Passwords

But, first two short breaks.

Have you ever thought about how hard it is to do a selfless act without telling anyone, since the very act of telling someone makes it a selfish one?

And, the word of the day today is defenstrate which is my absolutely favorite word in the English language. My second favorite is "moist".

So, passwords. In this last week, one of the major things that got tested was my passwords. I know it doesn't sound very impressive, but remarkably, this was probably the most stressful thing I encountered since I had to abandon my apartment for a week, sans laptop.

I'll start with history. One of the common recommendations when creating passwords is to create a high quality password. This means capital letters, numbers, and punctuation (periods, underscores, percents, etc). In general, I avoid dollar signs because of shell expansions, but otherwise I create very good, quality passwords. They aren't really guessable because I use a program called apg to do them, or I use a 8-12 character hash of a random number on my machine. In other words, you probably won't guess them.

Another thing they tell you, to avoid identity theft is to create a unique password for every site. I think I started doing that about five years ago, when I first saw it for two reasons. One, I don't want to recommend something that I can't do, and two, I want to know if it was a viable thing. In my case, no one has stolen one account from me, much used that to steal my other accounts. So, it worked.

On the other hand, with high-quality passwords, it means I can't remember them all. I mean, the number of times I had to use the "I forgot my password" in the beginning was bordering on silly and probably made it even more insecure since I had to have a new password sent every time I used a website.

So, I found a program to manage my password. One really good, password (> 12 characters) that I could remember and I had access to all the other passwords I needed. Same principle as the key chain in Gnome and OS X, but in theory more flexible since I could use it on any machine. I kept the file on a USB thumb drive, which is attached to my keys. Its encrypted, so I don't worry about people stealing it because it becomes a serious issue for your average sociopath to decrypt a 1,024 bit encrypted file.

Everything worked great until a single bug in Debian caused my entire system to collapse. For two weeks, I couldn't get to my passwords because the two-way hash library the program used had a bug. The second I got my passwords back (by reverting my system actually a few weeks), I switched over to an entirely different application: GNU Privacy Guard or PGP. I wrote a little set of scripts to edit passwords and moved everything over. And that is what I was using for the last three years. Constantly. Except for the time when Fluffy borrowed my thumb drive and somehow managed to destroy it. I had backups as part of the scripts, which were all encrypted on all of my machines, so I honestly wasn't impacted too badly, but I still won't let her use my password thumb drive. Any other, no problem, just not the one on my keys.

When Hurricane Katrina happened, one of the things I remembered was a suggestion of putting your bank account numbers and everything you need to recover your life on a thumb drive. That way, if you have to flee, you just have one item. So, naturally, I started doing that for the same reasons I tried to have a unique password. To see if it was a viable choice and how much trouble would it be.

Fast forward a few years. I have 784 unique passwords in a file. I also have another thousand lines worth of account information. I have a ton of personal account information, PINs, social security numbers, and information that would probably make an identity thief orgasm in their pants. According to the "how much is your personal information worth" sites, the data on my unencrypted thumb drive is somewhere near a thousand dollars. Encrypted, its worth about a dollar or two for scrap metal. Not a big deal.

When I left my apartment without my laptop, I didn't really think about it. The USB drive was with me, that was the entire reason I keep it on my keys. But, the computer that normally accesses it wasn't.

I finally managed to get an Internet access a few days later at Ack!'s place. Just a few hours to fulfill my desperate Internet addiction and to pay bills since I'm still check-to-check and it was payday.

It took me two solid days to recover my passwords. I had to find a program to decrypt the files, I tried a couple of things before I downloaded one and manually did it. I had to install programs on someone else's machine, which I'm never comfortable with and it is something you can't do on an Internet cafe machine. So, I tried everything I could to not install things, mainly because I shouldn't have it.

And I couldn't remember my passwords, and I didn't have access to the "remember my password" feature on my computer, so I had jump through a lot of hoops because I used high-quality passwords and I had a unique one for every damn site. And I knew what I was doing. Imagine someone who barely knows a computer trying to do this. At this point, a unique, high-quality password is great for day-to-day things (well, mostly great, it was a pain in the ass I'll be honest), but in a emergency situation, I think it will actually cause a great deal of problems.

I had to get to my bank account. I had my primary bank's password, including those stupid "and what is your favorite book" questions they think save you. But, I couldn't pay my car payment because I didn't remember my password. And I couldn't recover my password because I couldn't remember my favorite teacher (I don't have favorite anything, except maybe books). And if you don't have that, you need to have the account number, which I forgot to update. So, my car payment never got paid and its getting late (in more than one way).

One of my bank accounts is pretty good. They require some of the basics (username and password), but then they have a set of pictures and tell you to pick the one you selected before. That was a breeze to get through, simply because it is nothing to remember a picture. The "what is your favorite" was either an obvious answer, or I kept getting nailed by it not being exactly what I wrote a year ago. There is a reason I use the remember answer feature, I can't remember all these stupid little questions, answers, passwords, and accounts. The one that required me to have numbers in my account name really annoyed me because I'd rather have a good password and a consistent username. Not "a982fsdlfkjs82sdvj" which I could not remember to get into the damn account. Nor could I really remember what my favorite teacher was or what job Fluffy had in 1990 (since I also manage her accounts).

The other thing that was really nice was OpenID. Any site that let me connect to there was an absolutely breeze because that is a common password, nicely decentralized, and worked beautifully. Every. Single. Time. Though, I wish places like LiveJournal would let you assign an OpenID to a LJ account since I couldn't remember my LJ account but I knew my OpenID. At this point, I wish 99% of my accounts, forums, and everything else would use OpenID. Mainly because it would have made my life actually easier than a unique password per site.

In the end, I have a lot of opinions on passwords and I'm probably going to drastically change how I deal with it, mainly because of what I just went through.

1. High-quality passwords are a must. Learning to make those is probably a good thing. That part didn't change. Having a password per site is a good idea, but very difficult to recall in emergencies. More so when you are a social butterfly like me and every damn site seems to require an account. The only way I can see around this is to create and learn how to make hashes in my head. Something that creates a good password and I could figure out without having to look up a file. After all these years of a password file, it simply gets too difficult to use.

From this point, I need to find some way of taking a website URL and come up with a system of making a good password out of it. Without needing a computer, without needing anything besides a pad of paper and a pencil.

2. Become a zealot for OpenID. My OpenID logins were so easy, and I knew they were secure because it was my password. I set it up, I controlled it, and I felt confident that the one password would work. I think there needs to be a lot more integration and I'm going to start moving my applications over to it. Mainly because of the ease and it offloads the password entry and storage somewhere else, where the user can trust it (like ClaimID which is awesome).

3. Tell banks to get rid of that stupid "what is your favorite" crap. People's favorites change all the damn time and sometimes you don't have a favorite. I can't remember how I spelled the teacher's name and my account got locked out and I wasn't even sure if I was typing the right one. The picture lookup, that was a lovely. Having to pick 1 picture out of 16, piece of cake. They could make that a lot more secure (i.e. have some pictures that always show up for a specific user) and it wouldn't have caused a problem.

Plus, banks really should use OpenID for the initial stuff, then just validate. Since they are charged with needing two-phase identities, then just require two valid OpenID accounts. If I had to use my ClaimID and my local to log into my bank, I'd be fine with that. I can remember those two. And needing your username to be "vj982vc89jwdf" sucks. Also, don't think one of those hardware cards is really good; they won't work on Linux and if it doesn't work on Mac, Windows, and Linux without installing something, I won't use it. SecureID is good though, because you just enter a number instead of having to plug something in. Actually, I have a fondness for SecureID, just from where I used it, but its pricey for the common man.

Not that that banks would ever do this, they seem to just want to make me feel secure when all they do is make it more difficult to actual do online banking; and I typically bypass most of their security features by using "remember password" (or Greasemonkey to let me remember passwords). And if any bank starts using Silverlight or Flash for their login, I will stop using them in a matter of seconds. Period. Neither works on my Linux machine, and while I'm the minority, it is still a popular operating system and the only one I use because of personal preferences.

4. I'm going to keep my USB key chain, with an encrypted file. I have a Windows installer on it in case I have to do this again, but I'm also going to look into making it a bootable Linux partition. If I figure out a password hash, I'll just keep all the account stuff updated on it.

5. UPDATE THE DAMN KEY! I was missing a few passwords. And account numbers. And, because I can't remember, I also had the answers to most of the "what is your favorite headache" questions simply because I can't remember all 40+ questions across 8 (3 banks, 3 student loans, 1 mortgage, and 1 car payment, all different).

You never really think about emergencies. You don't think about when you won't have your comfortable computer. These don't seem to come up with IT comes up with policies like changing passwords every three months, each one must be high-quality, and you can't repeat the last 63 passwords. But, after what I went through, which is relatively minor and wasn't as serious, I could easily see where most of today's suggestions are great but don't help when you are in an Internet cafe with only twenty minutes to connect to your rapidly growing online life.

Metadata

Categories: