This is a major point of frustration and contention between normal end users and computer nerds/IT professionals. There’s a give and take that goes on between what end users should be doing for their passwords and what they can reasonably manage. Like all the help pages I write and advice I give to people, I can only base things on what I’ve seen day in and day out for quite a few years. And what I’ve seen over the years when it comes to password security truly makes me cringe just thinking about it. I don’t like to be one of those IT people who just berates users for doing things wrong. I always try to help them as best as I can, but in this area I’ve come to the realization over the years that until a user experiences a situation where one or more of their accounts, or worse yet identities, has been breached, they are wildly reluctant to take this topic seriously. In recent years, this is becoming something I’m trying to more actively force people I know into doing right. If you are reading this, it hopefully indicates that you have some intention of taking this topic seriously, so here are some of my top recommendations for the average user. Sure, there are stronger, better ways to truly lock things down, but those measures are typically best reserved for those who truly need it (banking institutions, security professionals, etc). Like everything on these help pages, this information is meant for the average day-to-day user. I try to balance what will keep them most secure while still being easy enough to not be counterproductive.
Do not use the same one (or few) password for everything
I can’t stress this one enough. And it makes me sad that the vast majority of people I interact with do exactly this. I have to admit to having fallen prey to a variation of this problem. For many years, I used a set of 5 or so passwords that I used for different “levels” of security. If it was some random forum registration that I couldn’t care less about, I used my simplest “least secure” password. If it was my bank account, I used the strongest, best one. But like a great many users, I used all of these passwords on a great many different sites. I explain this as an example of what NOT to do. All it takes is one disreputable site, or even a reputable one that is simply compromised (such as the high-profile hack of Gawker Media’s sites or the even larger hack of Zappos), to cause the security of your digital world to unravel. I had that happen to me back in 2008 for one of those passwords I mentioned (my second strongest of the bunch), and I spent much of a day getting out ahead of whatever automated bot it was that was hacking into my various accounts that used that password. Thankfully, I realized it had happened in less than an hour of when it started. I got lucky and had absolutely no real damage come from the situation, but it could have been so much worse. Even though I caught it early, it took hours for me to get it under control. And I knew what I was doing. I pity the average user who has to get a situation like that under control. There are a few schools of thought on this, but what I use and recommend to people who want a good middle ground approach is…
Use a standard “core” password and a pattern based variation for every account
Here is an excellent write-up on this very thing (including a quick 3 minute video on it), but I’ll go ahead and give you my take on it. As this topic varies in recommendations from folks, some of what I say here is slightly different from that linked article. Choose a base password that will be part of all of the rest (and whatever you do, it better not be so simple that it’s on this list of top 20). I would say to make it 8 or more characters, include at least one number, one capital letter and one symbol (such as *, !, # and what-not). Here’s a simple grid to help put the need for a good core password into perspective. Here’s a great site to test out variations of passwords you are considering (it gives all the reasons why it’s good or not). Put a good amount of thought and consideration into this core password. Make it something completely random, not even closely resembling a word. Once you’ve typed a password a dozen or two times, it will become burned into your brain and will be memorable in the long run no matter how random and crazy, so go out of your way to make it as good as possible. Now, try typing it a few times to see how it “feels.” I personally like passwords I can type with one hand (or as much as possible on one hand), so I can hold a phone or do something else while typing it. If you use a mobile device like an iPhone or Android, try typing it on the device’s keyboard. This is particularly important when choosing which symbol(s) to use, as some of them may be more buried on the mobile device’s keyboard than others.
Once you have the core password figured out, now come up with a unique pattern to add into it. This might sound complicated, but like everything, once you have repeated the process a half dozen times, it becomes second nature. For example, you may want to put the number of characters of the first word of the site/service before the password (so if it was Amazon, you’d put a 6 before the core password), then stick the last vowel of the first word of the name in lower case after a specific character in the pattern, then tack on the first consonant of the first word of the name in caps at the end. So if you had “F23!qfvC” as your core password, and you tacked on the last vowel after the exclamation point, your Amazon password would be “6F23!oqfvCM”. It has the “6” at the beginning, the core password with the lower case “o” (the last vowel) after the exclamation point, then a capital “M” (capital of the first consonant). But that’s just an example. Come up with any pattern approach that works for you. Like I said, the more complicated (and longer in total length), the better. Make sure the total length of each password is at least 10 characters.
You will also run into situations where you’ll need to know how to handle exceptions. For instance, if you are doing one for a site name with no vowels in the first word (come up with how you’d handle that, be it to not include it at all, or whatever). It would also be a nice extra step to have something completely different and unique for each of a few of the most important sites you deal with (your bank account, your primary e-mail account, etc), so that even if somebody ever did figure out the pattern you were using somehow, those would still be safe. Now, after you’ve read all this, your first thought is going to be, “this all sounds too complicated and I’ll never remember any of it.” I understand the feeling, and for the first week or so of the process, it will be a bit awkward, but in the long run it will be a piece of cake. Like any process, once you’ve repeated it a number of times, it will become second nature. It has for me. But there’s another major recommendation that will make all of this a whole lot easier…
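The pattern described above, worked through in code as an added example (this is not code from the original post): the core password is the post’s own “F23!qfvC”, and the rule for a first word with no vowel or no consonant is an assumption, since the post leaves that exception up to you.

```python
# Added example, not from the original post: derive a per-site password using the
# post's sample pattern: <length of first word> + core (with the first word's last
# vowel inserted right after "!") + <first consonant of the first word, upper case>.
import re

VOWELS = "aeiou"
CORE = "F23!qfvC"      # the post's example core password (illustration only)
INSERT_AFTER = "!"     # pattern: the last vowel goes right after this character


def site_password(site_name, core=CORE, insert_after=INSERT_AFTER):
    """Return the derived password for site_name.

    Exception rule (an assumption, the post says to pick your own): a first word
    with no vowel contributes nothing in the vowel slot, and a first word with no
    consonant contributes nothing at the end.
    """
    first = re.split(r"\s+", site_name.strip())[0].lower()
    if not first:
        raise ValueError("site name must contain at least one word")
    prefix = str(len(first))
    vowels = [c for c in first if c in VOWELS]
    consonants = [c for c in first if c.isalpha() and c not in VOWELS]
    vowel_part = vowels[-1] if vowels else ""
    suffix = consonants[0].upper() if consonants else ""
    head, sep, tail = core.partition(insert_after)
    if not sep:
        raise ValueError(f"core password does not contain {insert_after!r}")
    return prefix + head + sep + vowel_part + tail + suffix


def is_long_enough(password, minimum=10):
    """The post's rule: total length of at least 10 characters."""
    return len(password) >= minimum


if __name__ == "__main__":
    for name in ("Amazon", "Gmail", "Xyz Corp", "Bank of America"):
        pw = site_password(name)
        print(f"{name:16} -> {pw}  (long enough: {is_long_enough(pw)})")
```

Note that every derived password still shares the core, which is why the post also suggests fully unique passwords for your few most important accounts.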
Use a password management application
Many web browsers have systems for storing various passwords, but I would recommend against using them. For one thing, you never know if you’ll be sticking with that browser in the long run. If you had asked me a couple of years ago how likely it was that I would no longer be using Firefox as my primary browser a couple of years later, I would have considered it nearly impossible. But then Google launched Chrome, which I’ve been happily using as my primary browser. And Opera is a highly attractive browser. The point is, you want something that’s not specific to a single browser, and something with a bit more general flexibility and internal security. Most of the good browsers (Chrome, Firefox, etc) do a decent job protecting their stored info, but they will not be as good as…
While Gina recommends the nice KeePass in the post I linked to above, I strongly recommend LastPass (which is a variation of KeePass, anyway). There are many great advantages to LastPass. For one, it is a cloud based system that is a single, central point of your password information. LastPass takes the security of your info very seriously, and it’s encrypted on the client side before being stored on their side (so they can’t see the actual info, either). The beauty of it all being centrally stored is that it’s easy to get at the info from anywhere on whatever device or browser. They also have extensions for all the major browsers that integrate the service very well right into the browser, so it can fill in your login info automatically at sites (or even log you in automatically to sites – which works better on some sites than others). They’ve also got apps for mobile devices, such as iPhones, iPads, Androids, etc. And speaking of LastPass, this brings me to another main topic…
Use two-factor authentication where possible
A two-factor login process involves providing both the password and a second form of proof that you are who you say you are. There are a number of different approaches to two-factor authentication. Many bank sites do a form of two-factor authentication, in some cases a weaker one, such as texting a security code to the cell phone number they have on file for you to enter when you log in from a browser you have not logged in from before. There are better and more secure approaches to it, but any form of two-factor authentication is a good thing.
LastPass supports a number of two-factor authentication methods for getting into your LastPass data. I personally use the YubiKey approach. It carries an additional cost of $25 for the hardware, so you may want to go with one that does not require special hardware. They recently added the ability to use Google’s Authenticator two-factor authentication platform, which is quite nice. If I were not already using the YubiKey approach, it is the one I would be using for LastPass. I do recommend (and personally use) Google’s two-factor authentication for your Google account. It gives you an option for a couple of approaches to using it. Systems like the YubiKey and Google’s Authenticator are excellent secondary security measures.
Both of them rotate the security code they give you, down to every 30 seconds or so. On systems where you are using such secondary authentication steps, your password and the secondary authentication method are useless to somebody else by themselves. So if I lost my YubiKey, it is useless to anyone else without the password for the services that it goes along with. And since I only use it with LastPass, if I were to lose it, I could just remove that YubiKey from my LastPass settings and not care that anyone out there has it. And many of these two-factor (sometimes referred to as “multi-factor”) authentication systems have a number of settings that can lock things down to your preference (every time you log in, after a certain time-out period, on unrecognized browsers, etc).
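To show what the 30-second rotation above actually is, here is an added example (not code from the original post or from Google/LastPass) of the RFC 6238 time-based one-time password scheme that Google Authenticator implements, with a verifier that tolerates one step of clock skew. The secret is the RFC’s published test secret, not a real one.

```python
# Added example, not from the original post: RFC 6238 TOTP on top of RFC 4226 HOTP,
# the scheme used by Google Authenticator-style apps. The 6-digit code changes every
# 30-second step, so a captured code is worthless once its window has passed.
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP where the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, window=1, step=STEP_SECONDS):
    """Accept the code for the current step or up to `window` steps either side
    (clock skew). compare_digest keeps the comparison constant-time."""
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("code for the current 30-second window:", totp(RFC_TEST_SECRET, now))
    print("seconds until it rotates:", STEP_SECONDS - int(now) % STEP_SECONDS)
```

The server side stores the same secret, so the code alone (without the password) or the password alone (without the secret) gets an attacker nowhere, which is the point made above.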
Avoid using open wi-fi if possible
This is a major risk that most people aren’t particularly aware of. When you are communicating with unencrypted websites on an open network, you’d be absolutely horrified to see how easy it is to compromise your account for the site(s) you are actively talking to. Tools like the astoundingly simple-to-use Firesheep make it so easy to compromise somebody’s security, it’s a real wake-up call to anyone who sees it in action. Seriously, if I showed you this in action (I’ve tried it – it works very well), you would be sobered up enough to take this topic very seriously. For starters, make sure that if possible the network is encrypted (via WPA/WPA2 – as WEP is wildly insecure these days). When you’re connecting to a wireless network on most computers/devices, it’ll show the network as encrypted or not, and on most devices will say what encryption method is employed (or at least show a little padlock icon next to the network name or something). Some newer devices and operating systems will even toss up a warning when you are connecting to open networks.
And while I’m not trying to overly scare you, network administrators (folks such as myself) can pull off a similar trick on wired connections, too (it takes more effort, but we can enable features on network hardware that dump all traffic to a device for network performance analysis, which accomplishes the same thing). And to be even more scary, there are any number of networks in between you and the site you are talking to which can do the same thing (though that would be a pretty rare instance – to date, anyway). If you aren’t logged in to any of the web sites you are communicating with, then using an open wi-fi is harmless (assuming you wouldn’t mind if someone saw what sites you were looking at). Just be sure you’re not currently logged in to whatever site you’re talking to.
And needless to say, if you have a wireless network at your house, make sure it’s encrypted (there are more reasons than this to do so) – and make sure it’s using WPA level or better encryption (most any in recent years should be by default). If you’re paying attention, you’ll still have one question regarding this: “you still haven’t addressed the topic of unencrypted web sites.” Which brings me to…
Use an encrypted connection with web sites whenever possible
This one’s sadly a bit tougher to conquer, but important. I put it last on this list not because it’s least important, but because it’s a royal pain to properly do right. Despite years and years of sites being hounded to provide secure connectivity capabilities, tons of them have yet to get it right. I must admit to being guilty of this very thing with this site that you are reading right now (but for a site like mine, it really is not important to anyone but me, because you are not actually logged into my site in any way). Your risk is nil on sites like this where you don’t log in and/or share personal info.
Sites with millions of users, however, should already be doing this if they are at all worth actually using (Facebook took a depressingly long time to do this, but they finally did). There are browser extensions out there to take care of this as best as possible. On Firefox, there are extensions like HTTPS Everywhere (among others). That’s the best of the bunch, but even it has limitations. On Chrome, there’s KB SSL Enforcer, which has further limitations due to the way the browser works (though I still use it, and recommend other Chrome users do, too). It’s currently the best solution for Chrome. Any of these extensions can cause unpredictable results on some sites, because some of the sites will respond to a secure connection request, but not actually deliver the desired site/content. In those cases, the extensions will have an option to exclude/blacklist the site so it does not try to auto-redirect you to a secure connection on them again. Other browsers like Opera may have something similar (I have not looked). To put it bluntly, you should not be using Internet Explorer as your browser in this day and age (for many more reasons than security). If you have any say in the matter, you should be using a different browser. With IE9, it is a better browser than it used to be, but it is still the worst of the browsers out there.
Put simply, the world of HTTPS/SSL on websites is a messy one, which will hopefully improve in the near future. More sites need to just automatically drop people onto the HTTPS version of the site by default. Many popular sites have this as an option (Google does, Facebook does, etc – you should take the time to set this option wherever possible on sites you frequently use). Also, you can pay attention to the bit in your browser that indicates if a site is using secure communications or not. Here’s a guide to how Chrome displays that. Note that some sites, like GMail, may somewhat incorrectly show as not on a completely secure connection (a result of “Mixed content” mode – where the app like GMail is secure, but the e-mail it has displayed contains links to content that is not).
Like I said, this particular topic is still a mess in the online world today. Your best bet is to use one of the browser extensions that does its best to keep you on secure connections whenever it can, and to enable the setting to make HTTPS/SSL the default on web sites that support it. Beyond that, you can simply try changing the http part of a web address to https on any site and see if it works. If so, use it that way (and modify any shortcut you have to it to include the “s”). Hopefully in the near future, this will become more of a non-issue as sites correct default behavior on their side of things. One thing is for darn sure, if it’s a financial institution or transaction you are involved with, ALWAYS make sure that your browser indicates that it is on a secure connection. ALWAYS, ALWAYS, ALWAYS! If your bank is doing financial transactions over a non-SSL/HTTPS connection, you need to find a new bank, plain and simple. At the very least, do not even consider their web site as a resource you should use. Heck, I’d find a new bank even if I didn’t use their web site if I knew they were dumb enough to be doing so.
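The two things this section and the open wi-fi section ask of sites can be checked from their HTTP responses: a plain-http request should be redirected to the https version, and login/session cookies should be marked Secure so they are never sent in the clear (the cookie flag check goes one step beyond the post’s text; it is the server-side fix for the session capture Firesheep demonstrates). This is an added example, not code from the original post, and the two responses are constructed samples.

```python
# Added example, not from the original post: inspect raw HTTP responses for
# (1) an http -> https redirect and (2) Set-Cookie entries lacking the Secure flag.
# Both sample responses below are constructed for illustration.
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(header_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def redirects_to_https(raw):
    """True if the response to an http:// request sends the browser to an https:// URL."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES:
        return False
    location = next((v for n, v in headers if n == "location"), "")
    return urlsplit(location).scheme == "https"


def insecure_cookies(raw):
    """Names of cookies set without the Secure attribute (sendable over plain HTTP)."""
    _, headers = parse_response(raw)
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(cookie_name)
    return missing


# Constructed sample responses to an http:// request for a login page.
GOOD_RESPONSE = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://example.com/login\r\n"
                 "Set-Cookie: sessionid=abc123; Secure; HttpOnly\r\n\r\n")
BAD_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                "Set-Cookie: sessionid=abc123; Path=/\r\n"
                "Set-Cookie: prefs=dark; Secure\r\n\r\n")
```

A site answering like BAD_RESPONSE serves the logged-in page over plain HTTP and lets the session cookie travel unencrypted, which is exactly the situation the open wi-fi warning above describes.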