It’s an old paradox to wonder why there are any doctors that smoke. It’s somewhat hypocritical, but mostly just confusing that the people who know the most about the effects of smoking should partake in it as well. I would like to say that I know better, but until a few days ago, I didn’t. Until then, my passwords for computer accounts and online services were all stored in plain text in a GMail draft. Were you to know that you could find it there, it would be very easy to steal all of them.
Using computers securely is a big battle for experts and users alike, and the best practices really vary from person to person. Every person needs to decide what their tradeoff between security and convenience is. On the completely secure side, one can memorize long, random, unique strings of characters for every account. This, however, is extremely inconvenient. On the completely convenient side, one can use “password” for every password. This, however, is extremely easy for hackers to break. Everyone’s practices lie somewhere in between, using known methods and a little bit of personal construction.
That personal construction, however, is where we really get ourselves into trouble. Security is very hard, and most improvised compromises aren’t good. For example, I know that I should have long, unique, hard-to-guess passwords for everything. Because I couldn’t remember them all, I decided it would be okay to record them somewhere easily accessible to me. Unfortunately, that happened to be a really awful practice.
Most people aren’t security experts and don’t know the best way to use computers securely. Given that, I think that a lot of bad practices can be rooted out with a quick two-question quiz:
- If a hacker knew where you store your passwords, could they guess your passwords easily?
- If a hacker knew a subset (none, one, a few) of your passwords, could they guess any of your other passwords easily?
The first question mostly deals with people securing their passwords by obscurity. This is mostly how my old system worked, and it’s a bad idea. The United States National Institute of Standards and Technology (NIST) thinks it’s a bad idea. It’s unlikely that you’ll come up with a method on your own that no one else has thought of, and if you’re borrowing someone else’s system, you’re already screwed. And even if you hide things, they can be found easily.
The second question deals with bad security design. In a world where you create passwords for many different services, some of which are well-built and some of which aren’t, it’s not hard to imagine that one of your passwords might be leaked to a hacker. That itself is somewhat unavoidable. If knowing that password, however, allows them to determine the rest of your passwords (either as a straight copy or by design), you’re in trouble.
Let me walk through a few common methods I’ve heard from friends recently (and a few trivial examples) and point out the possible problems with each of them:
- Use “password” for all passwords. This password is very common and not hard to guess. By question 2, a hacker could guess your password knowing a subset of size 0 of all of your passwords. This is an awful idea, as you can imagine.
- Use a small set (maybe 3) of passwords for everything. This is also a problem for question 2. If a hacker gets 1 of your passwords, they can now guess 1/3 of your accounts fairly easily.
- Store passwords in an unencrypted document on your computer. Even if you name it something other than “passwords.txt”, it’s not hard for a hacker who gets read access to your computer to find the file and copy it. At that point, this method fails on question 1.
- Start with a base password and modify it slightly for each service. For example, Google might be “abc123GoogleRocks” and Facebook might be “abc123FacebookSucks”. This ensures that each password is unique and somewhat long. Unfortunately, this is still a problem for question 2 because other passwords are deducible from a single password. In the example above, even though “Rocks” and “Sucks” are different suffixes that you can remember, it’s still a systematic method that doesn’t ultimately leave that many possibilities.
As you might have guessed, some of the above are better than others, but assuming you’re okay with the level of security each will give you, they’re all fine if they work for you. You should just be aware of the risks associated with them.
Given all this talk, I need to support my claims, so my new method is using a password manager (specifically, 1Password). Essentially, I have a single master password for an encrypted database that stores all of my other passwords. With that, I only need to type in my master password, copy the specific account password into the box (or use the auto-fill feature), then lock my manager again. Like other methods that aren’t memorized, random, long, unique strings, it’s not perfectly secure, but it’s good.
It isn’t susceptible to the flaw of question 1. Because the database is encrypted (using tested methods), it is presumed to be secure*, so even though I have announced that I’m using 1Password and the file is not hidden on my computer, a hacker shouldn’t be able to get my passwords without knowing my master password. Question 2 is a problem: if a hacker knows my master password, my world is open to them. Otherwise, my passwords can be arbitrarily complex.
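As an added illustration (not code from this post or from 1Password), here is a small Python audit of the schemes above against question 2: given a vault of service-to-password pairs, it flags any two passwords that are identical or share a run of four or more characters, which is the kind of reusable template that lets one leaked password suggest the others. The sample vaults are constructed for the demo, and the four-character threshold is an assumed heuristic; the last vault is what a password manager stores, random and unique per service, so nothing in it gets flagged.

```python
import secrets
import string
from itertools import combinations

# Constructed sample vaults (not real credentials), one per scheme from the post.
ONE_PASSWORD = {"google": "password", "facebook": "password", "bank": "password"}
BASE_PLUS_SUFFIX = {
    "google": "abc123GoogleRocks",
    "facebook": "abc123FacebookSucks",
    "bank": "abc123BankRules",
}


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters present in both strings (plain DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, start=1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def derivable_pairs(vault: dict, min_shared: int = 4) -> list:
    """Question 2 check: (service_a, service_b, shared_len) for each pair of passwords
    that are identical or share a chunk of at least `min_shared` characters.
    A chunk that long is treated as a template, not a coincidence (assumed heuristic)."""
    flagged = []
    for (s1, p1), (s2, p2) in combinations(sorted(vault.items()), 2):
        shared = len(p1) if p1 == p2 else longest_common_substring(p1, p2)
        if p1 == p2 or shared >= min_shared:
            flagged.append((s1, s2, shared))
    return flagged


def generate_password(length: int = 20) -> str:
    """What a manager stores for you: a long, random, unique string from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_vault(services, length: int = 20) -> dict:
    return {s: generate_password(length) for s in services}


if __name__ == "__main__":
    for name, vault in [("one password", ONE_PASSWORD), ("base+suffix", BASE_PLUS_SUFFIX),
                        ("manager", random_vault(BASE_PLUS_SUFFIX))]:
        print(f"{name:13} flagged pairs: {derivable_pairs(vault)}")
```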
The caveat to all this is that I trust that the creators of the password manager are honest people using sound security practices. If they’re sending all of my passwords out to their secret server, or if they screwed up the implementation of some security protocol, I’m in trouble. But that’s the line I draw for myself between convenience and security: I believe that my master password cannot be guessed and that 1Password is honest and secure, and this is the furthest I’m willing to go to be secure.
So maybe a password manager is a solution for you, or maybe it isn’t. I just wanted to write about it since I had thought about it so much recently and think it’s worth it for everyone to evaluate the ways that they are being secure. Again, it’s a tradeoff between convenience and security. Just be aware and comfortable with the consequences of your method, keeping in mind these two questions:
- If a hacker knew where you store your passwords, could they guess your passwords easily?
- If a hacker knew a subset (none, one, a few) of your passwords, could they guess any of your other passwords easily?
* I say presumed because even security experts don’t know if any construction is completely secure, but it’s the best that anyone knows. Ultimately it comes down to whether P=NP, for the CS-literate among you, so it’s about as certain as anything gets.