Monday, September 03, 2012

Online security and password management

This post is a bit off topic from what I usually write about. I want to take look at a something that is increasingly becoming an issue - being secure online. The internet is an essential utility that one cannot avoid. As such it’s more important than ever to have good security hygiene.


Wired journalist Mat Honan was recently hacked hard. Hackers gained access to his Apple iCloud, Twitter and Google accounts. They posted some vile comments via his Twitter, deleted his Google account, and wiped his iPhone, iPad and MacBook Air. His MacBook air was the only place he had more than a year’s worth of photos, covering the entire lifespan of his daughter. (He's since recovered his data, at a cost of about $1500.) Really, he was lucky in that they did this for the “lulz”, not to gain access to a bank account or steal his identity.

There is no such thing as perfect security when online, but you can take steps to be more secure. Before looking at solutions, let's consider the issues.

Authenticating yourself involves providing evidence that you are you. You can prove who you are through:
  • something you are (e.g. a finger print)
  • something you know (e.g. a password)
  • something you have (e.g. a mobile phone).
Logging on to a website generally uses "something you know" - a password. The problem with this is that this is inherently insecure. If a hacker gains access to your password - game over.

I've spent a fair bit of time getting secure as reasonable. The main ways of doing this are:
  1. Using strong passwords
  2. Two factor authentication
This post will take you through some apps that make it easy to do this with hopefully not too much effort. It is more effort than not being secure, but much less effort than trying to recover a destroyed digital life, or worse, a stolen identity.

What to not do

Most people use terrible passwords. The most common passwords are:
  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football
  11. letmein
  12. monkey
  13. 696969
  14. abc123
  15. mustang
  16. michael
  17. shadow
  18. master
  19. jennifer
  20. 111111
  21. 2000
  22. jordan
  23. superman
  24. harley
  25. 1234567
If one of yours is here... sheesh. (And one assumes number 8 is referring to the popular house pet.)

Some basics of things you shouldn't do. Do not use:
  • personal information in your password that someone could work out
  • dictionary words, or geographical or biographical names
  • a password that is the same as your account information.
If you think you're okay because you use an "un-guessable" password of your own, think again. If your password isn't actually random, then it's getting worse over time. Every time a password database is leaked, hackers get a better idea of the patterns that people use, as this great article explains. Other points:

  • The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.
  • In the past year alone more than 100 million passwords have been published online.
  • 8.2 billion average passwords combinations per second are able to be tried by a PC running a single AMD Radeon HD7970 GPU.
Passwords people think are secure follow patterns that hackers have cracked. E.g:
  • Adding numbers or non-alphanumeric characters such as "!!!" to them, usually at the end, but sometimes at the beginning.
  • "Mangling" — transforming words such as "super" or "princess" into "sup34" and "prince$$".
  • Mirror imaging — "book" becomes "bookkoob" and "password" becomes "passworddrowssap".
  • Appending a date of birth or similar to a name — Julia1984.
The bottom line is you're not really that clever or original. Any pattern you thought of using, someone else has probably thought of using it too, and at some stage a password database leak has enabled hackers to add that pattern to the lists of passwords they cycle through.

How to create a strong password

The fundamentals of making a password strong are:
  1. A bigger set of characters: numbers only (10 characters), numbers + lowercase + uppercase letters (10 + 26 + 26 = 62 characters), all the characters on your keyboard (92).
  2. The longer the better. Longer means exponentially more possible combinations an attacker has to try. A four character password would take about 0.0004 seconds to crack. A 10 character one would take about a year.
  3. Increase entropy. Use random characters for your passwords.

What to do

If you follow the advice above, the biggest problem is trying to remember your passwords. Given on average people seem to use the same password for more than one account (a huge "no-no"), this is clearly a problem.

Best option
Invest time and effort (it's really not that hard - but will take some time) into setting up a password manager, such as:
See this recent article from PC Mag or this from InfoWorld for some reviews and comparisons of these and other apps.

These all work in essentially the same fashion. You store all your website logins and passwords (and any other information you like) in a "vault". The vault is encrypted and you have a single master password to login. On logging in, you can then easily enter any website. The beauty is you now only have to remember your master password (make sure it’s a good password…).

Most of these applications have password generators. You can now have completely random and long secure passwords for all your other sites such as: ;BnIuL$MK55?sPe+0t1gK+wD0hAB0Nl or BB=d5%&&TaJJS~w?NK7Oph&ICnRDO4e. They all have the ability to sync across devices and there is a range of prices (including free options).

Blurbs from their websites
Never forget a password again and log into your sites with a single mouse click. Automatically synchronizes your data: access it from anywhere at any time. Protect yourself against phishing scams, online fraud, and malware. All of your data is encrypted locally on your PC - only YOU can unlock it. No catches or gimmicks. It's free to use on all your computers! Using a Mac, Windows, or Linux? LastPass works everywhere.
1Password can create strong, unique passwords for you, remember them, and restore them, all directly in your web browser.Go & Fill: 1 Click, That's It.
Selecting one of your saved logins from 1Password's Go & Fill menu takes you to the site, securely fills your username and password, and logs you in, all with a single click or a few keystrokes.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.
All of these have apps for Windows, Mac OSX, iOS, Android and so on. KeePass and 1Password keep your passwords in sync (i.e. if you change or add a password on one device, it will automatically be updated in the app on all your devices) using Dropbox. LastPass uses its own servers to stay in sync.

KeePass is free. It's the geekiest in terms of setup. 1Password is $49. I've never tried it but many people swear by it. LastPass is free for desktops/laptops, or $12 per year to sync with the mobile apps. I spend more than $12 a week on coffee - so LastPass premium was a no-brainer for me.

But wait you say - you're entrusting your logins and passwords to a third party?

Yep. The key to these apps being safe and secure, is that the encryption happens before the data is sent to the cloud (Dropbox or the application vendor's server). Encryption and decryption is done on the device and the key stays on the device. If you lose your master password - no one can get your data back. It is literally impossible (until quantum computing happens for real) for your passwords to be accessed without the master password - which only you should have.

If you investigate any password management app - pre-internet encryption is essential. Not having this is a deal breaker.

LastPass won for me because it's very easy to use, autofills logins and most importantly, does everything right. And it's ridiculously cheap. If your still not sure about using a password manager, or why you should trust one like LastPass, check out this thorough review by security guru Steve Gibson.

Second best option
If you don't decide to use a password manager, one thing you can do to make your password harder to crack without adding any extra cognitive load in remembering it, is to add a string of characters to the beginning and/or end of your "usual" password in a pattern that’s easy to remember. This method, password haystacks, also comes from Steve Gibson. Essentially you can dramatically add to the password length without any real inconvenience. E.g.:
  • Your usual password is bad, it's password (short, dictionary word, no numbers or punctuation).
  • Your new password is improved by adding an easily remembered sequence, and now is 1111111111password………. (long, not just dictionary word, has punctuation and numbers).
This is still not as good as a randomly generated password, but the universe will end before it's brute forced by a modern computer. The good thing is it's easy to remember. The pattern is 10 ones before the "usual" word you use and 10 periods after (you'd obviously use something different). It's still problematic in that it's a pattern and if many people start doing this, no doubt hackers will start taking it into account. But this would still be tough to crack purely because it's so long, and the password cracking software won't know how many characters it is.

Two factor authentication

So far we have only looked at one aspect of verifying yourself to a website - "something you know" - your password. Another factor is "something you have". Two factor authentication uses the "something you have" to really tighten up security.

A website that is set up for two factor authentication not only requires you to provide the password, it then requires to provide proof that you have an object in your possession. In the case of Google and Facebook's implementation - the second factor is your phone.

If you turn on two factor authentication, whenever you login to a Google service or Facebook from a new device (or a hacker who has obtained your login and password tries to), a 6 digit code is sent to your phone (or you can use the Google Authenticator or Facebook app on your phone) which you have to enter before being able to login. I.e. you need to know your password and be in physical possession of your phone to login.

On doing this for the first time with a new device, you are given the option of "trusting" the device, which means you are not required to use the second factor next time you login.

Another reason I like LastPass is it also uses two factor authentication. In order to login from a new device, as above, I need the second factor.

Turning on two factor authentication
For Google services (such as gmail), see Getting started with 2-step verification (as they call it), for how to set up two factor authentication.

For Facebook, see Introducing logon approvals for how to set up two factor authentication.

This was also covered a part of a recent episode of Know How, where they take you through setting up both.

Other things to do

  • Avoid security questions. If you have to set up a security question, don't give real answers that people could work out. This is how most celebrity phone "hacking" has worked.
  • Set up a password recovery email that is only for this purpose (you never actually use it for emailing) and no-one would guess from your name or other email addresses.