Passwords are like smoke detector batteries

Scott Wright at Security Views has this great idea regarding when you should change your passwords.

If you’ve changed your smoke detector batteries more recently than you’ve changed your passwords, then you should think about changing some of them now.

If you can change passwords more often, great. But I realize that some of us have upwards of 25 passwords to manage on a regular basis. It’s not fun having to change them all. But with the number of security breaches at websites these days, it’s only a matter of time until somebody gets one of your passwords. And if you use the same password across all your accounts, hackers will have a pretty easy time assuming your identity at places like eBay, PayPal, Amazon, etc.

That’s a great plan. Think about changing your passwords every time Daylight Savings time changes. Of course nobody does the 6 month symmetric Spring and Fall time change any more. Now it’s a lot more asymmetrical like early Spring and early Winter, and I’m guessing that it won’t be too long before we do away with Daylight Savings time altogether (or go with it exclusively).

I’ve switched from the free open source Password Safe password manager to the similarly free open source KeePass (for Windows) and KeePassX (for Linux and OS X) password manager precisely because KeePass supports password expiration. So I have some passwords that expire annually, some semi-annually, some quarterly and even a few monthly. So I’m thinking that it would be good to try the inverse of Scott’s idea and set my smoke detector batteries to expire every 6 months in KeePass.

Sarah Palin and the great Yahoo! angst

I’ve really been trying to stay out of this one. I really have. Mostly because everyone, and I do mean everyone, has this story covered. While mainstream media, in stories like this, were concentrating on where to place blame, whether nasty sites like wikileaks are legal (while dutifully linking the prurient details) and whether Ms. Palin was a victim or villain (how about just clueless), the Security Bloggers Network, yea, the entire blogosphere, has been alight with posts about what we can learn from this incident and how to make sure this doesn’t happen to you. Kindred spirit Alan Shimel even weighs in with words of advice and consolation for Ms. Palin.

So what’s the most important takeaway from this ugly, yet amusing, incident? That Yahoo!’s email security policies suck? I’m guessing that Alan would answer that with a resounding “yes!” (albeit more emphatically and certainly more colorfully). Or is it that all web-based email services’ security sucks? Or maybe that there is a vast left-wing conspiracy to discredit our lovely GOP VP wannabe? (Oh! – I like that one).

Not to minimize or criticize the excellent analysis and advice proffered by fellow security bloggers, I think the most important takeaway was this:

Security is about managing risk. First you identify the assets that are exposed, then determine the threats that those assets will be exposed to, and finally determine how best to manage that risk. This was yet another, albeit high profile, case of poorly managed risk.

Does Yahoo!’s mail security, particularly their password reset mechanism, introduce threats? Of course. Same with Google Mail or Hotmail. Can these threats be mitigated? Of course. Is it safe for me to use webmail? Ah, now we get to the question, however obliquely, that we should have asked first. So let’s start at the beginning, shall we?

  1. What is the benefit received from a web-based email/calendar/contacts system?
  2. What are the information assets that would be exposed?
  3. What are the threats to those assets?
  4. How can those threats be mitigated?
  5. Given the value of the exposed assets, can the threats be mitigated sufficiently such that the risk can be accepted?
  6. Do the benefits outweigh the cost in money and risk?

So if I’m me (which I was last time I checked) I would get a great deal of benefit from an online system like Yahoo! (disclaimer: I don’t actually use Yahoo!, I use something else), since I like to be connected everywhere and I make a point of keeping my work and personal stuff well separated.

In my case, the information assets that are exposed by my webmail are intentionally minimal. No important numbers or addresses and minimal Personally Identifiable Information.

The major threat to my assets is exposure due to data breach, with the most likely vector being a compromised password.

I’ve already written a blog entry about password security and I also use some of the stuff outlined here.

The value of my exposed information assets is pathetically low – my family weekend plans or my personal address list are, sadly, valuable only to me. So any common sense mitigation I can put in place will definitely make the effort required to compromise my data a very poor investment indeed.

Therefore, the convenience of having my todo list available on my iPhone far outweighs the risk of that data being exposed.

But then I’m not the Governor of Alaska and a vice presidential candidate. Ms. Palin should have gotten to #2 and started hearing all kinds of alarms going off. Barring that (hey, she only recently became a celebrity – er… high profile person) the answer to #5 is “no!” (actually “HELL, NO!“). Particularly since the data identified in #2 was not hers to risk – some of it belonged to the people of the sovereign state of Alaska. I can safely say that were I to expose my employer’s data via a personal online account, no matter what precautions I took and regardless if it were actually compromised, I would be fired. Immediately. Walked right out the door. And rightly so.

I’m pretty sure I wouldn’t get promoted to Vice President.

Keys to the kingdom

You’d think we’d have gotten past this by now. After all the research and mathematical and technological advancement, almost all of our most valuable digital – and ultimately real – assets are protected by one little word. Usually something lame like our dog’s name or favorite team mascot. That’s right, I’m talking about passwords. In spite of efforts by the Payment Card Industry (PCI) Security Standards Council and others to promote multi-factor authentication – i.e. some combination of

  • something you know (like a password)
  • something you have (like an access card)
  • something you are (biometrics like fingerprints or retinal scan)

even most financial institutions can only manage a password and some personal questions (which, incidentally, is not really multi-factor; it’s multiple single-factor, i.e. several things that you know) to authenticate us for the most sensitive and important transactions. And forget about web sites. Everybody wants you to have a password. Presumably a good – and unique – one for each.

By now most people have heard about the guidelines for good passwords. For example, Wikipedia lists the following common guidelines.

Guidelines for strong passwords

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:

  • Include numbers, symbols, upper and lowercase letters in passwords
  • Password length should be around 12 to 14 characters
  • Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates.
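As an added example (not from the post or from the Wikipedia article it quotes), here is a small Python checker that applies those three guidelines to a candidate password and reports which ones it violates. The mini-dictionary, the 4-character sequence threshold and the keyboard rows are assumptions made for the example.

```python
import re

# Constructed mini-dictionary standing in for a real wordlist (an assumption;
# a real check would load something like /usr/share/dict/words).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "football"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQ_RUN = 4  # assumed threshold: 4 consecutive letters/digits or keyboard keys


def has_repetition(pw):
    """Same character three or more times in a row, or a chunk repeated back to back (abab)."""
    return re.search(r"(.)\1{2,}", pw) is not None or re.search(r"(..+?)\1", pw) is not None


def has_sequence(pw, run=SEQ_RUN):
    """A run of consecutive letters or digits (abcd, 4321) or adjacent keyboard keys (qwer)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        codes = [ord(c) for c in chunk]
        steps = [codes[j + 1] - codes[j] for j in range(run - 1)]
        if all(c.isalnum() for c in chunk) and (all(d == 1 for d in steps) or all(d == -1 for d in steps)):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw, username="", biographical=()):
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    # Guideline 1: numbers, symbols, upper and lower case letters
    if not all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("needs lower, upper, digit and symbol")
    # Guideline 2: length around 12 to 14 characters (12 used as the floor here)
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    # Guideline 3: no repetition, sequences, dictionary words, username or biographical data
    if has_repetition(pw):
        problems.append("repeated characters or patterns")
    if has_sequence(pw):
        problems.append("letter, number or keyboard sequence")
    low = pw.lower()
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(len(item) >= 3 and item.lower() in low for item in (username, *biographical)):
        problems.append("contains username or biographical information")
    return problems
```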

I can see heads start spinning! How in the world can I remember even one 12-14 character password that contains nothing I can remember, and is more or less random? Much less the 50 or so passwords I need for all my web sites and financial stuff? Yeah – that’s a problem. And it’s exacerbated by the fact that as the need for passwords has proliferated, the practicality (i.e. horsepower) of password crackers has improved exponentially. Oh and by the way, to really achieve decent security (i.e. mitigate the threat of exposure) you should really change your passwords at least annually and preferably more often.

Yikes! So how exactly can a person possibly memorize 50 pseudo-random character strings that all change every year? Well, in a nutshell – you can’t. No one can. Well maybe someone with an eidetic memory, but not you or me. There is, however, hope. SecurePuter has a great post on “How to Create and Remember Multiple Secure Passwords” wherein an easy to remember but hard to guess formula is presented that will allow you to calculate what your password is so it removes the randomness and requirement to memorize many different things. It’s a great idea, and be sure to read all of the comments as further refinements are suggested.

Still, if you’re like me and make an actual effort to forget things as soon as possible, this might not be an optimal solution. So how do I manage to remember 50 (or in my case more like 150) dynamic random character strings? It’s easy – I don’t even try. I use a password generator and storage system. There are quite a few good packages out there. The one I use is the open source package Password Safe, partly because Bruce Schneier started the project, partly because it runs on all of the platforms I use, partly because it has great encryption, but mostly because I’m cheap and it’s free (as in free speech and free beer). I keep my fully encrypted password safe database file on a USB thumb drive so all of my passwords are available on whatever device I’m using – except my iPhone (which is a rant for another time). Basically the way it works is that I make an entry for whatever web site or computer I need a password for and then let it generate one for me. There are all sorts of policy options so you can get insanely long and complex passwords. When I save the new password, it is encrypted using the one and only password I need to remember. That’s it. So not only do I not remember my 150 different passwords, I never knew what they were to begin with. Now there are situations where this kind of password safe mechanism will have an issue, specifically you can run into a race condition with computer logons that require a regularly changing password (e.g. most corporate networks) whereby you must be able to type in the password to log in so that you can get access to the password safe. I get around this by generating a random 12-character password that I can remember for the 90 days that it will be valid. So I guess I really have to remember 2 passwords. But even I can do that. And so can you.
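An added example, not Password Safe’s or KeePass’s own code, that puts together the two ideas from this post and the smoke detector post above: a policy-driven generator backed by the secrets CSPRNG, and vault entries whose expiry is set from an annual, semi-annual, quarterly or monthly period so the ones due for a change can be listed. The character classes, period lengths and entry layout are assumptions made for the example.

```python
import secrets
import string
from datetime import date, timedelta

# Policy options a generator can be configured with (assumed set, not Password Safe's).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}

# Expiry periods named in the KeePass post (day counts are an assumption).
PERIOD_DAYS = {"annual": 365, "semi-annual": 182, "quarterly": 91, "monthly": 30}


def generate_password(length=16, require=("lower", "upper", "digit", "symbol")):
    """Generate a password with the secrets CSPRNG containing at least one char of each required class."""
    if length < len(require):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in require)
    while True:  # rejection sampling: uniform over all strings that satisfy the policy
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in require):
            return pw


def new_entry(name, period, changed=None, **policy):
    """Create a vault entry with a fresh password and an expiry date derived from its period."""
    changed = changed or date.today()
    return {
        "name": name,
        "password": generate_password(**policy),
        "changed": changed,
        "expires": changed + timedelta(days=PERIOD_DAYS[period]),
    }


def due_for_change(entries, today=None):
    """Names of entries whose expiry date has passed: the smoke detector battery check."""
    today = today or date.today()
    return [e["name"] for e in entries if e["expires"] <= today]
```

Vault encryption itself is out of scope here; the entries are plain dicts so the generation and expiry logic stay visible.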