January 11, 2013

This year, resolve to change your Passwords

My family's online presence started in 1987 when we signed up for the pre-Internet communication provider CompuServe. After dialing in with our modem, we logged in to the service with a nine-digit username and a password supplied by CompuServe. Twenty-five years later that password is still in use....
I must have hundreds of accounts with passwords on different web sites, and I expect you are the same. Our passwords protect information that ranges in value from inconsequential to critical banking and email details. Wired magazine senior writer Mat Honan discovered firsthand this summer how vulnerable our password-protected services are when hackers compromised his email accounts and remotely deleted everything on his iPhone, iPad, and MacBook. Lacking proper backups, he lost significant personal data including every picture he had ever taken of his 18-month-old daughter. Most photos were later retrieved (at considerable expense) by a forensic disk recovery lab, but Honan was left shaken. Reflecting on the incident in December's edition of Wired magazine, he concludes that passwords alone are a flawed way to authenticate identity in a networked world filled with inexpensive and powerful computers. Though it might be a little frightening, I highly recommend reading the full article, or listening to last Friday's interview on Q.
Even if Honan is right that "the age of the password has come to an end," the reality is that we keep using passwords dozens of times a day. We need to incorporate practices that give as much protection as possible until more robust authentication methods gain widespread use. Here are five things to consider as you decide how to manage your passwords:


Changing Passwords

My new resolution is to change my most important passwords at least annually. I see changing passwords as valuable for two reasons. First, a "brute force" attack, where an attacker methodically guesses passwords against a login page, is sometimes run quite slowly to stay under lockout and rate-limiting thresholds, and a password change throws away whatever progress those guesses have made. Second, the longer and more widely a password is used, the more chances it has to fall into the wrong hands somewhere: a phishing page, a compromised site, a shared computer. Not all information breaches are publicized as widely as Sony's security failings last year, so you might not know right away if your credentials have been compromised, and a password change gives a fresh start. One caveat: if a site leaks its password database, an attacker can test guesses offline at millions per second, so a change only helps if it happens before the leaked copy is cracked. That is an argument for choosing strong passwords in the first place, not just for rotating them.

Choosing Passwords

The best way to protect against brute-force (guessing) attacks on your accounts is to choose a very long password. Each additional character multiplies the number of possible passwords by the size of the character set, so strength grows exponentially with length, and a full sentence or a string of several random words could be both memorable and strong. A trusted site like PC Tools Secure Password Generator could give you some random ideas. A colleague of mine also suggests combining fragments of previous passwords in a new password, which gives a balance between being secure and being memorable. Keep in mind, though, that if one of those old passwords has already leaked, an attacker who knows it has a head start on guessing the new one; fragments you have never used anywhere are safer.
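To put numbers on the "each character counts exponentially" point, here is an added example (my own illustration, not code from the original post or from any generator site). It computes bits of entropy for a random character password and for a random word passphrase, generates a passphrase with the operating system's cryptographic random source, and estimates how long an offline guessing attack would take at a given rate. The 16-entry word list is constructed for the example; a real list such as EFF's has thousands of words, and the `guesses_per_second` figures are assumptions for illustration.

```python
import math
import secrets

# Constructed word list for illustration only.  Real diceware-style lists
# have thousands of words; with 16 words each one contributes only 4 bits.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pepper",
]


def charset_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size`
    symbols: log2(alphabet_size ** length) == length * log2(alphabet_size).
    Adding one character adds log2(alphabet_size) bits, i.e. multiplies the
    number of candidates the attacker must try by alphabet_size."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Same formula, but the 'alphabet' is the word list and the 'length'
    is the number of words.  Only holds if the words are chosen at random;
    a quotation or a sentence you made up has far less entropy."""
    return words * math.log2(wordlist_size)


def generate_passphrase(words: int, wordlist=WORDLIST, sep: str = "-") -> str:
    """Pick words with secrets.choice (OS CSPRNG).  random.choice would be
    seeded predictably and is not suitable for passwords."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret: on average the
    attacker searches half of the 2**entropy_bits keyspace."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


if __name__ == "__main__":
    # Assumed attacker speeds (illustrative): a throttled login form versus
    # an offline attack on a leaked fast hash.
    online, offline = 10, 10_000_000_000
    for label, bits in [
        ("8 random printable chars", charset_entropy_bits(95, 8)),
        ("12 random lowercase chars", charset_entropy_bits(26, 12)),
        ("6 random words from a 7776-word list", passphrase_entropy_bits(7776, 6)),
    ]:
        print(f"{label}: {bits:.1f} bits, "
              f"online {seconds_to_crack(bits, online) / 86400 / 365:.1e} years, "
              f"offline {seconds_to_crack(bits, offline) / 86400:.1e} days")
    print("sample passphrase:", generate_passphrase(5))
```

The generator is also the honest way to produce the made-up "security question" answers discussed later: an answer nobody can look up is just another random secret.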

Remembering Passwords

Avoid recording passwords in a digital device like your computer or phone. If this device is compromised then it would give access to other accounts. Instead, write passwords on a piece of paper and store it in a secure place.

To reduce the number of passwords to remember, consider this strategy:
1. Categorize the sites and services you use into levels of importance.
2. Use unique passwords for the most important and personal services like email, Facebook, AppleID, banking, etc.
3. Reuse passwords in categories of services with similar levels of importance and personal information. This is a compromise. It would be more secure to always have unique passwords, but will anyone actually do that? [1] For me about 3 categories seems a good compromise.
4. Always use new, strong passwords when changing the top level (most important) passwords, but reuse old high security passwords for lower categories of importance in the future.
Alternatively, you might consider using a password manager like lastpass.com to make many or all of your passwords accessible through a single secure password. An advantage of a password manager is that long, complicated, unique passwords can be used for every site you use without needing to remember all those awkward passwords. Alternatives to LastPass are available, including some that work offline, but I still feel a little hesitant to aggregate my passwords in one location. Whatever the product, the master password becomes the one secret everything else depends on, so it deserves to be the longest and most random password you own.
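To show what "one secure password" actually protects, here is an added example (my own code, not LastPass's or any other product's implementation). A vault stores a random salt and a verifier; the master password is stretched with PBKDF2-HMAC-SHA256 into a vault key, and the verifier lets the software detect a wrong master password without storing the key. The second half shows what an attacker who has copied the vault file can do: try candidate master passwords offline at the speed the key derivation allows. The iteration count and the candidate dictionary are constructed for the example; real vaults use far more iterations or a memory-hard function such as Argon2.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Deliberately low so the demo runs in milliseconds.  Production vaults use
# hundreds of thousands of PBKDF2 iterations (or Argon2/scrypt) precisely to
# slow down the offline attack shown below.
ITERATIONS = 1000
VERIFIER_LABEL = b"vault-verifier"


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key.  The salt makes the
    derivation unique per vault, so precomputed tables are useless."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def create_vault_header(master_password: str,
                        iterations: int = ITERATIONS) -> dict:
    """Metadata a vault must store in the clear: salt, iteration count, and
    a verifier (HMAC under the key) so a wrong password can be rejected.
    The key itself is never written to disk; it would decrypt the entries."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Return the vault key if the master password is right, else None."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    candidate = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    # Constant-time comparison, so timing does not leak how many bytes matched.
    return key if hmac.compare_digest(candidate, header["verifier"]) else None


def offline_dictionary_attack(header: dict, dictionary) -> Optional[str]:
    """What a thief with a copy of the vault file does: every guess costs one
    key derivation, and nothing rate-limits or locks them out.  The only
    defences are the iteration count and the master password's entropy."""
    for guess in dictionary:
        if unlock(header, guess) is not None:
            return guess
    return None


if __name__ == "__main__":
    # Constructed dictionary of common choices for the demonstration.
    common = ["password", "letmein", "123456", "summer2013", "qwerty"]
    weak = create_vault_header("summer2013")
    strong = create_vault_header("kettle-orchid-falcon-jigsaw-ember")
    print("weak master recovered:", offline_dictionary_attack(weak, common))
    print("strong master recovered:", offline_dictionary_attack(strong, common))
```

The lesson is the one the text hints at: aggregating passwords is acceptable only because the master password is stretched and strong; a guessable master password turns the vault into a single break-in point.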

"Security" Questions

Many websites now ask us to submit answers to 3-5 questions, ostensibly to verify our identity in case our password is lost or we connect from an unknown location. Unfortunately, many of these questions have to do with personal trivia which friends or family might know too, and in a social-networked world it might not be difficult for a dedicated intruder to figure out your mother's middle name or your first car. Mat Honan suggests using these questions as cues and making up answers. What was the street you grew up on? Perhaps "Rideau Crescent?" Treat those made-up answers as passwords: record them wherever you keep your passwords, because a reset question answered with a random string is useless if you cannot reproduce it yourself.

Multi-factor authentication

Mat Honan sees multi-factor authentication as the first step beyond the password. In a multi-factor system, in addition to typing a password, your identity is verified by an alternate method: something you have or something you are, rather than a second thing you know. This could be an SMS to your cell phone, a key chain token that displays a synchronized confirmation code that changes every minute, a retinal scan, or a photo of you verified by two random friends. There are endless possibilities, but all come with different trade-offs in convenience and privacy.
Google, Facebook, Yahoo, LastPass, Dropbox and others all offer two-factor authentication. Honan comments that every Gmail user should enable two-factor authentication immediately, and I expect he would endorse its use as widely as possible. I use it, and while there is a small degree of inconvenience, that is more than compensated for by peace of mind.


[1] ...that is without a password manager. We'll get to that shortly.
