Your Most Important Password

I’ve mentioned passwords before, but today I’d like to tell you about the most important password in your possession, the single password that keeps the hordes at bay.

Take a moment to think about the passwords you use for your various secret stuff. If you’re like me, you have your ordinary password for unimportant stuff, then you ratchet up the entropy for sites that involve money. For a long time I had two passwords, my ‘secure’ one and my ‘other’ one. Now I’ve started taking my passwords a lot more seriously, which means keeping a file of all my passwords, itself protected with massive encryption and the most awesome passphrase ever. No one’s getting into that file.

But here’s the thing: they don’t have to. There’s another password I have that’s just as powerful and easier for a bad guy to use. My primary email password.

How does that password drop my trousers universally? Simple: if someone had access to my email, they could click “I forgot my password” on every site in the world and harvest the responses. If the evil robot cleared out the emails before I read them, I’d be none the wiser. And I’d be fucked.

You might think your online banking password is the one you must protect most diligently, but your email password will hand them your bank account along with everything else. This is the password to protect and change regularly.

As an aside, you can make things a little tougher for bad guys by modifying your email address when you register for stuff. For instance, if I register at xyz.com, I might use vikingjs+abc@mac.com for my email address. The cool thing about ‘+’ is that it doesn’t change the delivery (the above will go to vikingjs@mac.com) but you can sort your email based on the suffix, and you can track who gave your email address away. Most significantly, if some wrongdoer has your email password, they still have to guess the +suffix part for each site before they can use the “I forgot my password” feature. If your email password gets out, that second line of defense could really save your ass.*

Also, know that if your email provider gets hacked, you could be hosed. There is one major company (rhymes with achoo!**) that seems to have a hard time keeping the wrong guys out of your account (although I think it’s the address book that has been compromised, and not direct access to your emails). There are likely others that do a better job keeping their names out of the press when they spill your information.

So, to flog the horse: If bad guys gets access to your email, they own you. Protect that password diligently. Change it fairly often. Use email+suffix@whatever.com when you sign up for stuff. In databases around the globe, your email is quite literally your entire identity.

* I read somewhere that hotmail and some others don’t support the + in emails. I haven’t tested personally, but if your provider is one of those, drop them immediately and find a better service.

** I’m pretty sure I have stock in a company that ends oo!, so I’m not just slinging mud here.

9 thoughts on “Your Most Important Password

  1. Google’s Gmail has a two step authentication process that uses can enable. It uses a mobile app that generates a codes every minute to verify that you are who you say you are when you login via a browser. You can also generate lengthy one time passwords for apps and services that want access to one’s email. Of course these features are useless if they aren’t used.

    • *ahem* I think you meant to say “log in”.

      Anyway, that’s good information. I almost never use a browser to read my mail, but that sounds like an interesting authentication system. Although for “apps and services that want access to one’s email”, I believe “none” is the best answer (other than email reader, of course). Places like Facebook and LinkedIn where you can provide access to your email account so they can search for connections with people you know might be benign, but how well do they protect that information?

      If nothing else, you’re sending the information to them in the clear. For the One Password that Rules Them All this seems a bit risky.

  2. Very interesting post.
    In your estimation, how true is that cartoon you linked a while back, that encouraged an easy to remember three word pass phrase instead of the usual jibberish+numbers+case-sensitive+characters password recommendations?
    In your estimation, how secure/insecure is the 4 digit ATM pin?
    I have an almost universal password, because with the HUMONGOUS number of password protected places these days it isn’t practical to memorize that many unique passwords. As it is, I have to keep a notebook. Computer security professionals love to rolleyes at the secretary with the post-it note password stuck inside her desk. This is because security IT have probably never taken psychology 101, sociology 101, and they are better than us*
    */dripping sarcasm

    • The only thing that makes the 4-digit PIN secure is that the number of tries a would-be abuser gets is limited. There are 10,000 possible PINs (and at least at some places 1-2-3-4 and the like are not allowed, so the number is actually less), so a computer could blast through those in less than a second if the system on the other side let it. With PINs you really are relying on your bank to not be careless.

      Even then, someone who finds your card gets three tries. That’s a better than 0.03% chance of getting in. With some study of common PINs, that probability goes up dramatically for people who don’t choose their PINs randomly. This may be OK for ATMs where the biggest risk is $400 or whatever, but for a while my bank used my PIN as my online password as well. And now with smart phone apps that have much greater power, the risk is magnified greatly.

      Almost always, longer is better for passwords. Some of the math in that cartoon presupposed that the attacker had some idea in advance what type of password you were using. Most brute-force attackers are going to try patterns like those we were taught all these years. Doing things differently than other people helps.

      Your last point is the key: if the secretary used a passphrase that was nonsense but easy to form a mnemonic for, she might not have that post-it in her drawer. That alone improves security mightily.

      Note that all these measures are about a single kind of attack – the brute force attack, where a robot tries every imaginable combination until one works. Well-configured servers shouldn’t allow this to happen anyway.

      There are other sorts of attacks that will get your password no matter how clever and cryptic it is. For instance, about a decade ago there was a super-hacker who got into all kinds of places. His most common method: Phone the people up, say he was with IT, and he needed their passwords for testing. These days, “phishing” emails do the same thing. Never send your password over email, no matter who’s asking. Anyone can read those, and legitimate providers know that so they won’t ask.

      When you communicate via the Internet, anyone can listen in. If you log into your favorite site and your password is not encrypted, anyone can intercept it. There was a guy not too long ago who sat in a Starbucks and harvested something like 14 Facebook passwords in an hour while he relaxed and sipped his coffee. I believe after that incident Facebook now uses encryption for logging in, but to be honest I’m not sure. And if you use the same password for Facebook and everything else, well, then, every time you update your status without encryption you’re dropping your pants.

      Even if the password for logging in is now protected, does Facebook encrypt the form that includes BOTH your email and your email password when you click the “let us find your friends for you!” button? I bet not. If I was a bad guy, that’s where I’d put my sniffer. If not Facebook, then LinkedIn, or Twitter, or any of the others. Some of them are being careless, you can bet your hat.

      Even if you’re just loading files up to your Web host, you can have trouble. FTP always sends your password unencrypted. There’s no avoiding it. You should never, ever use FTP on an insecure network; on my server I don’t have FTP enabled at all. SFTP is built from the ground up to be more secure, and SCP is better for moving large numbers of files.

      In the end, that’s why you need to use different passwords in different places. Passwords are only secure as the people you share them with, no matter how diligent you are.

      Of course, my computer has offered to remember many of my passwords for me. That’s nice, but that means anyone with physical access to my machine can cause me trouble. That’s a risk I’ve chosen to take, since the machine itself is protected well enough to buy me enough time to change my passwords were my laptop to be stolen.

      I wonder if I could get a tiny little USB drive with a super-encrypted keychain on it. Then I could set things up so all the passwords were on the dongle, and nothing would work without the bit of hardware. The dongle would have a thumbprint reader and a retina scanner, of course, and would shoot acid into the eyes of people who tried to activate it once too often. That would be cool.

      Until I lost it.

      • I should have noted in this long discourse that GMail at least has an answer for the “sending your password to other people” problem, as noted above by Gerald. If you use GMail for stuff like that, NEVER EVER send your password to Facebook or LinkedIn or whoever; instead go to GMail and get a special password that only works once. Then you won’t have a problem — as long as Facebook (or whoever) uses that password faster than the bad guy does.

        Not a guarantee of safety, but better than giving anyone your main password. Still, it’s like condoms and sex: a lot safer, but not as safe as not giving anyone access to your account at all.

  3. Pingback:

    Vote -1 Vote +1
    Call me g2-587217eb4d0b8b1710372695336f2a58 « Muddled Ramblings and Half-Baked Ideas

  4. Pingback:

    Vote -1 Vote +1
    Protect Your Passwords, an Encore Performance « Muddled Ramblings and Half-Baked Ideas

Leave a Reply

Your email address will not be published. Required fields are marked *