So the other day I decided it was past time to reset all my passwords.
I'm pretty good about password hygiene. I've been using a password locker for years, with a unique, randomly-generated* password for every account I use. But I'll admit that, like most of us, I don't do as good a job of password rotation as I might. That's probably because I've managed to amass over 150 different accounts across different sites, and resetting 150 different passwords is a giant pain in the ass.
(I'm thinking that, from here on in, I should pick a subset of passwords to reset every month, so I never wind up having to reset all 150 at once again. It would also help me to clear out the cruft and not keep logins for sites that no longer exist, or which I'm never going to use again, or where I can't even find the damn login page anymore.)
There was one more reason I decided now was a good time to do a mass update: I've got two E-Mail addresses that have turned into spam holes. As I've mentioned previously, I'm currently looking for work and getting inundated with job spam; unfortunately I went and put my primary E-Mail address at the top of my resume, which in hindsight was a mistake. Never post your personal E-Mail in any public place; always use a throwaway.
Which I do, most of the time -- and that's created a second problem: I've been signing up for websites with the same E-Mail address for 15 years, and also used to use it in my whois information. (I've since switched to dedicated E-Mail addresses that I use only for domain registration.) So now, that E-Mail has turned into a huge spam hole; it's currently got over 500 messages in its Junk folder, and that's with a filter that deletes anything that's been in there longer than a week. My spam filters are well-trained, but unfortunately they only run on the client side, not the server side, so any time Thunderbird isn't running on my desktop, my spam doesn't get filtered. (If I'm out of the house, I can tell if the network's gone down, because I start getting a bunch of spam in my inbox on my phone.)
So now I've gone and created two new E-Mail addresses: one that's just for E-Mails about jobs, and another as my new all-purpose signing-up-for-things address.
My hope is that the companies hammering my primary E-Mail address with job notifications will eventually switch to the new, jobs-only E-Mail address, and I'll get my personal E-Mail address back to normal. And that I can quit using the Spam Hole address entirely and switch all my accounts over to the new address. Which hopefully shouldn't get as spam-filled as the old one since I haven't published it in a publicly-accessible place like whois.
Anyway, some things to take into account with E-Mail and passwords:
- Don't use your personal E-Mail address for anything but personal communication. Don't give it to anyone you don't know.
- Keep at least one secondary E-Mail address that you can abandon if it gets compromised or filled up with spam. It's not necessarily a bad idea to have several -- in my case, I've got one for accounts at various sites, several that I use as contacts for web domains, and one that's just for communication about jobs.
- Use a password locker. 1Password, Keepass, and Lastpass are all pretty highly-regarded, but they're just three of the many available options.
- Remember all the different devices you'll be using these passwords on.
- I'm using a Linux desktop, an OSX desktop, a Windows desktop, and an Android phone; that means I need to pick a password locker that will run on all those different OS's.
- And have some way of keeping the data synced across them.
- And don't forget that, even with a password locker, chances are that at some point you'll end up having to type some of these passwords manually, on a screen keyboard. Adding brackets and carets and other symbols to your password will make it more secure, but you're going to want to weigh that against the hassle of having to dive three levels deep into your screen keyboard just to type those symbols. It may be worth it if it's the password for, say, your bank account, but it's definitely not worth it for your Gmail login.
- Of course, you need a master password to access all those other passwords, and you should choose a good one. There's no point in picking a bunch of unique, strong passwords if you protect them with a shitty unsecure password. There are ways to come up with a password that's secure but easy to remember:
- The "correct horse battery staple" method of creating a passphrase of four random words is a good one, but there are caveats:
- You have to make sure they're actually random words, words that don't have anything to do with each other. Edward Snowden's example, "MargaretThatcheris110%SEXY.", is not actually very secure; it follows correct English sentence structure, "MargaretThatcher" and "110%" are each effectively one word since they're commonly-used phrases, the word "SEXY" is common as fuck in passwords, and mixed case and punctuation don't really make your password significantly more secure if, for example, you capitalize the beginnings of words or entire words and end sentences with periods, question marks, or exclamation points. Basically, if you pick the words in your passphrase yourself, they're not random enough; use a computer to pick the words for you.
- And this method unfortunately doesn't work very well on a screen keyboard. Unless you know of a screen keyboard that autocompletes words inside a password prompt but won't remember those words or their sequence. I think this would be a very good idea for screen keyboards to implement, but I don't know of any that do it.
- There are programs and sites that generate pronounceable passwords -- something like "ahx2Boh8" or "ireeQuaico". Sequences of letters (and possibly numbers) that are gibberish but can be pronounced, which makes them easy to remember -- a little less secure than a password that doesn't follow such a rule, but a lot more secure than a dictionary word. But read reviews before you use one of these services -- you want to make sure that the passwords it generates are sufficiently random to be secure, and that it's reputable and can be trusted not to snoop on you and send that master password off to some third party. It's best to pick one that generates multiple passwords at once; if you pick one from a list it's harder for a third party to know which one you chose.
- The "correct horse battery staple" method of creating a passphrase of four random words is a good one, but there are caveats:
- Of course, any password is memorable if you type it enough times.
- And no password is going to protect you from a targeted attack by a sufficiently dedicated and resourceful attacker -- if somebody's after something you've got, he can probably find somebody in tech support for your ISP, or your registrar, or your hosting provider, or your phone company, or some company you've bought something from, somewhere, who can be tricked into giving him access to your account. Or maybe he'll exploit a zero-day vulnerability. Or maybe one of the sites you've got an account with will be compromised and they'll get everybody's account information. Password security isn't about protecting yourself against a targeted attack. It's about making yourself a bigger hassle to go after than the guy sitting next to you, like the old joke about "I don't have to outrun the tiger, I just have to outrun you." And it's about minimizing the amount of damage somebody can do if he does compromise one of your accounts.
- And speaking of social engineering, security questions are deliberate vulnerabilities, and they are bullshit. Never answer a security question truthfully. If security questions are optional, do not fill them out. If they are not optional and a site forces you to add a security question, your best bet is to generate a pseudorandom answer (remember you may have to read it over the phone, so a pronounceable password or "correct horse battery staple"-style phrase would be a good idea here, though you could always just use letters and numbers too -- knowing the phonetic alphabet helps) and store it in your password locker alongside your username and password.
- You know what else is stupid? Password strength indicators. I once used one (it was Plesk's) that rejected K"Nb\:uO`) as weak but accepted P@55w0rd as strong. You can generally ignore password strength indicators, unless they reject your password outright and make you come up with a new one.
* For the purposes of this discussion, I will be using the words "random" and "pseudorandom" interchangeably, because the difference between the two things is beyond the scope of this post.