Passwords | ewerx

Passwords

Like me, you probably have login accounts all over the place. You can bet there are always hackers out there trying to get into those accounts. Yes, it happens, and anybody with a Playstation Network account has learned this the hard way.

Here are some techniques I use to keep my accounts secure while saving my brain from password overload.

Passphrases vs. Passwords

If the service allows you to have a long password, make your password a full sentence instead of a garbled combination of characters. The longer your password, the harder it is to crack by brute force methods. Phrases are also easier to remember, naturally.

Unique Passwords

This is an obvious one: do not use the same password for everything. If one account is compromised, all accounts are compromised, so use a unique password for each. Your brain may be a marvel of biology but it still doesn’t want to remember a hundred different passwords. Fortunately you can overcome your pathetic brain’s weakness by only making a small part of the password unique.

My method is to combine a common pass phrase with the name of the service (or some other unique identifier based on the specific service).

Example: “Facebook is a correct horse battery staple” for Facebook and “Google is a correct horse battery staple” for Google, and so on.

I only have to memorize the common passphrase portion, as the unique part can be inferred whenever I use it. You can also mix it up with multiple common phrases for different tiers of services (finance, websites, email, etc.).

Update (see comments): The above is just an example, and you should make it less obvious, as long as it’s still easy for you to infer without having to rely on memorization.

Password Managers

Another approach is to use a password manager. I use KeePass, because it’s open-source and multi-platform. 1Password and LastPass are also popular but I haven’t tried them. Before I started using the passphrase scheme above I used generated passwords from KeePass for really sensitive accounts (i.e. banks). But having to go through the password manager for each login was very inconvenient.

I do still find KeePass useful for storing other info like bank account numbers, license keys, and so on. KeePass is not cloud-based, it stores everything in a strongly encrypted file. I keep this file on DropBox so I can access it virtually anywhere, including on my phone using the Android client. It has saved me many times when I was at some service counter and asked for an account # and did not have the card on me. Carrying cards is so 20th century and I look forward to the day when my wallet can be fully replaced by my phone.

Two-Step Authentication

Google accounts now support two-step verification and if you use GMail you would be wise to enable this feature. It adds a second step to the login process, requiring you to enter a verification code that you get from an app on your phone (or via SMS). This makes it nearly impossible for anyone to access your account even if they crack your password.

This does add a little bit of inconvenience, but it’s worth it for making your account significantly more hack-proof. Facebook also offers two-step authentication, using SMS only at the moment.

Other Measures

Avoid using public wifi networks. It is extremely easy to steal login info from users on open wifi networks. If you have access to a VPN, use that whenever you are on an open network. If you have a smartphone with 3G data connection, tether your computer to your phone’s connection instead.

If the service you are using has the option, enable “Always use HTTPS”. Gmail, Facebook and Twitter all have this. Even though SSL may not be completely safe, it’s much better than no encryption at all.

What, me worry?

Maybe you don’t worry much about getting hacked, but just because you’re not paranoid doesn’t mean they’re not out to get you. I’m not particularly paranoid, and for a long time I used the same few passwords everywhere for years and thought “why bother?”. But if you can gain a lot of security with very little effort then “why not?” is the more appropriate question.

Next time you login somewhere, take a few seconds to go change your password to something more secure and easier to remember. After a while you will have fortified all your frequently used accounts and made life easier for your brain. Eventually it becomes a natural part of your online habits and you won’t even think twice about it.

I must give credit to Lifehacker for introducing me to many of these tips over the years. This should tide us over until we all have bio-metric ID implants.

 

13. October 2011 by ehsan
Categories: tech | Tags: , , | 3 comments

Comments (3)

  1. I just want to point something out. If you use the following approach:

    Example: “Facebook is a correct horse battery staple” for Facebook and “Google is a correct horse battery staple” for Google, and so on.

    That is … uh, that’s only one password. If you have a password that includes the service in the name and the same random string of words, once one password is cracked then they all are.

    Admittedly it’s still harder to crack than a random string, but if I were a hacker who, say, obtained the password “PSN is a correct horse batter staple”, my algorithm for your Facebook password would try “Facebook is a correct horse battery staple” right off the bat.

    • Good point. I’ll update the post to mention that this is just an example and it would be better to use a more obscure identifier.

      I think most hackers target a service and grab a database of user info (as in the PSN case), rather than target an individual user and spend time figuring out their individual password scheme.

      Most of this is done with automated tools, and in these cases, even the obvious “service name” + “common passphrase” will offer some protection. It’s mainly a first-aid measure. If one of your accounts is confirmed to be compromised, it’s still prudent to change all passwords that share any similarity with the breached one, but you’ll have more time to do so.

  2. Definitely something I will be doing! I tend to use the same or almost the same password for most websites. Trying to come up with 15 different passwords and remembering which one matches which site is just too complicated to even attempt. I’d have to permanent marker them to my foot. (so no one sees them)

Leave a Reply