the front)
      • 3 digit code on the back of Amex cards
      • Phone number for customer service (both domestic and international)
      • PIN if I haven't changed it from the default
  • Bank account routing and account numbers
  • Gift cards
  • Driver's license number and date of issue and expiration
  • Passport number and date of issue and expiration

Storing my credit card and bank account numbers in my password database have come in really handy while traveling.

Make Sure Your Email Password is Really Strong

Your email is what protects access to almost every account you have. Forgot your Netflix password? Reset it via email. Forgot your bank password? Reset it via email.

Set your email password to be as long as your email provider will allow (remember, you're using a password manager so you should never have to type it in manually anyways!)

Autotype

Password managers can often enter your username and password for you, oftentimes faster than you could type in your own password even if you had memorized it. With LastPass I believe they do this with a browser extension. With KeePassXC, you can define a shortcut (I use Ctrl+Alt+A) and it will try to find a substring match of the name of the currently active window - such as Login | ProtonMail - Mozilla Firefox to the name of one of your entries in your database. If no match is found, you can always define the autotype yourself for each entry in your database (so in this example, you'd edit the Protonmail entry to match Login | ProtonMail - Mozilla Firefox for auto-type).

Make Up Answers to Security Questions (and save them in your password database)

This one is a little bit more advanced, and I don't expect too many people will do this, but I will always make up answers to security questions and save them in the notes of the appropriate entry in the password database. If you answer them truthfully, anybody who knows you, or scours your social media accounts for clues, has a decent chance of being able to reset your passwords by guessing the answers to your security questions. Remember, your security is only as good as its weakest point.

Furthermore, please don't answer questions on Facebook posts where they for your favorite movie or what not. Those are your security questions! [1]]

Use a Unique Username for Each Account

Another advanced technique. A criminal cannot even begin to attack your account if they don't even know your username.

This might sound difficult to implement, but remember, if you use a password manager, you won't have to memorize your usernames either so this shouldn't take any extra effort when creating new accounts.

Unfortunately, some services do not allow you to create a username, and instead use your email as your login. You can get around this by purchasing a domain (which costs about $10-$20 a year), and using a catch-all. That is, you can set up the email for the domain such that if I own the domain somesite.com, I can receive all emails @somesite.com, such as hi@somesite.com, somebody@somesite.com, etc. If you decide to purchase a domain and use it for your email, you should not use email addresses of servicename@somesite.com. Put a number of at least four digits after the service name - so netflix2838@somesite.com, etc. so as to prevent someone from realizing your pattern of email addresses and being able to immediately guess your email for the service.

LastPass Has a Really Cool Feature: The Dead Man's Switch

They actually call it emergency access, but I like to refer to it as a dead man's switch. Essentially what you do is add the email addresses of trusted people (that have a LastPass account) to your account, and set a timer. At any time (though intended in the event of your death), these trusted people can request access to your account. If you do not decline the email notification of the request within the time limit, the trusted person will gain access to your account.

I actually bought a subscription to LastPass just for this feature (though I haven't put anything in my actual LastPass account yet). The plan is not to actually put my passwords into LastPass, but to leave the password to my password manager in the account (there's an encrypted notes section) along with instructions on how to find the password manager on the backup computer I set up at my parents' house.


  1. LinkedIn ↩︎

I Don't Know 99% of My Passwords, and Neither Should You
Share this

Subscribe to Seonwoo's Musings